Search
Total
2785 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-25621 | 1 Solarwinds | 1 N-central | 2021-07-21 | 2.1 LOW | 8.4 HIGH |
| An issue was discovered in SolarWinds N-Central 12.3.0.670. The local database does not require authentication: security is only based on ability to access a network interface. The database has keys and passwords. | |||||
| CVE-2020-11542 | 1 3xlogic | 3 Infinias Eidc32, Infinias Eidc32 Firmware, Infinias Eidc32 Web | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| 3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the <KEY>MYKEY</KEY> substring. | |||||
| CVE-2020-9143 | 1 Huawei | 2 Emui, Magic Ui | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| There is a missing authentication vulnerability in some Huawei smartphone.Successful exploitation of this vulnerability may lead to low-sensitive information exposure. | |||||
| CVE-2020-2076 | 1 Sick | 1 Package Analytics | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| SICK Package Analytics software up to and including version V04.0.0 are vulnerable to an authentication bypass by directly interfacing with the REST API. An attacker can send unauthorized requests, bypass current authentication controls presented by the application and could potentially write files without authentication. | |||||
| CVE-2020-13838 | 1 Google | 1 Android | 2021-07-21 | 3.6 LOW | 3.5 LOW |
| An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. The DeX Lockscreen feature does not block access to Quick Panel and notifications. The Samsung ID is SVE-2020-17187 (June 2020). | |||||
| CVE-2020-24580 | 1 D-link | 2 Dsl2888a, Dsl2888a Firmware | 2021-07-21 | 5.4 MEDIUM | 7.5 HIGH |
| An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. Lack of authentication functionality allows an attacker to assign a static IP address that was once used by a valid user. | |||||
| CVE-2020-13297 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 4.9 MEDIUM | 5.4 MEDIUM |
| A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. When 2 factor authentication was enabled for groups, a malicious user could bypass that restriction by sending a specific query to the API endpoint. | |||||
| CVE-2020-23356 | 1 Nibbleblog | 1 Nibbleblog | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| dmin/kernel/api/login.class.phpin in nibbleblog v3.7.1c allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters. | |||||
| CVE-2020-6309 | 1 Sap | 1 Netweaver Application Server Java | 2021-07-21 | 7.8 HIGH | 7.5 HIGH |
| SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform any authentication checks for a web service allowing the attacker to send several payloads and leading to complete denial of service. | |||||
| CVE-2020-25273 | 1 Online Bus Booking System Project | 1 Online Bus Booking System | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| In SourceCodester Online Bus Booking System 1.0, there is Authentication bypass on the Admin Login screen in admin.php via username or password SQL injection. | |||||
| CVE-2020-15506 | 1 Mobileiron | 5 Cloud, Core, Enterprise Connector and 2 more | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to bypass authentication mechanisms via unspecified vectors. | |||||
| CVE-2020-6852 | 1 Cacagoo | 2 Tv-288zd-2mp, Tv-288zd-2mp Firmware | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 has weak authentication of TELNET access, leading to root privileges without any password required. | |||||
| CVE-2020-5849 | 1 Unraid | 1 Unraid | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Unraid 6.8.0 allows authentication bypass. | |||||
| CVE-2020-1957 | 1 Apache | 1 Shiro | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. | |||||
| CVE-2020-4493 | 1 Ibm | 1 Maximo Asset Management | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Maximo Asset Management 7.6.0 and 7.6.1 could allow an attacker to bypass authentication and issue commands using a specially crafted HTTP command. IBM X-Force ID: 181995. | |||||
| CVE-2020-4282 | 1 Ibm | 1 Security Information Queue | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow an authenticated user to perform unauthorized actions by bypassing illegal character restrictions. X-Force ID: 176205. | |||||
| CVE-2020-15838 | 1 Connectwise | 1 Automate | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| The Agent Update System in ConnectWise Automate before 2020.8 allows Privilege Escalation because the _LTUPDATE folder has weak permissions. | |||||
| CVE-2020-27902 | 1 Apple | 2 Ipados, Iphone Os | 2021-07-21 | 2.1 LOW | 4.6 MEDIUM |
| An authentication issue was addressed with improved state management. This issue is fixed in iOS 14.2 and iPadOS 14.2. A person with physical access to an iOS device may be able to access stored passwords without authentication. | |||||
| CVE-2020-35962 | 1 Loopring | 1 Loopring | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| The sellTokenForLRC function in the vault protocol in the smart contract implementation for Loopring (LRC), an Ethereum token, lacks access control for fee swapping and thus allows price manipulation. | |||||
| CVE-2020-17466 | 1 Turcom | 1 Trcwifizone | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| Turcom TRCwifiZone through 2020-08-10 allows authentication bypass by visiting manage/control.php and ignoring 302 Redirect responses. | |||||
| CVE-2020-3920 | 1 Unisoon | 2 Ultralog Express, Ultralog Express Firmware | 2021-07-21 | 5.5 MEDIUM | 8.1 HIGH |
| UltraLog Express device management interface does not properly perform access authentication in some specific pages/functions. Any user can access the privileged page to manage accounts through specific system directory. | |||||
| CVE-2020-26927 | 1 Netgear | 34 Ac2100, Ac2100 Firmware, Ac2400 and 31 more | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| Certain NETGEAR devices are affected by authentication bypass. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.42, R6080 before 1.0.0.42, R6050 before 1.0.1.26, JR6150 before 1.0.1.26, R6120 before 1.0.0.66, R6220 before 1.1.0.100, R6260 before 1.1.0.66, R6700v2 before 1.2.0.62, R6800 before 1.2.0.62, R6900v2 before 1.2.0.62, AC2100 before 1.2.0.62, AC2400 before 1.2.0.62, AC2600 before 1.2.0.62, R7450 before 1.2.0.62, and WNR2020 before 1.1.0.62. | |||||
| CVE-2020-11788 | 1 Netgear | 24 D6200, D6200 Firmware, D7000 and 21 more | 2021-07-21 | 5.8 MEDIUM | 8.8 HIGH |
| Certain NETGEAR devices are affected by authentication bypass. This affects D6200 before 1.1.00.34, D7000 before 1.0.1.68, PR2000 before 1.0.0.28, R6050 before 1.0.1.18, JR6150 before 1.0.1.18, R6120 before 1.0.0.46, R6220 before 1.1.0.80, R6230 before 1.1.0.80, R6260 before 1.1.0.64, R6700v2 before 1.2.0.36, R6800 before 1.2.0.36, and R6900v2 before 1.2.0.36. | |||||
| CVE-2020-4421 | 1 Ibm | 1 Websphere Application Server | 2021-07-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allow an authenticated user using openidconnect to spoof another users identify. IBM X-Force ID: 180084. | |||||
| CVE-2020-8827 | 1 Linuxfoundation | 1 Argo Continuous Delivery | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence. | |||||
| CVE-2020-28937 | 1 Openclinic Project | 1 Openclinic | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| OpenClinic version 0.8.2 is affected by a missing authentication vulnerability that allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application, via a direct request for the /tests/ URI. | |||||
| CVE-2019-18991 | 1 Qualcomm | 6 Atheros Ar9132, Atheros Ar9132 Firmware, Atheros Ar9283 and 3 more | 2021-07-21 | 4.8 MEDIUM | 5.4 MEDIUM |
| A partial authentication bypass vulnerability exists on Atheros AR9132 3.60(AMX.8), AR9283 1.85, and AR9285 1.0.0.12NA devices. The vulnerability allows sending an unencrypted data frame to a WPA2-protected WLAN router where the packet is routed through the network. If successful, a response is sent back as an encrypted frame, which would allow an attacker to discern information or potentially modify data. | |||||
| CVE-2019-20771 | 1 Google | 1 Android | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, 7.2, 8.0, 8.1, and 9.0 software. WapService allows unconfirmed configuration changes via a modified OMACP message. The LG ID is LVE-SMP-190006 (August 2019). | |||||
| CVE-2020-27985 | 1 Securityonionsolutions | 1 Security Onion | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| Security Onion v2 prior to 2.3.10 has an incorrect sudo configuration, which allows the administrative user to obtain root access without using the sudo password by editing and executing /home/<user>/SecurityOnion/setup/so-setup. | |||||
| CVE-2019-20783 | 1 Google | 1 Android | 2021-07-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, 7.2, 8.0, and 8.1 (North America CDMA) software. The LTE protocol implementation allows a bypass of AKA (Authentication and Key Agreement). The LG ID is LVE-SMP-180014 (February 2019). | |||||
| CVE-2019-19556 | 1 Harman | 1 Hermes | 2021-07-21 | 2.1 LOW | 4.6 MEDIUM |
| An authentication bypass in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with physical access to device hardware to obtain system information. | |||||
| CVE-2020-4128 | 1 Hcltech | 1 Domino | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| HCL Domino is susceptible to a lockout policy bypass vulnerability in the ID Vault service. An unauthenticated attacker could use this vulnerability to mount a brute force attack against the ID Vault service. | |||||
| CVE-2020-11650 | 1 Ixsystems | 4 Freenas, Freenas Firmware, Truenas and 1 more | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in iXsystems FreeNAS (and TrueNAS) 11.2 before 11.2-u8 and 11.3 before 11.3-U1. It allows a denial of service. The login authentication component has no limits on the length of an authentication message or the rate at which such messages are sent. | |||||
| CVE-2020-24051 | 1 Moog | 4 Exvf5c-2, Exvf5c-2 Firmware, Exvp7c2-3 and 1 more | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| The Moog EXO Series EXVF5C-2 and EXVP7C2-3 units support the ONVIF interoperability IP-based physical security protocol, which requires authentication for some of its operations. It was found that the authentication check for those ONVIF operations can be bypassed. An attacker can abuse this issue to execute privileged operations without authentication, for instance, to create a new Administrator user. | |||||
| CVE-2019-19878 | 1 Br-automation | 1 Industrial Automation Aprol | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. An attacker can get access to historical data from AprolSqlServer by bypassing authentication, a different vulnerability than CVE-2019-16358. | |||||
| CVE-2020-25747 | 1 Rubetek | 6 Rv-3406, Rv-3406 Firmware, Rv-3409 and 3 more | 2021-07-21 | 9.0 HIGH | 9.4 CRITICAL |
| The Telnet service of Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) can allow a remote attacker to gain access to RTSP and ONFIV services without authentication. Thus, the attacker can watch live streams from the camera, rotate the camera, change some settings (brightness, clarity, time), restart the camera, or reset it to factory settings. | |||||
| CVE-2020-1813 | 1 Huawei | 2 P30, P30 Firmware | 2021-07-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| HUAWEI P30 smart phone with versions earlier than 10.1.0.135(C00E135R2P11) have an improper authentication vulnerability. Due to improper authentication of specific interface, in specific scenario attackers could access specific interface without authentication. Successful exploit could allow the attacker to perform unauthorized operations. | |||||
| CVE-2020-23512 | 1 Vr Cam | 2 P1, P1 Firmware | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| VR CAM P1 Model P1 v1 has an incorrect access control vulnerability where an attacker can obtain complete access of the device from web (remote) without authentication. | |||||
| CVE-2020-11445 | 1 Tp-link | 30 Kc200, Kc200 Firmware, Kc300s2 and 27 more | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| TP-Link cloud cameras through 2020-02-09 allow remote attackers to bypass authentication and obtain sensitive information via vectors involving a Wi-Fi session with GPS enabled, aka CNVD-2020-04855. | |||||
| CVE-2020-11673 | 1 Total-soft | 1 Responsive Poll | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the Responsive Poll through 1.3.4 for Wordpress. It allows an unauthenticated user to manipulate polls, e.g., delete, clone, or view a hidden poll. This is due to the usage of the callback wp_ajax_nopriv function in Includes/Total-Soft-Poll-Ajax.php for sensitive operations. | |||||
| CVE-2020-11532 | 1 Zohocorp | 2 Manageengine Adaudit Plus, Manageengine Datasecurity Plus | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of admin user. | |||||
| CVE-2020-13638 | 1 Rconfig | 1 Rconfig | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7. | |||||
| CVE-2019-10562 | 1 Qualcomm | 56 Ipq6018, Ipq6018 Firmware, Kamorta and 53 more | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| u'Improper authentication and signature verification of debug polices in secure boot loader will allow unverified debug policies to be loaded into secure memory and leads to memory corruption' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in IPQ6018, Kamorta, MSM8998, Nicobar, QCS404, QCS605, QCS610, Rennell, SA415M, SA6155P, SC7180, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 | |||||
| CVE-2020-11551 | 1 Netgear | 6 Rbs50y, Rbs50y Firmware, Srr60 and 3 more | 2021-07-21 | 5.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on NETGEAR Orbi Tri-Band Business WiFi Add-on Satellite (SRS60) AC3000 V2.5.1.106, Outdoor Satellite (RBS50Y) V2.5.1.106, and Pro Tri-Band Business WiFi Router (SRR60) AC3000 V2.5.1.106. The administrative SOAP interface allows an unauthenticated remote write of arbitrary Wi-Fi configuration data such as authentication details (e.g., the Web-admin password), network settings, DNS settings, system administration interface configuration, etc. | |||||
| CVE-2019-18989 | 1 Mediatek | 2 Mt7620n, Mt7620n Firmware | 2021-07-21 | 4.8 MEDIUM | 5.4 MEDIUM |
| A partial authentication bypass vulnerability exists on Mediatek MT7620N 1.06 devices. The vulnerability allows sending an unencrypted data frame to a WPA2-protected WLAN router where the packet is routed through the network. If successful, a response is sent back as an encrypted frame, which would allow an attacker to discern information or potentially modify data. | |||||
| CVE-2020-28333 | 1 Barco | 2 Wepresent Wipg-1600w, Wepresent Wipg-1600w Firmware | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| Barco wePresent WiPG-1600W devices allow Authentication Bypass. Affected Version(s): 2.5.1.8. The Barco wePresent WiPG-1600W web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a "SEID" token that is appended to the end of URLs in GET requests. Thus the "SEID" would be exposed in web proxy logs and browser history. An attacker that is able to capture the "SEID" and originate requests from the same IP address (via a NAT device or web proxy) would be able to access the user interface of the device without having to know the credentials. | |||||
| CVE-2020-0943 | 1 Microsoft | 1 Your Phone Companion | 2021-07-21 | 2.1 LOW | 4.6 MEDIUM |
| An authentication bypass vulnerability exists in Microsoft YourPhoneCompanion application for Android, in the way the application processes notifications generated by work profiles.This could allow an unauthenticated attacker to view notifications, aka 'Microsoft YourPhone Application for Android Authentication Bypass Vulnerability'. | |||||
| CVE-2020-10570 | 1 Telegram | 1 Telegram | 2021-07-21 | 3.6 LOW | 6.1 MEDIUM |
| The Telegram application through 5.12 for Android, when Show Popup is enabled, might allow physically proximate attackers to bypass intended restrictions on message reading and message replying. This might be interpreted as a bypass of the passcode feature. | |||||
| CVE-2020-14245 | 1 Hcltechsw | 1 Onetest Performance | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| HCL OneTest UI V9.5, V10.0, and V10.1 does not perform authentication for functionality that either requires a provable user identity or consumes a significant amount of resources. | |||||
| CVE-2020-29379 | 1 Vsolcn | 4 V1600d-mini, V1600d-mini Firmware, V1600d4l and 1 more | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered on V-SOL V1600D4L V1.01.49 and V1600D-MINI V1.01.48 OLT devices. During the process of updating the firmware, the update script starts a telnetd -l /bin/sh process that does not require authentication for TELNET access. | |||||