Total: 2785 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11015 | 1 Miui | 1 Miui | 2020-08-24 | 2.1 LOW | 6.8 MEDIUM |
| A vulnerability was found in the MIUI OS version 10.1.3.0 that allows a physically proximate attacker to bypass Lockscreen based authentication via the Wallpaper Carousel application to obtain sensitive Clipboard data and the user's stored credentials (partially). This occurs because of paste access to a social media login page. | |||||
| CVE-2018-14868 | 1 Odoo | 1 Odoo | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Incorrect access control in the Password Encryption module in Odoo Community 9.0 and Odoo Enterprise 9.0 allows authenticated users to change the password of other users without knowing their current password via a crafted RPC call. | |||||
| CVE-2019-11232 | 1 Eic | 1 Biyan | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| EXCELLENT INFOTEK BiYan v1.57 ~ v2.8 allows an attacker to leak user information (Password) without being authenticated, by sending an EMP_NO element to the kws_login/asp/query_user.asp URI, and then reading the PWD element. | |||||
| CVE-2018-7213 | 1 Abine | 1 Blur | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| The Password Manager Extension in Abine Blur 7.8.242* before 7.8.2428 allows attackers to bypass the Multi-Factor Authentication and macOS disk-encryption protection mechanisms, and consequently exfiltrate secured data, because the right-click context menu is not secured. | |||||
| CVE-2018-7034 | 1 Trendnet | 6 Tew-751dr, Tew-751dr Firmware, Tew-752dru and 3 more | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| TRENDnet TEW-751DR v1.03B03, TEW-752DRU v1.03B01, and TEW733GR v1.03B01 devices allow authentication bypass via an AUTHORIZED_GROUP=1 value, as demonstrated by a request for getcfg.php. | |||||
| CVE-2019-5909 | 1 Yokogawa | 4 B/m 9000 Vp, Centum Vp, Prm and 1 more | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| License Manager Service of YOKOGAWA products (CENTUM VP (R5.01.00 - R6.06.00), CENTUM VP Entry Class (R5.01.00 - R6.06.00), ProSafe-RS (R3.01.00 - R4.04.00), PRM (R4.01.00 - R4.02.00), B/M9000 VP(R7.01.01 - R8.02.03)) allows remote attackers to bypass access restriction to send malicious files to the PC where License Manager Service runs via unspecified vectors. | |||||
| CVE-2019-5679 | 2 Google, Nvidia | 2 Android, Shield Experience | 2020-08-24 | 7.2 HIGH | 7.8 HIGH |
| In NVIDIA Shield TV Experience prior to v8.0, the NVIDIA Tegra bootloader contains a vulnerability in nvtboot where the Trusted OS image is improperly authenticated, which may lead to code execution, denial of service, escalation of privileges, and information disclosure. | |||||
| CVE-2019-16649 | 1 Supermicro | 672 A1sa2-2750f, A1sa2-2750f Firmware, A1sai-2550f and 669 more | 2020-08-24 | 5.0 MEDIUM | 10.0 CRITICAL |
| On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC. | |||||
| CVE-2019-6441 | 1 Coship | 8 Rt3050, Rt3050 Firmware, Rt3052 and 5 more | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Shenzhen Coship RT3050 4.0.0.40, RT3052 4.0.0.48, RT7620 10.0.0.49, WM3300 5.0.0.54, and WM3300 5.0.0.55 devices. The password reset functionality of the router doesn't have backend validation for the current password and doesn't require any type of authentication. By making a POST request to the apply.cgi file of the router, the attacker can change the admin username and password of the router. | |||||
| CVE-2019-3997 | 1 Simplisafe | 2 Ss3, Ss3 Firmware | 2020-08-24 | 2.1 LOW | 4.6 MEDIUM |
| Authentication bypass using an alternate path or channel in SimpliSafe SS3 firmware 1.0-1.3 allows a local, unauthenticated attacker to pair a rogue keypad to an armed system. | |||||
| CVE-2018-6011 | 1 Rainmachine | 2 Mini-8, Mini-8 Firmware | 2020-08-24 | 6.8 MEDIUM | 8.1 HIGH |
| The time-based one-time-password (TOTP) function in the application logic of the Green Electronics RainMachine Mini-8 (2nd generation) uses the administrator's password hash to generate a 6-digit temporary passcode that can be used for remote and local access, aka a "Use of Password Hash Instead of Password for Authentication" issue. This is exploitable by an attacker who discovers a hash value in the rainmachine-settings.sqlite file. | |||||
| CVE-2018-12013 | 1 Qualcomm | 50 Mdm9206, Mdm9206 Firmware, Mdm9607 and 47 more | 2020-08-24 | 7.2 HIGH | 7.8 HIGH |
| Improper authentication in locked memory region can lead to unprivileged access to the memory in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9206, MDM9607, MDM9650, MDM9655, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 615/16/SD 415, SD 636, SD 712 / SD 710 / SD 670, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM630, SDM660, SXR1130 | |||||
| CVE-2019-3584 | 1 Mcafee | 1 Mvision Endpoint | 2020-08-24 | 3.6 LOW | 6.0 MEDIUM |
| Exploitation of Authentication vulnerability in MVision Endpoint in McAfee MVision Endpoint prior to 1811 Update 1 (18.11.31.62) allows authenticated administrators to remove MVision Endpoint via unspecified vectors. | |||||
| CVE-2019-3654 | 2 Mcafee, Microsoft | 2 Client Proxy, Windows | 2020-08-24 | 6.8 MEDIUM | 8.6 HIGH |
| Authentication Bypass vulnerability in the Microsoft Windows client in McAfee Client Proxy (MCP) prior to 3.0.0 allows a local user to bypass scanning of web traffic and gain access to blocked sites for a short period of time by generating an authorization key on the client which should only be generated by the network administrator. | |||||
| CVE-2019-19006 | 1 Sangoma | 1 Freepbx | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control. | |||||
| CVE-2018-2483 | 1 Sap | 1 Businessobjects Business Intelligence | 2020-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| HTTP Verb Tampering is possible in SAP BusinessObjects Business Intelligence Platform, versions 4.1 and 4.2, Central Management Console (CMC) by changing request method. | |||||
| CVE-2019-18661 | 1 Fastweb | 2 Fastgate, Fastgate Firmware | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Fastweb FASTGate 1.0.1b devices allow partial authentication bypass by changing a certain check_pwd return value from 0 to 1. An attack does not achieve administrative control of a device; however, the attacker can view all of the web pages of the administration console. | |||||
| CVE-2018-20954 | 1 Mailpile | 1 Mailpile | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| The "Security and Privacy" Encryption feature in Mailpile before 1.0.0rc4 does not exclude disabled, revoked, and expired keys. | |||||
| CVE-2019-11081 | 1 Dentsplysirona | 1 Sidexis | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| A default username and password in Dentsply Sirona Sidexis 4.3.1 and earlier allows an attacker to gain administrative access to the application server. | |||||
| CVE-2019-12564 | 1 Douco | 1 Douphp | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| In DouCo DouPHP v1.5 Release 20190516, remote attackers can view the database backup file via a brute-force guessing approach for data/backup/DyyyymmddThhmmss.sql filenames. | |||||
| CVE-2019-15897 | 1 Thinkparq | 1 Beegfs | 2020-08-24 | 8.3 HIGH | 9.6 CRITICAL |
| beegfs-ctl in ThinkParQ BeeGFS through 7.1.3 allows Authentication Bypass via communication with a BeeGFS metadata server (which is typically not exposed to external networks). | |||||
| CVE-2019-12845 | 1 Jetbrains | 1 Teamcity | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts. The issue was fixed in JetBrains TeamCity 2018.2.3. | |||||
| CVE-2020-9233 | 1 Huawei | 1 Fusioncompute | 2020-08-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| FusionCompute 8.0.0 has an insufficient authentication vulnerability. An attacker may exploit the vulnerability to delete some files and cause some services to behave abnormally. | |||||
| CVE-2020-8206 | 1 Pulsesecure | 2 Pulse Connect Secure, Pulse Policy Secure | 2020-08-20 | 6.8 MEDIUM | 8.1 HIGH |
| An improper authentication vulnerability exists in Pulse Connect Secure <9.1RB that allows an attacker with a user's primary credentials to bypass the Google TOTP. | |||||
| CVE-2018-15751 | 1 Saltstack | 1 Salt | 2020-08-20 | 7.5 HIGH | 9.8 CRITICAL |
| SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi). | |||||
| CVE-2020-8685 | 1 Intel | 1 Led Manager For Nuc | 2020-08-19 | 2.1 LOW | 4.4 MEDIUM |
| Improper authentication in subsystem for Intel(R) LED Manager for NUC before version 1.2.3 may allow a privileged user to potentially enable denial of service via local access. | |||||
| CVE-2020-8714 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-19 | 4.6 MEDIUM | 7.8 HIGH |
| Improper authentication for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2020-8713 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-19 | 5.8 MEDIUM | 8.8 HIGH |
| Improper authentication for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | |||||
| CVE-2020-8709 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-19 | 5.8 MEDIUM | 8.8 HIGH |
| Improper authentication in socket services for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.45 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | |||||
| CVE-2020-8708 | 1 Intel | 153 Compute Module Hns2600bp Firmware, Compute Module Hns2600bpb, Compute Module Hns2600bpb24 and 150 more | 2020-08-19 | 5.8 MEDIUM | 8.8 HIGH |
| Improper authentication for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | |||||
| CVE-2017-12160 | 1 Redhat | 1 Keycloak | 2020-08-19 | 6.5 MEDIUM | 7.2 HIGH |
| It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. | |||||
| CVE-2019-16201 | 2 Debian, Ruby-lang | 2 Debian Linux, Ruby | 2020-08-16 | 7.8 HIGH | 7.5 HIGH |
| WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network. | |||||
| CVE-2020-4662 | 1 Ibm | 1 Event Streams | 2020-08-14 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Event Streams 10.0.0 could allow an authenticated user to perform tasks to a schema due to improper authentication validation. IBM X-Force ID: 186233. | |||||
| CVE-2020-5608 | 1 Yokogawa | 8 B/m9000cs, B/m9000cs Firmware, B/m9000vp and 5 more | 2020-08-12 | 7.5 HIGH | 9.8 CRITICAL |
| CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to bypass authentication and send altered communication packets via unspecified vectors. | |||||
| CVE-2020-13292 | 1 Gitlab | 1 Gitlab | 2020-08-11 | 5.5 MEDIUM | 9.6 CRITICAL |
| In GitLab before 13.0.12, 13.1.6 and 13.2.3, it is possible to bypass E-mail verification which is required for OAuth Flow. | |||||
| CVE-2020-5384 | 1 Rsa | 1 Multifactor Authentication Agent | 2020-08-11 | 7.2 HIGH | 8.4 HIGH |
| RSA MFA Agent 2.0 for Microsoft Windows contains an Authentication Bypass vulnerability. A local unauthenticated attacker could potentially exploit this vulnerability by using an alternate path to bypass authentication in order to gain full access to the system. | |||||
| CVE-2020-15055 | 1 Tp-link | 2 Tl-ps310u, Tl-ps310u Firmware | 2020-08-09 | 8.3 HIGH | 8.8 HIGH |
| TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter. | |||||
| CVE-2020-15059 | 1 Lindy-international | 2 42633, 42633 Firmware | 2020-08-09 | 8.3 HIGH | 8.8 HIGH |
| Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter. | |||||
| CVE-2020-15063 | 1 Digitus | 2 Da-70254, Da-70254 Firmware | 2020-08-09 | 8.3 HIGH | 8.8 HIGH |
| DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter. | |||||
| CVE-2020-5616 | 8 Calendar01 Project, Calendar02 Project, Calendarform01 Project and 5 more | 8 Calendar01, Calendar02, Calendarform01 and 5 more | 2020-08-06 | 7.5 HIGH | 9.8 CRITICAL |
| [Calendar01] free edition ver1.0.0, [Calendar02] free edition ver1.0.0, [PKOBO-News01] free edition ver1.0.3 and earlier, [PKOBO-vote01] free edition ver1.0.1 and earlier, [Telop01] free edition ver1.0.0, [Gallery01] free edition ver1.0.3 and earlier, [CalendarForm01] free edition ver1.0.3 and earlier, and [Link01] free edition ver1.0.0 allow remote attackers to bypass authentication and log in to the product with administrative privileges via unspecified vectors. | |||||
| CVE-2017-1000068 | 1 Betterment | 1 Testtrack | 2020-08-05 | 5.0 MEDIUM | 7.5 HIGH |
| TestTrack Server versions 1.0 and earlier are vulnerable to an authentication flaw in the split disablement feature resulting in the ability to disable arbitrary running splits and cause denial of service to clients in the field. | |||||
| CVE-2020-14158 | 1 Abus | 2 Secvest Hybrid Fumo50110, Secvest Hybrid Fumo50110 Firmware | 2020-08-05 | 6.4 MEDIUM | 9.1 CRITICAL |
| The ABUS Secvest FUMO50110 hybrid module does not have any security mechanism that ensures confidentiality or integrity of RF packets that are exchanged with an alarm panel. This makes it easier to conduct wAppLoxx authentication-bypass attacks. | |||||
| CVE-2019-20027 | 1 Nec | 8 Sl1100, Sl1100 Firmware, Sl2100 and 5 more | 2020-08-04 | 7.5 HIGH | 9.8 CRITICAL |
| Aspire-derived NEC PBXes, including the SV8100, SV9100, SL1100 and SL2100 with software releases 7.0 or higher, can, if incorrectly configured, accept a blank username and password combination as a valid, successfully authenticating account. | |||||
| CVE-2020-8108 | 1 Bitdefender | 1 Endpoint Security | 2020-08-04 | 4.6 MEDIUM | 8.8 HIGH |
| Improper Authentication vulnerability in Bitdefender Endpoint Security for Mac allows an unprivileged process to restart the main service and potentially inject third-party code into a trusted process. This issue affects: Bitdefender Endpoint Security for Mac versions prior to 4.12.80. | |||||
| CVE-2013-0759 | 5 Canonical, Mozilla, Opensuse and 2 more | 15 Ubuntu Linux, Firefox, Firefox Esr and 12 more | 2020-08-04 | 5.0 MEDIUM | N/A |
| Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allow remote attackers to spoof the address bar via vectors involving authentication information in the userinfo field of a URL, in conjunction with a 204 (aka No Content) HTTP status code. | |||||
| CVE-2020-8207 | 1 Citrix | 1 Workspace | 2020-07-29 | 6.0 MEDIUM | 8.8 HIGH |
| Improper access control in Citrix Workspace app for Windows 1912 CU1 and 2006.1 causes privilege escalation and code execution when the automatic updater service is running. | |||||
| CVE-2020-10918 | 1 Automationdirect | 13 C-more Hmi Ea9 Firmware, Ea9-pgmsw, Ea9-rhmi and 10 more | 2020-07-28 | 5.0 MEDIUM | 7.5 HIGH |
| This vulnerability allows remote attackers to bypass authentication on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authentication mechanism. The issue is due to insufficient authentication on post-authentication requests. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from unauthenticated users. Was ZDI-CAN-10182. | |||||
| CVE-2020-15896 | 1 Dlink | 2 Dap-1522, Dap-1522 Firmware | 2020-07-27 | 5.0 MEDIUM | 7.5 HIGH |
| An authentication-bypass issue was discovered on D-Link DAP-1522 devices 1.4x before 1.10b04Beta02. There exist a few pages that are directly accessible by any unauthorized user, e.g., logout.php and login.php. This occurs because of checking the value of NO_NEED_AUTH. If the value of NO_NEED_AUTH is 1, the user has direct access to the webpage without any authentication. By appending a query string NO_NEED_AUTH with the value of 1 to any protected URL, any unauthorized user can access the application directly, as demonstrated by bsc_lan.php?NO_NEED_AUTH=1. | |||||
| CVE-2020-6871 | 1 Zte | 6 R5300g4, R5300g4 Firmware, R5500g4 and 3 more | 2020-07-24 | 7.5 HIGH | 9.8 CRITICAL |
| The server management software module of ZTE has an authentication issue vulnerability, which allows users to skip the authentication of the server and execute some commands for high-level users. This affects: <R5300G4V03.08.0100/V03.07.0300/V03.07.0200/V03.07.0108/V03.07.0100/V03.05.0047/V03.05.0046/V03.05.0045/V03.05.0044/V03.05.0043/V03.05.0040/V03.04.0020;R8500G4V03.07.0103/V03.07.0101/V03.06.0100/V03.05.0400/V03.05.0020;R5500G4V03.08.0100/V03.07.0200/V03.07.0100/V03.06.0100> | |||||
| CVE-2020-15027 | 1 Connectwise | 1 Automate | 2020-07-24 | 7.5 HIGH | 9.8 CRITICAL |
| ConnectWise Automate through 2020.x has insufficient validation on certain authentication paths, allowing authentication bypass via a series of attempts. This was patched in 2020.7 and in a hotfix for 2019.12. | |||||
