Total: 2785 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-29012 | 1 Dmasoftlab | 1 Dma Radius Manager | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| DMA Softlab Radius Manager 4.4.0 assigns the same session cookie to every admin session. The cookie is valid when the admin is logged in, but is invalid (temporarily) during times when the admin is logged out. In other words, the cookie is functionally equivalent to a static password, and thus provides permanent access if stolen. | |||||
| CVE-2020-19111 | 1 Projectworlds | 1 Online Book Store Project In Php | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Incorrect Access Control vulnerability in Online Book Store v1.0 via admin_verify.php, which could let a remote malicious user bypass authentication and obtain sensitive information. | |||||
| CVE-2021-27734 | 1 Belden | 2 Hirschmann Hios, Hisecos | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Hirschmann HiOS 07.1.01, 07.1.02, and 08.1.00 through 08.5.xx and HiSecOS 03.3.00 through 03.5.01 allow remote attackers to change the credentials of existing users. | |||||
| CVE-2021-38376 | 1 Open-xchange | 1 Ox App Suite | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| OX App Suite through 7.10.5 has Incorrect Access Control for retrieval of session information via the rampup action of the login API call. | |||||
| CVE-2021-21502 | 1 Dell | 1 Emc Powerscale Onefs | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Dell PowerScale OneFS versions 8.1.0 – 9.1.0 contain a "use of SSH key past account expiration" vulnerability. A user on the network with the ISI_PRIV_AUTH_SSH RBAC privilege that has an expired account may potentially exploit this vulnerability, giving them access to the same things they had before account expiration. This may be a highly privileged account and hence Dell recommends customers upgrade at the earliest opportunity. | |||||
| CVE-2021-38299 | 1 Spomky-labs | 1 Webauthn Framwork | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to log in to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence. | |||||
| CVE-2021-31602 | 1 Hitachi | 2 Vantara Pentaho, Vantara Pentaho Business Intelligence Server | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials. | |||||
| CVE-2021-20161 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2022-07-12 | 7.2 HIGH | 6.8 MEDIUM |
| Trendnet AC2600 TEW-827DRU version 2.08B01 does not have sufficient protections for the UART functionality. A malicious actor with physical access to the device is able to connect to the UART port via a serial connection. No username or password is required and the user is given a root shell with full control of the device. | |||||
| CVE-2020-16839 | 1 Crestron | 6 Dm-nvx-dir-160, Dm-nvx-dir-160 Firmware, Dm-nvx-dir-80 and 3 more | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| On Crestron DM-NVX-DIR, DM-NVX-DIR80, and DM-NVX-ENT devices before the DM-XIO/1-0-3-802 patch, the password can be changed by sending an unauthenticated WebSocket request. | |||||
| CVE-2021-35943 | 1 Couchbase | 1 Couchbase Server | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using an empty password, per RFC4513. | |||||
| CVE-2021-44937 | 1 Glfusion | 1 Glfusion | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| glFusion CMS v1.7.9 is affected by an arbitrary user registration vulnerability in /public_html/users.php. An attacker can register with the mailbox of any user. When users want to register, they will find that the mailbox has been occupied. | |||||
| CVE-2021-42837 | 1 Talend | 1 Data Catalog | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Talend Data Catalog before 7.3-20210930. After setting up SAML/OAuth, authentication is not correctly enforced on the native login page. Any valid user from the SAML/OAuth provider can be used as the username with an arbitrary password, and login will succeed. | |||||
| CVE-2021-31924 | 2 Fedoraproject, Yubico | 2 Fedora, Pam-u2f | 2022-07-12 | 4.6 MEDIUM | 6.8 MEDIUM |
| Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another enrolled authenticator. If pam-u2f is configured to require PIN authentication, and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to perform a FIDO2 authentication without PIN. If this authentication is successful, the PIN requirement is bypassed. | |||||
| CVE-2021-20092 | 1 Buffalo | 4 Wsr-2533dhp3-bk, Wsr-2533dhp3-bk Firmware, Wsr-2533dhpl2-bk and 1 more | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor. | |||||
| CVE-2021-37417 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2022-07-12 | 5.0 MEDIUM | 9.8 CRITICAL |
| Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation. | |||||
| CVE-2021-20168 | 1 Netgear | 2 Rax43, Rax43 Firmware | 2022-07-12 | 7.2 HIGH | 6.8 MEDIUM |
| Netgear RAX43 version 1.0.3.96 does not have sufficient protections to the UART interface. A malicious actor with physical access to the device is able to connect to the UART port via a serial connection, log in with default credentials, and execute commands as the root user. These default credentials are admin:admin. | |||||
| CVE-2021-45389 | 1 Starwind | 2 Command Center, San&nas | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| StarWind SAN & NAS build 1578 and StarWind Command Center Build 6864 Update Manager allow authentication with a JWT token that is signed with any key. An attacker could use a self-signed JWT token to bypass authentication, resulting in escalation of privileges. | |||||
| CVE-2022-23725 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2022-07-12 | 2.1 LOW | 5.5 MEDIUM |
| PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances. | |||||
| CVE-2022-23719 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2022-07-11 | 6.9 MEDIUM | 6.4 MEDIUM |
| PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine may be able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication. | |||||
| CVE-2022-1955 | 1 Opft | 1 Session | 2022-07-11 | 2.1 LOW | 4.6 MEDIUM |
| Session 1.13.0 allows an attacker with physical access to the victim's device to bypass the application's password/pin lock to access user data. This is possible due to lack of adequate security controls to prevent dynamic code manipulation. | |||||
| CVE-2020-24987 | 1 Tendacn | 2 Ac18, Ac18 Firmware | 2022-07-10 | 6.8 MEDIUM | 9.8 CRITICAL |
| Tenda AC18 Router through V15.03.05.05_EN and through V15.03.05.19(6318) CN devices could cause a remote code execution due to incorrect authentication handling of vulnerable logincheck() function in /usr/lib/lua/ngx_authserver/ngx_wdas.lua file if the administrator UI Interface is set to "radius". | |||||
| CVE-2020-23058 | 1 File Explorer Project | 1 File Explorer | 2022-07-10 | 2.1 LOW | 4.6 MEDIUM |
| An issue in the authentication mechanism in Nong Ge File Explorer v1.4 allows unauthenticated users to access sensitive data. | |||||
| CVE-2021-1561 | 1 Cisco | 1 Secure Email And Web Manager | 2022-07-08 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability in the spam quarantine feature of Cisco Secure Email and Web Manager, formerly Cisco Security Management Appliance (SMA), could allow an authenticated, remote attacker to gain unauthorized access and modify the spam quarantine settings of another user. This vulnerability exists because access to the spam quarantine feature is not properly restricted. An attacker could exploit this vulnerability by sending malicious requests to an affected system. A successful exploit could allow the attacker to modify another user's spam quarantine settings, possibly disabling security controls or viewing email messages stored on the spam quarantine interfaces. | |||||
| CVE-2022-31463 | 1 Owllabs | 2 Meeting Owl Pro, Meeting Owl Pro Firmware | 2022-07-08 | 4.3 MEDIUM | 7.1 HIGH |
| Owl Labs Meeting Owl 5.2.0.15 does not require a password for Bluetooth commands, because only client-side authentication is used. | |||||
| CVE-2022-29858 | 1 Silverstripe | 1 Assets | 2022-07-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content. | |||||
| CVE-2022-33202 | 1 Softcreate | 1 L2blocker | 2022-07-07 | 4.8 MEDIUM | 8.1 HIGH |
| Authentication bypass vulnerability in the setup screen of L2Blocker(on-premise) Ver4.8.5 and earlier and L2Blocker(Cloud) Ver4.8.5 and earlier allows an adjacent attacker to perform an unauthorized login and obtain the stored information or cause a malfunction of the device by using alternative paths or channels for Sensor. | |||||
| CVE-2022-29578 | 1 Meridian | 1 Meridian | 2022-07-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| Meridian Cooperative Utility Software versions 22.02 and 22.03 allows remote attackers to obtain sensitive information such as name, address, and daily energy usage. | |||||
| CVE-2021-32691 | 1 Apollosapp | 1 Data-connector-rock | 2022-07-02 | 7.5 HIGH | 9.8 CRITICAL |
| Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within the app, as well as any authenticated links to Rock-based webpages (such as giving and events). There is a patch in version 2.20.0. As a workaround, one can patch one's server by overriding the `create` data source method on the `People` class. | |||||
| CVE-2021-32967 | 1 Deltaww | 1 Diaenergie | 2022-07-02 | 10.0 HIGH | 9.8 CRITICAL |
| Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges. | |||||
| CVE-2021-37172 | 1 Siemens | 10 Cpu 1211c, Cpu 1212c, Cpu 1212fc and 7 more | 2022-07-01 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (V4.5.0). Affected devices fail to authenticate against configured passwords when provisioned using TIA Portal V13. This could allow an attacker using TIA Portal V13 or later versions to bypass authentication and download arbitrary programs to the PLC. The vulnerability does not occur when TIA Portal V13 SP1 or any later version was used to provision the device. | |||||
| CVE-2021-36368 | 2 Debian, Openbsd | 2 Debian Linux, Openssh | 2022-07-01 | 2.6 LOW | 3.7 LOW |
| ** DISPUTED ** An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed." | |||||
| CVE-2020-7297 | 1 Mcafee | 1 Web Gateway | 2022-07-01 | 2.7 LOW | 5.7 MEDIUM |
| Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows an authenticated user interface user to access protected dashboard data via improper access control in the user interface. | |||||
| CVE-2021-41638 | 1 Melag | 1 Ftp Server | 2022-07-01 | 5.0 MEDIUM | 7.5 HIGH |
| The authentication checks of the MELAG FTP Server in version 2.2.0.4 are incomplete, which allows a remote attacker to access local files only by using a valid username. | |||||
| CVE-2020-25251 | 1 Hyland | 1 Onbase | 2022-06-30 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client-side authentication is used for critical functions such as adding users or retrieving sensitive information. | |||||
| CVE-2021-26638 | 1 Xisnd | 1 S&d Smarthome | 2022-06-30 | 10.0 HIGH | 9.8 CRITICAL |
| Improper Authentication vulnerability in S&D smarthome(smartcare) application can cause authentication bypass and information exposure. Remote attackers can use this vulnerability to take control of the home environment including indoor control. | |||||
| CVE-2020-36548 | 1 Ge | 2 Voluson S8, Voluson S8 Firmware | 2022-06-30 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability classified as problematic has been found in GE Voluson S8. Affected is the file /uscgi-bin/users.cgi of the Service Browser. The manipulation leads to improper authentication and elevated access possibilities. It is possible to launch the attack on the local host. | |||||
| CVE-2021-26637 | 1 Shinasys | 6 Sihas Acm-300, Sihas Acm-300 Firmware, Sihas Gcm-300 and 3 more | 2022-06-29 | 7.5 HIGH | 9.8 CRITICAL |
| There is no account authentication and permission check logic in the firmware and existing apps of SiHAS's SGW-300, ACM-300, GCM-300, so unauthorized users can remotely control the device. | |||||
| CVE-2022-31083 | 1 Parseplatform | 1 Parse-server | 2022-06-29 | 5.0 MEDIUM | 7.5 HIGH |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth adapter is not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object. Versions 4.0.11 and 5.2.2 prevent this by introducing a new `rootCertificateUrl` property to the Parse Server Apple Game Center auth adapter which takes the URL to the root certificate of Apple's Game Center authentication certificate. If no value is set, the `rootCertificateUrl` property defaults to the URL of the current root certificate as of May 27, 2022. Keep in mind that the root certificate can change at any time and that it is the developer's responsibility to keep the root certificate URL up-to-date when using the Parse Server Apple Game Center auth adapter. There are no known workarounds for this issue. | |||||
| CVE-2018-25043 | 1 Bittorrent | 1 Utorrent | 2022-06-29 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability classified as critical was found in uTorrent. This vulnerability affects unknown code of the component PRNG. The manipulation leads to weak authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | |||||
| CVE-2022-33139 | 1 Siemens | 1 Wincc Open Architecture | 2022-06-29 | 6.8 MEDIUM | 9.8 CRITICAL |
| A vulnerability has been identified in SIMATIC WinCC OA V3.16 (All versions in default configuration), SIMATIC WinCC OA V3.17 (All versions in non-default configuration), SIMATIC WinCC OA V3.18 (All versions in non-default configuration). Affected applications use client-side only authentication, when neither server-side authentication (SSA) nor Kerberos authentication is enabled. In this configuration, attackers could impersonate other users or exploit the client-server protocol without being authenticated. | |||||
| CVE-2022-29775 | 1 Ispyconnect | 1 Ispy | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
| iSpyConnect iSpy v7.2.2.0 allows attackers to bypass authentication via a crafted URL. | |||||
| CVE-2018-18907 | 1 Dlink | 2 Dir-850l, Dir-850l Firmare | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on D-Link DIR-850L 1.21WW devices. A partially completed WPA handshake is sufficient for obtaining full access to the wireless network. A client can access the network by sending packets on Data Frames to the AP without encryption. | |||||
| CVE-2022-33750 | 1 Broadcom | 1 Ca Automic Automation | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
| CA Automic Automation 12.2 and 12.3 contain an authentication error vulnerability in the Automic agent that could allow a remote attacker to potentially execute arbitrary commands. | |||||
| CVE-2022-32276 | 1 Grafana | 1 Grafana | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. NOTE: the vendor considers this a UI bug, not a vulnerability. | |||||
| CVE-2022-29865 | 1 Opcfoundation | 1 Ua .net Standard Stack | 2022-06-27 | 5.0 MEDIUM | 7.5 HIGH |
| OPC UA .NET Standard Stack allows a remote attacker to bypass the application authentication check via crafted fake credentials. | |||||
| CVE-2022-20798 | 1 Cisco | 2 Email Security Appliance, Secure Email And Web Manager | 2022-06-27 | 6.8 MEDIUM | 9.8 CRITICAL |
| A vulnerability in the external authentication functionality of Cisco Secure Email and Web Manager, formerly known as Cisco Security Management Appliance (SMA), and Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass authentication and log in to the web management interface of an affected device. This vulnerability is due to improper authentication checks when an affected device uses Lightweight Directory Access Protocol (LDAP) for external authentication. An attacker could exploit this vulnerability by entering a specific input on the login page of the affected device. A successful exploit could allow the attacker to gain unauthorized access to the web-based management interface of the affected device. | |||||
| CVE-2022-20733 | 1 Cisco | 1 Identity Services Engine | 2022-06-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| A vulnerability in the login page of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to log in without credentials and access all roles without any restrictions. This vulnerability is due to exposed sensitive Security Assertion Markup Language (SAML) metadata. An attacker could exploit this vulnerability by using the exposed SAML metadata to bypass authentication to the user portal. A successful exploit could allow the attacker to access all roles without any restrictions. | |||||
| CVE-2022-21935 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2022-06-24 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change. | |||||
| CVE-2017-20050 | 1 Axis | 12 M3005, M3005 Firmware, M3007 and 9 more | 2022-06-24 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability has been found in AXIS P1204, P3225, P3367, M3045, M3005 and M3007 and classified as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation leads to improper access controls. The attack can be initiated remotely. It is recommended to upgrade the affected component. | |||||
| CVE-2022-30229 | 1 Siemens | 1 Sicam Gridedge Essential | 2022-06-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions < V2.6.6), SICAM GridEdge Essential Intel (All versions < V2.6.6), SICAM GridEdge Essential with GDS ARM (All versions < V2.6.6), SICAM GridEdge Essential with GDS Intel (All versions < V2.6.6). The affected software does not require authenticated access for privileged functions. This could allow an unauthenticated attacker to change data of a user, such as credentials, in case that user's id is known. | |||||
