Search
Total
634 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12017 | 1 Ge | 6 Rt430, Rt430 Firmware, Rt431 and 3 more | 2020-06-08 | 9.0 HIGH | 9.8 CRITICAL |
| GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmware versions prior to 08A05. The device’s vulnerability in the web application could allow multiple unauthenticated attacks that could cause serious impact. The vulnerability may allow an unauthenticated attacker to execute arbitrary commands and send a request to a specific URL that could cause the device to become unresponsive. The unauthenticated attacker may change the password of the 'configuration' user account, allowing the attacker to modify the configuration of the device via the web interface using the new password. This vulnerability may also allow an unauthenticated attacker to bypass the authentication required to configure the device and reboot the system. | |||||
| CVE-2017-3209 | 2 Busybox, Dbpower | 3 Busybox, U818a, U818a Firmware | 2020-05-28 | 4.8 MEDIUM | 8.1 HIGH |
| The DBPOWER U818A WIFI quadcopter drone provides FTP access over its own local access point, and allows full file permissions to the anonymous user. The DBPower U818A WIFI quadcopter drone runs an FTP server that by default allows anonymous access without a password, and provides full filesystem read/write permissions to the anonymous user. A remote user within range of the open access point on the drone may utilize the anonymous user of the FTP server to read arbitrary files, such as images and video recorded by the device, or to replace system files such as /etc/shadow to gain further access to the device. Furthermore, the DBPOWER U818A WIFI quadcopter drone uses BusyBox 1.20.2, which was released in 2012, and may be vulnerable to other known BusyBox vulnerabilities. | |||||
| CVE-2009-1780 | 1 Frax | 1 Php Recommend | 2020-05-20 | 7.5 HIGH | N/A |
| admin.php in Frax.dk Php Recommend 1.3 and earlier does not require authentication when the user password is changed, which allows remote attackers to gain administrative privileges via modified form_admin_user and form_admin_pass parameters. | |||||
| CVE-2020-9473 | 1 Siedle | 2 Sg 150-0, Sg 150-0 Firmware | 2020-05-14 | 8.5 HIGH | 6.6 MEDIUM |
| The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 has a passwordless ftp ssh user. By using an exploit chain, an attacker with access to the network can get root access on the gateway. | |||||
| CVE-2019-5620 | 2 Abb, Microsoft | 3 Microscada Pro Sys600, Windows 7, Windows Xp | 2020-05-06 | 7.5 HIGH | 9.8 CRITICAL |
| ABB MicroSCADA Pro SYS600 version 9.3 suffers from an instance of CWE-306: Missing Authentication for Critical Function. | |||||
| CVE-2020-5870 | 1 F5 | 1 Big-iq Centralized Management | 2020-04-28 | 4.8 MEDIUM | 8.1 HIGH |
| In BIG-IQ 5.2.0-7.0.0, high availability (HA) synchronization mechanisms do not use any form of authentication for connecting to the peer. | |||||
| CVE-2020-11649 | 1 Gitlab | 1 Gitlab | 2020-04-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Members of a group could still have access after the group is deleted. | |||||
| CVE-2018-21132 | 1 Netgear | 4 Wac505, Wac505 Firmware, Wac510 and 1 more | 2020-04-24 | 7.5 HIGH | 9.8 CRITICAL |
| Certain NETGEAR devices are affected by authentication bypass. This affects WAC505 before 5.0.0.17 and WAC510 before 5.0.0.17. | |||||
| CVE-2020-7114 | 1 Arubanetworks | 1 Clearpass | 2020-04-23 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability exists allowing attackers, when present in the same network segment as ClearPass' management interface, to make changes to certain databases in ClearPass by crafting HTTP packets. As a result of this attack, a possible complete cluster compromise might occur. Resolution: Fixed in 6.7.13, 6.8.4, 6.9.0 and higher. | |||||
| CVE-2019-16879 | 1 Mysyngeryss | 2 Husky Rtu 6049-e70, Husky Rtu 6049-e70 Firmware | 2020-04-14 | 7.5 HIGH | 9.8 CRITICAL |
| The Synergy Systems & Solutions (SSS) HUSKY RTU 6049-E70, with firmware Versions 5.0 and prior, has a Missing Authentication for Critical Function (CWE-306) vulnerability. The affected product does not require authentication for TELNET access, which may allow an attacker to change configuration or perform other malicious activities. | |||||
| CVE-2011-3055 | 2 Google, Opensuse | 2 Chrome, Opensuse | 2020-04-14 | 4.3 MEDIUM | N/A |
| The browser native UI in Google Chrome before 17.0.963.83 does not require user confirmation before an unpacked extension installation, which allows user-assisted remote attackers to have an unspecified impact via a crafted extension. | |||||
| CVE-2020-10625 | 1 Advantech | 1 Webaccess\/nms | 2020-04-10 | 7.5 HIGH | 9.8 CRITICAL |
| WebAccess/NMS (versions prior to 3.0.2) allows an unauthenticated remote user to create a new admin account. | |||||
| CVE-2018-21041 | 1 Google | 1 Android | 2020-04-09 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with O(8.x) software. Access to Gallery in the Secure Folder can occur without authentication. The Samsung ID is SVE-2018-13057 (December 2018). | |||||
| CVE-2020-10265 | 1 Universal-robots | 7 Ur10, Ur10e, Ur3 and 4 more | 2020-04-06 | 9.0 HIGH | 9.4 CRITICAL |
| Universal Robots Robot Controllers Version CB2 SW Version 1.4 upwards, CB3 SW Version 3.0 and upwards, e-series SW Version 5.0 and upwards expose a service called DashBoard server at port 29999 that allows for control over core robot functions like starting/stopping programs, shutdown, reset safety and more. The DashBoard server is not protected by any kind of authentication or authorization. | |||||
| CVE-2020-7479 | 1 Schneider-electric | 1 Interactive Graphical Scada System | 2020-04-03 | 4.6 MEDIUM | 7.8 HIGH |
| A CWE-306: Missing Authentication for Critical Function vulnerability exists in IGSS (Versions 14 and prior using the service: IGSSupdate), which could allow a local user to execute processes that otherwise require escalation privileges when sending local network commands to the IGSS Update Service. | |||||
| CVE-2019-19092 | 1 Abb | 1 Esoms | 2020-04-03 | 3.5 LOW | 3.5 LOW |
| ABB eSOMS versions 4.0 to 6.0.3 use ASP.NET Viewstate without Message Authentication Code (MAC). Alterations to Viewstate might thus not be noticed. | |||||
| CVE-2019-12125 | 1 Onap | 1 Open Network Automation Platform | 2020-03-20 | 7.5 HIGH | 9.8 CRITICAL |
| In ONAP Logging through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected. | |||||
| CVE-2019-12126 | 1 Onap | 1 Open Network Automation Platform | 2020-03-20 | 7.5 HIGH | 9.8 CRITICAL |
| In ONAP DCAE through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected. | |||||
| CVE-2019-12127 | 1 Onap | 1 Open Network Automation Platform | 2020-03-20 | 7.5 HIGH | 9.8 CRITICAL |
| In ONAP OOM through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected. | |||||
| CVE-2020-10079 | 1 Gitlab | 1 Gitlab | 2020-03-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| GitLab 7.10 through 12.8.1 has Incorrect Access Control. Under certain conditions where users should have been required to configure two-factor authentication, it was not being required. | |||||
| CVE-2020-6964 | 1 Gehealthcare | 12 Apexpro Telemetry Server, Apexpro Telemetry Server Firmware, Carescape Central Station Mai700 and 9 more | 2020-03-17 | 5.0 MEDIUM | 8.6 HIGH |
| In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Central Station (CSCS) Versions 1.X and CARESCAPE Central Station (CSCS) Versions 2.X, the integrated service for keyboard switching of the affected devices could allow attackers to obtain remote keyboard input access without authentication over the network. | |||||
| CVE-2020-5328 | 1 Dell | 1 Emc Isilon Onefs | 2020-03-09 | 10.0 HIGH | 9.8 CRITICAL |
| Dell EMC Isilon OneFS versions prior to 8.2.0 contain an unauthorized access vulnerability due to a lack of thorough authorization checks when SyncIQ is licensed, but encrypted syncs are not marked as required. When this happens, loss of control of the cluster can occur. | |||||
| CVE-2015-5201 | 1 Redhat | 2 Enterprise Virtualization, Enterprise Virtualization Hypervisor | 2020-03-05 | 5.0 MEDIUM | 7.5 HIGH |
| VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows remote attackers to log in without authentication via unspecified vectors. | |||||
| CVE-2020-5326 | 1 Dell | 348 Chengming 3980, Chengming 3980 Firmware, Embedded Box Pc 5000 and 345 more | 2020-03-03 | 2.1 LOW | 5.3 MEDIUM |
| Affected Dell Client platforms contain a BIOS Setup configuration authentication bypass vulnerability in the pre-boot Intel Rapid Storage Response Technology (iRST) Manager menu. An attacker with physical access to the system could perform unauthorized changes to the BIOS Setup configuration settings without requiring the BIOS Admin password by selecting the Optimized Defaults option in the pre-boot iRST Manager. | |||||
| CVE-2020-6186 | 1 Sap | 1 Host Agent | 2020-02-19 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Host Agent, version 7.21, allows an attacker to cause a slowdown in processing of username/password-based authentication requests of the SAP Host Agent, leading to Denial of Service. | |||||
| CVE-2020-6769 | 1 Bosch | 8 Divar Ip 2000, Divar Ip 2000 Firmware, Divar Ip 3000 and 5 more | 2020-02-12 | 6.4 MEDIUM | 9.1 CRITICAL |
| Missing Authentication for Critical Function in the Bosch Video Streaming Gateway (VSG) allows an unauthenticated remote attacker to retrieve and set arbitrary configuration data of the Video Streaming Gateway. A successful attack can impact the confidentiality and availability of live and recorded video data of all cameras configured to be controlled by the VSG as well as the recording storage associated with the VSG. This affects Bosch Video Streaming Gateway versions 6.45 <= 6.45.08, 6.44 <= 6.44.022, 6.43 <= 6.43.0023 and 6.42.10 and older. This affects Bosch DIVAR IP 3000, DIVAR IP 7000 and DIVAR IP all-in-one 5000 if a vulnerable VSG version is installed with BVMS. This affects Bosch DIVAR IP 2000 <= 3.62.0019 and DIVAR IP 5000 <= 3.80.0039 if the corresponding port 8023 has been opened in the device's firewall. | |||||
| CVE-2020-8636 | 1 Opservices | 1 Opmon | 2020-02-12 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in OpServices OpMon 9.3.2 that allows Remote Code Execution . | |||||
| CVE-2020-7953 | 1 Opservices | 1 Opmon | 2020-02-11 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in OpServices OpMon 9.3.2. Without authentication, it is possible to read server files (e.g., /etc/passwd) due to the use of the nmap -iL (aka input file) option. | |||||
| CVE-2019-5077 | 1 Wago | 4 Pfc 100, Pfc 100 Firmware, Pfc 200 and 1 more | 2020-02-10 | 8.5 HIGH | 9.1 CRITICAL |
| An exploitable denial-of-service vulnerability exists in the iocheckd service ‘’I/O-Chec’’ functionality of WAGO PFC 200 Firmware versions 03.01.07(13) and 03.00.39(12), and WAGO PFC 100 Firmware version 03.00.39(12). A specially crafted set of packets can cause a denial of service, resulting in the device entering an error state where it ceases all network communications. An attacker can send unauthenticated packets to trigger this vulnerability. | |||||
| CVE-2019-13549 | 2 Carel, Rittal | 2 Pcoweb Firmware, Chiller Sk 3232 | 2020-02-10 | 5.0 MEDIUM | 7.5 HIGH |
| Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4. The authentication mechanism on affected systems does not provide a sufficient level of protection against unauthorized configuration changes. Primary operations, namely turning the cooling unit on and off and setting the temperature set point, can be modified without authentication. | |||||
| CVE-2019-4551 | 1 Ibm | 1 Security Directory Server | 2020-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Security Directory Server 6.4.0 does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM X-Force ID: 165953. | |||||
| CVE-2011-4322 | 1 Websitebaker | 1 Websitebaker | 2020-01-29 | 5.0 MEDIUM | 7.5 HIGH |
| websitebaker prior to and including 2.8.1 has an authentication error in backup module. | |||||
| CVE-2020-3142 | 1 Cisco | 1 Webex Meetings Online | 2020-01-28 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password. The connection attempt must initiate from a Webex mobile application for either iOS or Android. The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application. A successful exploit could allow the unauthorized attendee to join the password-protected meeting. The unauthorized attendee will be visible in the attendee list of the meeting as a mobile attendee. Cisco has applied updates that address this vulnerability and no user action is required. This vulnerability affects Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites releases earlier than 39.11.5 and 40.1.3. | |||||
| CVE-2019-16003 | 1 Cisco | 1 Ucs Director | 2020-01-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the web-based management interface of Cisco UCS Director could allow an unauthenticated, remote attacker to download system log files from an affected device. The vulnerability is due to an issue in the authentication logic of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web interface. A successful exploit could allow the attacker to download log files if they were previously generated by an administrator. | |||||
| CVE-2019-20143 | 1 Gitlab | 1 Gitlab | 2020-01-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 12.6. It has Incorrect Access Control. | |||||
| CVE-2019-16271 | 1 Dten | 4 D5, D5 Firmware, D7 and 1 more | 2020-01-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| DTEN D5 and D7 before 1.3.2 devices allows remote attackers to read saved whiteboard image PDF documents via storage/emulated/0/Notes/PDF on TCP port 8080 without authentication. | |||||
| CVE-2014-3449 | 1 Bss Continuity Cms Project | 1 Bss Continuty Cms | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| BSS Continuity CMS 4.2.22640.0 has an Authentication Bypass vulnerability | |||||
| CVE-2018-20507 | 1 Gitlab | 1 Gitlab | 2020-01-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in GitLab Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. | |||||
| CVE-2012-2736 | 4 Canonical, Debian, Gnome and 1 more | 4 Ubuntu Linux, Debian Linux, Networkmanager and 1 more | 2020-01-04 | 3.3 LOW | 4.4 MEDIUM |
| In NetworkManager 0.9.2.0, when a new wireless network was created with WPA/WPA2 security in AdHoc mode, it created an open/insecure network. | |||||
| CVE-2019-5078 | 1 Wago | 4 Pfc 100, Pfc 100 Firmware, Pfc 200 and 1 more | 2019-12-27 | 9.4 HIGH | 9.1 CRITICAL |
| An exploitable denial of service vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC200 Firmware versions 03.01.07(13) and 03.00.39(12), and WAGO PFC100 Firmware version 03.00.39(12). A specially crafted set of packets can cause a denial of service, resulting in the device entering an error state where it ceases all network communications. An attacker can send unauthenticated packets to trigger this vulnerability. | |||||
| CVE-2019-5080 | 1 Wago | 4 Pfc 100, Pfc 100 Firmware, Pfc 200 and 1 more | 2019-12-27 | 6.4 MEDIUM | 9.1 CRITICAL |
| An exploitable denial-of-service vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200 Firmware versions 03.01.07(13) and 03.00.39(12), and WAGO PFC100 Firmware version 03.00.39(12). A single packet can cause a denial of service and weaken credentials resulting in the default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability. | |||||
| CVE-2019-8292 | 1 Online Store System Project | 1 Online Store System | 2019-12-23 | 6.4 MEDIUM | 5.3 MEDIUM |
| Online Store System v1.0 delete_product.php doesn't check to see if a user authtenticated or has administrative rights allowing arbitrary product deletion. | |||||
| CVE-2019-8682 | 1 Apple | 2 Iphone Os, Watchos | 2019-12-20 | 2.1 LOW | 2.4 LOW |
| The issue was addressed with improved UI handling. This issue is fixed in iOS 12.4, watchOS 5.3. A user may inadvertently complete an in-app purchase while on the lock screen. | |||||
| CVE-2011-2187 | 2 Debian, Xscreensaver Project | 2 Debian Linux, Xscreensaver | 2019-12-16 | 4.6 MEDIUM | 7.8 HIGH |
| xscreensaver before 5.14 crashes during activation and leaves the screen unlocked when in Blank Only Mode and when DPMS is disabled, which allows local attackers to access resources without authentication. | |||||
| CVE-2013-1793 | 1 Redhat | 2 Openstack, Openstack Essex | 2019-12-14 | 5.0 MEDIUM | 7.5 HIGH |
| openstack-utils openstack-db has insecure password creation | |||||
| CVE-2019-4244 | 1 Ibm | 1 Smartcloud Analytics Log Analysis | 2019-12-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote attacker to gain unauthorized information and unrestricted control over Zookeeper installations due to missing authentication. IBM X-Force ID: 159518. | |||||
| CVE-2006-0061 | 1 Sillycycle | 1 Xlockmore | 2019-11-08 | 7.5 HIGH | 9.8 CRITICAL |
| xlockmore 5.13 and 5.22 segfaults when using libpam-opensc and returns the underlying xsession. This allows unauthorized users access to the X session. | |||||
| CVE-2006-0062 | 1 Sillycycle | 1 Xlockmore | 2019-11-06 | 7.5 HIGH | 9.8 CRITICAL |
| xlockmore 5.13 allows potential xlock bypass when FVWM switches to the same virtual desktop as a new Gaim window. | |||||
| CVE-2019-18230 | 1 Honeywell | 96 H2w2gr1, H2w2gr1 Firmware, H3w2gr1 and 93 more | 2019-11-05 | 5.0 MEDIUM | 7.5 HIGH |
| Honeywell equIP and Performance series IP cameras, multiple versions, A vulnerability exists where the affected product allows unauthenticated access to audio streaming over HTTP. | |||||
| CVE-2019-18465 | 1 Ipswitch | 1 Moveit Transfer | 2019-11-04 | 6.8 MEDIUM | 9.8 CRITICAL |
| In Progress MOVEit Transfer 11.1 before 11.1.3, a vulnerability has been found that could allow an attacker to sign in without full credentials via the SSH (SFTP) interface. The vulnerability affects only certain SSH (SFTP) configurations, and is applicable only if the MySQL database is being used. | |||||