Search
Total
634 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-12105 | 1 Supervisord | 1 Supervisor | 2019-09-17 | 6.4 MEDIUM | 8.2 HIGH |
| ** DISPUTED ** In Supervisor through 4.0.2, an unauthenticated user can read log files or restart a service. Note: The maintainer responded that the affected component, inet_http_server, is not enabled by default but if the user enables it and does not set a password, Supervisor logs a warning message. The maintainer indicated the ability to run an open server will not be removed but an additional warning was added to the documentation. | |||||
| CVE-2019-14511 | 1 Sphinxsearch | 1 Sphinx | 2019-09-14 | 5.0 MEDIUM | 7.5 HIGH |
| Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on 0.0.0.0, making it exposed to the internet (unless filtered by a firewall or reconfigured to listen to 127.0.0.1 only). | |||||
| CVE-2019-13983 | 1 Rangerstudio | 1 Directus 7 Api | 2019-07-22 | 5.0 MEDIUM | 9.8 CRITICAL |
| Directus 7 API before 2.2.2 has insufficient anti-automation, as demonstrated by lack of a CAPTCHA in core/Directus/Services/AuthService.php and endpoints/Auth.php. | |||||
| CVE-2017-15123 | 1 Redhat | 1 Cloudforms Management Engine | 2019-07-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| A flaw was found in the CloudForms web interface, versions 5.8 - 5.10, where the RSS feed URLs are not properly restricted to authenticated users only. An attacker could use this flaw to view potentially sensitive information from CloudForms including data such as newly created virtual machines. | |||||
| CVE-2016-2004 | 1 Hp | 1 Data Protector | 2019-07-12 | 9.3 HIGH | 9.8 CRITICAL |
| HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2623. | |||||
| CVE-2019-9881 | 1 Wpgraphql | 1 Wpgraphql | 2019-06-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled. | |||||
| CVE-2019-9879 | 1 Wpgraphql | 1 Wpgraphql | 2019-06-11 | 7.5 HIGH | 9.8 CRITICAL |
| The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation. | |||||
| CVE-2019-9880 | 1 Wpgraphql | 1 Wpgraphql | 2019-06-11 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username. | |||||
| CVE-2018-5338 | 1 Zohocorp | 1 Manageengine Desktop Central | 2019-03-05 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism. | |||||
| CVE-2018-11247 | 1 Nasdaq | 1 Bwise | 2018-10-23 | 7.5 HIGH | 9.8 CRITICAL |
| The JMX/RMI interface in Nasdaq BWise 5.0 does not require authentication for an SAP BO Component, which allows remote attackers to execute arbitrary code via a session on port 81. | |||||
| CVE-2018-7778 | 1 Schneider-electric | 2 Evlink Charging Station, Evlink Charging Station Firmware | 2018-09-05 | 7.5 HIGH | 9.8 CRITICAL |
| In Schneider Electric Evlink Charging Station versions prior to v3.2.0-12_v1, the Web Interface has an issue that may allow a remote attacker to gain administrative privileges without properly authenticating remote users. | |||||
| CVE-2017-0919 | 1 Gitlab | 1 Gitlab | 2018-09-04 | 5.0 MEDIUM | 7.5 HIGH |
| GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the GitLab import component resulting in an attacker being able to perform operations under a group in which they were previously unauthorized. | |||||
| CVE-2018-11476 | 1 Vgate | 2 Icar 2 Wi-fi Obd2, Icar 2 Wi-fi Obd2 Firmware | 2018-07-05 | 5.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices. The dongle opens an unprotected wireless LAN that cannot be configured with encryption or a password. This enables anyone within the range of the WLAN to connect to the network without authentication. | |||||
| CVE-2018-9119 | 1 Brilliantts | 3 Fuze Card, Fuze Card Ble Firmware, Fuze Card Mcu Firmware | 2018-05-21 | 3.6 LOW | 6.1 MEDIUM |
| An attacker with physical access to a BrilliantTS FUZE card (MCU firmware 0.1.73, BLE firmware 0.7.4) can unlock the card, extract credit card numbers, and tamper with data on the card via Bluetooth because no authentication is needed, as demonstrated by gatttool. | |||||
| CVE-2018-0554 | 1 Buffalo | 2 Wzr-1750dhp2, Wzr-1750dhp2 Firmware | 2018-05-16 | 8.3 HIGH | 8.8 HIGH |
| Buffalo WZR-1750DHP2 Ver.2.30 and earlier allows an attacker to bypass authentication and execute arbitrary commands on the device via unspecified vectors. | |||||
| CVE-2018-9162 | 1 Contec-touch | 2 Smart Home, Smart Home Firmware | 2018-05-15 | 7.5 HIGH | 9.8 CRITICAL |
| Contec Smart Home 4.15 devices do not require authentication for new_user.php, edit_user.php, delete_user.php, and user.php, as demonstrated by changing the admin password and then obtaining control over doors. | |||||
| CVE-2014-7271 | 2 Fedoraproject, Sddm Project | 2 Fedora, Sddm | 2018-03-27 | 4.6 MEDIUM | 7.8 HIGH |
| Simple Desktop Display Manager (SDDM) before 0.10.0 allows local users to log in as user "sddm" without authentication. | |||||
| CVE-2017-10854 | 1 Corega | 2 Cg-wgr 1200, Cg-wgr 1200 Firmware | 2018-03-27 | 5.8 MEDIUM | 8.8 HIGH |
| Corega CG-WGR1200 firmware 2.20 and earlier allows an attacker to bypass authentication and change the login password via unspecified vectors. | |||||
| CVE-2018-0521 | 1 Buffalo | 2 Wxr-1900dhp2, Wxr-1900dhp2 Firmware | 2018-03-26 | 8.3 HIGH | 8.8 HIGH |
| Buffalo WXR-1900DHP2 firmware Ver.2.48 and earlier allows an attacker to bypass authentication and execute arbitrary commands on the device via unspecified vectors. | |||||
| CVE-2018-2368 | 1 Sap | 1 Netweaver System Landscape Directory | 2018-03-23 | 7.5 HIGH | 9.8 CRITICAL |
| SAP NetWeaver System Landscape Directory, LM-CORE 7.10, 7.20, 7.30, 7.31, 7.40, does not perform any authentication checks for functionalities that require user identity. | |||||
| CVE-2018-7301 | 1 Eq-3 | 2 Homematic Central Control Unit Ccu2, Homematic Central Control Unit Ccu2 Firmware | 2018-03-18 | 7.5 HIGH | 9.8 CRITICAL |
| eQ-3 AG HomeMatic CCU2 2.29.22 devices have an open XML-RPC port without authentication. This can be exploited by sending arbitrary XML-RPC requests to control the attached BidCos devices. | |||||
| CVE-2018-2360 | 1 Sap | 1 Sap Kernel | 2018-01-29 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Startup Service, SAP KERNEL 7.45, 7.49, and 7.52, is missing an authentication check for functionalities that require user identity and cause consumption of file system storage. | |||||
| CVE-2017-8156 | 1 Huawei | 2 B2338-168, B2338-168 Firmware | 2017-12-11 | 7.2 HIGH | 6.8 MEDIUM |
| The outdoor unit of Customer Premise Equipment (CPE) product B2338-168 V100R001C00 has a no authentication vulnerability on the serial port. An attacker can access the serial port on the circuit board of the outdoor unit and log in to the CPE without authentication. Successful exploit could allow the attacker to take control over the outdoor unit. | |||||
| CVE-2017-8155 | 1 Huawei | 2 B2338-168, B2338-168 Firmware | 2017-12-11 | 7.2 HIGH | 8.4 HIGH |
| The outdoor unit of Customer Premise Equipment (CPE) product B2338-168 V100R001C00 has a no authentication vulnerability on a certain port. After accessing the network between the indoor and outdoor units of the CPE, an attacker can deliver commands to the specific port of the outdoor unit and execute them without authentication. Successful exploit could allow the attacker to take control over the outdoor unit. | |||||
| CVE-2017-1483 | 1 Ibm | 3 Security Identity Governance And Intelligence, Security Identity Manager, Security Privileged Identity Manager | 2017-10-06 | 7.5 HIGH | 8.6 HIGH |
| IBM Security Identity Manager Adapters 6.0 and 7.0 does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM X-Force ID: 128621. | |||||
| CVE-2017-14350 | 1 Hp | 1 Application Performance Management | 2017-10-05 | 10.0 HIGH | 9.8 CRITICAL |
| A potential security vulnerability has been identified in HPE Application Performance Management (BSM) Platform versions 9.26, 9.30, 9.40. The vulnerability could be remotely exploited to allow code execution. | |||||
| CVE-2017-4052 | 1 Mcafee | 1 Advanced Threat Defense | 2017-07-17 | 7.5 HIGH | 9.8 CRITICAL |
| Authentication Bypass vulnerability in the web interface in McAfee Advanced Threat Defense (ATD) 3.10, 3.8, 3.6, 3.4 allows remote unauthenticated users / remote attackers to change or update any configuration settings, or gain administrator functionality via a crafted HTTP request parameter. | |||||
| CVE-2017-4055 | 1 Mcafee | 1 Advanced Threat Defense | 2017-07-17 | 5.0 MEDIUM | 7.5 HIGH |
| Exploitation of Authentication vulnerability in the web interface in McAfee Advanced Threat Defense (ATD) 3.10, 3.8, 3.6, 3.4 allows remote unauthenticated users / remote attackers to bypass ATD detection via loose enforcement of authentication and authorization. | |||||
| CVE-2017-10804 | 1 Odoo | 1 Odoo | 2017-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, remote attackers can bypass authentication under certain circumstances because parameters containing 0x00 characters are truncated before reaching the database layer. This occurs because Psycopg 2.x before 2.6.3 is used. | |||||
| CVE-2015-9030 | 1 Google | 1 Android | 2017-07-08 | 9.3 HIGH | 7.8 HIGH |
| In all Android releases from CAF using the Linux kernel, the Hypervisor API could be misused to bypass authentication. | |||||
| CVE-2016-7830 | 1 Sony | 10 Pcs-xc1, Pcs-xc1 Firmware, Pcs-xg100 and 7 more | 2017-06-22 | 5.8 MEDIUM | 8.8 HIGH |
| Sony PCS-XG100, PCS-XG100S, PCS-XG100C, PCS-XG77, PCS-XG77S, PCS-XG77C devices with firmware versions prior to Ver.1.51 and PCS-XC1 devices with firmware version prior to Ver.1.22 allow an attacker on the same network segment to bypass authentication to perform administrative operations via unspecified vectors. | |||||
| CVE-2016-5053 | 1 Osram | 1 Lightify Home | 2017-04-14 | 7.5 HIGH | 9.8 CRITICAL |
| OSRAM SYLVANIA Osram Lightify Home before 2016-07-26 allows remote attackers to execute arbitrary commands via TCP port 4000. | |||||
| CVE-2016-8355 | 1 Smiths-medical | 1 Cadd-solis Medication Safety Software | 2017-02-28 | 9.0 HIGH | 9.9 CRITICAL |
| An issue was discovered in Smiths-Medical CADD-Solis Medication Safety Software, Version 1.0; 2.0; 3.0; and 3.1. CADD-Solis Medication Safety Software grants an authenticated user elevated privileges on the SQL database, which would allow an authenticated user to modify drug libraries, add and delete users, and change user permissions. According to Smiths-Medical, physical access to the pump is required to install drug library updates. | |||||
| CVE-2017-5162 | 1 Binom3 | 2 Universal Multifunctional Electric Power Quality Meter, Universal Multifunctional Electric Power Quality Meter Firmware | 2017-02-16 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter. Lack of authentication for remote service gives access to application set up and configuration. | |||||