Total
3293 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-19076 | 2 Foscam, Opticam | 6 C2, C2 Application Firmware, C2 System Firmware and 3 more | 2018-12-11 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The FTP and RTSP services make it easier for attackers to conduct brute-force authentication attacks, because failed-authentication limits apply only to HTTP (not FTP or RTSP). | |||||
| CVE-2013-7093 | 1 Sap | 1 Network Interface Router | 2018-12-10 | 5.0 MEDIUM | N/A |
| SAP Network Interface Router (SAProuter) 39.3 SP4 allows remote attackers to bypass authentication and modify the configuration via unspecified vectors. | |||||
| CVE-2017-15297 | 1 Sap | 1 Host Agent | 2018-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Hostcontrol does not require authentication for the SOAP SAPControl endpoint. This is SAP Security Note 2442993. | |||||
| CVE-2018-12242 | 1 Symantec | 1 Messaging Gateway | 2018-12-08 | 7.5 HIGH | 9.8 CRITICAL |
| The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to an authentication bypass exploit, which is a type of issue that can allow attackers to potentially circumvent security mechanisms currently in place and gain access to the system or network. | |||||
| CVE-2018-7989 | 1 Huawei | 2 Mate 10 Pro, Mate 10 Pro Firmware | 2018-12-06 | 2.1 LOW | 4.6 MEDIUM |
| Huawei Mate 10 pro smartphones with the versions before BLA-AL00B 8.1.0.326(C00) have an improper authentication vulnerability. App Lock is a function to prevent unauthorized use of apps on smartphones, an attacker could directly change the lock password after a series of operations. Successful exploit could allow the attacker to use the application which is locked. | |||||
| CVE-2016-10732 | 1 Projectsend | 1 Projectsend | 2018-12-06 | 7.5 HIGH | 9.8 CRITICAL |
| ProjectSend (formerly cFTP) r582 allows authentication bypass via a direct request for users.php, home.php, edit-file.php?file_id=1, or process-zip-download.php, or add_user_form_* parameters to users-add.php. | |||||
| CVE-2018-18891 | 1 1234n | 1 Minicms | 2018-12-03 | 6.4 MEDIUM | 7.5 HIGH |
| MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs too late. | |||||
| CVE-2018-7076 | 1 Hp | 1 Intelligent Management Center | 2018-12-03 | 10.0 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability was identified in HPE Intelligent Management Center (iMC) prior to iMC PLAT 7.3 E0605P04. | |||||
| CVE-2018-12455 | 1 Intelbras | 2 Nplug, Nplug Firmware | 2018-11-28 | 9.3 HIGH | 8.1 HIGH |
| Intelbras NPLUG 1.0.0.14 wireless repeater devices have a critical vulnerability that allows an attacker to authenticate in the web interface just by using "admin:" as the name of a cookie. | |||||
| CVE-2018-18061 | 1 Tecrail | 1 Responsive Filemanager | 2018-11-28 | 6.4 MEDIUM | 7.5 HIGH |
| An issue was discovered in dialog.php in tecrail Responsive FileManager 9.8.1. Attackers can access the file manager interface that provides them with the ability to upload and delete files. | |||||
| CVE-2017-7660 | 1 Apache | 1 Solr | 2018-11-28 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected. | |||||
| CVE-2018-7572 | 1 Pulsesecure | 1 Pulse Secure Desktop | 2018-11-27 | 7.2 HIGH | 6.8 MEDIUM |
| Pulse Secure Client 9.0R1 and 5.3RX before 5.3R5, when configured to authenticate VPN users during Windows Logon, can allow attackers to bypass Windows authentication and execute commands on the system with the privileges of Pulse Secure Client. The attacker must interrupt the client's network connectivity, and trigger a connection to a crafted proxy server with an invalid SSL certificate that allows certification-manager access, leading to the ability to browse local files and execute local programs. | |||||
| CVE-2018-17341 | 2 Bigtreecms, Microsoft | 2 Bigtree Cms, Windows | 2018-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a ..\ substring, as demonstrated by a launch.php?bigtree_htaccess_url=admin/images/..\ URI. | |||||
| CVE-2013-0282 | 1 Openstack | 1 Keystone | 2018-11-16 | 5.0 MEDIUM | N/A |
| OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions. | |||||
| CVE-2012-4457 | 1 Openstack | 1 Keystone | 2018-11-16 | 4.0 MEDIUM | N/A |
| OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant. | |||||
| CVE-2018-16590 | 1 Furuno | 4 Felcom 250, Felcom 250 Firmware, Felcom 500 and 1 more | 2018-11-14 | 10.0 HIGH | 9.8 CRITICAL |
| FURUNO FELCOM 250 and 500 devices use only client-side JavaScript in login.js for authentication. | |||||
| CVE-2018-15485 | 1 Kone | 2 Group Controller, Group Controller Firmware | 2018-11-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. FTP does not require authentication or authorization, aka KONE-03. | |||||
| CVE-2016-7141 | 2 Haxx, Opensuse | 2 Libcurl, Leap | 2018-11-13 | 5.0 MEDIUM | 7.5 HIGH |
| curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. | |||||
| CVE-2018-15479 | 1 Mystrom | 12 Wifi Bulb, Wifi Bulb Firmware, Wifi Button and 9 more | 2018-11-09 | 6.4 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. Devices did not authenticate themselves to the cloud in device to cloud communication. This lack of device authentication allowed an attacker to impersonate any device by guessing or learning their MAC address. | |||||
| CVE-2009-0614 | 1 Cisco | 1 Unified Meetingplace Web Conferencing | 2018-11-08 | 9.0 HIGH | N/A |
| Unspecified vulnerability in the Web Server in Cisco Unified MeetingPlace Web Conferencing 6.0 before 6.0(517.0) (aka 6.0 MR4) and 7.0 before 7.0(2) (aka 7.0 MR1) allows remote attackers to bypass authentication and obtain administrative access via a crafted URL. | |||||