Total
3293 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-25030 | 1 Mirmay | 2 File Manager, Secure Private Browser | 2022-04-04 | 1.9 LOW | 2.5 LOW |
| A vulnerability classified as problematic has been found in Mirmay Secure Private Browser and File Manager up to 2.5. Affected is the Auto Lock. A race condition leads to a local authentication bypass. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-0342 | 1 Zyxel | 46 Atp100, Atp100 Firmware, Atp100w and 43 more | 2022-04-04 | 7.5 HIGH | 9.8 CRITICAL |
| An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device. | |||||
| CVE-2022-1084 | 1 One Church Management System Project | 1 One Church Management System | 2022-04-04 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability classified as critical was found in SourceCodester One Church Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /one_church/userregister.php. The manipulation leads to authentication bypass. The attack can be launched remotely. | |||||
| CVE-2021-26620 | 1 Iptime | 18 Nas-i, Nas-i Firmware, Nas-ii and 15 more | 2022-03-31 | 5.0 MEDIUM | 7.5 HIGH |
| An improper authentication vulnerability leading to information leakage was discovered in iptime NAS2dual. Remote attackers are able to steal important information in the server by exploiting vulnerabilities such as insufficient authentication when accessing the shared folder and changing user’s passwords. | |||||
| CVE-2019-20412 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2022-03-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2. | |||||
| CVE-2021-46390 | 1 Lexar | 2 F35, F35 Firmware | 2022-03-29 | 7.2 HIGH | 6.8 MEDIUM |
| An access control issue in the authentication module of Lexar_F35 v1.0.34 allows attackers to access sensitive data and cause a Denial of Service (DoS). An attacker without access to securely protected data on a secure USB flash drive can bypass user authentication without having any information related to the password of the registered user. The secure USB flash drive transmits the password entered by the user to the authentication module in the drive after the user registers a password, and then the input password is compared with the registered password stored in the authentication module. Subsequently, the module returns the comparison result for the authentication decision. Therefore, an attacker can bypass password authentication by analyzing the functions that return the password verification or comparison results and manipulate the authentication result values. Accordingly, even if attackers enter an incorrect password, they can be authenticated as a legitimate user and can therefore exploit functions of the secure USB flash drive by manipulating the authentication result values. | |||||
| CVE-2021-26070 | 1 Atlassian | 3 Data Center, Jira, Jira Server | 2022-03-25 | 6.4 MEDIUM | 7.2 HIGH |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1. | |||||
| CVE-2021-45786 | 1 Maccms | 1 Maccms | 2022-03-22 | 7.5 HIGH | 9.8 CRITICAL |
| In maccms v10, an attacker can log in through /index.php/user/login in the "col" and "openid" parameters to gain privileges. | |||||
| CVE-2022-24740 | 1 Plone | 1 Volto | 2022-03-22 | 6.0 MEDIUM | 7.5 HIGH |
| Volto is a ReactJS-based frontend for the Plone Content Management System. Between versions 14.0.0-alpha.5 and 15.0.0-alpha.0, a user could have their authentication cookie replaced with an authentication cookie from another user, effectively giving them control of the other user's account and privileges. This occurs when using an outdated version of the `react-cookie` library and a server is under high load. A proof of concept does not currently exist, but it is possible for this issue to occur in the wild. The patch and fix is present in Volto 15.0.0-alpha.0. As a workaround, one may manually upgrade the `react-cookie` package to 4.1.1 and then override all Volto components that use this library. | |||||
| CVE-2022-25825 | 1 Samasung | 1 Account | 2022-03-18 | 2.1 LOW | 5.5 MEDIUM |
| Improper access control vulnerability in Samsung Account prior to version 13.1.0.1 allows attackers to access to the authcode for sign-in. | |||||
| CVE-2022-22729 | 1 Yokogawa | 9 Centum Cs 3000, Centum Cs 3000 Entry, Centum Cs 3000 Entry Firmware and 6 more | 2022-03-18 | 6.0 MEDIUM | 8.8 HIGH |
| CAMS for HIS Server contained in the following Yokogawa Electric products improperly authenticate the receiving packets. The authentication may be bypassed via some crafted packets: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, and Exaopc versions from R3.72.00 to R3.79.00. | |||||
| CVE-2021-44736 | 1 Lexmark | 2 Mc3224i, Mc3224i Firmware | 2022-03-17 | 10.0 HIGH | 9.8 CRITICAL |
| The initial admin account setup wizard on Lexmark devices allow unauthenticated access to the “out of service erase” feature. | |||||
| CVE-2022-24286 | 1 Acer | 1 Quickaccess | 2022-03-16 | 7.2 HIGH | 7.8 HIGH |
| Acer QuickAccess 2.01.300x before 2.01.3030 and 3.00.30xx before 3.00.3038 contains a local privilege escalation vulnerability. The user process communicates with a service of system authority through a named pipe. In this case, the Named Pipe is also given Read and Write rights to the general user. In addition, the service program does not verify the user when communicating. A thread may exist with a specific command. When the path of the program to be executed is sent, there is a local privilege escalation in which the service program executes the path with system privileges. | |||||
| CVE-2022-24285 | 1 Acer | 1 Care Center | 2022-03-16 | 7.2 HIGH | 7.8 HIGH |
| Acer Care Center 4.00.30xx before 4.00.3042 contains a local privilege escalation vulnerability. The user process communicates with a service of system authority called ACCsvc through a named pipe. In this case, the Named Pipe is also given Read and Write rights to the general user. In addition, the service program does not verify the user when communicating. A thread may exist with a specific command. When the path of the program to be executed is sent, there is a local privilege escalation in which the service program executes the path with system privileges. | |||||
| CVE-2022-25816 | 1 Google | 1 Android | 2022-03-16 | 2.1 LOW | 4.6 MEDIUM |
| Improper authentication in Samsung Lock and mask apps setting prior to SMR Mar-2022 Release 1 allows attacker to change enable/disable without authentication | |||||
| CVE-2021-40376 | 1 Otris | 1 Update Manager | 2022-03-16 | 7.2 HIGH | 7.8 HIGH |
| otris Update Manager 1.2.1.0 allows local users to achieve SYSTEM access via unauthenticated calls to exposed interfaces over a .NET named pipe. A remote attack may be possible as well, by leveraging WsHTTPBinding for HTTP traffic on TCP port 9000. | |||||
| CVE-2022-23383 | 1 Yzmcms | 1 Yzmcms | 2022-03-15 | 6.4 MEDIUM | 9.1 CRITICAL |
| YzmCMS v6.3 is affected by broken access control. Without login, unauthorized access to the user's personal home page can be realized. It is necessary to judge the user's login status before accessing the personal home page, but the vulnerability can access other users' home pages through the non login status because real authentication is not carried out. | |||||
| CVE-2022-23729 | 1 Google | 1 Android | 2022-03-11 | 6.9 MEDIUM | 7.8 HIGH |
| When the device is in factory state, it can be access the shell without adb authentication process. The LG ID is LVE-SMP-210010. | |||||
| CVE-2019-18312 | 1 Siemens | 1 Sppa-t3000 Ms3000 Migration Server | 2022-03-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been identified in SPPA-T3000 MS3000 Migration Server (All versions). An attacker with network access to the MS3000 Server could be able to enumerate running RPC services. Please note that an attacker needs to have network access to the MS3000 in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2019-18322 | 1 Siemens | 1 Sppa-t3000 Ms3000 Migration Server | 2022-03-04 | 6.4 MEDIUM | 9.1 CRITICAL |
| A vulnerability has been identified in SPPA-T3000 MS3000 Migration Server (All versions). An attacker with network access to the MS3000 Server could be able to read and write arbitrary files on the local file system by sending specifically crafted packets to port 5010/tcp. This vulnerability is independent from CVE-2019-18321. Please note that an attacker needs to have network access to the MS3000 in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||