Total
3293 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-13365 | 1 Zyxel | 8 Nas326, Nas326 Firmware, Nas520 and 5 more | 2022-02-09 | 9.0 HIGH | 8.8 HIGH |
| Certain Zyxel products have a locally accessible binary that allows a non-root user to generate a password for an undocumented user account that can be used for a TELNET session as root. This affects NAS520 V5.21(AASZ.4)C0, V5.21(AASZ.0)C0, V5.11(AASZ.3)C0, and V5.11(AASZ.0)C0; NAS542 V5.11(ABAG.0)C0, V5.20(ABAG.1)C0, and V5.21(ABAG.3)C0; NSA325 v2_V4.81(AALS.0)C0 and V4.81(AAAJ.1)C0; NSA310 4.22(AFK.0)C0 and 4.22(AFK.1)C0; NAS326 V5.21(AAZF.8)C0, V5.11(AAZF.4)C0, V5.11(AAZF.2)C0, and V5.11(AAZF.3)C0; NSA310S V4.75(AALH.2)C0; NSA320S V4.75(AANV.2)C0 and V4.75(AANV.1)C0; NSA221 V4.41(AFM.1)C0; and NAS540 V5.21(AATB.5)C0 and V5.21(AATB.3)C0. | |||||
| CVE-2012-1145 | 1 Redhat | 2 Enterprise Linux, Satellite | 2022-02-03 | 5.0 MEDIUM | N/A |
| spacewalk-backend in Red Hat Network Satellite 5.4 on Red Hat Enterprise Linux 6 does not properly authorize or authenticate uploads to the NULL organization when mod_wsgi is used, which allows remote attackers to cause a denial of service (/var partition disk consumption and failed updates) via a large number of package uploads. | |||||
| CVE-2013-2056 | 1 Redhat | 1 Satellite | 2022-02-03 | 5.0 MEDIUM | N/A |
| The Inter-Satellite Sync (ISS) operation in Red Hat Network (RHN) Satellite 5.3, 5.4, and 5.5 does not properly check client "authenticity," which allows remote attackers to obtain channel content by skipping the initial authentication call. | |||||
| CVE-2018-7791 | 1 Schneider-electric | 2 Modicon M221, Modicon M221 Firmware | 2022-02-03 | 7.5 HIGH | 9.8 CRITICAL |
| A Permissions, Privileges, and Access Control vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). The vulnerability allows unauthorized users to overwrite the original password with their password. If an attacker exploits this vulnerability and overwrite the password, the attacker can upload the original program from the PLC. | |||||
| CVE-2018-7847 | 1 Schneider-electric | 8 Modicon M340, Modicon M340 Firmware, Modicon M580 and 5 more | 2022-02-03 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-284: Improper Access Control vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service or potential code execution by overwriting configuration settings of the controller over Modbus. | |||||
| CVE-2018-7228 | 1 Schneider-electric | 40 Ibp1110-1er, Ibp1110-1er Firmware, Ibp219-1er and 37 more | 2022-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow an unauthenticated, remote attacker to bypass authentication and get the administrator privileges. | |||||
| CVE-2018-7227 | 1 Schneider-electric | 40 Ibp1110-1er, Ibp1110-1er Firmware, Ibp219-1er and 37 more | 2022-02-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow retrieving of specially crafted URLs without authentication that can reveal sensitive information to an attacker. | |||||
| CVE-2018-7236 | 1 Schneider-electric | 40 Ibp1110-1er, Ibp1110-1er Firmware, Ibp219-1er and 37 more | 2022-02-02 | 5.8 MEDIUM | 8.1 HIGH |
| A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could enable SSH service due to lack of authentication for /login/bin/set_param could enable SSH service. | |||||
| CVE-2021-22025 | 1 Vmware | 3 Cloud Foundation, Vrealize Operations Manager, Vrealize Suite Lifecycle Manager | 2022-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| The vRealize Operations Manager API (8.x prior to 8.5) contains a broken access control vulnerability leading to unauthenticated API access. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to existing vROps cluster. | |||||
| CVE-2021-43394 | 1 Unisys | 2 Clearpath 2200, Messaging Integration Services | 2022-01-31 | 7.5 HIGH | 9.8 CRITICAL |
| Unisys OS 2200 Messaging Integration Services (NTSI) 7R3B IC3 and IC4, 7R3C, and 7R3D has an Incorrect Implementation of an Authentication Algorithm. An LDAP password is not properly validated. | |||||
| CVE-2020-4879 | 2 Ibm, Microsoft | 2 Cognos Controller, Windows | 2022-01-27 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could allow a remote attacker to bypass security restrictions, caused by improper validation of authentication cookies. IBM X-Force ID: 190847. | |||||
| CVE-2021-33046 | 1 Dahuasecurity | 56 Asc2204c, Asc2204c Firmware, Hcvr7xxx and 53 more | 2022-01-25 | 7.5 HIGH | 9.8 CRITICAL |
| Some Dahua products have access control vulnerability in the password reset process. Attackers can exploit this vulnerability through specific deployments to reset device passwords. | |||||
| CVE-2022-21692 | 1 Onionshare | 1 Onionshare | 2022-01-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions anyone with access to the chat environment can write messages disguised as another chat participant. | |||||
| CVE-2022-21695 | 1 Onionshare | 1 Onionshare | 2022-01-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions authenticated users (or unauthenticated in public mode) can send messages without being visible in the list of chat participants. This issue has been resolved in version 2.5. | |||||
| CVE-2017-2297 | 1 Puppet | 1 Puppet Enterprise | 2022-01-24 | 6.0 MEDIUM | 7.5 HIGH |
| Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not correctly authenticate users before returning labeled RBAC access tokens. This issue has been fixed in Puppet Enterprise 2016.4.5 and 2017.2.1. This only affects users with labeled tokens, which is not the default for tokens. | |||||
| CVE-2012-3408 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2022-01-24 | 2.6 LOW | N/A |
| lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address. | |||||
| CVE-2021-34993 | 1 Commvault | 1 Commcell | 2022-01-22 | 7.5 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to bypass authentication on affected installations of Commvault CommCell 11.22.22. Authentication is not required to exploit this vulnerability. The specific flaw exists within the CVSearchService service. The issue results from the lack of proper validation prior to authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-13706. | |||||
| CVE-2021-4073 | 1 Metagauss | 1 Registrationmagic | 2022-01-21 | 6.8 MEDIUM | 8.1 HIGH |
| The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site due to missing identity validation in the social login function social_login_using_email() of the plugin. This affects versions equal to, and less than, 5.0.1.7. | |||||
| CVE-2021-34977 | 1 Netgear | 2 R7000, R7000 Firmware | 2022-01-20 | 5.8 MEDIUM | 8.8 HIGH |
| This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7000 1.0.11.116_10.2.100 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SOAP requests. The issue results from the lack of proper authentication verification before performing a password reset. An attacker can leverage this vulnerability to reset the admin password. Was ZDI-CAN-13483. | |||||
| CVE-2022-22289 | 1 Samsung | 1 S Assistant | 2022-01-19 | 5.0 MEDIUM | 5.3 MEDIUM |
| Improper access control vulnerability in S Assistant prior to version 7.5 allows attacker to remotely get senstive information. | |||||