Total
144 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-29334 | 1 H Project | 1 H | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| An issue in H v1.0 allows attackers to bypass authentication via a session replay attack. | |||||
| CVE-2021-31958 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2023-08-01 | 6.8 MEDIUM | 7.5 HIGH |
| Windows NTLM Elevation of Privilege Vulnerability | |||||
| CVE-2023-34625 | 1 Showmojo | 2 Mojobox, Mojobox Firmware | 2023-07-28 | N/A | 8.1 HIGH |
| ShowMojo MojoBox Digital Lockbox 1.4 is vulnerable to Authentication Bypass. The implementation of the lock opening mechanism via Bluetooth Low Energy (BLE) is vulnerable to replay attacks. A malicious user is able to intercept BLE requests and replicate them to open the lock at any time. Alternatively, an attacker with physical access to the device on which the Android app is installed, can obtain the latest BLE messages via the app logs and use them for opening the lock. | |||||
| CVE-2022-31158 | 1 Packback | 1 Lti 1.3 Tool Library | 2023-07-24 | N/A | 7.5 HIGH |
| LTI 1.3 Tool Library is a library used for building IMS-certified LTI 1.3 tool providers in PHP. Prior to version 5.0, the Nonce Claim Value was not being validated against the nonce value sent in the Authentication Request. Users should upgrade to version 5.0 to receive a patch. There are currently no known workarounds. | |||||
| CVE-2022-48507 | 1 Huawei | 2 Emui, Harmonyos | 2023-07-12 | N/A | 7.5 HIGH |
| Vulnerability of identity verification being bypassed in the storage module. Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2023-2846 | 1 Mitsubishielectric | 300 Fx3g-14mr\/ds, Fx3g-14mr\/ds Firmware, Fx3g-14mr\/es and 297 more | 2023-07-10 | N/A | 9.1 CRITICAL |
| Authentication Bypass by Capture-replay vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series main modules allows a remote unauthenticated attacker to cancel the password/keyword setting and login to the affected products by sending specially crafted packets. | |||||
| CVE-2023-34553 | 1 Wafucn | 2 Wafu Keyless Smart Lock, Wafu Keyless Smart Lock Firmware | 2023-07-03 | N/A | 6.5 MEDIUM |
| An issue was discovered in WAFU Keyless Smart Lock v1.0 allows attackers to unlock a device via code replay attack. | |||||
| CVE-2023-29158 | 1 Subnet | 1 Powersystem Center | 2023-06-29 | N/A | 9.1 CRITICAL |
| SUBNET PowerSYSTEM Center versions 2020 U10 and prior are vulnerable to replay attacks which may result in a denial-of-service condition or a loss of data integrity. | |||||
| CVE-2023-33621 | 1 Gl-inet | 2 Gl-ar750s, Gl-ar750s Firmware | 2023-06-23 | N/A | 5.9 MEDIUM |
| GL.iNET GL-AR750S-Ext firmware v3.215 inserts the admin authentication token into a GET request when the OpenVPN Server config file is downloaded. The token is then left in the browser history or access logs, potentially allowing attackers to bypass authentication via session replay. | |||||
| CVE-2019-11334 | 1 Tzumi | 3 Klic Lock, Klic Smart Padlock Model 5686, Klic Smart Padlock Model 5686 Firmware | 2023-03-24 | 4.3 MEDIUM | 3.7 LOW |
| An authentication bypass in website post requests in the Tzumi Electronics Klic Lock application 1.0.9 for mobile devices allows attackers to access resources (that are not otherwise accessible without proper authentication) via capture-replay. Physically proximate attackers can use this information to unlock unauthorized Tzumi Electronics Klic Smart Padlock Model 5686 Firmware 6.2. | |||||
| CVE-2023-1537 | 1 Answer | 1 Answer | 2023-03-23 | N/A | 9.8 CRITICAL |
| Authentication Bypass by Capture-replay in GitHub repository answerdev/answer prior to 1.0.6. | |||||
| CVE-2021-38296 | 2 Apache, Oracle | 2 Spark, Financial Services Crime And Compliance Management Studio | 2023-02-09 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later | |||||
| CVE-2020-15688 | 1 Embedthis | 1 Goahead | 2023-01-31 | 6.8 MEDIUM | 8.8 HIGH |
| The HTTP Digest Authentication in the GoAhead web server before 5.1.2 does not completely protect against replay attacks. This allows an unauthenticated remote attacker to bypass authentication via capture-replay if TLS is not used to protect the underlying communication channel. | |||||
| CVE-2022-37011 | 1 Mendix | 1 Saml | 2022-12-13 | N/A | 9.8 CRITICAL |
| A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions < V1.17.0), Mendix SAML (Mendix 8 compatible) (All versions < V2.3.0), Mendix SAML (Mendix 9 compatible, New Track) (All versions < V3.3.1), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions < V3.3.0). Affected versions of the module insufficiently protect from packet capture replay. This could allow unauthorized remote attackers to bypass authentication and get access to the application. For compatibility reasons, fix versions still contain this issue, but only when the not recommended, non default configuration option `'Allow Idp Initiated Authentication'` is enabled. | |||||
| CVE-2022-29475 | 1 Goabode | 2 Iota All-in-one Security Kit, Iota All-in-one Security Kit Firmware | 2022-10-26 | N/A | 8.1 HIGH |
| An information disclosure vulnerability exists in the XFINDER functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted man-in-the-middle attack can lead to increased privileges. An attacker can perform a man-in-the-middle attack to trigger this vulnerability. | |||||
| CVE-2022-40621 | 1 Wavlink | 2 Wn531g3, Wn531g3 Firmware | 2022-09-19 | N/A | 7.5 HIGH |
| Because the WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 and earlier communicates over HTTP and not HTTPS, and because the hashing mechanism does not rely on a server-supplied key, it is possible for an attacker with sufficient network access to capture the hashed password of a logged on user and use it in a classic Pass-the-Hash style attack. | |||||
| CVE-2022-36089 | 1 Kubevela | 1 Kubevela | 2022-09-16 | N/A | 9.8 CRITICAL |
| KubeVela is an application delivery platform Users using KubeVela's VelaUX APIServer could be affected by an authentication bypass vulnerability. In KubeVela prior to versions 1.4.11 and 1.5.4, VelaUX APIServer uses the `PlatformID` as the signed key to generate the JWT tokens for users. Another API called `getSystemInfo` exposes the platformID. This vulnerability allows users to use the platformID to re-generate the JWT tokens to bypass the authentication. Versions 1.4.11 and 1.5.4 contain a patch for this issue. | |||||
| CVE-2022-37418 | 3 Hyundai, Kia, Nissan | 6 Hyundai, Hyundai Firmware, Kia and 3 more | 2022-08-31 | N/A | 6.4 MEDIUM |
| The Remote Keyless Entry (RKE) receiving unit on certain Nissan, Kia, and Hyundai vehicles through 2017 allows remote attackers to perform unlock operations and force a resynchronization after capturing two consecutive valid key fob signals over the radio, aka a RollBack attack. The attacker retains the ability to unlock indefinitely. | |||||
| CVE-2022-37305 | 1 Honda | 2 Honda, Honda Firmware | 2022-08-31 | N/A | 6.4 MEDIUM |
| The Remote Keyless Entry (RKE) receiving unit on certain Honda vehicles through 2018 allows remote attackers to perform unlock operations and force a resynchronization after capturing five consecutive valid RKE signals over the radio, aka a RollBack attack. The attacker retains the ability to unlock indefinitely. | |||||
| CVE-2022-36945 | 1 Mazda | 2 Mazda, Mazda Firmware | 2022-08-31 | N/A | 6.4 MEDIUM |
| The Remote Keyless Entry (RKE) receiving unit on certain Mazda vehicles through 2020 allows remote attackers to perform unlock operations and force a resynchronization after capturing three consecutive valid key-fob signals over the radio, aka a RollBack attack. The attacker retains the ability to unlock indefinitely. | |||||