Total
1252 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-36239 | 1 Atlassian | 3 Jira Data Center, Jira Service Desk, Jira Service Management | 2024-10-17 | 7.5 HIGH | 9.8 CRITICAL |
| Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before 8.13.8, from 8.14.0 before 8.17.0 and Jira Service Management Data Center from version 2.0.2 before 4.5.16, from version 4.6.0 before 4.13.8, and from version 4.14.0 before 4.17.0 exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011[0][1], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service. [0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated. [1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated. | |||||
| CVE-2024-9984 | 1 Ragic | 1 Enterprise Cloud Database | 2024-10-16 | N/A | 9.8 CRITICAL |
| Enterprise Cloud Database from Ragic does not authenticate access to specific functionality, allowing unauthenticated remote attackers to use this functionality to obtain any user's session cookie. | |||||
| CVE-2023-6595 | 1 Progress | 1 Whatsup Gold | 2024-10-16 | N/A | 5.3 MEDIUM |
| In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate ancillary credential information stored within WhatsUp Gold. | |||||
| CVE-2023-6368 | 1 Progress | 1 Whatsup Gold | 2024-10-16 | N/A | 5.3 MEDIUM |
| In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related to a registered device being monitored by WhatsUp Gold. | |||||
| CVE-2024-22326 | 1 Ibm | 1 Ds8900f Firmware | 2024-10-15 | N/A | 6.3 MEDIUM |
| IBM System Storage DS8900F 89.22.19.0, 89.30.68.0, 89.32.40.0, 89.33.48.0, 89.40.83.0, and 89.40.93.0 could allow a remote user to create an LDAP connection with a valid username and empty password to establish an anonymous connection. IBM X-Force ID: 279518. | |||||
| CVE-2024-9522 | 1 Lagunaisw | 1 Wp Users Masquerade | 2024-10-15 | N/A | 8.8 HIGH |
| The WP Users Masquerade plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.0. This is due to incorrect authentication and capability checking in the 'ajax_masq_login' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator. | |||||
| CVE-2024-8530 | 2024-10-15 | N/A | N/A | ||
| CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause exposure of private data when an already generated “logcaptures” archive is accessed directly by HTTPS. | |||||
| CVE-2024-3774 | 2024-10-14 | N/A | 5.3 MEDIUM | ||
| aEnrich Technology a+HRD's functionality for front-end retrieval of system configuration values lacks proper restrictions on a specific parameter, allowing attackers to modify this parameter to access certain sensitive system configuration values. | |||||
| CVE-2023-5716 | 1 Asus | 1 Armoury Crate | 2024-10-14 | N/A | 9.8 CRITICAL |
| ASUS Armoury Crate has a vulnerability in arbitrary file write and allows remote attackers to access or modify arbitrary files by sending specific HTTP requests without permission. | |||||
| CVE-2024-9289 | 1 Redefiningtheweb | 1 Affiliate Pro | 2024-10-07 | N/A | 9.8 CRITICAL |
| The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator's email. | |||||
| CVE-2024-8456 | 1 Planet | 4 Gs-4210-24p2s, Gs-4210-24p2s Firmware, Gs-4210-24pl4c and 1 more | 2024-10-04 | N/A | 9.8 CRITICAL |
| Certain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining full control of the devices. | |||||
| CVE-2024-41988 | 2024-10-04 | N/A | N/A | ||
| TEM Opera Plus FM Family Transmitter allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. This file system serves as the basis for the HTTP2 web server module but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code. | |||||
| CVE-2024-35293 | 2024-10-04 | N/A | 9.1 CRITICAL | ||
| An unauthenticated remote attacker may use a missing authentication for critical function vulnerability to reboot or erase the affected devices resulting in data loss and/or a DoS. | |||||
| CVE-2024-35294 | 2024-10-04 | N/A | 6.5 MEDIUM | ||
| An unauthenticated remote attacker may use the devices traffic capture without authentication to grab plaintext administrative credentials. | |||||
| CVE-2024-38279 | 1 Motorola | 2 Vigilant Fixed Lpr Coms Box, Vigilant Fixed Lpr Coms Box Firmware | 2024-10-03 | N/A | 4.6 MEDIUM |
| The affected product is vulnerable to an attacker modifying the bootloader by using custom arguments to bypass authentication and gain access to the file system and obtain password hashes. | |||||
| CVE-2024-7781 | 1 Artbees | 1 Jupiter X Core | 2024-10-02 | N/A | 9.8 CRITICAL |
| The Jupiter X Core plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.7.5. This is due to improper authentication via the Social Login widget. This makes it possible for unauthenticated attackers to log in as the first user to have logged in with a social media account, including administrator accounts. Attackers can exploit the vulnerability even if the Social Login element has been disabled, as long as it was previously enabled and used. The vulnerability was partially patched in version 4.7.5, and fully patched in version 4.7.8. | |||||
| CVE-2023-52947 | 1 Synology | 1 Active Backup For Business Agent | 2024-10-02 | N/A | 3.3 LOW |
| Missing authentication for critical function vulnerability in logout functionality in Synology Active Backup for Business Agent before 2.6.3-3101 allows local users to logout the client via unspecified vectors. The backup functionality will continue to operate and will not be affected by the logout. | |||||
| CVE-2023-52949 | 1 Synology | 1 Active Backup For Business Agent | 2024-10-02 | N/A | 5.5 MEDIUM |
| Missing authentication for critical function vulnerability in proxy settings functionality in Synology Active Backup for Business Agent before 2.7.0-3221 allows local users to obtain user credential via unspecified vectors. | |||||
| CVE-2023-1083 | 2024-10-02 | N/A | 9.8 CRITICAL | ||
| An unauthenticated remote attacker who is aware of a MQTT topic name can send and receive messages, including GET/SET configuration commands, reboot commands and firmware updates. | |||||
| CVE-2024-8310 | 2024-09-30 | N/A | N/A | ||
| OPW Fuel Management Systems SiteSentinel could allow an attacker to bypass authentication to the server and obtain full admin privileges. | |||||