Total: 1252 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-32453 | 1 Sitel-sa | 2 Cap/prx, Cap/prx Firmware | 2023-11-09 | 2.1 LOW | 3.3 LOW | SITEL CAP/PRX firmware version 5.2.01 allows an attacker with access to the local network to reach, via HTTP, the internal configuration database of the device without any authentication. An attacker could exploit this vulnerability in order to obtain information about the device's configuration.
CVE-2020-15894 | 1 Dlink | 2 Dir-816l, Dir-816l Firmware | 2023-11-08 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. There exists an exposed administration function in getcfg.php, which can be used to call various services. It can be utilized by an attacker to retrieve various sensitive information, such as admin login credentials, by setting the value of _POST_SERVICES in the query string to DEVICE.ACCOUNT.
CVE-2019-15655 | 1 Dlink | 2 Dsl-2875al, Dsl-2875al Firmware | 2023-11-08 | 5.0 MEDIUM | 7.5 HIGH | D-Link DSL-2875AL devices through 1.00.05 are prone to password disclosure via a simple crafted /romfile.cfg request to the web management server. This request doesn't require any authentication and will lead to saving the configuration file. The password is stored in cleartext.
CVE-2017-14417 | 1 Dlink | 2 Dir-850l, Dir-850l Firmware | 2023-11-08 | 7.5 HIGH | 9.8 CRITICAL | register_send.php on D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices does not require authentication, which can result in unintended enrollment in mydlink Cloud Services.
CVE-2023-46249 | 1 Goauthentik | 1 Authentik | 2023-11-08 | N/A | 9.8 CRITICAL | authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. authentik uses a blueprint to create the default admin user, which can also optionally set the default admin user's password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again. authentik 2023.8.4 and 2023.10.2 fix this issue. As a workaround, ensure the default admin user (username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user and store it in a secure location such as a password manager. It is also possible to deactivate the user to prevent any logins as akadmin.
CVE-2022-3738 | 1 Wago | 14 Cc100, Cc100 Firmware, Edge Controller and 11 more | 2023-11-07 | N/A | 5.9 MEDIUM | The vulnerability allows a remote unauthenticated attacker to download a backup file, if one exists. That backup file might contain sensitive information like credentials and cryptographic material. A valid user has to create a backup after the last reboot for this attack to be successful.
CVE-2023-30744 | 1 Sap | 1 Netweaver Application Server For Java | 2023-11-07 | N/A | 9.1 CRITICAL | In SAP AS NetWeaver JAVA, versions SERVERCORE 7.50, J2EE-FRMW 7.50 and CORE-TOOLS 7.50, an unauthenticated attacker can attach to an open interface and make use of an open naming and directory API to instantiate an object whose methods can be called without further authorization and authentication. A subsequent call to one of these methods can read or change the state of existing services without any effect on availability.
CVE-2023-30643 | 1 Samsung | 1 Android | 2023-11-07 | N/A | 7.1 HIGH | Missing authentication vulnerability in Galaxy Themes Service prior to SMR Jul-2023 Release 1 allows local attackers to delete arbitrary non-preloaded applications.
CVE-2023-2704 | 1 Vibethemes | 1 Bp Social Connect | 2023-11-07 | N/A | 9.8 CRITICAL | The BP Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.5. This is due to insufficient verification of the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
CVE-2023-2834 | 1 Stylemixthemes | 1 Bookit | 2023-11-07 | N/A | 9.8 CRITICAL | The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification of the user being supplied when booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
CVE-2023-2781 | 1 Wisetr | 1 User Email Verification For Woocommerce | 2023-11-07 | N/A | 9.8 CRITICAL | The User Email Verification for WooCommerce plugin for WordPress is vulnerable to authentication bypass via authenticate_user_by_email in versions up to, and including, 3.5.0. This is due to a random token generation weakness in the resend_verification_email function. This allows unauthenticated attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Allow Automatic Login After Successful Verification setting to be enabled, which it is not by default.
CVE-2023-22803 | 1 Ls-electric | 2 Xbc-dn32u, Xbc-dn32u Firmware | 2023-11-07 | N/A | 7.5 HIGH | LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication to perform critical functions on the PLC. This could allow an attacker to change the PLC's mode arbitrarily.
CVE-2023-22804 | 1 Ls-electric | 2 Xbc-dn32u, Xbc-dn32u Firmware | 2023-11-07 | N/A | 9.8 CRITICAL | LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication to create users on the PLC. This could allow an attacker to create and use an account with elevated privileges and take control of the device.
CVE-2023-20126 | 1 Cisco | 2 Spa112, Spa112 Firmware | 2023-11-07 | N/A | 9.8 CRITICAL | A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges. Cisco has not released firmware updates to address this vulnerability.
CVE-2023-20003 | 1 Cisco | 16 Business 140ac Access Point, Business 140ac Access Point Firmware, Business 141acm and 13 more | 2023-11-07 | N/A | 8.8 HIGH | A vulnerability in the social login configuration option for the guest users of Cisco Business Wireless Access Points (APs) could allow an unauthenticated, adjacent attacker to bypass social login authentication. This vulnerability is due to a logic error in the social login implementation. An attacker could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to access the Guest Portal without authentication.
CVE-2023-1140 | 1 Deltaww | 1 Infrasuite Device Master | 2023-11-07 | N/A | 9.8 CRITICAL | Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability that could allow an attacker to achieve unauthenticated remote code execution in the context of an administrator.
CVE-2023-0102 | 1 Ls-electric | 2 Xbc-dn32u, Xbc-dn32u Firmware | 2023-11-07 | N/A | 9.1 CRITICAL | LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication for its deletion command. This could allow an attacker to delete arbitrary files.
CVE-2022-43761 | 1 Br-automation | 1 Industrial Automation Aprol | 2023-11-07 | N/A | 7.5 HIGH | Missing authentication when creating and managing the B&R APROL database in versions < R 4.2-07 allows reading and changing the system configuration.
CVE-2022-41776 | 1 Deltaww | 1 Infrasuite Device Master | 2023-11-07 | N/A | 7.5 HIGH | Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to trigger the WriteConfiguration method, which could allow an attacker to provide new values for user configuration files such as UserListInfo.xml. This could lead to the changing of administrative passwords.
CVE-2022-41688 | 1 Deltaww | 1 Infrasuite Device Master | 2023-11-07 | N/A | 7.5 HIGH | Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lack proper authentication for functions that create and modify user groups. An attacker could provide malicious serialized objects that could run these functions without authentication to create a new user and add them to the administrator group.