Total
1252 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5022 | 2 Ibm, Linux | 2 Spectrum Protect Plus, Linux Kernel | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Spectrum Protect Plus 10.1.0 through 10.1.6 may allow unauthenticated and unauthorized access to VDAP proxy which can result in an attacker obtaining information they are not authorized to access. IBM X-Force ID: 193658. | |||||
| CVE-2020-28946 | 1 Plummac | 2 Ik-401, Ik-401 Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An improper webserver configuration on Plum IK-401 devices with firmware before 1.02 allows an attacker (with network access to the device) to obtain the configuration file, including hashed credential data. Successful exploitation could allow access to hashed credential data with a single unauthenticated GET request. | |||||
| CVE-2020-26876 | 1 Wpcoursesplugin | 1 Wp-courses | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because show_in_rest is enabled for custom post types (e.g., /wp-json/wp/v2/course and /wp-json/wp/v2/lesson exist). | |||||
| CVE-2019-12120 | 1 Onap | 1 Open Network Automation Platform | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in ONAP VNFSDK through Dublin. By accessing port 8000 of demo-vnfsdk-vnfsdk, an unauthenticated attacker (who already has access to pod-to-pod communication) may execute arbitrary code inside that pod. All ONAP Operations Manager (OOM) setups are affected. | |||||
| CVE-2020-29311 | 1 Ubilling | 1 Ubilling | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| Ubilling v1.0.9 allows Remote Command Execution as Root user by executing a malicious command that is injected inside the config file and being triggered by another part of the software. | |||||
| CVE-2020-9278 | 1 Dlink | 2 Dsl-2640b, Dsl-2640b Firmware | 2021-07-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. The device can be reset to its default configuration by accessing an unauthenticated URL. | |||||
| CVE-2019-20624 | 1 Google | 1 Android | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software. S-Voice leaks keyboard learned words via the lock screen. The Samsung ID is SVE-2018-12981 (February 2019). | |||||
| CVE-2020-35951 | 1 Expresstech | 1 Quiz And Survey Master | 2021-07-21 | 6.4 MEDIUM | 9.9 CRITICAL |
| An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended for a person to delete their own quiz-answer files). | |||||
| CVE-2020-28937 | 1 Openclinic Project | 1 Openclinic | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| OpenClinic version 0.8.2 is affected by a missing authentication vulnerability that allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application, via a direct request for the /tests/ URI. | |||||
| CVE-2020-23448 | 1 Newbee-mall Project | 1 Newbee-mall | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| newbee-mall all versions are affected by incorrect access control to remotely gain privileges through AdminLoginInterceptor.java. The authentication logic of the system's background /admin is in code AdminLoginInterceptor, which can be bypassed. | |||||
| CVE-2020-9544 | 1 D-link | 2 Dsl-2640b, Dsl-2640b Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on D-Link DSL-2640B E1 EU_1.01 devices. The administrative interface doesn't perform authentication checks for a firmware-update POST request. Any attacker that can access the administrative interface can install firmware of their choice. | |||||
| CVE-2019-5514 | 1 Vmware | 1 Fusion | 2021-07-21 | 6.8 MEDIUM | 8.8 HIGH |
| VMware VMware Fusion (11.x before 11.0.3) contains a security vulnerability due to certain unauthenticated APIs accessible through a web socket. An attacker may exploit this issue by tricking the host user to execute a JavaScript to perform unauthorized functions on the guest machine where VMware Tools is installed. This may further be exploited to execute commands on the guest machines. | |||||
| CVE-2020-9349 | 1 Cacagoo | 2 Tv-288zd-2mp, Tv-288zd-2mp Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| The CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 allows access to the RTSP service without a password. | |||||
| CVE-2018-4840 | 1 Siemens | 17 Digsi 4, En100 Ethernet Module Dnp3, En100 Ethernet Module Dnp3 Firmware and 14 more | 2021-07-13 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in DIGSI 4 (All versions < V4.92), EN100 Ethernet module DNP3 variant (All versions < V1.05.00), EN100 Ethernet module IEC 104 variant (All versions), EN100 Ethernet module IEC 61850 variant (All versions < V4.30), EN100 Ethernet module Modbus TCP variant (All versions), EN100 Ethernet module PROFINET IO variant (All versions). The device engineering mechanism allows an unauthenticated remote user to upload a modified device configuration overwriting access authorization passwords. | |||||
| CVE-2021-28809 | 1 Qnap | 2 Hybrid Backup Sync, Qts | 2021-07-12 | 10.0 HIGH | 9.8 CRITICAL |
| An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3. If exploited, this vulnerability allows attackers to compromise the security of the operating system.QNAP have already fixed this vulnerability in the following versions of HBS 3: QTS 4.3.6: HBS 3 v3.0.210507 and later QTS 4.3.4: HBS 3 v3.0.210506 and later QTS 4.3.3: HBS 3 v3.0.210506 and later | |||||
| CVE-2021-20474 | 1 Ibm | 1 Guardium Data Encryption | 2021-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. | |||||
| CVE-2021-32659 | 1 Matrix | 1 Matrix-appservice-bridge | 2021-07-09 | 3.5 LOW | 4.9 MEDIUM |
| Matrix-appservice-bridge is the bridging service for the Matrix communication program's application services. In versions 2.6.0 and earlier, if a bridge has room upgrade handling turned on in the configuration (the `roomUpgradeOpts` key when instantiating a new `Bridge` instance.), any `m.room.tombstone` event it encounters will be used to unbridge the current room and bridge into the target room. However, the target room `m.room.create` event is not checked to verify if the `predecessor` field contains the previous room. This means that any malicious admin of a bridged room can repoint the traffic to a different room without the new room being aware. Versions 2.6.1 and greater are patched. As a workaround, disabling the automatic room upgrade handling can be done by removing the `roomUpgradeOpts` key from the `Bridge` class options. | |||||
| CVE-2021-33221 | 1 Commscope | 1 Ruckus Iot Controller | 2021-07-09 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. There are Unauthenticated API Endpoints. | |||||
| CVE-2020-35184 | 1 Docker | 1 Composer Docker Image | 2021-07-08 | 10.0 HIGH | 9.8 CRITICAL |
| The official composer docker images before 1.8.3 contain a blank password for a root user. System using the composer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2021-31337 | 1 Siemens | 6 Sinamics Sl150, Sinamics Sl150 Firmware, Sinamics Sm150 and 3 more | 2021-07-02 | 6.8 MEDIUM | 9.8 CRITICAL |
| The Telnet service of the SIMATIC HMI Comfort Panels system component in affected products does not require authentication, which may allow a remote attacker to gain access to the device if the service is enabled. Telnet is disabled by default on the SINAMICS Medium Voltage Products (SINAMICS SL150: All versions, SINAMICS SM150: All versions, SINAMICS SM150i: All versions). | |||||