Total: 1252 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2019-18925 | 1 Systematic | 1 Iris Webforms | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL | Systematic IRIS WebForms 5.4 and its functionalities can be accessed and used without any form of authentication.
CVE-2019-12500 | 1 Mi | 2 M365, M365 Firmware | 2020-08-24 | 3.3 LOW | 6.5 MEDIUM | The Xiaomi M365 scooter 2019-02-12 before 1.5.1 allows spoofing of "suddenly accelerate" commands. This occurs because Bluetooth Low Energy commands have no server-side authentication check. Other affected commands include suddenly braking, locking, and unlocking.
CVE-2019-16906 | 1 Infosysta | 1 In-app & Desktop Notifications | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in the Infosysta "In-App & Desktop Notifications" app 1.6.13_J8 for Jira. By using plugins/servlet/nfj/PushNotification?username= with a modified username, a different user's notifications can be read without authentication/authorization. These notifications are then no longer displayed to the normal user.
CVE-2019-11466 | 1 Couchbase | 1 Couchbase Server | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM | In Couchbase Server 6.0.0 and 5.5.0, the eventing service exposes the system diagnostic profile via an HTTP endpoint that does not require credentials on a port earmarked for internal traffic only. This has been remedied in version 6.0.1, which now requires valid credentials for access.
CVE-2019-9727 | 1 Eq-3 | 2 Ccu3, Ccu3 Firmware | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH | Unauthenticated password hash disclosure in the User.getUserPWD method in eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to retrieve the GUI password hashes of GUI users. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.
CVE-2019-9871 | 1 Jector | 2 Fm-k75, Fm-k75 Firmware | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL | Jector Smart TV FM-K75 devices allow remote code execution because there is an open adb port with root permission.
CVE-2019-13405 | 1 Androvideo | 2 Vd 1, Vd 1 Firmware | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL | A broken access control vulnerability found in Advan VD-1 firmware version 230 leads to an insecure ADB service. An attacker can send a POST request to cgibin/AdbSetting.cgi to enable ADB without any authentication, then use the compromised device as a relay or install mining software.
CVE-2019-10119 | 1 Eq-3 | 4 Ccu2, Ccu2 Firmware, Ccu3 and 1 more | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL | eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16 use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID via an invalid login attempt to the RemoteApi account, aka HMCCU-154. This leads to automatic login as admin.
CVE-2019-19822 | 11 Ciktel, Coship, Fg-products and 8 more | 36 Mesh Router, Mesh Router Firmware, Emta Ap and 33 more | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH | A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) allows remote attackers to retrieve the configuration, including sensitive data (usernames and passwords). This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0; Rutek RTK 11N AP through 2019-12-12; Sapido GR297n through 2019-12-12; CIK TELECOM MESH ROUTER through 2019-12-12; KCTVJEJU Wireless AP through 2019-12-12; Fibergate FGN-R2 through 2019-12-12; Hi-Wifi MAX-C300N through 2019-12-12; HCN MAX-C300N through 2019-12-12; T-broad GN-866ac through 2019-12-12; Coship EMTA AP through 2019-12-12; and IO-Data WN-AC1167R through 2019-12-12.
CVE-2019-12390 | 1 Anviz | 1 Anviz Firmware | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM | Anviz access control devices expose private information (PIN code and name) by allowing remote attackers to query this information without credentials via port tcp/5010.
CVE-2019-12289 | 1 Vstracam | 4 C38s, C38s Firmware, C7824wip and 1 more | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL | An issue was discovered in upgrade_firmware.cgi on VStarcam 100T (C7824WIP) CH-sys-48.53.75.119~123 and 200V (C38S) CH-sys-48.53.203.119~123 devices. A remote command can be executed through a system firmware update without authentication. The attacker can modify the files within the internal firmware or even steal account information by executing a command.
CVE-2019-15102 | 1 Sahipro | 1 Sahi Pro | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Tyto Sahi Pro 6.x through 8.0.0. TestRunner_Non_distributed (and distributed end points) does not have any authentication mechanism. This allows an attacker to execute an arbitrary script on the remote Sahi Pro server. There is also a password-protected web interface intended for remote access to scripts. This web interface lacks server-side validation, which allows an attacker to create/modify/delete a script remotely without any password. Chaining both of these issues results in remote code execution on the Sahi Pro server.
CVE-2019-12505 | 1 Inateck | 2 Wp1001, Wp1001 Firmware | 2020-08-24 | 8.3 HIGH | 8.8 HIGH | Due to unencrypted and unauthenticated data communication, the wireless presenter Inateck WP1001 v1.3C is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device.
CVE-2019-9974 | 1 Dasannetworks | 2 H660rm, H660rm Firmware | 2020-08-24 | 6.4 MEDIUM | 9.1 CRITICAL | diag_tool.cgi on DASAN H660RM GPON routers with firmware 1.03-0022 lacks any authorization check, which allows remote attackers to run a ping command via a GET request to enumerate LAN devices or crash the router with a DoS attack.
CVE-2019-10042 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2020-08-24 | 7.8 HIGH | 7.5 HIGH | The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An attacker can get this token from dir_login.asp and use the API URL /goform/LoadDefaultSettings to reset the router without authentication.
CVE-2019-10040 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL | The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An attacker can get this token from dir_login.asp and use a hidden API URL /goform/SystemCommand to execute a system command without authentication.
CVE-2019-17512 | 1 Dlink | 2 Dir-412, Dir-412 Firmware | 2020-08-24 | 6.4 MEDIUM | 9.1 CRITICAL | There are some web interfaces without authentication requirements on D-Link DIR-412 A1-1.14WW routers. An attacker can clear the router's log file via act=clear&logtype=sysact to log_clear.php, which could be used to erase attack traces.
CVE-2019-15932 | 1 Intesync | 1 Solismed | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL | Intesync Solismed 3.3sp has Incorrect Access Control.
CVE-2019-17219 | 1 Vzug | 2 Combi-stream Mslq, Combi-stream Mslq Firmware | 2020-08-24 | 5.8 MEDIUM | 8.8 HIGH | An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. By default, the device does not enforce any authentication. An adjacent attacker is able to use the network interface without proper access control.
CVE-2019-0246 | 1 Sap | 1 Cloud Connector | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL | SAP Cloud Connector, before version 2.11.3, does not perform any authentication checks for functionalities that require user identity.