Total: 1117 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-40585 | 1 Metal3 | 1 Ironic-image | 2023-09-01 | N/A | 7.5 HIGH | ironic-image is a container image to run OpenStack Ironic as part of Metal³. Prior to version capm3-v1.4.3, if Ironic is not deployed with TLS and does not have the API and Conductor split into separate services, access to the API is not protected by any authentication. The Ironic API also listens on the host network, so if the node is not behind a firewall the API can be accessed by anyone over the network without authentication. By default, the Ironic API in Metal3 is protected by TLS and basic authentication, so this vulnerability requires the operator to configure the API without TLS for it to be vulnerable. TLS and authentication, however, should not be coupled as they are in versions prior to capm3-v1.4.3. A patch exists in versions capm3-v1.4.3 and newer. Some workarounds are available: either configure TLS for the Ironic API (`deploy.sh -t ...`, `IRONIC_TLS_SETUP=true`) or split the Ironic API and Conductor via a configuration change (old implementation, not recommended). With both workarounds, services are configured with an httpd front-end, which has proper authentication configuration in place. |
| CVE-2018-9119 | 1 Brilliantts | 3 Fuze Card, Fuze Card Ble Firmware, Fuze Card Mcu Firmware | 2023-08-31 | 3.6 LOW | 6.1 MEDIUM | An attacker with physical access to a BrilliantTS FUZE card (MCU firmware 0.1.73, BLE firmware 0.7.4) can unlock the card, extract credit card numbers, and tamper with data on the card via Bluetooth because no authentication is needed, as demonstrated by gatttool. |
| CVE-2023-38028 | 1 Saho | 4 Adm-100, Adm-100 Firmware, Adm-100fp and 1 more | 2023-08-29 | N/A | 9.1 CRITICAL | Saho's attendance devices ADM100 and ADM-100FP have insufficient authentication. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication, read system information and operate on user data, but cannot control the system or disrupt service. |
| CVE-2023-38030 | 1 Saho | 4 Adm-100, Adm-100 Firmware, Adm-100fp and 1 more | 2023-08-29 | N/A | 7.5 HIGH | Saho's attendance devices ADM100 and ADM-100FP have a vulnerability of missing authentication for critical functions. An unauthenticated remote attacker can execute system commands through partial website URLs to read sensitive device information without permission. |
| CVE-2023-4334 | 1 Broadcom | 1 Raid Controller Web Interface | 2023-08-21 | N/A | 7.5 HIGH | The Broadcom RAID Controller web server (nginx) serves private files without any authentication. |
| CVE-2023-4335 | 2 Broadcom, Linux | 2 Raid Controller Web Interface, Linux Kernel | 2023-08-21 | N/A | 7.5 HIGH | The Broadcom RAID Controller web server (nginx) serves private server-side files without any authentication on Linux. |
| CVE-2019-13194 | 1 Brother | 600 Ads-2400n, Ads-2400n Firmware, Ads-2800w and 597 more | 2023-08-16 | 5.0 MEDIUM | 7.5 HIGH | Some Brother printers (such as the HL-L8360CDW v1.20) were affected by different information disclosure vulnerabilities that provided sensitive information to an unauthenticated user who visits a specific URL. |
| CVE-2022-28771 | 1 Sap | 1 Business One License Service Api | 2023-08-14 | 5.0 MEDIUM | 7.5 HIGH | Due to a missing authentication check, the SAP Business One License Service API, version 10.0, allows an unauthenticated attacker to send malicious HTTP requests over the network. On successful exploitation, an attacker can break the whole application, making it inaccessible. |
| CVE-2023-37373 | 1 Siemens | 1 Ruggedcom Crossbow | 2023-08-10 | N/A | 7.5 HIGH | A vulnerability has been identified in RUGGEDCOM CROSSBOW (all versions < V5.4). The affected applications accept unauthenticated file write messages. An unauthenticated remote attacker could write arbitrary files to the affected application's file system. |
| CVE-2022-35136 | 1 Boodskap | 1 Iot Platform | 2023-08-08 | N/A | 6.5 MEDIUM | Boodskap IoT Platform v4.4.9-02 allows attackers to make unauthenticated API requests. |
| CVE-2022-24935 | 1 Lexmark | 2 Lexmark, Lexmark Firmware | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH | Lexmark products through 2022-02-10 have incorrect access control. |
| CVE-2021-42889 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH | In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, wifiname, etc.) without authorization. |
| CVE-2022-24190 | 1 Sz-fujia | 1 Ourphoto | 2023-08-08 | N/A | 7.5 HIGH | The /device/acceptBind endpoint of the Ourphoto app version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this endpoint. An attacker can send a request to bind their account to any user's picture frame, then send a POST request to accept their own bind request, without the end user's approval or interaction. |
| CVE-2022-31701 | 2 Linux, Vmware | 4 Linux Kernel, Access, Cloud Foundation and 1 more | 2023-08-08 | N/A | 5.3 MEDIUM | VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. |
| CVE-2022-35572 | 1 Linksys | 2 E5350, E5350 Firmware | 2023-08-08 | N/A | 7.5 HIGH | On the Linksys E5350 WiFi router with firmware version 1.0.00.037 and lower (and potentially other vendors/devices due to code reuse), the /SysInfo.htm URI does not require a session ID. This web page calls a show_sysinfo function which retrieves WPA passwords, SSIDs, MAC addresses, serial numbers, WPS PINs, and hardware/firmware versions, and prints this information into the web page. This web page is visible when remote management is enabled. A user who has access to the web interface of the device can extract these secrets. If the device has remote management enabled and is connected directly to the internet, this vulnerability is exploitable over the internet without interaction. |
| CVE-2022-3312 | 1 Google | 1 Chrome | 2023-08-08 | N/A | 4.6 MEDIUM | Insufficient validation of untrusted input in VPN in Google Chrome on ChromeOS prior to 106.0.5249.62 allowed a local attacker to bypass managed device restrictions via physical access to the device. (Chromium security severity: Medium) |
| CVE-2022-44216 | 1 Sir | 1 Gnuboard | 2023-08-08 | N/A | 7.5 HIGH | Gnuboard 5.5.4 and 5.5.5 are vulnerable to insecure permissions. An attacker can change the passwords of all users without knowing the victim's original password. |
| CVE-2022-47703 | 1 Tianjie | 2 Cpe906-3, Cpe906-3 Firmware | 2023-08-08 | N/A | 7.5 HIGH | TIANJIE CPE906-3 is vulnerable to password disclosure. This is present on Software Version WEB5.0_LCD_20200513, Firmware Version MV8.003, and Hardware Version CPF906-V5.0_LCD_20200513. |
| CVE-2022-45423 | 1 Dahuasecurity | 8 Dhi-dss4004-s2, Dhi-dss4004-s2 Firmware, Dhi-dss7016d-s2 and 5 more | 2023-08-08 | N/A | 7.5 HIGH | Some Dahua software products have a vulnerability of unauthenticated request of MQTT credentials. An attacker can obtain encrypted MQTT credentials by sending a specifically crafted packet to the vulnerable interface (the credentials cannot be directly exploited). |
| CVE-2021-31814 | 1 Stormshield | 1 Stormshield Network Security | 2023-08-08 | 3.6 LOW | 6.1 MEDIUM | In Stormshield 1.1.0, and 2.1.0 through 2.9.0, an attacker can block a client from accessing the VPN and can obtain sensitive information through the SN VPN SSL Client. |
