Total: 1117 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-42473 | 1 Fortinet | 1 Fortisoar | 2022-11-03 | N/A | 5.5 MEDIUM |
| A missing authentication for a critical function vulnerability in Fortinet FortiSOAR 6.4.0 - 6.4.4 and 7.0.0 - 7.0.3 and 7.2.0 allows an attacker to disclose information via logging into the database using a privileged account without a password. | |||||
| CVE-2022-2474 | 1 Haascnc | 2 Haas Controller, Haas Controller Firmware | 2022-11-02 | N/A | 8.0 HIGH |
| Authentication is currently unsupported in Haas Controller version 100.20.000.1110 when using the “Ethernet Q Commands” service, which allows any user on the same network segment as the controller (even while connected remotely) to access the service and write unauthorized macros to the device. | |||||
| CVE-2021-20990 | 1 Fibaro | 4 Home Center 2, Home Center 2 Firmware, Home Center Lite and 1 more | 2022-10-29 | 7.8 HIGH | 7.5 HIGH |
| In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode. | |||||
| CVE-2021-36888 | 1 Blocksera | 1 Image Hover Effects | 2022-10-27 | 7.5 HIGH | 9.8 CRITICAL |
| Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate (versions <= 9.6.1) WordPress plugin. | |||||
| CVE-2021-37624 | 1 Freeswitch | 1 Freeswitch | 2022-10-27 | 5.0 MEDIUM | 7.5 HIGH |
| FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing. By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH: MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the `auth-messages` parameter to `true`, that is not the default setting. Abuse of this issue allows attackers to send SIP MESSAGE messages to any SIP user agent registered with the server without authenticating, and, since no authentication is required, chat messages can be spoofed to appear to come from trusted entities. Abuse can therefore lead to spam and enable social engineering, phishing and similar attacks. This issue is patched in version 1.10.7. The maintainers recommend that this SIP message type be authenticated by default so that FreeSWITCH administrators do not need to explicitly set the `auth-messages` parameter; when following such a recommendation, a new parameter can be introduced to explicitly disable authentication. | |||||
| CVE-2021-38457 | 1 Auvesy | 1 Versiondog | 2022-10-27 | 7.5 HIGH | 9.8 CRITICAL |
| The server permits communication without any authentication procedure, allowing the attacker to initiate a session with the server without providing any form of authentication. | |||||
| CVE-2021-38412 | 1 Digi | 2 Portserver Ts 16, Portserver Ts 16 Firmware | 2022-10-27 | 7.5 HIGH | 9.8 CRITICAL |
| Properly formatted POST requests to multiple resources on the HTTP and HTTPS web servers of the Digi PortServer TS 16 Rack device do not require authentication or authentication tokens. This vulnerability could allow an attacker to enable the SNMP service and manipulate the community strings to achieve further control. | |||||
| CVE-2021-33843 | 1 Fresenius-kabi | 2 Agilia Sp Mc Wifi, Agilia Sp Mc Wifi Firmware | 2022-10-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| Fresenius Kabi Agilia SP MC WiFi vD25 and prior has a default configuration page accessible without authentication. An attacker may use this functionality to change the exposed configuration values such as network settings. | |||||
| CVE-2022-38870 | 1 Free5gc | 1 Free5gc | 2022-10-26 | N/A | 7.5 HIGH |
| Free5gc v3.2.1 is vulnerable to information disclosure. | |||||
| CVE-2022-37062 | 1 Flir | 2 Flir Ax8, Flir Ax8 Firmware | 2022-10-26 | N/A | 7.5 HIGH |
| All FLIR AX8 thermal sensor cameras version up to and including 1.46.16 are affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the SQLite users database and download it. A successful exploit could allow the attacker to extract usernames and hashed passwords. | |||||
| CVE-2022-27623 | 1 Synology | 1 Diskstation Manager | 2022-10-26 | N/A | 9.1 CRITICAL |
| Missing authentication for critical function vulnerability in iSCSI management functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote attackers to read or write arbitrary files via unspecified vectors. | |||||
| CVE-2020-21996 | 1 Ave | 13 53ab-wbs, 53ab-wbs Firmware, Dominaplus and 10 more | 2022-10-26 | 5.0 MEDIUM | 7.5 HIGH |
| AVE DOMINAplus <=1.10.x suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario. | |||||
| CVE-2021-30167 | 1 Meritlilin | 82 P2g1022, P2g1022 Firmware, P2g1022x and 79 more | 2022-10-25 | 9.0 HIGH | 9.8 CRITICAL |
| The manage users profile service of the network camera device allows an authenticated remote attacker to modify URL parameters, amend other users' information and escalate privileges to control the device. | |||||
| CVE-2021-21964 | 1 Sealevel | 2 Seaconnect 370w, Seaconnect 370w Firmware | 2022-10-25 | 7.1 HIGH | 7.4 HIGH |
| A denial of service vulnerability exists in the Modbus configuration functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. Specially-crafted network packets can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. | |||||
| CVE-2021-22850 | 1 Hgiga | 1 Oaklouds Portal | 2022-10-25 | 7.5 HIGH | 9.8 CRITICAL |
| HGiga EIP product lacks effective access control in certain pages, which allows attackers to access the database or perform privileged functions. | |||||
| CVE-2020-23648 | 1 Asus | 2 Rt-n12e, Rt-n12e Firmware | 2022-10-24 | N/A | 7.5 HIGH |
| Asus RT-N12E 2.0.0.39 is affected by an incorrect access control vulnerability. Through system.asp / start_apply.htm, an attacker can change the administrator password without any authentication. | |||||
| CVE-2022-3327 | 1 Ikus-soft | 1 Rdiffweb | 2022-10-24 | N/A | 9.8 CRITICAL |
| Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0a6. | |||||
| CVE-2020-25634 | 1 Redhat | 2 3scale, 3scale Api Management | 2022-10-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| A flaw was found in Red Hat 3scale’s API docs URL, where it is accessible without credentials. This flaw allows an attacker to view sensitive information or modify service APIs. Versions before 3scale-2.10.0-ER1 are affected. | |||||
| CVE-2020-15798 | 1 Siemens | 20 Simatic Hmi Comfort Panels, Simatic Hmi Comfort Panels Firmware, Simatic Hmi Ktp Mobile Panels and 17 more | 2022-10-19 | 9.3 HIGH | 9.8 CRITICAL |
| A vulnerability has been identified in SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions < V16 Update 3a), SIMATIC HMI KTP Mobile Panels (All versions < V16 Update 3a), SINAMICS GH150 (All versions), SINAMICS GL150 (with option X30) (All versions), SINAMICS GM150 (with option X30) (All versions), SINAMICS SH150 (All versions), SINAMICS SL150 (All versions), SINAMICS SM120 (All versions), SINAMICS SM150 (All versions), SINAMICS SM150i (All versions). Affected devices with enabled telnet service do not require authentication for this service. This could allow a remote attacker to gain full access to the device. (ZDI-CAN-12046) | |||||
| CVE-2020-6294 | 2 Opengroup, Sap | 2 Unix, Businessobjects Business Intelligence Platform | 2022-10-19 | 6.4 MEDIUM | 9.1 CRITICAL |
| Xvfb of SAP Business Objects Business Intelligence Platform, versions 4.2 and 4.3, on Unix does not perform any authentication checks for functionalities that require user identity. | |||||
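The CVE-2021-37624 entry above describes the FreeSWITCH mitigation only by parameter name. The fragment below is an added example, not configuration shipped by the FreeSWITCH project, showing where that parameter lives in a Sofia SIP profile. It assumes the stock `conf/sip_profiles/internal.xml` layout (the `internal` profile name and the `auth-calls` line are from the default install; the profile has many other parameters, omitted here). The first `settings` block reproduces the pre-1.10.7 default, in which `auth-messages` is absent and MESSAGE requests are relayed unauthenticated; the second is the hardened form.

```xml
<!-- conf/sip_profiles/internal.xml (assumed path; fragment only) -->
<profile name="internal">

  <!-- WEAK: pre-1.10.7 default. Calls are authenticated, but no
       auth-messages parameter is set, so SIP MESSAGE requests are
       relayed to any registered user agent without a challenge. -->
  <settings>
    <param name="auth-calls" value="$${internal_auth_calls}"/>
  </settings>

  <!-- HARDENED: require authentication for SIP MESSAGE as well,
       closing the spam / spoofed-chat issue in CVE-2021-37624.
       Replace the block above with this one; keep only one
       <settings> element per profile. -->
  <settings>
    <param name="auth-calls" value="$${internal_auth_calls}"/>
    <param name="auth-messages" value="true"/>
  </settings>

</profile>
```

After editing the profile, reload it (`sofia profile internal rescan` or `restart` from `fs_cli`) and confirm the change by sending an unauthenticated MESSAGE from a non-registered client: the server should now answer with a 401/407 challenge instead of relaying it. Upgrading to 1.10.7 or later is the actual fix; the parameter is the workaround for versions that cannot be upgraded immediately.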
