Total
1117 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3738 | 1 Wago | 14 Cc100, Cc100 Firmware, Edge Controller and 11 more | 2023-11-07 | N/A | 5.9 MEDIUM |
| The vulnerability allows a remote unauthenticated attacker to download a backup file, if one exists. That backup file might contain sensitive information like credentials and cryptographic material. A valid user has to create a backup after the last reboot for this attack to be successfull. | |||||
| CVE-2023-34329 | 1 Ami | 1 Megarac Sp-x | 2023-11-07 | N/A | 8.0 HIGH |
| AMI MegaRAC SPx12 contains a vulnerability in BMC where a User may cause an authentication bypass by spoofing the HTTP header. A successful exploit of this vulnerability may lead to loss of confidentiality, integrity, and availability. | |||||
| CVE-2023-30744 | 1 Sap | 1 Netweaver Application Server For Java | 2023-11-07 | N/A | 9.1 CRITICAL |
| In SAP AS NetWeaver JAVA - versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50, an unauthenticated attacker can attach to an open interface and make use of an open naming and directory API to instantiate an object which has methods which can be called without further authorization and authentication. A subsequent call to one of these methods can read or change the state of existing services without any effect on availability. | |||||
| CVE-2023-30643 | 1 Samsung | 1 Android | 2023-11-07 | N/A | 7.1 HIGH |
| Missing authentication vulnerability in Galaxy Themes Service prior to SMR Jul-2023 Release 1 allows local attackers to delete arbitrary non-preloaded applications. | |||||
| CVE-2023-2834 | 1 Stylemixthemes | 1 Bookit | 2023-11-07 | N/A | 9.8 CRITICAL |
| The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification on the user being supplied during booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. | |||||
| CVE-2023-2781 | 1 Wisetr | 1 User Email Verification For Woocommerce | 2023-11-07 | N/A | 9.8 CRITICAL |
| The User Email Verification for WooCommerce plugin for WordPress is vulnerable to authentication bypass via authenticate_user_by_email in versions up to, and including, 3.5.0. This is due to a random token generation weakness in the resend_verification_email function. This allows unauthenticated attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Allow Automatic Login After Successful Verification setting to be enabled, which it is not by default. | |||||
| CVE-2023-2704 | 1 Vibethemes | 1 Bp Social Connect | 2023-11-07 | N/A | 9.8 CRITICAL |
| The BP Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.5. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. | |||||
| CVE-2023-28326 | 1 Apache | 1 Openmeetings | 2023-11-07 | N/A | 9.8 CRITICAL |
| Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0 Description: Attacker can elevate their privileges in any room | |||||
| CVE-2023-22804 | 1 Ls-electric | 2 Xbc-dn32u, Xbc-dn32u Firmware | 2023-11-07 | N/A | 9.8 CRITICAL |
| LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication to create users on the PLC. This could allow an attacker to create and use an account with elevated privileges and take control of the device. | |||||
| CVE-2023-22803 | 1 Ls-electric | 2 Xbc-dn32u, Xbc-dn32u Firmware | 2023-11-07 | N/A | 7.5 HIGH |
| LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication to perform critical functions to the PLC. This could allow an attacker to change the PLC's mode arbitrarily. | |||||
| CVE-2023-20126 | 1 Cisco | 2 Spa112, Spa112 Firmware | 2023-11-07 | N/A | 9.8 CRITICAL |
| A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges. Cisco has not released firmware updates to address this vulnerability. | |||||
| CVE-2023-20003 | 1 Cisco | 16 Business 140ac Access Point, Business 140ac Access Point Firmware, Business 141acm and 13 more | 2023-11-07 | N/A | 8.8 HIGH |
| A vulnerability in the social login configuration option for the guest users of Cisco Business Wireless Access Points (APs) could allow an unauthenticated, adjacent attacker to bypass social login authentication. This vulnerability is due to a logic error with the social login implementation. An attacker could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to access the Guest Portal without authentication. | |||||
| CVE-2023-1140 | 1 Deltaww | 1 Infrasuite Device Master | 2023-11-07 | N/A | 9.8 CRITICAL |
| Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability that could allow an attacker to achieve unauthenticated remote code execution in the context of an administrator. | |||||
| CVE-2023-0102 | 1 Ls-electric | 2 Xbc-dn32u, Xbc-dn32u Firmware | 2023-11-07 | N/A | 9.1 CRITICAL |
| LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication for its deletion command. This could allow an attacker to delete arbitrary files. | |||||
| CVE-2022-43761 | 1 Br-automation | 1 Industrial Automation Aprol | 2023-11-07 | N/A | 7.5 HIGH |
| Missing authentication when creating and managing the B&R APROL database in versions < R 4.2-07 allows reading and changing the system configuration. | |||||
| CVE-2022-41776 | 1 Deltaww | 1 Infrasuite Device Master | 2023-11-07 | N/A | 7.5 HIGH |
| Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to trigger the WriteConfiguration method, which could allow an attacker to provide new values for user configuration files such as UserListInfo.xml. This could lead to the changing of administrative passwords. | |||||
| CVE-2022-41688 | 1 Deltaww | 1 Infrasuite Device Master | 2023-11-07 | N/A | 7.5 HIGH |
| Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lack proper authentication for functions that create and modify user groups. An attacker could provide malicious serialized objects that could run these functions without authentication to create a new user and add them to the administrator group. | |||||
| CVE-2022-41644 | 1 Deltaww | 1 Infrasuite Device Master | 2023-11-07 | N/A | 8.8 HIGH |
| Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lacks authentication for a function that changes group privileges. An attacker could use this to create a denial-of-service state or escalate their own privileges. | |||||
| CVE-2022-41629 | 1 Deltaww | 1 Infrasuite Device Master | 2023-11-07 | N/A | 9.1 CRITICAL |
| Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to access the aprunning endpoint, which could allow an attacker to retrieve any file from the “RunningConfigs” directory. The attacker could then view and modify configuration files such as UserListInfo.xml, which would allow them to see existing administrative passwords. | |||||
| CVE-2022-41331 | 1 Fortinet | 1 Fortiproxy | 2023-11-07 | N/A | 9.8 CRITICAL |
| A missing authentication for critical function vulnerability [CWE-306] in FortiPresence infrastructure server before version 1.2.1 allows a remote, unauthenticated attacker to access the Redis and MongoDB instances via crafted authentication requests. | |||||