Total
3328 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-36436 | 1 Osuosl | 1 Twisted Vnc Authentication Proxy | 2024-08-01 | N/A | 9.8 CRITICAL |
OSU Open Source Lab VNCAuthProxy through 1.1.1 is affected by an vncap/vnc/protocol.py VNCServerAuthenticator authentication-bypass vulnerability that could allow a malicious actor to gain unauthorized access to a VNC session or to disconnect a legitimate user from a VNC session. A remote attacker with network access to the proxy server could leverage this vulnerability to connect to VNC servers protected by the proxy server without providing any authentication credentials. Exploitation of this issue requires that the proxy server is currently accepting connections for the target VNC server. | |||||
CVE-2019-20464 | 1 Sannce | 2 Smart Hd Wifi Security Camera Ean 2 950004 595317, Smart Hd Wifi Security Camera Ean 2 950004 595317 Firmware | 2024-08-01 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. By default, a mobile application is used to stream over UDP. However, the device offers many more services that also enable streaming. Although the service used by the mobile application requires a password, the other streaming services do not. By initiating communication on the RTSP port, an attacker can obtain access to the video feed without authenticating. | |||||
CVE-2022-4001 | 2024-08-01 | N/A | 7.3 HIGH | ||
An authentication bypass vulnerability could allow an attacker to access API functions without authentication. | |||||
CVE-2023-45249 | 1 Acronis | 1 Cyber Infrastructure | 2024-07-30 | N/A | 9.8 CRITICAL |
Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132. | |||||
CVE-2021-38647 | 1 Microsoft | 10 Azure Automation State Configuration, Azure Automation Update Management, Azure Diagnostics \(lad\) and 7 more | 2024-07-29 | 7.5 HIGH | 9.8 CRITICAL |
Open Management Infrastructure Remote Code Execution Vulnerability | |||||
CVE-2021-38648 | 1 Microsoft | 10 Azure Automation State Configuration, Azure Automation Update Management, Azure Diagnostics \(lad\) and 7 more | 2024-07-29 | 4.6 MEDIUM | 7.8 HIGH |
Open Management Infrastructure Elevation of Privilege Vulnerability | |||||
CVE-2024-6576 | 2024-07-29 | N/A | 7.3 HIGH | ||
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3. | |||||
CVE-2024-7050 | 2024-07-29 | N/A | N/A | ||
Improper Authentication vulnerability in OpenText OpenText Directory Services may allow Multi-factor Authentication Bypass in particular scenarios.This issue affects OpenText Directory Services: 24.2. | |||||
CVE-2022-45168 | 1 Liveboxcloud | 1 Vdesk | 2024-07-26 | N/A | 6.5 MEDIUM |
An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/createbackupcodes endpoint, because the application allows a user to generate or regenerate the backup codes before checking the TOTP. | |||||
CVE-2023-46942 | 1 Evershop | 1 Evershop | 2024-07-25 | N/A | 7.5 HIGH |
Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.8, allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints. | |||||
CVE-2021-33766 | 1 Microsoft | 1 Exchange Server | 2024-07-24 | 5.0 MEDIUM | 7.3 HIGH |
Microsoft Exchange Server Information Disclosure Vulnerability | |||||
CVE-2022-23134 | 3 Debian, Fedoraproject, Zabbix | 3 Debian Linux, Fedora, Zabbix | 2024-07-24 | 5.0 MEDIUM | 5.3 MEDIUM |
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend. | |||||
CVE-2024-40648 | 2024-07-19 | N/A | 5.4 MEDIUM | ||
matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. The `UserIdentity::is_verified()` method in the matrix-sdk-crypto crate before version 0.7.2 doesn't take into account the verification status of the user's own identity while performing the check and may as a result return a value contrary to what is implied by its name and documentation. If the method is used to decide whether to perform sensitive operations towards a user identity, a malicious homeserver could manipulate the outcome in order to make the identity appear trusted. This is not a typical usage of the method, which lowers the impact. The method itself is not used inside the `matrix-sdk-crypto` crate. The 0.7.2 release of the `matrix-sdk-crypto` crate includes a fix. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2024-39767 | 1 Mattermost | 1 Mattermost Mobile | 2024-07-16 | N/A | 6.5 MEDIUM |
Mattermost Mobile Apps versions <=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server’s diagnostic ID or server URL and have them show up in mobile apps as that server’s push notifications. | |||||
CVE-2013-0625 | 4 Adobe, Apple, Microsoft and 1 more | 4 Coldfusion, Mac Os X, Windows and 1 more | 2024-07-16 | 6.8 MEDIUM | 9.8 CRITICAL |
Adobe ColdFusion 9.0, 9.0.1, and 9.0.2, when a password is not configured, allows remote attackers to bypass authentication and possibly execute arbitrary code via unspecified vectors, as exploited in the wild in January 2013. | |||||
CVE-2024-38433 | 1 Nuvoton | 8 Npcm705r, Npcm705r Firmware, Npcm710r and 5 more | 2024-07-15 | N/A | 6.7 MEDIUM |
Nuvoton - CWE-305: Authentication Bypass by Primary Weakness An attacker with write access to the SPI-Flash on an NPCM7xx BMC subsystem that uses the Nuvoton BootBlock reference code can modify the u-boot image header on flash parsed by the BootBlock which could lead to arbitrary code execution. | |||||
CVE-2024-30299 | 1 Adobe | 1 Framemaker Publishing Server | 2024-07-15 | N/A | 9.8 CRITICAL |
Adobe Framemaker Publishing Server versions 2020.3, 2022.2 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interaction. | |||||
CVE-2024-5432 | 1 Webinane | 1 Lifeline Donation | 2024-07-15 | N/A | 9.8 CRITICAL |
The Lifeline Donation plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.6. This is due to insufficient verification on the user being supplied during the checkout through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. | |||||
CVE-2024-6397 | 1 Instawp | 1 Instawp Connect | 2024-07-12 | N/A | 9.8 CRITICAL |
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed in 0.1.0.44, but was still exploitable via Cross-Site Request Forgery. | |||||
CVE-2024-38099 | 1 Microsoft | 6 Windows Server 2008, Windows Server 2012, Windows Server 2016 and 3 more | 2024-07-11 | N/A | 5.9 MEDIUM |
Windows Remote Desktop Licensing Service Denial of Service Vulnerability |