Total
3376 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-16464 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 3.5 LOW | 5.7 MEDIUM |
| A missing access check in Nextcloud Server prior to 14.0.0 could lead to continued access to password protected link shares when the owner had changed the password. | |||||
| CVE-2018-16286 | 1 Lg | 1 Supersign Cms | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| LG SuperSign CMS allows authentication bypass because the CAPTCHA requirement is skipped if a captcha:pass cookie is sent, and because the PIN is limited to four digits. | |||||
| CVE-2018-16219 | 1 Audiocodes | 2 405hd, 405hd Firmware | 2024-11-21 | 3.3 LOW | 8.8 HIGH |
| A missing password verification in the web interface in AudioCodes 405HD VoIP phone with firmware 2.2.12 allows an remote attacker (in the same network as the device) to change the admin password without authentication via a POST request. | |||||
| CVE-2018-16160 | 2 Ftsafe, Microsoft | 3 Securecore, Windows 8, Windows 8.1 | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| SecureCore Standard Edition Version 2.x allows an attacker to bypass the product 's authentication to log in to a Windows PC. | |||||
| CVE-2018-15819 | 1 Easyio | 2 Easyio 30p, Easyio 30p Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| EasyIO EasyIO-30P devices before 2.0.5.27 have Incorrect Access Control, related to webuser.js. | |||||
| CVE-2018-15751 | 1 Saltstack | 1 Salt | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi). | |||||
| CVE-2018-15727 | 2 Grafana, Redhat | 2 Grafana, Ceph Storage | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user. | |||||
| CVE-2018-15721 | 1 Logitech | 2 Harmony Hub, Harmony Hub Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The XMPP server in Logitech Harmony Hub before version 4.15.206 is vulnerable to authentication bypass via a crafted XMPP request. Remote attackers can use this vulnerability to gain access to the local API. | |||||
| CVE-2018-15667 | 1 Airmailapp | 1 Airmail | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. It registers and uses the airmail:// URL scheme. The "send" command in the URL scheme allows an external application to send arbitrary emails from an active account without authentication. The handler has no restriction on who can use its functionality. The handler can be invoked using any method that invokes the URL handler such as a hyperlink in an email. The user is not prompted when the handler processes the "send" command, thus leading to automatic transmission of an attacker crafted email from the target account. | |||||
| CVE-2018-15598 | 1 Traefik | 1 Traefik | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable. | |||||
| CVE-2018-15556 | 1 Actiontec | 2 Web6000q, Web6000q Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The Quantenna WiFi Controller on Telus Actiontec WEB6000Q v1.1.02.22 allows login with root level access with the user "root" and an empty password by using the enabled onboard UART headers. | |||||
| CVE-2018-15543 | 1 Telegram | 1 Telegram | 2024-11-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| An issue was discovered in the org.telegram.messenger application 4.8.11 for Android. The FingerprintManager class for Biometric validation allows authentication bypass through the callback method from onAuthenticationFailed to onAuthenticationSucceeded with null, because the fingerprint API in conjunction with the Android keyGenerator class is not implemented. In other words, an attacker could authenticate with an arbitrary fingerprint. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred | |||||
| CVE-2018-15542 | 1 Telegram | 1 Telegram | 2024-11-21 | 4.4 MEDIUM | 6.4 MEDIUM |
| An issue was discovered in the org.telegram.messenger application 4.8.11 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method's return value to true. In other words, an attacker could authenticate with an arbitrary passcode. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred | |||||
| CVE-2018-15485 | 1 Kone | 2 Group Controller, Group Controller Firmware | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. FTP does not require authentication or authorization, aka KONE-03. | |||||
| CVE-2018-15479 | 1 Mystrom | 12 Wifi Bulb, Wifi Bulb Firmware, Wifi Button and 9 more | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. Devices did not authenticate themselves to the cloud in device to cloud communication. This lack of device authentication allowed an attacker to impersonate any device by guessing or learning their MAC address. | |||||
| CVE-2018-15478 | 1 Mystrom | 12 Wifi Bulb, Wifi Bulb Firmware, Wifi Button and 9 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. The process of registering a device with a cloud account was based on an activation code derived from the device MAC address. By guessing valid MAC addresses or using MAC addresses printed on devices in shops and reverse engineering the protocol, an attacker would have been able to register previously unregistered devices to their account. When the rightful owner would have connected them after purchase to their WiFi network, the devices would not have registered with their account, would subsequently not have been controllable from the owner's mobile app, and would not have been visible in the owner's account. Instead, they would have been under control of the attacker. | |||||
| CVE-2018-15371 | 1 Cisco | 1 Ios Xe | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the shell access request mechanism of Cisco IOS XE Software could allow an authenticated, local attacker to bypass authentication and gain unrestricted access to the root shell of an affected device. The vulnerability exists because the affected software has insufficient authentication mechanisms for certain commands. An attacker could exploit this vulnerability by requesting access to the root shell of an affected device, after the shell access feature has been enabled. A successful exploit could allow the attacker to bypass authentication and gain unrestricted access to the root shell of the affected device. | |||||
| CVE-2018-15152 | 1 Open-emr | 1 Openemr | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_results.php, (6) portal/get_medications.php, (7) portal/get_patient_documents.php, (8) portal/get_problems.php, (9) portal/get_profile.php, (10) portal/portal_payment.php, (11) portal/messaging/messages.php, (12) portal/messaging/secure_chat.php, (13) portal/report/pat_ledger.php, (14) portal/report/portal_custom_report.php, or (15) portal/report/portal_patient_report.php without authenticating as a patient. | |||||
| CVE-2018-14868 | 1 Odoo | 1 Odoo | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Incorrect access control in the Password Encryption module in Odoo Community 9.0 and Odoo Enterprise 9.0 allows authenticated users to change the password of other users without knowing their current password via a crafted RPC call. | |||||
| CVE-2018-14805 | 1 Hitachienergy | 1 Esoms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| ABB eSOMS version 6.0.2 may allow unauthorized access to the system when LDAP is set to allow anonymous authentication, and specific key values within the eSOMS web.config file are present. Both conditions are required to exploit this vulnerability. | |||||