Total
141 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-37011 | 1 Mendix | 1 Saml | 2024-02-28 | N/A | 9.8 CRITICAL |
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions < V1.17.0), Mendix SAML (Mendix 8 compatible) (All versions < V2.3.0), Mendix SAML (Mendix 9 compatible, New Track) (All versions < V3.3.1), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions < V3.3.0). Affected versions of the module insufficiently protect from packet capture replay. This could allow unauthorized remote attackers to bypass authentication and get access to the application. For compatibility reasons, fix versions still contain this issue, but only when the not recommended, non default configuration option `'Allow Idp Initiated Authentication'` is enabled. | |||||
CVE-2022-40621 | 1 Wavlink | 2 Wn531g3, Wn531g3 Firmware | 2024-02-28 | N/A | 7.5 HIGH |
Because the WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 and earlier communicates over HTTP and not HTTPS, and because the hashing mechanism does not rely on a server-supplied key, it is possible for an attacker with sufficient network access to capture the hashed password of a logged on user and use it in a classic Pass-the-Hash style attack. | |||||
CVE-2022-33971 | 1 Omron | 104 Nj-pa3001, Nj-pa3001 Firmware, Nj-pd3001 and 101 more | 2024-02-28 | 5.4 MEDIUM | 7.5 HIGH |
Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V 1.48 and earlier, which may allow an adjacent attacker who can analyze the communication between the controller and the specific software used by OMRON internally to cause a denial-of-service (DoS) condition or execute a malicious program. | |||||
CVE-2022-36089 | 1 Kubevela | 1 Kubevela | 2024-02-28 | N/A | 9.8 CRITICAL |
KubeVela is an application delivery platform Users using KubeVela's VelaUX APIServer could be affected by an authentication bypass vulnerability. In KubeVela prior to versions 1.4.11 and 1.5.4, VelaUX APIServer uses the `PlatformID` as the signed key to generate the JWT tokens for users. Another API called `getSystemInfo` exposes the platformID. This vulnerability allows users to use the platformID to re-generate the JWT tokens to bypass the authentication. Versions 1.4.11 and 1.5.4 contain a patch for this issue. | |||||
CVE-2022-31158 | 1 Packback | 1 Lti 1.3 Tool Library | 2024-02-28 | N/A | 7.5 HIGH |
LTI 1.3 Tool Library is a library used for building IMS-certified LTI 1.3 tool providers in PHP. Prior to version 5.0, the Nonce Claim Value was not being validated against the nonce value sent in the Authentication Request. Users should upgrade to version 5.0 to receive a patch. There are currently no known workarounds. | |||||
CVE-2022-29475 | 1 Goabode | 2 Iota All-in-one Security Kit, Iota All-in-one Security Kit Firmware | 2024-02-28 | N/A | 8.1 HIGH |
An information disclosure vulnerability exists in the XFINDER functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted man-in-the-middle attack can lead to increased privileges. An attacker can perform a man-in-the-middle attack to trigger this vulnerability. | |||||
CVE-2022-29593 | 1 Dingtian-tech | 2 Dt-r004, Dt-r004 Firmware | 2024-02-28 | N/A | 5.9 MEDIUM |
relay_cgi.cgi on Dingtian DT-R002 2CH relay devices with firmware 3.1.276A allows an attacker to replay HTTP post requests without the need for authentication or a valid signed/authorized request. | |||||
CVE-2022-37418 | 3 Hyundai, Kia, Nissan | 6 Hyundai, Hyundai Firmware, Kia and 3 more | 2024-02-28 | N/A | 6.4 MEDIUM |
The Remote Keyless Entry (RKE) receiving unit on certain Nissan, Kia, and Hyundai vehicles through 2017 allows remote attackers to perform unlock operations and force a resynchronization after capturing two consecutive valid key fob signals over the radio, aka a RollBack attack. The attacker retains the ability to unlock indefinitely. | |||||
CVE-2022-42731 | 1 Django-mfa2 Project | 1 Django-mfa2 | 2024-02-28 | N/A | 7.5 HIGH |
mfa/FIDO2.py in django-mfa2 before 2.5.1 and 2.6.x before 2.6.1 allows a replay attack that could be used to register another device for a user. The device registration challenge is not invalidated after usage. | |||||
CVE-2022-44457 | 1 Mendix | 1 Saml | 2024-02-28 | N/A | 9.8 CRITICAL |
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions < V1.17.0), Mendix SAML (Mendix 7 compatible) (All versions >= V1.17.0 < V1.17.2), Mendix SAML (Mendix 8 compatible) (All versions < V2.3.0), Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.2), Mendix SAML (Mendix 9 compatible, New Track) (All versions < V3.3.1), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.1 < V3.3.5), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions < V3.3.0), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.4). Affected versions of the module insufficiently protect from packet capture replay, only when the not recommended, non default configuration option `'Allow Idp Initiated Authentication'` is enabled. This CVE entry describes the incomplete fix for CVE-2022-37011 in a specific non default configuration. | |||||
CVE-2022-31277 | 1 Mi | 2 Xiaomi Lamp 1, Xiaomi Lamp 1 Firmware | 2024-02-28 | 5.8 MEDIUM | 8.8 HIGH |
Xiaomi Lamp 1 v2.0.4_0066 was discovered to be vulnerable to replay attacks. This allows attackers to to bypass the expected access restrictions and gain control of the switch and other functions via a crafted POST request. | |||||
CVE-2022-25838 | 1 Laravel | 1 Fortify | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
Laravel Fortify before 1.11.1 allows reuse within a short time window, thus calling into question the "OT" part of the "TOTP" concept. | |||||
CVE-2022-27254 | 1 Honda | 2 Civic 2018, Civic 2018 Firmware | 2024-02-28 | 2.9 LOW | 5.3 MEDIUM |
The remote keyless system on Honda Civic 2018 vehicles sends the same RF signal for each door-open request, which allows for a replay attack, a related issue to CVE-2019-20626. | |||||
CVE-2022-30466 | 1 Joybike | 2 Wolf, Wolf Firmware | 2024-02-28 | 3.3 LOW | 6.5 MEDIUM |
joyebike Joy ebike Wolf Manufacturing year 2022 is vulnerable to Authentication Bypass by Capture-replay. | |||||
CVE-2022-22936 | 1 Saltstack | 1 Salt | 2024-02-28 | 5.4 MEDIUM | 8.8 HIGH |
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Job publishes and file server replies are susceptible to replay attacks, which can result in an attacker replaying job publishes causing minions to run old jobs. File server replies can also be re-played. A sufficient craft attacker could gain root access on minion under certain scenarios. | |||||
CVE-2021-39364 | 1 Honeywell | 4 Hbw2per1, Hbw2per1 Firmware, Hdzp252di and 1 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Honeywell HDZP252DI 1.00.HW02.4 and HBW2PER1 1.000.HW01.3 devices allow command spoofing (for camera control) after ARP cache poisoning has been achieved. | |||||
CVE-2022-30467 | 1 Joyebike | 2 Wolf 2022, Wolf 2022 Firmware | 2024-02-28 | 4.3 MEDIUM | 6.8 MEDIUM |
Joy ebike Wolf Manufacturing year 2022 is vulnerable to Denial of service, which allows remote attackers to jam the key fob request via RF. | |||||
CVE-2020-27374 | 1 Drtrustusa | 2 Icheck Connect Bp Monitor Bp Testing 118, Icheck Connect Bp Monitor Bp Testing 118 Firmware | 2024-02-28 | 7.9 HIGH | 7.5 HIGH |
Dr Trust USA iCheck Connect BP Monitor BP Testing 118 1.2.1 is vulnerable to a Replay Attack to BP Monitoring. | |||||
CVE-2022-29334 | 1 H Project | 1 H | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
An issue in H v1.0 allows attackers to bypass authentication via a session replay attack. | |||||
CVE-2022-31265 | 1 Wargaming | 1 World Of Warships | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
The replay feature in the client in Wargaming World of Warships 0.11.4 allows remote attackers to execute code when a user launches a replay from an untrusted source. |