Total
2926 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-34839 | 1 Codexshaper | 1 Wp Oauth2 Server | 2022-07-26 | N/A | 9.8 CRITICAL |
| Authentication Bypass vulnerability in CodexShaper's WP OAuth2 Server plugin <= 1.0.1 at WordPress. | |||||
| CVE-2021-40874 | 2 Debian, Lemonldap-ng | 2 Debian Linux, Lemonldap\ | 2022-07-25 | N/A | 9.8 CRITICAL |
| An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination authentication plug-in, any password will be recognized as valid for an existing user. | |||||
| CVE-2021-43935 | 1 Baxter | 10 Welch Allyn Connex Cardio, Welch Allyn Diagnostic Cardiology Suite, Welch Allyn Hscribe Holter Analysis System and 7 more | 2022-07-25 | 6.8 MEDIUM | 9.8 CRITICAL |
| The impacted products, when configured to use SSO, are affected by an improper authentication vulnerability. This vulnerability allows the application to accept manual entry of any active directory (AD) account provisioned in the application without supplying a password, resulting in access to the application as the supplied AD account, with all associated privileges. | |||||
| CVE-2020-14504 | 1 Rockwellautomation | 4 1734-aentr Point I\/o Dual Port Network Adaptor Series B, 1734-aentr Point I\/o Dual Port Network Adaptor Series B Firmware, 1734-aentr Point I\/o Dual Port Network Adaptor Series C and 1 more | 2022-07-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings. | |||||
| CVE-2022-30623 | 1 Chcnav | 2 P5e Gnss, P5e Gnss Firmware | 2022-07-22 | N/A | 9.8 CRITICAL |
| The server checks the user's cookie in a non-standard way, and a value is entered in the cookie value name of the status and its value is set to true to bypass the identification with the system using a username and password. | |||||
| CVE-2022-30624 | 1 Chcnav | 2 P5e Gnss, P5e Gnss Firmware | 2022-07-22 | N/A | 7.5 HIGH |
| Browsing the admin.html page allows the user to reset the admin password. Also appears in the JS code for the password. | |||||
| CVE-2022-28771 | 1 Sap | 1 Business One License Service Api | 2022-07-22 | 5.0 MEDIUM | 7.5 HIGH |
| Due to missing authentication check, SAP Business one License service API - version 10.0 allows an unauthenticated attacker to send malicious http requests over the network. On successful exploitation, an attacker can break the whole application making it inaccessible. | |||||
| CVE-2019-5317 | 2 Arubanetworks, Siemens | 3 Instant, Scalance W1750d, Scalance W1750d Firmware | 2022-07-22 | 4.6 MEDIUM | 6.8 MEDIUM |
| A local authentication bypass vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x: 6.5.4.15 and below; Aruba Instant 8.3.x: 8.3.0.11 and below; Aruba Instant 8.4.x: 8.4.0.5 and below; Aruba Instant 8.5.x: 8.5.0.6 and below; Aruba Instant 8.6.x: 8.6.0.2 and below. Aruba has released patches for Aruba Instant that address this security vulnerability. | |||||
| CVE-2017-20133 | 1 Itechscripts | 1 Job Portal Script | 2022-07-21 | N/A | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, was found in Itech Job Portal Script 9.13. This affects an unknown part of the file /admin. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. | |||||
| CVE-2022-33736 | 1 Siemens | 1 Opcenter Quality | 2022-07-19 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in Opcenter Quality V13.1 (All versions < V13.1.20220624), Opcenter Quality V13.2 (All versions < V13.2.20220624). The affected applications do not properly validate login information during authentication. This could lead to denial of service condition for existing users or allow unauthenticated remote attackers to successfully login without credentials. | |||||
| CVE-2022-2302 | 1 Lenze | 6 C520, C520 Firmware, C550 and 3 more | 2022-07-18 | 9.3 HIGH | 9.8 CRITICAL |
| Multiple Lenze products of the cabinet series skip the password verification upon second login. After a user has been logged on to the device once, a remote attacker can get full access without knowledge of the password. | |||||
| CVE-2022-2133 | 1 Miniorange | 1 Oauth Single Sign On | 2022-07-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| The OAuth Single Sign On WordPress plugin before 6.22.6 doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user's email address. | |||||
| CVE-2021-40013 | 1 Huawei | 2 Emui, Magic Ui | 2022-07-15 | 3.3 LOW | 6.5 MEDIUM |
| Improper permission control vulnerability in the Bluetooth module.Successful exploitation of this vulnerability will affect integrity. | |||||
| CVE-2015-5298 | 1 Jenkins | 1 Google Login | 2022-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Google Login Plugin (versions 1.0 and 1.1) allows malicious anonymous users to authenticate successfully against Jenkins instances that are supposed to be locked down to a particular Google Apps domain through client-side request modification. | |||||
| CVE-2021-41995 | 2 Apple, Pingidentity | 2 Macos, Pingid Integration For Mac Login | 2022-07-15 | 5.0 MEDIUM | 7.5 HIGH |
| A misconfiguration of RSA in PingID Mac Login prior to 1.1 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass. | |||||
| CVE-2021-46825 | 1 Broadcom | 2 Advanced Secure Gateway, Proxysg | 2022-07-14 | 6.4 MEDIUM | 9.1 CRITICAL |
| Symantec Advanced Secure Gateway (ASG) and ProxySG are susceptible to an HTTP desync vulnerability. When a remote unauthenticated attacker and other web clients communicate through the proxy with the same web server, the attacker can send crafted HTTP requests and cause the proxy to forward web server responses to unintended clients. Severity/CVSSv3: High / 8.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | |||||
| CVE-2022-31125 | 1 Roxy-wi | 1 Roxy-wi | 2022-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to bypass authentication and access admin functionality by sending a specially crafted HTTP request. This affects Roxywi versions before 6.1.1.0. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-31131 | 1 Nextcloud | 1 Nextcloud Mail | 2022-07-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. There are no known workarounds for this issue. ### Workarounds No workaround available ### References * [Pull request](https://github.com/nextcloud/mail/pull/6600) * [HackerOne](https://hackerone.com/reports/1579820) ### For more information If you have any questions or comments about this advisory: * Create a post in [nextcloud/security-advisories](https://github.com/nextcloud/security-advisories/discussions) * Customers: Open a support ticket at [support.nextcloud.com](https://support.nextcloud.com) | |||||
| CVE-2022-2197 | 1 Exemys | 2 Rme1, Rme1 Firmware | 2022-07-13 | 10.0 HIGH | 9.8 CRITICAL |
| By using a specific credential string, an attacker with network access to the device’s web interface could circumvent the authentication scheme and perform administrative operations. | |||||
| CVE-2021-43116 | 1 Alibaba | 1 Nacos | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login. | |||||