Total
2926 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-20168 | 1 Netgear | 2 Rax43, Rax43 Firmware | 2022-07-12 | 7.2 HIGH | 6.8 MEDIUM |
| Netgear RAX43 version 1.0.3.96 does not have sufficient protections to the UART interface. A malicious actor with physical access to the device is able to connect to the UART port via a serial connection, login with default credentials, and execute commands as the root user. These default credentials are admin:admin. | |||||
| CVE-2021-27734 | 1 Belden | 2 Hirschmann Hios, Hisecos | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Hirschmann HiOS 07.1.01, 07.1.02, and 08.1.00 through 08.5.xx and HiSecOS 03.3.00 through 03.5.01 allow remote attackers to change the credentials of existing users. | |||||
| CVE-2021-20092 | 1 Buffalo | 4 Wsr-2533dhp3-bk, Wsr-2533dhp3-bk Firmware, Wsr-2533dhpl2-bk and 1 more | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor. | |||||
| CVE-2021-31326 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2022-07-12 | 9.0 HIGH | 9.8 CRITICAL |
| D-Link DIR-816 A2 1.10 B05 allows unauthenticated attackers to arbitrarily reset the device via a crafted tokenid parameter to /goform/form2Reboot.cgi. | |||||
| CVE-2022-23725 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2022-07-12 | 2.1 LOW | 5.5 MEDIUM |
| PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances. | |||||
| CVE-2022-23719 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2022-07-11 | 6.9 MEDIUM | 6.4 MEDIUM |
| PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine maybe able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication. | |||||
| CVE-2022-1955 | 1 Opft | 1 Session | 2022-07-11 | 2.1 LOW | 4.6 MEDIUM |
| Session 1.13.0 allows an attacker with physical access to the victim's device to bypass the application's password/pin lock to access user data. This is possible due to lack of adequate security controls to prevent dynamic code manipulation. | |||||
| CVE-2021-1561 | 1 Cisco | 1 Secure Email And Web Manager | 2022-07-08 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability in the spam quarantine feature of Cisco Secure Email and Web Manager, formerly Cisco Security Management Appliance (SMA), could allow an authenticated, remote attacker to gain unauthorized access and modify the spam quarantine settings of another user. This vulnerability exists because access to the spam quarantine feature is not properly restricted. An attacker could exploit this vulnerability by sending malicious requests to an affected system. A successful exploit could allow the attacker to modify another user's spam quarantine settings, possibly disabling security controls or viewing email messages stored on the spam quarantine interfaces. | |||||
| CVE-2022-31463 | 1 Owllabs | 2 Meeting Owl Pro, Meeting Owl Pro Firmware | 2022-07-08 | 4.3 MEDIUM | 7.1 HIGH |
| Owl Labs Meeting Owl 5.2.0.15 does not require a password for Bluetooth commands, because only client-side authentication is used. | |||||
| CVE-2022-29858 | 1 Silverstripe | 1 Assets | 2022-07-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content. | |||||
| CVE-2022-33202 | 1 Softcreate | 1 L2blocker | 2022-07-07 | 4.8 MEDIUM | 8.1 HIGH |
| Authentication bypass vulnerability in the setup screen of L2Blocker(on-premise) Ver4.8.5 and earlier and L2Blocker(Cloud) Ver4.8.5 and earlier allows an adjacent attacker to perform an unauthorized login and obtain the stored information or cause a malfunction of the device by using alternative paths or channels for Sensor. | |||||
| CVE-2022-22487 | 3 Ibm, Linux, Microsoft | 4 Aix, Spectrum Protect Server, Linux Kernel and 1 more | 2022-07-07 | 5.0 MEDIUM | 9.8 CRITICAL |
| An IBM Spectrum Protect storage agent could allow a remote attacker to perform a brute force attack by allowing unlimited attempts to login to the storage agent without locking the administrative ID. A remote attacker could exploit this vulnerability using brute force techniques to gain unauthorized administrative access to both the IBM Spectrum Protect storage agent and the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 with which it communicates. IBM X-Force ID: 226326. | |||||
| CVE-2022-29578 | 1 Meridian | 1 Meridian | 2022-07-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| Meridian Cooperative Utility Software versions 22.02 and 22.03 allows remote attackers to obtain sensitive information such as name, address, and daily energy usage. | |||||
| CVE-2022-28620 | 1 Hpe | 10 Cray Ex Supercomputers, Cray Ex Supercomputers Firmware, Cray Sh Supercomputer Air Cooled Base System Code and 7 more | 2022-07-05 | 7.5 HIGH | 9.8 CRITICAL |
| A remote authentication bypass vulnerability was discovered in HPE Cray Legacy Shasta System Solutions; HPE Slingshot; and HPE Cray EX supercomputers versions: Prior to node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27; All Slingshot versions prior to 1.7.2; All versions of node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27. HPE has provided a software update to resolve this vulnerability in HPE Cray Legacy Shasta System Solutions, HPE Slingshot, and HPE Cray EX Supercomputers. | |||||
| CVE-2021-32691 | 1 Apollosapp | 1 Data-connector-rock | 2022-07-02 | 7.5 HIGH | 9.8 CRITICAL |
| Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within the app, as well as any authenticated links to Rock-based webpages (such as giving and events). There is a patch in version 2.20.0. As a workaround, one can patch one's server by overriding the `create` data source method on the `People` class. | |||||
| CVE-2021-32967 | 1 Deltaww | 1 Diaenergie | 2022-07-02 | 10.0 HIGH | 9.8 CRITICAL |
| Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges. | |||||
| CVE-2021-37172 | 1 Siemens | 10 Cpu 1211c, Cpu 1212c, Cpu 1212fc and 7 more | 2022-07-01 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (V4.5.0). Affected devices fail to authenticate against configured passwords when provisioned using TIA Portal V13. This could allow an attacker using TIA Portal V13 or later versions to bypass authentication and download arbitrary programs to the PLC. The vulnerability does not occur when TIA Portal V13 SP1 or any later version was used to provision the device. | |||||
| CVE-2021-36368 | 2 Debian, Openbsd | 2 Debian Linux, Openssh | 2022-07-01 | 2.6 LOW | 3.7 LOW |
| ** DISPUTED ** An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed." | |||||
| CVE-2020-7297 | 1 Mcafee | 1 Web Gateway | 2022-07-01 | 2.7 LOW | 5.7 MEDIUM |
| Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows authenticated user interface user to access protected dashboard data via improper access control in the user interface. | |||||
| CVE-2021-41638 | 1 Melag | 1 Ftp Server | 2022-07-01 | 5.0 MEDIUM | 7.5 HIGH |
| The authentication checks of the MELAG FTP Server in version 2.2.0.4 are incomplete, which allows a remote attacker to access local files only by using a valid username. | |||||