Total
2926 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-34676 | 1 Basixonline | 1 Nex-forms | 2021-07-29 | 5.0 MEDIUM | 7.5 HIGH |
| Basix NEX-Forms through 7.8.7 allows authentication bypass for Excel report generation. | |||||
| CVE-2021-34675 | 1 Basixonline | 1 Nex-forms | 2021-07-29 | 5.0 MEDIUM | 7.5 HIGH |
| Basix NEX-Forms through 7.8.7 allows authentication bypass for stored PDF reports. | |||||
| CVE-2018-15598 | 1 Traefik | 1 Traefik | 2021-07-28 | 5.0 MEDIUM | 7.5 HIGH |
| Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable. | |||||
| CVE-2021-33539 | 1 Weidmueller | 16 Ie-wl-bl-ap-cl-eu, Ie-wl-bl-ap-cl-eu Firmware, Ie-wl-bl-ap-cl-us and 13 more | 2021-07-27 | 6.5 MEDIUM | 7.2 HIGH |
| In Weidmueller Industrial WLAN devices in multiple versions an exploitable authentication bypass vulnerability exists in the hostname processing. A specially configured device hostname can cause the device to interpret selected remote traffic as local traffic, resulting in a bypass of web authentication. An attacker can send authenticated SNMP requests to trigger this vulnerability. | |||||
| CVE-2009-2069 | 1 Microsoft | 2 Ie, Internet Explorer | 2021-07-23 | 5.8 MEDIUM | N/A |
| Microsoft Internet Explorer before 8 displays a cached certificate for a (1) 4xx or (2) 5xx CONNECT response page returned by a proxy server, which allows man-in-the-middle attackers to spoof an arbitrary https site by letting a browser obtain a valid certificate from this site during one request, and then sending the browser a crafted 502 response page upon a subsequent request. | |||||
| CVE-2009-2057 | 1 Microsoft | 2 Ie, Internet Explorer | 2021-07-23 | 5.8 MEDIUM | N/A |
| Microsoft Internet Explorer before 8 uses the HTTP Host header to determine the context of a document provided in a (1) 4xx or (2) 5xx CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack. | |||||
| CVE-2020-0460 | 1 Google | 1 Android | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| In createNameCredentialDialog of CertInstaller.java, there exists the possibility of improperly installed certificates due to a logic error. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-163413737 | |||||
| CVE-2020-28874 | 1 Projectsend | 1 Projectsend | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter). | |||||
| CVE-2020-19888 | 1 Dbhcms Project | 1 Dbhcms | 2021-07-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| DBHcms v1.2.0 has an unauthorized operation vulnerability because there's no access control at line 175 of dbhcms\page.php for empty cache operation. This vulnerability can be exploited to empty a table. | |||||
| CVE-2020-9077 | 1 Huawei | 2 P30, P30 Firmware | 2021-07-21 | 4.3 MEDIUM | 3.3 LOW |
| HUAWEI P30 smart phones with versions earlier than 10.1.0.160(C00E160R2P11) have an information exposure vulnerability. The system does not properly authenticate the application that access a specified interface. Attackers can trick users into installing malicious software to exploit this vulnerability and obtain some information about the device. Successful exploit may cause information disclosure. | |||||
| CVE-2019-10562 | 1 Qualcomm | 56 Ipq6018, Ipq6018 Firmware, Kamorta and 53 more | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| u'Improper authentication and signature verification of debug polices in secure boot loader will allow unverified debug policies to be loaded into secure memory and leads to memory corruption' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in IPQ6018, Kamorta, MSM8998, Nicobar, QCS404, QCS605, QCS610, Rennell, SA415M, SA6155P, SC7180, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 | |||||
| CVE-2019-8978 | 1 Ellucian | 2 Banner Enterprise Identity Services, Banner Web Tailor | 2021-07-21 | 6.8 MEDIUM | 8.1 HIGH |
| An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager. This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID. During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim. | |||||
| CVE-2020-24641 | 1 Arubanetworks | 1 Airwave Glass | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Aruba AirWave Glass before 1.3.3, there is a Server-Side Request Forgery vulnerability through an unauthenticated endpoint that if successfully exploited can result in disclosure of sensitive information. This can be used to perform an authentication bypass and ultimately gain administrative access on the web administrative interface. | |||||
| CVE-2020-26511 | 1 Wpo365 | 1 Wordpress \+ Azure Ad \/ Microsoft Office 365 | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| The wpo365-login plugin before v11.7 for WordPress allows use of a symmetric algorithm to decrypt a JWT token. This leads to authentication bypass. | |||||
| CVE-2020-28896 | 3 Debian, Mutt, Neomutt | 3 Debian Linux, Mutt, Neomutt | 2021-07-21 | 2.6 LOW | 5.3 MEDIUM |
| Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle. | |||||
| CVE-2019-19519 | 1 Openbsd | 1 Openbsd | 2021-07-21 | 4.6 MEDIUM | 7.8 HIGH |
| In OpenBSD 6.6, local users can use the su -L option to achieve any login class (often excluding root) because there is a logic error in the main function in su/su.c. | |||||
| CVE-2020-26921 | 1 Netgear | 8 Gs110emx, Gs110emx Firmware, Gs810emx and 5 more | 2021-07-21 | 5.8 MEDIUM | 8.8 HIGH |
| Certain NETGEAR devices are affected by authentication bypass. This affects GS110EMX before 1.0.1.7, GS810EMX before 1.7.1.3, XS512EM before 1.0.1.3, and XS724EM before 1.0.1.3. | |||||
| CVE-2020-8465 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to manipulate system updates using a combination of CSRF bypass (CVE-2020-8461) and authentication bypass (CVE-2020-8464) to execute code as user root. | |||||
| CVE-2020-4494 | 3 Ibm, Linux, Microsoft | 5 Aix, Spectrum Protect Client, Spectrum Protect For Space Management and 2 more | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Spectrum Protect Client 8.1.7.0 through 8.1.9.1 (Linux and Windows), 8.1.9.0 trough 8.1.9.1 (AIX) and IBM Spectrum Protect for Space Management 8.1.7.0 through 8.1.9.1 (Linux), 8.1.9.0 through 8.1.9.1 (AIX) web user interfaces could allow an attacker to bypass authentication due to improper session validation which can result in access to unauthorized resources. IBM X-Force ID: 182019. | |||||
| CVE-2019-14510 | 1 Kaseya | 1 Vsa | 2021-07-21 | 7.2 HIGH | 6.7 MEDIUM |
| An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\Administrators group. Using the well known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. (Local account Pass-the-Hash mitigations do not protect domain accounts.) | |||||