Total
2926 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-35231 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2021-03-17 | 8.3 HIGH | 8.8 HIGH |
| The NSDP protocol implementation on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices was affected by an authentication issue that allows an attacker to bypass access controls and obtain full control of the device. | |||||
| CVE-2020-5148 | 1 Sonicwall | 1 Directory Services Connector | 2021-03-15 | 6.4 MEDIUM | 8.2 HIGH |
| SonicWall SSO-agent default configuration uses NetAPI to probe the associated IP's in the network, this client probing method allows a potential attacker to capture the password hash of the privileged user and potentially forces the SSO Agent to authenticate allowing an attacker to bypass firewall access controls. | |||||
| CVE-2020-27838 | 1 Redhat | 2 Keycloak, Single Sign-on | 2021-03-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. | |||||
| CVE-2021-21335 | 1 Spnego Http Authentication Module Project | 1 Spnego Http Authentication Module | 2021-03-12 | 7.5 HIGH | 9.8 CRITICAL |
| In the SPNEGO HTTP Authentication Module for nginx (spnego-http-auth-nginx-module) before version 1.1.1 basic Authentication can be bypassed using a malformed username. This affects users of spnego-http-auth-nginx-module that have enabled basic authentication. This is fixed in version 1.1.1 of spnego-http-auth-nginx-module. As a workaround, one may disable basic authentication. | |||||
| CVE-2021-21329 | 1 Ratcf | 1 Ratcf | 2021-03-12 | 6.8 MEDIUM | 9.8 CRITICAL |
| RATCF is an open-source framework for hosting Cyber-Security Capture the Flag events. In affected versions of RATCF users with multi factor authentication enabled are able to log in without a valid token. This is fixed in commit cebb67b. | |||||
| CVE-2021-25343 | 2 Google, Samsung | 2 Android, Members | 2021-03-11 | 2.1 LOW | 3.3 LOW |
| Calling of non-existent provider in Samsung Members prior to version 2.4.81.13 (in Android O(8.1) and below) and 3.8.00.13 (in Android P(9.0) and above) allows unauthorized actions including denial of service attack by hijacking the provider. | |||||
| CVE-2021-25342 | 2 Google, Samsung | 2 Android, Members | 2021-03-11 | 2.1 LOW | 3.3 LOW |
| Calling of non-existent provider in SMP sdk prior to version 3.0.9 allows unauthorized actions including denial of service attack by hijacking the provider. | |||||
| CVE-2013-4471 | 1 Openstack | 1 Horizon | 2021-03-09 | 5.5 MEDIUM | N/A |
| The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user. | |||||
| CVE-2021-25341 | 1 Samsung | 1 S Assistant | 2021-03-05 | 2.1 LOW | 3.3 LOW |
| Calling of non-existent provider in S Assistant prior to version 6.5.01.22 allows unauthorized actions including denial of service attack by hijacking the provider. | |||||
| CVE-2021-21308 | 1 Prestashop | 1 Prestashop | 2021-03-05 | 6.4 MEDIUM | 9.1 CRITICAL |
| PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 the soft logout system is not complete and an attacker is able to foreign request and executes customer commands. The problem is fixed in 1.7.7.2 | |||||
| CVE-2008-6714 | 1 Xecms Project | 1 Xecms | 2021-03-05 | 7.5 HIGH | N/A |
| admin.php in xeCMS 1.0.0 RC2 and earlier allows remote attackers to bypass authentication and access the admin panel by setting the xecms_username cookie. | |||||
| CVE-2017-1000433 | 2 Debian, Pysaml2 Project | 2 Debian Linux, Pysaml2 | 2021-03-04 | 6.8 MEDIUM | 8.1 HIGH |
| pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password. | |||||
| CVE-2021-21126 | 2 Google, Microsoft | 2 Chrome, Edge Chromium | 2021-03-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. | |||||
| CVE-2021-3339 | 1 Microsoft | 1 Modernflow | 2021-02-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| ModernFlow before 1.3.00.208 does not constrain web-page access to members of a security group, as demonstrated by the Search Screen and the Profile Screen. | |||||
| CVE-2020-13185 | 1 Teradici | 1 Cloud Access Connector | 2021-02-25 | 4.3 MEDIUM | 6.5 MEDIUM |
| Certain web application pages in the authenticated section of the Teradici Cloud Access Connector prior to v18 were accessible without the need to specify authentication tokens, which allowed an attacker in the ability to execute sensitive functions without credentials. | |||||
| CVE-2020-10254 | 1 Owncloud | 1 Owncloud | 2021-02-25 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in ownCloud before 10.4. An attacker can bypass authentication on a password-protected image by displaying its preview. | |||||
| CVE-2020-10048 | 1 Siemens | 2 Simatic Pcs 7, Simatic Wincc | 2021-02-10 | 2.1 LOW | 5.5 MEDIUM |
| A vulnerability has been identified in SIMATIC PCS 7 (All versions), SIMATIC WinCC (All versions < V7.5 SP2). Due to an insecure password verification process, an attacker could bypass the password protection set on protected files, thus being granted access to the protected content, circumventing authentication. | |||||
| CVE-2021-25910 | 1 Zivautomation | 2 4cct-ea6-334126bf, 4cct-ea6-334126bf Firmware | 2021-02-05 | 3.3 LOW | 6.5 MEDIUM |
| Improper Authentication vulnerability in the cookie parameter of ZIV AUTOMATION 4CCT-EA6-334126BF allows a local attacker to perform modifications in several parameters of the affected device as an authenticated user. | |||||
| CVE-2021-3297 | 1 Zyxel | 2 Nbg2105, Nbg2105 Firmware | 2021-02-03 | 7.2 HIGH | 7.8 HIGH |
| On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access. | |||||
| CVE-2020-15835 | 1 Mofinetwork | 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware | 2021-02-03 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The authentication function contains undocumented code that provides the ability to authenticate as root without knowing the actual root password. An adversary with the private key can remotely authenticate to the management interface as root. | |||||