Total
2926 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-1000489 | 2 Acquia, Mautic | 2 Mautic, Mautic | 2021-01-25 | 6.8 MEDIUM | 8.1 HIGH |
| Mautic versions 2.0.0 - 2.11.0 with a SSO plugin installed could allow a disabled user to still login using email address | |||||
| CVE-2021-22171 | 1 Gitlab | 1 Gitlab | 2021-01-22 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link | |||||
| CVE-2020-5633 | 1 Nec | 7 Baseboard Management Controller, Express5800\/gt110j, Express5800\/t110j and 4 more | 2021-01-21 | 9.0 HIGH | 9.8 CRITICAL |
| Multiple NEC products (Express5800/T110j, Express5800/T110j-S, Express5800/T110j (2nd-Gen), Express5800/T110j-S (2nd-Gen), iStorage NS100Ti, and Express5800/GT110j) where Baseboard Management Controller (BMC) firmware Rev1.09 and earlier is applied allows remote attackers to bypass authentication and then obtain/modify BMC setting information, obtain monitoring information, or reboot/shut down the vulnerable product via unspecified vectors. | |||||
| CVE-2020-5686 | 1 Nec | 4 Univerge Sv8500, Univerge Sv8500 Firmware, Univerge Sv9500 and 1 more | 2021-01-21 | 5.0 MEDIUM | 7.5 HIGH |
| Incorrect implementation of authentication algorithm issue in UNIVERGE SV9500 series from V1 to V7and SV8500 series from S6 to S8 allows an attacker to access the remote system maintenance feature and obtain the information by sending a specially crafted request to a specific URL. | |||||
| CVE-2020-27488 | 1 Loxone | 2 Miniserver Gen 1, Miniserver Gen 1 Firmware | 2021-01-21 | 7.5 HIGH | 9.8 CRITICAL |
| Loxone Miniserver devices with firmware before 11.1 (aka 11.1.9.3) are unable to use an authentication method that is based on the "signature of the update package." Therefore, these devices (or attackers who are spoofing these devices) can continue to use an unauthenticated cloud service for an indeterminate time period (possibly forever). Once an individual device's firmware is updated, and authentication occurs once, the cloud service recategorizes the device so that authentication is subsequently always required, and spoofing cannot occur. | |||||
| CVE-2017-8028 | 2 Debian, Pivotal Software | 2 Debian Linux, Spring-ldap | 2021-01-20 | 5.1 MEDIUM | 8.1 HIGH |
| In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect. | |||||
| CVE-2015-6926 | 1 Oxid-esales | 1 Eshop | 2021-01-19 | 5.0 MEDIUM | 7.5 HIGH |
| The OpenID Single Sign-On authentication functionality in OXID eShop before 4.5.0 allows remote attackers to impersonate users via the email address in a crafted authentication token. | |||||
| CVE-2014-6387 | 1 Mantisbt | 1 Mantisbt | 2021-01-12 | 5.0 MEDIUM | N/A |
| gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authenticated via a password starting will a null byte, which triggers an unauthenticated bind. | |||||
| CVE-2012-1123 | 1 Mantisbt | 1 Mantisbt | 2021-01-12 | 7.5 HIGH | N/A |
| The mci_check_login function in api/soap/mc_api.php in the SOAP API in MantisBT before 1.2.9 allows remote attackers to bypass authentication via a null password. | |||||
| CVE-2012-10001 | 1 Limit Login Attempts Project | 1 Limit Login Attempts | 2021-01-08 | 5.0 MEDIUM | 9.8 CRITICAL |
| The Limit Login Attempts plugin before 1.7.1 for WordPress does not clear auth cookies upon a lockout, which might make it easier for remote attackers to conduct brute-force authentication attempts. | |||||
| CVE-2020-9207 | 1 Huawei | 8 Cloudengine 12800, Cloudengine 12800 Firmware, Cloudengine 5800 and 5 more | 2020-12-31 | 6.8 MEDIUM | 7.8 HIGH |
| There is an improper authentication vulnerability in some verisons of Huawei CloudEngine product. A module does not verify the input file properly. Attackers can exploit this vulnerability by crafting malicious files to bypass current verification mechanism. This can compromise normal service. | |||||
| CVE-2020-35785 | 1 Netgear | 2 Dgn2200, Dgn2200 Firmware | 2020-12-31 | 5.8 MEDIUM | 8.8 HIGH |
| NETGEAR DGN2200v1 devices before v1.0.0.60 mishandle HTTPd authentication (aka PSV-2020-0363, PSV-2020-0364, and PSV-2020-0365). | |||||
| CVE-2020-26030 | 1 Zammad | 1 Zammad | 2020-12-29 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Zammad before 3.4.1. There is an authentication bypass in the SSO endpoint via a crafted header, when SSO is not configured. An attacker can create a valid and authenticated session that can be used to perform any actions in the name of other users. | |||||
| CVE-2020-27780 | 1 Linux-pam | 1 Linux-pam | 2020-12-28 | 10.0 HIGH | 9.8 CRITICAL |
| A flaw was found in Linux-Pam in versions prior to 1.5.1 in the way it handle empty passwords for non-existing users. When the user doesn't exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate. | |||||
| CVE-2020-24579 | 1 D-link | 2 Dsl2888a, Dsl2888a Firmware | 2020-12-22 | 5.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality. | |||||
| CVE-2020-27254 | 1 Emerson | 8 X-stream Enhanced Xefd, X-stream Enhanced Xefd Firmware, X-stream Enhanced Xegk and 5 more | 2020-12-22 | 5.0 MEDIUM | 7.5 HIGH |
| Emerson Rosemount X-STREAM Gas AnalyzerX-STREAM enhanced XEGP, XEGK, XEFD, XEXF – all revisions, The affected products are vulnerable to improper authentication for accessing log and backup data, which could allow an attacker with a specially crafted URL to obtain access to sensitive information. | |||||
| CVE-2020-27199 | 1 Magic Home Pro Project | 1 Magic Home Pro | 2020-12-22 | 5.0 MEDIUM | 7.5 HIGH |
| The Magic Home Pro application 1.5.1 for Android allows Authentication Bypass. The security control that the application currently has in place is a simple Username and Password authentication function. Using enumeration, an attacker is able to forge a User specific token without the need for correct password to gain access to the mobile application as that victim user. | |||||
| CVE-2019-5453 | 1 Nextcloud | 1 Nextcloud | 2020-12-17 | 3.6 LOW | 6.1 MEDIUM |
| Bypass lock protection in the Nextcloud Android app prior to version 3.3.0 allowed access to files when being prompted for the lock protection and switching to the Nextcloud file provider. | |||||
| CVE-2020-4747 | 1 Ibm | 1 Connect\ | 2020-12-17 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Connect:Direct for UNIX 6.1.0, 6.0.0, 4.3.0, and 4.2.0 can allow a local or remote user to obtain an authenticated CLI session due to improper authentication methods. IBM X-Force ID: 188516. | |||||
| CVE-2020-29669 | 1 Macally | 2 Wifisd2-2a82, Wifisd2-2a82 Firmware | 2020-12-15 | 9.0 HIGH | 8.8 HIGH |
| In the Macally WIFISD2-2A82 Media and Travel Router 2.000.010, the Guest user is able to reset its own password. This process has a vulnerability which can be used to take over the administrator account and results in shell access. As the admin user may read the /etc/shadow file, the password hashes of each user (including root) can be dumped. The root hash can be cracked easily which results in a complete system compromise. | |||||