Total
801 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-6820 | 1 Schneider-electric | 24 Atv Imc Drive Controller, Atv Imc Drive Controller Firmware, Modicon Lmc058 and 21 more | 2022-02-03 | 6.4 MEDIUM | 8.2 HIGH |
| A CWE-306: Missing Authentication for Critical Function vulnerability exists which could cause a modification of device IP configuration (IP address, network mask and gateway IP address) when a specific Ethernet frame is received in all versions of: Modicon M100, Modicon M200, Modicon M221, ATV IMC drive controller, Modicon M241, Modicon M251, Modicon M258, Modicon LMC058, Modicon LMC078, PacDrive Eco ,PacDrive Pro, PacDrive Pro2 | |||||
| CVE-2019-6808 | 1 Schneider-electric | 8 Modicon M340, Modicon M340 Firmware, Modicon M580 and 5 more | 2022-02-03 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-284: Improper Access Control vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a remote code execution by overwriting configuration settings of the controller over Modbus. | |||||
| CVE-2021-26264 | 1 Emerson | 2 Deltav Distributed Control System, Deltav Workstation | 2022-02-02 | 4.9 MEDIUM | 5.5 MEDIUM |
| A specially crafted script could cause the DeltaV Distributed Control System Controllers (All Versions) to restart and cause a denial-of-service condition. | |||||
| CVE-2014-2590 | 1 Siemens | 3 Ruggedcom Rs950g, Ruggedcom Rsg2488, Ruggedcom Rugged Operating System | 2022-02-01 | 5.0 MEDIUM | N/A |
| The web management interface in Siemens RuggedCom ROS before 3.11, ROS 3.11 before 3.11.5 for RS950G, ROS 3.12, and ROS 4.0 for RSG2488 allows remote attackers to cause a denial of service (interface outage) via crafted HTTP packets. | |||||
| CVE-2022-23945 | 1 Apache | 1 Shenyu | 2022-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1. | |||||
| CVE-2022-23944 | 1 Apache | 1 Shenyu | 2022-02-01 | 6.4 MEDIUM | 9.1 CRITICAL |
| User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. | |||||
| CVE-2021-22784 | 1 Schneider-electric | 1 C-bus Toolkit | 2022-01-31 | 3.5 LOW | 5.7 MEDIUM |
| A CWE-306: Missing Authentication for Critical Function vulnerability exists in C-Bus Toolkit v1.15.8 and prior that could allow an attacker to use a crafted webpage to obtain remote access to the system. | |||||
| CVE-2021-34870 | 1 Netgear | 1 Xr1000 | 2022-01-31 | 3.3 LOW | 6.5 MEDIUM |
| This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR XR1000 1.0.0.52_1.0.38 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SOAP messages. The issue results from a lack of authentication required for a privileged request. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13325. | |||||
| CVE-2021-23843 | 1 Bosch | 5 Access Management System, Access Professional Edition, Amc2 and 2 more | 2022-01-28 | 4.6 MEDIUM | 7.8 HIGH |
| The Bosch software tools AccessIPConfig.exe and AmcIpConfig.exe are used to configure certains settings in AMC2 devices. The tool allows putting a password protection on configured devices to restrict access to the configuration of an AMC2. An attacker can circumvent this protection and make unauthorized changes to configuration data on the device. An attacker can exploit this vulnerability to manipulate the device\'s configuration or make it unresponsive in the local network. The attacker needs to have access to the local network, typically even the same subnet. | |||||
| CVE-2022-21691 | 1 Onionshare | 1 Onionshare | 2022-01-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions chat participants can spoof their channel leave message, tricking others into assuming they left the chatroom. | |||||
| CVE-2022-23227 | 1 Nuuo | 2 Nvrmini2, Nvrmini2 Firmware | 2022-01-21 | 10.0 HIGH | 9.8 CRITICAL |
| NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root. | |||||
| CVE-2021-43832 | 1 Linuxfoundation | 1 Spinnaker | 2022-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allowing pipeline creation & execution. This lets an arbitrary user with access to the gate endpoint to create a pipeline and execute it without authentication. If users haven't setup Role-based access control (RBAC) with-in spinnaker, this enables remote execution and access to deploy almost any resources on any account. Patches are available on the latest releases of the supported branches and users are advised to upgrade as soon as possible. Users unable to upgrade should enable RBAC on ALL accounts and applications. This mitigates the ability of a pipeline to affect any accounts. Block application access unless permission are enabled. Users should make sure ALL application creation is restricted via appropriate wildcards. | |||||
| CVE-2021-20152 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2022-01-07 | 5.8 MEDIUM | 6.5 MEDIUM |
| Trendnet AC2600 TEW-827DRU version 2.08B01 lacks proper authentication to the bittorrent functionality. If enabled, anyone is able to visit and modify settings and files via the Bittorent web client by visiting: http://192.168.10.1:9091/transmission/web/ | |||||
| CVE-2021-45232 | 1 Apache | 1 Apisix Dashboard | 2022-01-07 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication. | |||||
| CVE-2019-10919 | 1 Siemens | 2 Logo\!8 Bm, Logo\!8 Bm Firmware | 2022-01-04 | 7.5 HIGH | 9.4 CRITICAL |
| A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). Attackers with access to port 10005/tcp could perform device reconfigurations and obtain project files from the devices. The system manual recommends to protect access to this port. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 10005/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the device. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2019-8449 | 1 Atlassian | 1 Jira | 2022-01-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. | |||||
| CVE-2020-6170 | 1 Genexis | 2 Platinum-4410, Platinum-4410 Firmware | 2022-01-01 | 5.0 MEDIUM | 9.8 CRITICAL |
| An authentication bypass vulnerability on Genexis Platinum-4410 v2.1 P4410-V2 1.28 devices allows attackers to obtain cleartext credentials from the HTML source code of the cgi-bin/index2.asp URI. | |||||
| CVE-2020-24217 | 3 Jtechdigital, Provideoinstruments, Szuray | 105 H.264 Iptv Encoder 1080p\@60hz, H.264 Iptv Encoder 1080p\@60hz Firmware, Vecaster-4k-hevc and 102 more | 2022-01-01 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. The file-upload endpoint does not enforce authentication. Attackers can send an unauthenticated HTTP request to upload a custom firmware component, possibly in conjunction with command injection, to achieve arbitrary code execution. | |||||
| CVE-2021-1499 | 1 Cisco | 8 Hyperflex Hx220c Af M5, Hyperflex Hx220c All Nvme M5, Hyperflex Hx220c Edge M5 and 5 more | 2022-01-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. | |||||
| CVE-2020-10641 | 1 Inductiveautomation | 1 Ignition Gateway | 2021-12-20 | 5.0 MEDIUM | 7.5 HIGH |
| An unprotected logging route may allow an attacker to write endless log statements into the database without space limits or authentication. This results in consuming the entire available hard-disk space on the Ignition 8 Gateway (versions prior to 8.0.10), causing a denial-of-service condition. | |||||