Total
97 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-20484 | 1 Vikisolutions | 1 Vera | 2021-07-21 | 5.5 MEDIUM | 8.1 HIGH |
An issue was discovered in Viki Vera 4.9.1.26180. A user without access to a project could download or upload project files by opening the Project URL directly in the browser after logging in. | |||||
CVE-2019-25012 | 1 Webform Report Project | 1 Webform Report | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
The Webform Report project 7.x-1.x-dev for Drupal allows remote attackers to view submissions by visiting the /rss.xml page. NOTE: This project is not covered by Drupal's security advisory policy. | |||||
CVE-2019-9552 | 1 Eloan Project | 1 Eloan | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
Eloan V3.0 through 2018-09-20 allows remote attackers to list files via a direct request to the p2p/api/ or p2p/lib/ or p2p/images/ URI. | |||||
CVE-2020-10248 | 1 Meinbwa | 2 Direx-pro, Direx-pro Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
BWA DiREX-Pro 1.2181 devices allow remote attackers to discover passwords via a direct request to val_users.php3. | |||||
CVE-2020-11561 | 1 Nchsoftware | 1 Express Invoice | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
In NCH Express Invoice 7.25, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as the "Add New Item" screen. | |||||
CVE-2020-13474 | 1 Nchsoftware | 1 Express Accounts | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
In NCH Express Accounts 8.24 and earlier, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as Add/Edit users. | |||||
CVE-2020-13850 | 1 Pandorafms | 1 Pandora Fms | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
Artica Pandora FMS 7.44 has inadequate access controls on a web folder. | |||||
CVE-2020-24765 | 1 Mind | 1 Imind Server | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
InterMind iMind Server through 3.13.65 allows remote unauthenticated attackers to read the self-diagnostic archive via a direct api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1 request. | |||||
CVE-2020-26150 | 1 Logaritmo | 1 Aware Callmanager | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
info.php in Logaritmo Aware CallManager 2012 allows remote attackers to obtain sensitive information via a direct request, which calls the phpinfo function. | |||||
CVE-2020-28937 | 1 Openclinic Project | 1 Openclinic | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
OpenClinic version 0.8.2 is affected by a missing authentication vulnerability that allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application, via a direct request for the /tests/ URI. | |||||
CVE-2020-29656 | 1 Asus | 2 Rt-ac88u, Rt-ac88u Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
An information disclosure vulnerability exists in RT-AC88U Download Master before 3.1.0.108. A direct access to /downloadmaster/dm_apply.cgi?action_mode=initial&download_type=General&special_cgi=get_language makes it possible to reach "unknown functionality" in a "known to be easy" manner via an unspecified "public exploit." | |||||
CVE-2020-35391 | 1 Tenda | 2 F3, F3 Firmware | 2021-07-21 | 3.3 LOW | 6.5 MEDIUM |
Tenda N300 F3 12.01.01.48 devices allow remote attackers to obtain sensitive information (possibly including an http_passwd line) via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg, a related issue to CVE-2017-14942. NOTE: the vulnerability report may suggest that either a ? character must be placed after the RouterCfm.cfg filename, or that the HTTP request headers must be unusual, but it is not known why these are relevant to the device's HTTP response behavior. | |||||
CVE-2020-8439 | 1 Monstra | 1 Monstra | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
Monstra CMS through 3.0.4 allows remote authenticated users to take over arbitrary user accounts via a modified login parameter to an edit URI, as demonstrated by login=victim to the users/21/edit URI. | |||||
CVE-2017-14244 | 1 Iball | 2 Ib-wra150n, Ib-wra150n Firmware | 2021-06-21 | 10.0 HIGH | 9.8 CRITICAL |
An authentication bypass vulnerability on iBall Baton ADSL2+ Home Router FW_iB-LR7011A_1.0.2 devices potentially allows attackers to directly access administrative router settings by crafting URLs with a .cgi extension, as demonstrated by /info.cgi and /password.cgi. | |||||
CVE-2020-7541 | 1 Schneider-electric | 40 140cpu65150, 140cpu65150 Firmware, 140noc77101 and 37 more | 2020-12-14 | 5.0 MEDIUM | 5.3 MEDIUM |
A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP. | |||||
CVE-2019-3917 | 1 Nokia | 2 I-240w-q Gpon Ont, I-240w-q Gpon Ont Firmware | 2020-10-19 | 5.0 MEDIUM | 7.5 HIGH |
The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 allows a remote, unauthenticated attacker to enable telnetd on the router via a crafted HTTP request. | |||||
CVE-2019-3934 | 1 Crestron | 4 Am-100, Am-100 Firmware, Am-101 and 1 more | 2020-10-16 | 5.0 MEDIUM | 5.3 MEDIUM |
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code sending a crafted HTTP POST request to login.cgi. A remote, unauthenticated attacker can use this vulnerability to download the current slide image without knowing the access code. | |||||
CVE-2019-3933 | 1 Crestron | 4 Am-100, Am-100 Firmware, Am-101 and 1 more | 2020-10-16 | 5.0 MEDIUM | 5.3 MEDIUM |
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code simply by requesting /images/browserslide.jpg via HTTP. A remote, unauthenticated attacker can use this vulnerability to watch a slideshow without knowing the access code. | |||||
CVE-2019-1899 | 1 Cisco | 6 Rv110w, Rv110w Firmware, Rv130w and 3 more | 2020-10-16 | 5.0 MEDIUM | 5.3 MEDIUM |
A vulnerability in the web interface of Cisco RV110W, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to acquire the list of devices that are connected to the guest network. The vulnerability is due to improper authorization of an HTTP request. An attacker could exploit this vulnerability by accessing a specific URI on the web interface of the router. | |||||
CVE-2019-1898 | 1 Cisco | 6 Rv110w, Rv110w Firmware, Rv130w and 3 more | 2020-10-16 | 5.0 MEDIUM | 5.3 MEDIUM |
A vulnerability in the web-based management interface of Cisco RV110W, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to access the syslog file on an affected device. The vulnerability is due to improper authorization of an HTTP request. An attacker could exploit this vulnerability by accessing the URL for the syslog file. A successful exploit could allow the attacker to access the information contained in the file. |