Total
1281 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-42845 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2024-09-10 | 5.3 Medium |
| An authentication issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1, iOS 17.1 and iPadOS 17.1. Photos in the Hidden Photos Album may be viewed without authentication. | ||||
| CVE-2023-46978 | 1 Totolink | 2 X6000r, X6000r Firmware | 2024-09-06 | 7.5 High |
| TOTOLINK X6000R V9.4.0cu.852_B20230719 is vulnerable to Incorrect Access Control.Attackers can reset login password & WIFI passwords without authentication. | ||||
| CVE-2024-31218 | 2024-09-06 | 9.8 Critical | ||
| Webhood is a self-hosted URL scanner used analyzing phishing and malicious sites. Webhood's backend container images in versions 0.9.0 and earlier are subject to Missing Authentication for Critical Function vulnerability. This vulnerability allows an unauthenticated attacker to send a HTTP request to the database (Pocketbase) admin API to create an admin account. The Pocketbase admin API does not check for authentication/authorization when creating an admin account when no admin accounts have been added. In its default deployment, Webhood does not create a database admin account. Therefore, unless users have manually created an admin account in the database, an admin account will not exist in the deployment and the deployment is vulnerable. Versions starting from 0.9.1 are patched. The patch creates a randomly generated admin account if admin accounts have not already been created i.e. the vulnerability is exploitable in the deployment. As a workaround, users can disable access to URL path starting with `/api/admins` entirely. With this workaround, the vulnerability is not exploitable via network. | ||||
| CVE-2023-5881 | 1 Geniecompany | 2 Aladdin Connect Garage Door Opener, Aladdin Connect Garage Door Opener Firmware | 2024-09-05 | 8.2 High |
| Unauthenticated access permitted to web interface page The Genie Company Aladdin Connect (Retrofit-Kit Model ALDCM) "Garage Door Control Module Setup" and modify the Garage door's SSID settings. | ||||
| CVE-2022-43554 | 1 Ivanti | 1 Avalanche | 2024-09-05 | 7.8 High |
| Ivanti Avalanche Smart Device Service Missing Authentication Local Privilege Escalation Vulnerability | ||||
| CVE-2024-6422 | 1 Pepperl-fuchs | 8 Oit1500-f113-b12-cb, Oit1500-f113-b12-cb Firmware, Oit200-f113-b12-cb and 5 more | 2024-09-05 | 9.8 Critical |
| An unauthenticated remote attacker can manipulate the device via Telnet, stop processes, read, delete and change data. | ||||
| CVE-2023-46249 | 1 Goauthentik | 1 Authentik | 2024-09-05 | 9.7 Critical |
| authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. authentik uses a blueprint to create the default admin user, which can also optionally set the default admin users' password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again. authentik 2023.8.4 and 2023.10.2 fix this issue. As a workaround, ensure the default admin user (Username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user, and store it in a secure location like a password manager. It is also possible to deactivate the user to prevent any logins as akadmin. | ||||
| CVE-2022-43555 | 1 Ivanti | 1 Avalanche | 2024-09-04 | 7.8 High |
| Ivanti Avalanche Printer Device Service Missing Authentication Local Privilege Escalation Vulnerability | ||||
| CVE-2023-41351 | 1 Nokia | 2 G-040w-q, G-040w-q Firmware | 2024-09-04 | 9.8 Critical |
| Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of authentication bypass, which allows an unauthenticated remote attacker to bypass the authentication mechanism to log in to the device by an alternative URL. This makes it possible for unauthenticated remote attackers to log in as any existing users, such as an administrator, to perform arbitrary system operations or disrupt service. | ||||
| CVE-2023-46819 | 1 Apache | 1 Ofbiz | 2024-09-04 | 5.3 Medium |
| Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz: before 18.12.09. Users are recommended to upgrade to version 18.12.09 | ||||
| CVE-2024-38437 | 1 Dlink | 2 Dsl-225, Dsl-225 Firmware | 2024-08-29 | 9.8 Critical |
| D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel | ||||
| CVE-2024-3661 | 2024-08-28 | 7.6 High | ||
| DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN. | ||||
| CVE-2024-7940 | 1 Hitachienergy | 1 Microscada X Sys600 | 2024-08-28 | 8.3 High |
| The product exposes a service that is intended for local only to all network interfaces without any authentication. | ||||
| CVE-2024-45049 | 1 Nixos | 1 Hydra | 2024-08-28 | 7.5 High |
| Hydra is a Continuous Integration service for Nix based projects. It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of evaluations, this can impact the availability of systems. The problem can be fixed by applying https://github.com/NixOS/hydra/commit/f73043378907c2c7e44f633ad764c8bdd1c947d5 to any Hydra package. Users are advised to upgrade. Users unable to upgrade should deny the `/api/push` route in a reverse proxy. This also breaks the "Evaluate jobset" button in the frontend. | ||||
| CVE-2023-51571 | 2024-08-27 | N/A | ||
| Voltronic Power ViewPower Pro SocketService Missing Authentication Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SocketService module, which listens on UDP port 41222 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-21162. | ||||
| CVE-2023-6949 | 2024-08-27 | 5.2 Medium | ||
| A Missing Authentication for Critical Function issue affecting the HTTP service running on the DJI Mavic Mini 3 Pro on the standard port 80 could allow an attacker to enumerate and download videos and pictures saved on the drone internal or external memory without requiring any kind of authentication. | ||||
| CVE-2024-43798 | 1 Jpillora | 1 Chisel | 2024-08-27 | 8.6 High |
| Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. The Chisel server doesn't ever read the documented `AUTH` environment variable used to set credentials, which allows any unauthenticated user to connect, even if credentials were set. Anyone running the Chisel server that is using the `AUTH` environment variable to specify credentials to authenticate against is affected by this vulnerability. Chisel is often used to provide an entrypoint to a private network, which means services that are gated by Chisel may be affected. Additionally, Chisel is often used for exposing services to the internet. An attacker could MITM requests by connecting to a Chisel server and requesting to forward traffic from a remote port. This issue has been addressed in release version 1.10.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-7007 | 1 Positron | 2 Tra7005, Tra7005 Firmware | 2024-08-26 | 9.8 Critical |
| Positron Broadcast Signal Processor TRA7005 v1.20 is vulnerable to an authentication bypass exploit that could allow an attacker to have unauthorized access to protected areas of the application. | ||||
| CVE-2024-24578 | 2024-08-26 | 10 Critical | ||
| RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. RaspberryMatic / OCCU prior to version 3.75.6.20240316 contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within the Java based `HMIPServer.jar` component. RaspberryMatric includes a Java based `HMIPServer`, that can be accessed through URLs starting with `/pages/jpages`. The `FirmwareController` class does however not perform any session id checks, thus this feature can be accessed without a valid session. Due to this issue, attackers can gain remote code execution as root user, allowing a full system compromise. Version 3.75.6.20240316 contains a patch. | ||||
| CVE-2024-36445 | 2024-08-23 | 9.8 Critical | ||
| Swissphone DiCal-RED 4009 devices allow a remote attacker to gain a root shell via TELNET without authentication. | ||||