Total
1281 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-3209 | 2 Busybox, Dbpower | 3 Busybox, U818a, U818a Firmware | 2024-08-05 | 8.1 High |
| The DBPOWER U818A WIFI quadcopter drone provides FTP access over its own local access point, and allows full file permissions to the anonymous user. The DBPower U818A WIFI quadcopter drone runs an FTP server that by default allows anonymous access without a password, and provides full filesystem read/write permissions to the anonymous user. A remote user within range of the open access point on the drone may utilize the anonymous user of the FTP server to read arbitrary files, such as images and video recorded by the device, or to replace system files such as /etc/shadow to gain further access to the device. Furthermore, the DBPOWER U818A WIFI quadcopter drone uses BusyBox 1.20.2, which was released in 2012, and may be vulnerable to other known BusyBox vulnerabilities. | ||||
| CVE-2017-3217 | 1 Calamp | 6 Lmu 3030 Cdma, Lmu 3030 Cdma Firmware, Lmu 3030 Gsm and 3 more | 2024-08-05 | N/A |
| CalAmp LMU 3030 series OBD-II CDMA and GSM devices has an SMS (text message) interface that can be deployed where no password is configured for this interface by the integrator / reseller. This interface must be password protected, otherwise, the attacker only needs to know the phone number of the device (via an IMSI Catcher, for example) to send administrative commands to the device. These commands can be used to provide ongoing, real-time access to the device and can configure parameters such as IP addresses, firewall rules, and passwords. | ||||
| CVE-2017-3216 | 5 Greenpacket, Huawei, Mada and 2 more | 28 Ox350, Ox350 Firmware, Bm2022 and 25 more | 2024-08-05 | N/A |
| WiMAX routers based on the MediaTek SDK (libmtk) that use a custom httpd plugin are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to gain administrator access to the device by performing an administrator password change on the device via a crafted POST request. | ||||
| CVE-2017-3184 | 1 Acti | 1 Camera Firmware | 2024-08-05 | N/A |
| ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC fail to properly restrict access to the factory reset page. An unauthenticated, remote attacker can exploit this vulnerability by directly accessing the http://x.x.x.x/setup/setup_maintain_firmware-default.html page. This will allow an attacker to perform a factory reset on the device, leading to a denial of service condition or the ability to make use of default credentials (CVE-2017-3186). | ||||
| CVE-2017-2637 | 1 Redhat | 2 Openstack, Openstack-director | 2024-08-05 | N/A |
| A design flaw issue was found in the Red Hat OpenStack Platform director use of TripleO to enable libvirtd based live-migration. Libvirtd is deployed by default (by director) listening on 0.0.0.0 (all interfaces) with no-authentication or encryption. Anyone able to make a TCP connection to any compute host IP address, including 127.0.0.1, other loopback interface addresses, or in some cases possibly addresses that have been exposed beyond the management interface, could use this to open a virsh session to the libvirtd instance and gain control of virtual machine instances or possibly take over the host. | ||||
| CVE-2017-2638 | 2 Infinispan, Redhat | 2 Infinispan, Jboss Data Grid | 2024-08-05 | N/A |
| It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name. | ||||
| CVE-2017-1523 | 1 Ibm | 1 Infosphere Master Data Management | 2024-08-05 | N/A |
| IBM InfoSphere Master Data Management - Collaborative Edition 11.5 could allow an unauthorized user to download reports without authentication. IBM X-Force ID: 129892. | ||||
| CVE-2018-1000226 | 1 Cobblerd | 1 Cobbler | 2024-08-05 | N/A |
| Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability in XMLRPC API (/cobbler_api) that can result in Privilege escalation, data manipulation or exfiltration, LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931. | ||||
| CVE-2018-21132 | 1 Netgear | 4 Wac505, Wac505 Firmware, Wac510 and 1 more | 2024-08-05 | 9.8 Critical |
| Certain NETGEAR devices are affected by authentication bypass. This affects WAC505 before 5.0.0.17 and WAC510 before 5.0.0.17. | ||||
| CVE-2018-21041 | 1 Google | 1 Android | 2024-08-05 | 7.5 High |
| An issue was discovered on Samsung mobile devices with O(8.x) software. Access to Gallery in the Secure Folder can occur without authentication. The Samsung ID is SVE-2018-13057 (December 2018). | ||||
| CVE-2018-20507 | 1 Gitlab | 1 Gitlab | 2024-08-05 | 5.3 Medium |
| An issue was discovered in GitLab Enterprise Edition 11.2.x through 11.4.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. | ||||
| CVE-2018-20220 | 1 Teracue | 6 Enc-400 Hdmi, Enc-400 Hdmi2, Enc-400 Hdmi2 Firmware and 3 more | 2024-08-05 | N/A |
| An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. While the web interface requires authentication before it can be interacted with, a large portion of the HTTP endpoints are missing authentication. An attacker is able to view these pages before being authenticated, and some of these pages may disclose sensitive information. | ||||
| CVE-2018-19248 | 1 Epson | 2 Epson Workforce Wf-2861, Epson Workforce Wf-2861 Firmware | 2024-08-05 | N/A |
| The web service on Epson WorkForce WF-2861 10.48 LQ22I3(Recovery-mode), WF-2861 10.51.LQ20I6, and WF-2861 10.52.LQ17IA devices allows remote attackers to upload a firmware file and reset the printer without authentication by making a request to the /DOWN/FIRMWAREUPDATE/ROM1 URI and a POST request to the /FIRMWAREUPDATE URI. | ||||
| CVE-2018-19079 | 2 Foscam, Opticam | 6 C2, C2 Application Firmware, C2 System Firmware and 3 more | 2024-08-05 | N/A |
| An issue was discovered on Foscam Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The ONVIF devicemgmt SystemReboot method allows unauthenticated reboot. | ||||
| CVE-2018-18995 | 1 Abb | 4 Gate-e1, Gate-e1 Firmware, Gate-e2 and 1 more | 2024-08-05 | N/A |
| Pluto Safety PLC Gateway Ethernet devices ABB GATE-E1 and GATE-E2 all versions do not allow authentication to be configured on administrative telnet or web interfaces, which could enable various effects vectors, including conducting device resets, reading or modifying registers, and changing configuration settings such as IP addresses. | ||||
| CVE-2018-18264 | 1 Kubernetes | 1 Dashboard | 2024-08-05 | N/A |
| Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster. | ||||
| CVE-2018-17906 | 1 Philips | 2 Intellispace Pacs, Isite Pacs | 2024-08-05 | 8.8 High |
| Philips iSite and IntelliSpace PACS, iSite PACS, all versions, and IntelliSpace PACS, all versions. Default credentials and no authentication within third party software may allow an attacker to compromise a component of the system. | ||||
| CVE-2018-17924 | 1 Rockwellautomation | 32 1756-en2f Series A, 1756-en2f Series A Firmware, 1756-en2f Series B and 29 more | 2024-08-05 | 8.6 High |
| Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules An unauthenticated, remote threat actor could send a CIP connection request to an affected device, and upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, a loss of communication occurs between the device and the rest of the system as the system traffic is still attempting to communicate with the device via the overwritten IP address. | ||||
| CVE-2018-17880 | 2 D-link, Dlink | 2 Dir-823g Firmware, Dir-823g | 2024-08-05 | N/A |
| On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allows /HNAP1 RunReboot commands without authentication to trigger a reboot. | ||||
| CVE-2018-16758 | 3 Debian, Starwindsoftware, Tinc-vpn | 3 Debian Linux, Starwind Virtual San, Tinc | 2024-08-05 | 5.9 Medium |
| Missing message authentication in the meta-protocol in Tinc VPN version 1.0.34 and earlier allows a man-in-the-middle attack to disable the encryption of VPN packets. | ||||