Total
1281 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-3948 | 2 Amcrest, Dahua | 13 Ip2m-841b, Ip2m-841b Firmware, Dh-ipc-hx863x and 10 more | 2024-08-04 | N/A |
| The Amcrest IP2M-841B V2.520.AC00.18.R, Dahua IPC-XXBXX V2.622.0000000.9.R, Dahua IPC HX5X3X and HX4X3X V2.800.0000008.0.R, Dahua DH-IPC HX883X and DH-IPC-HX863X V2.622.0000000.7.R, Dahua DH-SD4XXXXX V2.623.0000000.7.R, Dahua DH-SD5XXXXX V2.623.0000000.1.R, Dahua DH-SD6XXXXX V2.640.0000000.2.R and V2.623.0000000.1.R, Dahua NVR5XX-4KS2 V3.216.0000006.0.R, Dahua NVR4XXX-4KS2 V3.216.0000006.0.R, and NVR2XXX-4KS2 do not require authentication to access the HTTP endpoint /videotalk. An unauthenticated, remote person can connect to this endpoint and potentionally listen to the audio of the capturing device. | ||||
| CVE-2019-3941 | 1 Advantech | 1 Webaccess | 2024-08-04 | N/A |
| Advantech WebAccess 8.3.4 allows unauthenticated, remote attackers to delete arbitrary files via IOCTL 10005 RPC. | ||||
| CVE-2019-3978 | 1 Mikrotik | 1 Routeros | 2024-08-04 | 7.5 High |
| RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below allow remote unauthenticated attackers to trigger DNS queries via port 8291. The queries are sent from the router to a server of the attacker's choice. The DNS responses are cached by the router, potentially resulting in cache poisoning | ||||
| CVE-2019-3899 | 2 Heketi Project, Redhat | 3 Heketi, Openshift Container Platform, Storage | 2024-08-04 | 9.8 Critical |
| It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11. | ||||
| CVE-2019-3411 | 1 Zte | 2 Mf920, Mf920 Firmware | 2024-08-04 | 7.5 High |
| All versions up to BD_R218V2.4 of ZTE MF920 product are impacted by information leak vulnerability. Due to some interfaces can obtain the WebUI login password without login, an attacker can exploit the vulnerability to obtain sensitive information about the affected components. | ||||
| CVE-2019-0379 | 1 Sap | 1 Process Integration | 2024-08-04 | 5.3 Medium |
| SAP Process Integration, business-to-business add-on, versions 1.0, 2.0, does not perform authentication check properly when the default security provider is changed to BouncyCastle (BC), leading to Missing Authentication Check | ||||
| CVE-2019-0312 | 1 Sap | 1 Netweaver Process Integration | 2024-08-04 | N/A |
| Several web pages provided SAP NetWeaver Process Integration (versions: SAP_XIESR: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 and SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50) are not password protected. An attacker could access landscape information like host names, ports or other technical data in the absence of restrictive firewall and port settings. | ||||
| CVE-2019-0261 | 1 Sap | 1 Landscape Management | 2024-08-04 | N/A |
| Under certain circumstances, SAP HANA Extended Application Services, advanced model (XS advanced) does not perform authentication checks properly for XS advanced platform and business users. Fixed in 1.0.97 to 1.0.99 (running on SAP HANA 1 or SAP HANA 2 SPS0 (second S stands for stack)). | ||||
| CVE-2019-0246 | 1 Sap | 1 Cloud Connector | 2024-08-04 | N/A |
| SAP Cloud Connector, before version 2.11.3, does not perform any authentication checks for functionalities that require user identity. | ||||
| CVE-2020-36724 | 1 Wordable | 1 Wordable | 2024-08-04 | 9.8 Critical |
| The Wordable plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.1. This is due to the use of a user supplied hashing algorithm passed to the hash_hmac() function and the use of a loose comparison on the hash which allows an attacker to trick the function into thinking it has a valid hash. This makes it possible for unauthenticated attackers to gain administrator privileges. | ||||
| CVE-2020-36713 | 1 Inspireui | 1 Mstore Api | 2024-08-04 | 9.8 Critical |
| The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'update_user_profile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delete existing administrator accounts, or escalate privileges on any account. | ||||
| CVE-2020-36333 | 1 Themegrill | 1 Themegrill Demo Importer | 2024-08-04 | 9.1 Critical |
| themegrill-demo-importer before 1.6.2 does not require authentication for wiping the database, because of a reset_wizard_actions hook. | ||||
| CVE-2020-36245 | 1 Gramaddict | 1 Gramaddict | 2024-08-04 | 8.8 High |
| GramAddict through 1.2.3 allows remote attackers to execute arbitrary code because of use of UIAutomator2 and ATX-Agent. The attacker must be able to reach TCP port 7912, e.g., by being on the same Wi-Fi network. | ||||
| CVE-2020-36125 | 1 Paxtechnology | 1 Paxstore | 2024-08-04 | 7.1 High |
| Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control where password revalidation in sensitive operations can be bypassed remotely by an authenticated attacker through requesting the endpoint directly. | ||||
| CVE-2020-35951 | 1 Expresstech | 1 Quiz And Survey Master | 2024-08-04 | 9.9 Critical |
| An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended for a person to delete their own quiz-answer files). | ||||
| CVE-2020-27986 | 1 Sonarsource | 1 Sonarqube | 2024-08-04 | 7.5 High |
| SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it. | ||||
| CVE-2020-35756 | 1 Librewireless | 2 Ls9, Ls9 Firmware | 2024-08-04 | 7.5 High |
| An issue was discovered on Libre Wireless LS9 LS1.5/p7040 devices. There is a luci_service GETPASS Configuration Password Information Leak. The luci_service daemon running on port 7777 does not require authentication to return the device configuration password in cleartext when using the GETPASS command. As such, any unauthenticated person with access to port 7777 on the device will be able to leak the user's personal device configuration password by issuing the GETPASS command. | ||||
| CVE-2020-35758 | 1 Librewireless | 2 Ls9, Ls9 Firmware | 2024-08-04 | 9.8 Critical |
| An issue was discovered on Libre Wireless LS9 LS1.5/p7040 devices. There is a Authentication Bypass in the Web Interface. This interface does not properly restrict access to internal functionality. Despite presenting a password login page on first access, authentication is not required to access privileged functionality. As such, it's possible to directly access APIs that should not be exposed to an unauthenticated user. | ||||
| CVE-2020-35757 | 1 Librewireless | 2 Ls9, Ls9 Firmware | 2024-08-04 | 9.8 Critical |
| An issue was discovered on Libre Wireless LS9 LS1.5/p7040 devices. There is Unauthenticated Root ADB Access Over TCP. The LS9 web interface provides functionality to access ADB over TCP. This is not enabled by default, but can be enabled by sending a crafted request to a web management interface endpoint. Requests made to this endpoint do not require authentication. As such, any unauthenticated user who is able to access the web interface will be able to gain root privileges on the LS9 module. | ||||
| CVE-2020-35755 | 1 Librewireless | 2 Ls9, Ls9 Firmware | 2024-08-04 | 7.5 High |
| An issue was discovered on Libre Wireless LS9 LS1.5/p7040 devices. There is a luci_service Read_ NVRAM Direct Access Information Leak. The luci_service deamon running on port 7777 provides a sub-category of commands for which Read_ is prepended. Commands in this category are able to directly read the contents of the device configuration NVRAM. The NVRAM contains sensitive information, such as the Wi-Fi password (in cleartext), as well as connected account tokens for services such as Spotify. | ||||