Filtered by CWE-306
Total 1280 CVEs
CVE Vendors Products Updated CVSS v3.1
CVE-2022-37062 1 Flir 2 Flir Ax8, Flir Ax8 Firmware 2024-08-03 7.5 High
All FLIR AX8 thermal sensor cameras version up to and including 1.46.16 are affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the SQLite users database and download it. A successful exploit could allow the attacker to extract usernames and hashed passwords.
CVE-2022-36983 1 Ivanti 1 Avalanche 2024-08-03 9.8 Critical
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919.
CVE-2022-36884 2 Jenkins, Redhat 2 Git, Openshift 2024-08-03 5.3 Medium
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provides unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.
CVE-2022-36619 1 Dlink 2 Dir-816, Dir-816 Firmware 2024-08-03 7.5 High
In D-Link DIR-816 A2_v1.10CNB04.img, the network can be reset without authentication via /goform/setMAC.
CVE-2022-36604 1 Canaan 2 Avalon Asic Miner, Avalon Asic Miner Firmware 2024-08-03 7.5 High
An access control issue in Canaan Avalon ASIC Miner 2020.3.30 and below allows unauthenticated attackers to arbitrarily change user passwords via a crafted POST request.
CVE-2022-36521 1 Cskefu 1 Cskefu 2024-08-03 7.5 High
Insecure permissions in cskefu v7.0.1 allow unauthenticated attackers to arbitrarily add administrator accounts.
CVE-2022-36249 1 Shopbeat 1 Shop Beat Media Player 2024-08-03 5.4 Medium
Shop Beat Solutions (Pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to 2FA bypass via APIs (for Controlpanel Lite). "After login we are directly able to use the bearer token or jsession ID to access the APIs instead of entering the 2FA code. Thus, leading to bypass of 2FA on API level."
CVE-2022-36129 1 Hashicorp 1 Vault 2024-08-03 9.1 Critical
HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. Fixed in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1.
CVE-2022-35871 1 Inductiveautomation 1 Ignition 2024-08-03 7.8 High
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Authentication is not required to exploit this vulnerability. The specific flaw exists within the authenticateAdSso method. The issue results from the lack of authentication prior to allowing the execution of python code. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17206.
CVE-2022-35865 1 Bmc 1 Track-it! 2024-08-03 9.8 Critical
This vulnerability allows remote attackers to execute arbitrary code on affected installations of BMC Track-It! 20.21.2.109. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authorization of HTTP requests. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-16709.
CVE-2022-35733 1 Unimo 6 Udr-ja1004, Udr-ja1004 Firmware, Udr-ja1008 and 3 more 2024-08-03 9.8 Critical
Missing authentication for critical function vulnerability in UNIMO Technology digital video recorders (UDR-JA1004/JA1008/JA1016 firmware versions v1.0.20.13 and earlier, and UDR-JA1016 firmware versions v2.0.20.13 and earlier) allows a remote unauthenticated attacker to execute an arbitrary OS command by sending a specially crafted request to the affected device web interface.
CVE-2022-35572 1 Linksys 2 E5350, E5350 Firmware 2024-08-03 7.5 High
On Linksys E5350 WiFi Router with firmware version 1.0.00.037 and lower, (and potentially other vendors/devices due to code reuse), the /SysInfo.htm URI does not require a session ID. This web page calls a show_sysinfo function which retrieves WPA passwords, SSIDs, MAC Addresses, serial numbers, WPS Pins, and hardware/firmware versions, and prints this information into the web page. This web page is visible when remote management is enabled. A user who has access to the web interface of the device can extract these secrets. If the device has remote management enabled and is connected directly to the internet, this vulnerability is exploitable over the internet without interaction.
CVE-2022-35136 1 Boodskap 1 Iot Platform 2024-08-03 6.5 Medium
Boodskap IoT Platform v4.4.9-02 allows attackers to make unauthenticated API requests.
CVE-2022-35122 1 Ecowitt 2 Gw1100, Gw1100 Firmware 2024-08-03 9.1 Critical
An access control issue in Ecowitt GW1100 Series Weather Stations <=GW1100B_v2.1.5 allows unauthenticated attackers to access sensitive information including device and local WiFi passwords.
CVE-2022-34767 1 Allnet 2 All-wr0500ac, All-wr0500ac Firmware 2024-08-03 5.9 Medium
The "wizardpwd.asp" web page on the ALLNET Router model WR0500AC is prone to an authorization bypass vulnerability: the page (http[s]://wizardpwd.asp/cgi-bin) allows changing the "admin" password, does not validate the user's identity, and can be accessed publicly.
CVE-2022-33138 1 Siemens 12 Simatic Mv540 H, Simatic Mv540 H Firmware, Simatic Mv540 S and 9 more 2024-08-03 7.5 High
A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). Affected devices do not perform authentication for several web API endpoints. This could allow an unauthenticated remote attacker to read and download data from the device.
CVE-2022-32528 1 Schneider-electric 1 Interactive Graphical Scada System 2024-08-03 8.6 High
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause access to manipulate and read specific files in the IGSS project report directory, potentially leading to a denial-of-service condition when an attacker sends specific messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)
CVE-2022-32557 1 Couchbase 1 Couchbase Server 2024-08-03 7.5 High
An issue was discovered in Couchbase Server before 7.0.4. The Index Service does not enforce authentication for TCP/TLS servers.
CVE-2022-32251 1 Siemens 1 Sinema Remote Connect Server 2024-08-03 8.8 High
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). There is a missing authentication verification for a resource used to change the roles and permissions of a user. This could allow an attacker to change the permissions of any user and gain the privileges of an administrative user.
CVE-2022-31701 2 Linux, Vmware 4 Linux Kernel, Access, Cloud Foundation and 1 more 2024-08-03 5.3 Medium
VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.