Total
3455 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-17213 | 1 Printeron | 1 Central Print Services | 2019-08-05 | 4.0 MEDIUM | 8.8 HIGH |
| An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. A user without valid credentials can bypass the authentication process, obtaining a valid session cookie with guest/pseudo-guest level privileges. This cookie can then be further used to perform other attacks. | |||||
| CVE-2005-4851 | 1 Ez | 1 Ez Publish | 2019-07-31 | 4.0 MEDIUM | N/A |
| eZ publish 3.4.4 through 3.7 before 20050722 applies certain permissions on the node level, which allows remote authenticated users to bypass the original permissions on embedded objects in XML fields and read these objects. | |||||
| CVE-2018-13927 | 1 Qualcomm | 48 Mdm9206, Mdm9206 Firmware, Mdm9607 and 45 more | 2019-07-24 | 7.2 HIGH | 7.8 HIGH |
| Debug policy with invalid signature can be loaded when the debug policy functionality is disabled by using the parallel image loading in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in MDM9206, MDM9607, MDM9650, MDM9655, MSM8996AU, QCS404, QCS605, SD 410/12, SD 636, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SXR1130 | |||||
| CVE-2005-3979 | 1 Coppermine-gallery | 1 Coppermine Photo Gallery | 2019-07-16 | 5.0 MEDIUM | N/A |
| relocate_server.php in Coppermine Photo Gallery (CPG) 1.4.2 and 1.4 beta is not removed after installation and does not use authentication, which allows remote attackers to obtain sensitive information, such as database configuration, via a direct request. | |||||
| CVE-2014-1984 | 1 Cybozu | 1 Remote Service Manager | 2019-07-16 | 6.8 MEDIUM | N/A |
| Session fixation vulnerability in the management screen in Cybozu Remote Service Manager through 2.3.0 and 3.x before 3.1.1 allows remote attackers to hijack web sessions via unspecified vectors. | |||||
| CVE-2013-4965 | 1 Puppet | 1 Puppet Enterprise | 2019-07-10 | 5.0 MEDIUM | N/A |
| Puppet Enterprise before 3.1.0 does not properly restrict the number of authentication attempts by a console account, which makes it easier for remote attackers to bypass intended access restrictions via a brute-force attack. | |||||
| CVE-2013-4958 | 1 Puppet | 1 Puppet Enterprise | 2019-07-10 | 6.9 MEDIUM | N/A |
| Puppet Enterprise before 3.0.1 does not use a session timeout, which makes it easier for attackers to gain privileges by leveraging an unattended workstation. | |||||
| CVE-2013-4966 | 1 Puppet | 1 Puppet Enterprise | 2019-07-10 | 6.4 MEDIUM | N/A |
| The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console. | |||||
| CVE-2012-5158 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2019-07-10 | 4.0 MEDIUM | N/A |
| Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors. | |||||
| CVE-2018-11426 | 1 Moxa | 4 Oncell G3150-hspa, Oncell G3150-hspa-t, Oncell G3150-hspa-t Firmware and 1 more | 2019-07-10 | 7.5 HIGH | 9.8 CRITICAL |
| A weak Cookie parameter is used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior. An attacker can brute force parameters required to bypass authentication and access the web interface to use all its functions except for password change. | |||||
| CVE-2019-5964 | 1 Idoors | 1 Idoors Reader | 2019-07-10 | 5.8 MEDIUM | 8.8 HIGH |
| iDoors Reader 2.10.17 and earlier allows an attacker on the same network segment to bypass authentication to access the management console and operate the product via unspecified vectors. | |||||
| CVE-2019-7218 | 1 Citrix | 1 Sharefile | 2019-07-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| Citrix ShareFile before 19.23 allows a downgrade from two-factor authentication to one-factor authentication. An attacker with access to the offline victim's otp physical token or virtual app (like google authenticator) is able to bypass the first authentication phase (username/password mechanism) and log-in using username/otp combination only (phase 2 of 2FA). | |||||
| CVE-2019-10689 | 1 Polycom | 2 Better Together Over Ethernet Connector, Unified Communications Software | 2019-06-27 | 3.3 LOW | 6.5 MEDIUM |
| VVX products using UCS software version 5.9.2 and earlier with Better Together over Ethernet Connector (BToE) application version 3.9.1 and earlier provides insufficient authentication between the BToE application and the BToE component, resulting in leakage of sensitive information. | |||||
| CVE-2019-10998 | 1 Phoenixcontact | 4 Axc F 2152, Axc F 2152 Firmware, Axc F 2152 Starterkit and 1 more | 2019-06-20 | 4.6 MEDIUM | 6.8 MEDIUM |
| An issue was discovered on Phoenix Contact AXC F 2152 (No.2404267) before 2019.0 LTS and AXC F 2152 STARTERKIT (No.1046568) before 2019.0 LTS devices. Unlimited physical access to the PLC may lead to a manipulation of SD cards data. SD card manipulation may lead to an authentication bypass opportunity. | |||||
| CVE-2017-9383 | 1 Getvera | 4 Veraedge, Veraedge Firmware, Veralite and 1 more | 2019-06-20 | 6.5 MEDIUM | 9.9 CRITICAL |
| An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "wget" as one of the service actions for a normal user to connect the device to an external website. It retrieves the parameter "URL" from the query string and then passes it to an internal function that uses the curl module on the device to retrieve the contents of the website. | |||||
| CVE-2017-9389 | 1 Getvera | 4 Veraedge, Veraedge Firmware, Veralite and 1 more | 2019-06-20 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device allows a user to install applications written in the Lua programming language. Also the interface allows any user to write his/her application in the Lua language. However, this functionality is not protected by authentication and this allows an attacker to run arbitrary Lua code on the device. The POST request is forwarded to LuaUPNP daemon on the device. This binary handles the received Lua code in the function "LU::JobHandler_LuaUPnP::RunLua(LU::JobHandler_LuaUPnP *__hidden this, LU::UPnPActionWrapper *)". The value in the "code" parameter is then passed to the function "LU::LuaInterface::RunCode(char const*)" which actually loads the Lua engine and runs the code. | |||||
| CVE-2018-18877 | 1 Columbiaweather | 2 Weather Microserver, Weather Microserver Firmware | 2019-06-18 | 6.5 MEDIUM | 8.8 HIGH |
| In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can access an alternative configuration page config_main.php that allows manipulation of the device. | |||||
| CVE-2015-0653 | 1 Cisco | 3 Expressway Software, Telepresence Conductor, Telepresence Video Communication Server Software | 2019-06-11 | 10.0 HIGH | N/A |
| The management interface in Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway before X7.2.4, X8 before X8.1.2, and X8.2 before X8.2.2 and Cisco TelePresence Conductor before X2.3.1 and XC2.4 before XC2.4.1 allows remote attackers to bypass authentication via crafted login parameters, aka Bug IDs CSCur02680 and CSCur05556. | |||||
| CVE-2018-19999 | 1 Solarwinds | 1 Serv-u Ftp Server | 2019-06-10 | 7.2 HIGH | 7.8 HIGH |
| The local management interface in SolarWinds Serv-U FTP Server 15.1.6.25 has incorrect access controls that permit local users to bypass authentication in the application and execute code in the context of the Windows SYSTEM account, leading to privilege escalation. To exploit this vulnerability, an attacker must have local access the the host running Serv-U, and a Serv-U administrator have an active management console session. | |||||
| CVE-2018-7123 | 1 Hp | 1 Intelligent Management Center | 2019-06-06 | 7.8 HIGH | 7.5 HIGH |
| A remote denial of service vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09. | |||||