Total
3455 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-7076 | 1 Hp | 1 Intelligent Management Center | 2018-12-03 | 10.0 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability was identified in HPE Intelligent Management Center (iMC) prior to iMC PLAT 7.3 E0605P04. | |||||
| CVE-2018-12455 | 1 Intelbras | 2 Nplug, Nplug Firmware | 2018-11-28 | 9.3 HIGH | 8.1 HIGH |
| Intelbras NPLUG 1.0.0.14 wireless repeater devices have a critical vulnerability that allows an attacker to authenticate in the web interface just by using "admin:" as the name of a cookie. | |||||
| CVE-2018-18061 | 1 Tecrail | 1 Responsive Filemanager | 2018-11-28 | 6.4 MEDIUM | 7.5 HIGH |
| An issue was discovered in dialog.php in tecrail Responsive FileManager 9.8.1. Attackers can access the file manager interface that provides them with the ability to upload and delete files. | |||||
| CVE-2017-7660 | 1 Apache | 1 Solr | 2018-11-28 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected. | |||||
| CVE-2018-7572 | 1 Pulsesecure | 1 Pulse Secure Desktop | 2018-11-27 | 7.2 HIGH | 6.8 MEDIUM |
| Pulse Secure Client 9.0R1 and 5.3RX before 5.3R5, when configured to authenticate VPN users during Windows Logon, can allow attackers to bypass Windows authentication and execute commands on the system with the privileges of Pulse Secure Client. The attacker must interrupt the client's network connectivity, and trigger a connection to a crafted proxy server with an invalid SSL certificate that allows certification-manager access, leading to the ability to browse local files and execute local programs. | |||||
| CVE-2018-17341 | 2 Bigtreecms, Microsoft | 2 Bigtree Cms, Windows | 2018-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a ..\ substring, as demonstrated by a launch.php?bigtree_htaccess_url=admin/images/..\ URI. | |||||
| CVE-2013-0282 | 1 Openstack | 1 Keystone | 2018-11-16 | 5.0 MEDIUM | N/A |
| OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions. | |||||
| CVE-2012-4457 | 1 Openstack | 1 Keystone | 2018-11-16 | 4.0 MEDIUM | N/A |
| OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant. | |||||
| CVE-2018-16590 | 1 Furuno | 4 Felcom 250, Felcom 250 Firmware, Felcom 500 and 1 more | 2018-11-14 | 10.0 HIGH | 9.8 CRITICAL |
| FURUNO FELCOM 250 and 500 devices use only client-side JavaScript in login.js for authentication. | |||||
| CVE-2018-15485 | 1 Kone | 2 Group Controller, Group Controller Firmware | 2018-11-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. FTP does not require authentication or authorization, aka KONE-03. | |||||
| CVE-2016-7141 | 2 Haxx, Opensuse | 2 Libcurl, Leap | 2018-11-13 | 5.0 MEDIUM | 7.5 HIGH |
| curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. | |||||
| CVE-2018-15479 | 1 Mystrom | 12 Wifi Bulb, Wifi Bulb Firmware, Wifi Button and 9 more | 2018-11-09 | 6.4 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. Devices did not authenticate themselves to the cloud in device to cloud communication. This lack of device authentication allowed an attacker to impersonate any device by guessing or learning their MAC address. | |||||
| CVE-2009-0614 | 1 Cisco | 1 Unified Meetingplace Web Conferencing | 2018-11-08 | 9.0 HIGH | N/A |
| Unspecified vulnerability in the Web Server in Cisco Unified MeetingPlace Web Conferencing 6.0 before 6.0(517.0) (aka 6.0 MR4) and 7.0 before 7.0(2) (aka 7.0 MR1) allows remote attackers to bypass authentication and obtain administrative access via a crafted URL. | |||||
| CVE-2018-16670 | 1 Circontrol | 1 Circarlife Scada | 2018-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is PLC status disclosure due to lack of authentication for /html/devstat.html. | |||||
| CVE-2018-16286 | 1 Lg | 1 Supersign Cms | 2018-11-07 | 5.0 MEDIUM | 9.8 CRITICAL |
| LG SuperSign CMS allows authentication bypass because the CAPTCHA requirement is skipped if a captcha:pass cookie is sent, and because the PIN is limited to four digits. | |||||
| CVE-2018-13821 | 1 Ca | 1 Unified Infrastructure Management | 2018-11-05 | 7.5 HIGH | 9.8 CRITICAL |
| A lack of authentication, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows remote attackers to conduct a variety of attacks, including file reading/writing. | |||||
| CVE-2008-5022 | 3 Canonical, Debian, Mozilla | 5 Ubuntu Linux, Debian Linux, Firefox and 2 more | 2018-11-02 | 7.5 HIGH | N/A |
| The nsXMLHttpRequest::NotifyEventListeners method in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to bypass the same-origin policy and execute arbitrary script via multiple listeners, which bypass the inner window check. | |||||
| CVE-2017-9820 | 1 Npci | 1 Bharat Interface For Money \(bhim\) | 2018-11-01 | 7.5 HIGH | 9.8 CRITICAL |
| The National Payments Corporation of India BHIM application 1.3 for Android uses a custom keypad for which the input element is available to the Accessibility service, which makes it easier for attackers to bypass authentication. | |||||
| CVE-2017-9819 | 1 Npci | 1 Bharat Interface For Money \(bhim\) | 2018-11-01 | 7.5 HIGH | 9.8 CRITICAL |
| The National Payments Corporation of India BHIM application 1.3 for Android does not properly restrict use of the OTP feature, which makes it easier for attackers to bypass authentication. | |||||
| CVE-2017-10784 | 1 Ruby-lang | 1 Ruby | 2018-10-31 | 9.3 HIGH | 8.8 HIGH |
| The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name. | |||||