Total
3455 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-7943 | 1 Huawei | 40 1288h V5, 1288h V5 Firmware, 2288h V5 and 37 more | 2018-07-20 | 6.5 MEDIUM | 8.8 HIGH |
| There is an authentication bypass vulnerability in some Huawei servers. A remote attacker with low privilege may bypass the authentication by some special operations. Due to insufficient authentication, an attacker may exploit the vulnerability to get some sensitive information and high-level users' privilege. | |||||
| CVE-2017-7639 | 1 Qnap | 1 Nas Proxy Server | 2018-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| QNAP NAS application Proxy Server through version 1.2.0 does not authenticate requests properly. Successful exploitation can lead to change of the settings of Proxy Server. | |||||
| CVE-2014-10067 | 1 Paypal-ipn Project | 1 Paypal-ipn | 2018-07-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production. | |||||
| CVE-2018-11478 | 1 Vgate | 2 Icar 2 Wi-fi Obd2, Icar 2 Wi-fi Obd2 Firmware | 2018-07-05 | 5.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices. The OBD port is used to receive measurement data and debug information from the car. This on-board diagnostics feature can also be used to send commands to the car (different for every vendor / car product line / car). No authentication is needed, which allows attacks from the local Wi-Fi network. | |||||
| CVE-2018-11579 | 1 Multidots | 1 Woocommerce Category Banner Management | 2018-07-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| class-woo-banner-management.php in the MULTIDOTS WooCommerce Category Banner Management plugin 1.1.0 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wp_ajax_nopriv_ usage. Anyone can change the plugin's setting by simply sending a request with a wbm_save_shop_page_banner_data action. | |||||
| CVE-2018-7949 | 1 Huawei | 40 1288h V5, 1288h V5 Firmware, 2288h V5 and 37 more | 2018-07-05 | 4.0 MEDIUM | 8.8 HIGH |
| The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a privilege escalation vulnerability. A remote attacker may send some specially crafted login messages to the affected products. Due to improper authentication design, successful exploit enables low privileged users to get or modify passwords of highly privileged users. | |||||
| CVE-2016-10525 | 1 Dwyl | 1 Hapi-auth-jwt2 | 2018-07-02 | 7.5 HIGH | 9.8 CRITICAL |
| When attempting to allow authentication mode `try` in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication. | |||||
| CVE-2017-9421 | 1 Accellion | 1 Kiteworks | 2018-06-27 | 6.4 MEDIUM | 6.5 MEDIUM |
| Authentication Bypass vulnerability in Accellion kiteworks before 2017.01.00 allows remote attackers to execute certain API calls on behalf of a web user using a gathered token via a POST request to /oauth/token. | |||||
| CVE-2018-7941 | 1 Huawei | 40 1288h V5, 1288h V5 Firmware, 2288h V5 and 37 more | 2018-06-14 | 6.5 MEDIUM | 8.8 HIGH |
| Huawei iBMC V200R002C60 have an authentication bypass vulnerability. A remote attacker with low privilege may craft specific messages to upload authentication certificate to the affected products. Due to improper validation of the upload authority, successful exploit may cause privilege elevation. | |||||
| CVE-2017-3775 | 1 Lenovo | 22 Flex System X240 M5, Flex System X240 M5 Bios, Flex System X280 X6 and 19 more | 2018-06-13 | 6.9 MEDIUM | 6.4 MEDIUM |
| Some Lenovo System x server BIOS/UEFI versions, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code. | |||||
| CVE-2018-6020 | 1 Silextechnology | 8 Geh-500, Geh-500 Firmware, Geh-sd-320an and 5 more | 2018-06-13 | 6.4 MEDIUM | 6.5 MEDIUM |
| In Silex SX-500 all versions and GE MobileLink(GEH-500) version 1.54 and prior, authentication is not verified when making certain POST requests, which may allow attackers to modify system settings. | |||||
| CVE-2018-10544 | 1 Meross | 2 Mss110, Mss110 Firmware | 2018-06-13 | 5.0 MEDIUM | 9.8 CRITICAL |
| Meross MSS110 devices through 1.1.24 contain an unauthenticated admin.htm administrative interface. | |||||
| CVE-2018-9232 | 1 Twsz | 2 Be126, Be126 Firmware | 2018-06-13 | 9.3 HIGH | 7.8 HIGH |
| Due to the lack of firmware authentication in the upgrade process of T&W WIFI Repeater BE126 devices, an attacker can craft a malicious firmware and use it as an update. | |||||
| CVE-2018-7940 | 1 Huawei | 4 Mate 9, Mate 9 Firmware, Mate 9 Pro and 1 more | 2018-06-13 | 7.2 HIGH | 6.2 MEDIUM |
| Huawei smart phones Mate 10 and Mate 10 Pro with earlier versions than 8.0.0.129(SP2C00) and earlier versions than 8.0.0.129(SP2C01) have an authentication bypass vulnerability. An attacker with high privilege obtains the smart phone and bypass the activation function by some specific operations. | |||||
| CVE-2018-6960 | 1 Vmware | 1 Horizon Daas | 2018-05-22 | 6.5 MEDIUM | 8.8 HIGH |
| VMware Horizon DaaS (7.x before 8.0.0) contains a broken authentication vulnerability that may allow an attacker to bypass two-factor authentication. Note: In order to exploit this issue, an attacker must have a legitimate account on Horizon DaaS. | |||||
| CVE-2014-0927 | 1 Ibm | 2 Sterling B2b Integrator, Sterling File Gateway | 2018-05-22 | 4.3 MEDIUM | 8.1 HIGH |
| The ActiveMQ admin user interface in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to bypass authentication by leveraging knowledge of the port number and webapp path. IBM X-Force ID: 92259. | |||||
| CVE-2018-6547 | 1 Plays.tv | 1 Plays.tv | 2018-05-21 | 9.4 HIGH | 9.1 CRITICAL |
| plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming Evolved products, contains an HTTP message parsing function that takes a user-defined path and writes non-user controlled data as SYSTEM to the file when the extract_files parameter is used. This occurs without properly authenticating the user. | |||||
| CVE-2018-6546 | 1 Plays.tv | 1 Plays.tv | 2018-05-21 | 10.0 HIGH | 9.8 CRITICAL |
| plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming Evolved products, executes code at a user-defined (local or SMB) path as SYSTEM when the execute_installer parameter is used in an HTTP message. This occurs without properly authenticating the user. | |||||
| CVE-2018-9249 | 1 Fiberhome | 2 Vdsl2 Modem Hg 150-ub, Vdsl2 Modem Hg 150-ub Firmware | 2018-05-21 | 7.5 HIGH | 9.8 CRITICAL |
| FiberHome VDSL2 Modem HG 150-UB devices allow authentication bypass by ignoring the parent.location='login.html' JavaScript code in the response to an unauthenticated request. | |||||
| CVE-2018-9248 | 1 Fiberhome | 2 Vdsl2 Modem Hg 150-ub, Vdsl2 Modem Hg 150-ub Firmware | 2018-05-21 | 7.5 HIGH | 9.8 CRITICAL |
| FiberHome VDSL2 Modem HG 150-UB devices allow authentication bypass via a "Cookie: Name=0admin" header. | |||||