Total
3455 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24175 | 1 Posimyth | 1 The Plus Addons For Elementor | 2021-04-09 | 7.5 HIGH | 9.8 CRITICAL |
| The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled, and the Login widget is not active. | |||||
| CVE-2007-5006 | 2 Broadcom, Ca | 3 Brightstor Arcserve Backup Laptops Desktops, Desktop Management Suite, Protection Suites | 2021-04-08 | 10.0 HIGH | N/A |
| Multiple command handlers in CA (Computer Associates) BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.5 do not verify if a peer is authenticated, which allows remote attackers to add and delete users, and start client restores. | |||||
| CVE-2019-18252 | 1 Biotronik | 4 Cardiomessenger Ii-s Gsm, Cardiomessenger Ii-s Gsm Firmware, Cardiomessenger Ii-s T-line and 1 more | 2021-04-06 | 3.3 LOW | 4.3 MEDIUM |
| BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure. | |||||
| CVE-2019-18246 | 1 Biotronik | 4 Cardiomessenger Ii-s Gsm, Cardiomessenger Ii-s Gsm Firmware, Cardiomessenger Ii-s T-line and 1 more | 2021-04-06 | 3.3 LOW | 4.3 MEDIUM |
| BIOTRONIK CardioMessenger II, The affected products do not properly enforce mutual authentication with the BIOTRONIK Remote Communication infrastructure. | |||||
| CVE-2021-21982 | 2 Linux, Vmware | 2 Linux Kernel, Carbon Black Cloud Workload | 2021-04-06 | 6.4 MEDIUM | 9.1 CRITICAL |
| VMware Carbon Black Cloud Workload appliance 1.0.0 and 1.01 has an authentication bypass vulnerability that may allow a malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance to obtain a valid authentication token. Successful exploitation of this issue would result in the attacker being able to view and alter administrative configuration settings. | |||||
| CVE-2021-23923 | 1 Devolutions | 1 Devolutions Server | 2021-04-06 | 4.9 MEDIUM | 8.1 HIGH |
| An issue was discovered in Devolutions Server before 2020.3. There is Broken Authentication with Windows domain users. | |||||
| CVE-2016-4422 | 2 Debian, Libpam-sshauth Project | 2 Debian Linux, Libpam-sshauth | 2021-04-05 | 10.0 HIGH | 9.8 CRITICAL |
| The pam_sm_authenticate function in pam_sshauth.c in libpam-sshauth might allow context-dependent attackers to bypass authentication or gain privileges via a system user account. | |||||
| CVE-2021-25368 | 1 Samsung | 1 Cloud | 2021-03-30 | 5.0 MEDIUM | 7.5 HIGH |
| Hijacking vulnerability in Samsung Cloud prior to version 4.7.0.3 allows attackers to intercept when the provider is executed. | |||||
| CVE-2020-27866 | 1 Netgear | 38 Ac2100, Ac2100 Firmware, Ac2400 and 35 more | 2021-03-26 | 8.3 HIGH | 8.8 HIGH |
| This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-11355. | |||||
| CVE-2020-27865 | 1 Dlink | 2 Dap-1860, Dap-1860 Firmware | 2021-03-25 | 8.3 HIGH | 8.8 HIGH |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1860 firmware version 1.04B03 WiFi extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the uhttpd service, which listens on TCP port 80 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the device. Was ZDI-CAN-10894. | |||||
| CVE-2021-24148 | 1 Inspireui | 1 Mstore Api | 2021-03-23 | 10.0 HIGH | 9.8 CRITICAL |
| A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address. | |||||
| CVE-2021-22860 | 1 Eic | 1 E-document System | 2021-03-23 | 7.5 HIGH | 9.8 CRITICAL |
| EIC e-document system does not perform completed identity verification for sorting and filtering personnel data. The vulnerability allows remote attacker to obtain users’ credential information without logging in the system, and further acquire the privileged permissions and execute arbitrary commends. | |||||
| CVE-2021-20018 | 1 Sonicwall | 2 Sma100, Sma100 Firmware | 2021-03-19 | 4.0 MEDIUM | 4.9 MEDIUM |
| A post-authenticated vulnerability in SonicWall SMA100 allows an attacker to export the configuration file to the specified email address. This vulnerability impacts SMA100 version 10.2.0.5 and earlier. | |||||
| CVE-2020-35231 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2021-03-17 | 8.3 HIGH | 8.8 HIGH |
| The NSDP protocol implementation on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices was affected by an authentication issue that allows an attacker to bypass access controls and obtain full control of the device. | |||||
| CVE-2020-5148 | 1 Sonicwall | 1 Directory Services Connector | 2021-03-15 | 6.4 MEDIUM | 8.2 HIGH |
| SonicWall SSO-agent default configuration uses NetAPI to probe the associated IP's in the network, this client probing method allows a potential attacker to capture the password hash of the privileged user and potentially forces the SSO Agent to authenticate allowing an attacker to bypass firewall access controls. | |||||
| CVE-2020-27838 | 1 Redhat | 2 Keycloak, Single Sign-on | 2021-03-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. | |||||
| CVE-2021-25347 | 1 Google | 1 Android | 2021-03-12 | 4.6 MEDIUM | 5.3 MEDIUM |
| Hijacking vulnerability in Samsung Email application version prior to SMR Feb-2021 Release 1 allows attackers to intercept when the provider is executed. | |||||
| CVE-2021-21335 | 1 Spnego Http Authentication Module Project | 1 Spnego Http Authentication Module | 2021-03-12 | 7.5 HIGH | 9.8 CRITICAL |
| In the SPNEGO HTTP Authentication Module for nginx (spnego-http-auth-nginx-module) before version 1.1.1 basic Authentication can be bypassed using a malformed username. This affects users of spnego-http-auth-nginx-module that have enabled basic authentication. This is fixed in version 1.1.1 of spnego-http-auth-nginx-module. As a workaround, one may disable basic authentication. | |||||
| CVE-2021-21329 | 1 Ratcf | 1 Ratcf | 2021-03-12 | 6.8 MEDIUM | 9.8 CRITICAL |
| RATCF is an open-source framework for hosting Cyber-Security Capture the Flag events. In affected versions of RATCF users with multi factor authentication enabled are able to log in without a valid token. This is fixed in commit cebb67b. | |||||
| CVE-2021-25343 | 2 Google, Samsung | 2 Android, Members | 2021-03-11 | 2.1 LOW | 3.3 LOW |
| Calling of non-existent provider in Samsung Members prior to version 2.4.81.13 (in Android O(8.1) and below) and 3.8.00.13 (in Android P(9.0) and above) allows unauthorized actions including denial of service attack by hijacking the provider. | |||||