Total
1125 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-7079 | 1 Redhat | 1 Openshift Container Platform | 2024-07-26 | N/A | 6.5 MEDIUM |
| A flaw was found in the Openshift console. The /API/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI that is remote HTTP/HTTPS or local. Access to this endpoint is gated by the authHandlerWithUser() middleware function. Contrary to its name, this middleware function does not verify the validity of the user's credentials. As a result, unauthenticated users can access this endpoint. | |||||
| CVE-2024-39601 | 2024-07-24 | N/A | 6.5 MEDIUM | ||
| A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V5.40), SICORE Base system (All versions < V1.4.0). Affected devices allow a remote authenticated user or an unauthenticated user with physical access to downgrade the firmware of the device. This could allow an attacker to downgrade the device to older versions with known vulnerabilities. | |||||
| CVE-2024-6895 | 2024-07-22 | N/A | N/A | ||
| Insufficient authentication in user account management in Yugabyte Platform allows local network attackers with a compromised user session to change critical security information without re-authentication. An attacker with user session and access to application can modify settings such as password and email without being prompted for the current password, enabling account takeover. | |||||
| CVE-2022-45378 | 1 Apache | 1 Soap | 2024-07-19 | N/A | 9.8 CRITICAL |
| In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-5910 | 2024-07-11 | N/A | N/A | ||
| Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue. | |||||
| CVE-2024-6422 | 2024-07-11 | N/A | 9.8 CRITICAL | ||
| An unauthenticated remote attacker can manipulate the device via Telnet, stop processes, read, delete and change data. | |||||
| CVE-2022-32251 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-07-09 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). There is a missing authentication verification for a resource used to change the roles and permissions of a user. This could allow an attacker to change the permissions of any user and gain the privileges of an administrative user. | |||||
| CVE-2023-35854 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-07-08 | N/A | 9.8 CRITICAL |
| Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability." | |||||
| CVE-2024-27169 | 2024-07-04 | N/A | 8.4 HIGH | ||
| Toshiba printers provides API without authentication for internal access. A local attacker can bypass authentication in applications, providing administrative access. As for the affected products/models/versions, see the reference URL. | |||||
| CVE-2024-32752 | 2024-07-03 | N/A | 9.1 CRITICAL | ||
| Under certain circumstances communications between the ICU tool and an iSTAR Pro door controller is susceptible to Machine-in-the-Middle attacks which could impact door control and configuration. | |||||
| CVE-2024-32735 | 2024-07-03 | N/A | 9.8 CRITICAL | ||
| An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application. | |||||
| CVE-2021-34983 | 2024-07-03 | N/A | 6.5 MEDIUM | ||
| NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of authentication prior to allowing access to system configuration information. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13708. | |||||
| CVE-2021-26928 | 1 Nic | 1 Bird | 2024-07-03 | 4.9 MEDIUM | 6.8 MEDIUM |
| BIRD through 2.0.7 does not provide functionality for password authentication of BGP peers. Because of this, products that use BIRD (which may, for example, include Tigera products in some configurations, as well as products of other vendors) may have been susceptible to route redirection for Denial of Service and/or Information Disclosure. NOTE: a researcher has asserted that the behavior is within Tigera’s area of responsibility; however, Tigera disagrees | |||||
| CVE-2020-27986 | 1 Sonarsource | 1 Sonarqube | 2024-07-03 | 5.0 MEDIUM | 7.5 HIGH |
| SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it. | |||||
| CVE-2023-41918 | 2024-07-02 | N/A | 10.0 CRITICAL | ||
| A vulnerability allows unauthorized access to functionality inadequately constrained by ACLs. Attackers may exploit this to unauthenticated execute commands potentially leading to unauthorized data manipulation, access to privileged functions, or even the execution of arbitrary code. | |||||
| CVE-2024-3661 | 2024-07-01 | N/A | 7.6 HIGH | ||
| DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN. | |||||
| CVE-2023-49115 | 1 Machinesense | 2 Feverwarn, Feverwarn Firmware | 2024-06-28 | N/A | 7.5 HIGH |
| MachineSense devices use unauthenticated MQTT messaging to monitor devices and remote viewing of sensor data by users. | |||||
| CVE-2022-26925 | 1 Microsoft | 17 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 14 more | 2024-06-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| Windows LSA Spoofing Vulnerability | |||||
| CVE-2022-21587 | 1 Oracle | 1 E-business Suite | 2024-06-28 | N/A | 9.8 CRITICAL |
| Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2022-24990 | 1 Terra-master | 30 F2-210, F2-221, F2-223 and 27 more | 2024-06-28 | N/A | 7.5 HIGH |
| TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response. | |||||