Total
1125 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-1246 | 1 Cisco | 1 Finesse | 2023-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack and obtain potentially confidential information by leveraging a flaw in the authentication mechanism. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-1245 | 1 Cisco | 1 Finesse | 2023-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack and obtain potentially confidential information by leveraging a flaw in the authentication mechanism. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2020-9480 | 2 Apache, Oracle | 2 Spark, Business Intelligence | 2023-11-07 | 9.3 HIGH | 9.8 CRITICAL |
| In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc). | |||||
| CVE-2020-8636 | 1 Opservices | 1 Opmon | 2023-11-07 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in OpServices OpMon 9.3.2 that allows Remote Code Execution . | |||||
| CVE-2020-7954 | 1 Opservices | 1 Opmon | 2023-11-07 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in OpServices OpMon 9.3.2. Starting from the apache user account, it is possible to perform privilege escalation through the lack of correct configuration in the server's sudoers file, which by default allows the execution of programs (e.g. nmap) without the need for a password with sudo. | |||||
| CVE-2020-7953 | 1 Opservices | 1 Opmon | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in OpServices OpMon 9.3.2. Without authentication, it is possible to read server files (e.g., /etc/passwd) due to the use of the nmap -iL (aka input file) option. | |||||
| CVE-2020-6170 | 1 Genexis | 2 Platinum-4410, Platinum-4410 Firmware | 2023-11-07 | 5.0 MEDIUM | 9.8 CRITICAL |
| An authentication bypass vulnerability on Genexis Platinum-4410 v2.1 P4410-V2 1.28 devices allows attackers to obtain cleartext credentials from the HTML source code of the cgi-bin/index2.asp URI. | |||||
| CVE-2020-3598 | 1 Cisco | 1 Vision Dynamic Signage Director | 2023-11-07 | 6.4 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to access confidential information or make configuration changes. The vulnerability is due to missing authentication for a specific section of the web-based management interface. An attacker could exploit this vulnerability by accessing a crafted URL. A successful exploit could allow the attacker to obtain access to a section of the interface, which they could use to read confidential information or make configuration changes. | |||||
| CVE-2020-3376 | 1 Cisco | 1 Data Center Network Manager | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the Device Manager application of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions on an affected device. The vulnerability is due to a failure in the software to perform proper authentication. An attacker could exploit this vulnerability by browsing to one of the hosted URLs in Cisco DCNM. A successful exploit could allow the attacker to interact with and use certain functions within the Cisco DCNM. | |||||
| CVE-2020-36724 | 1 Wordable | 1 Wordable | 2023-11-07 | N/A | 9.8 CRITICAL |
| The Wordable plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.1. This is due to the use of a user supplied hashing algorithm passed to the hash_hmac() function and the use of a loose comparison on the hash which allows an attacker to trick the function into thinking it has a valid hash. This makes it possible for unauthenticated attackers to gain administrator privileges. | |||||
| CVE-2020-36713 | 1 Inspireui | 1 Mstore Api | 2023-11-07 | N/A | 9.8 CRITICAL |
| The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'update_user_profile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delete existing administrator accounts, or escalate privileges on any account. | |||||
| CVE-2020-29138 | 1 Sagemcom | 2 F\@st 3486 Router, F\@st 3486 Router Firmware | 2023-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| Incorrect Access Control in the configuration backup path in SAGEMCOM F@ST3486 NET DOCSIS 3.0, software NET_4.109.0, allows remote unauthenticated users to download the router configuration file via the /backupsettings.conf URI, when any valid session is running. | |||||
| CVE-2020-15136 | 2 Fedoraproject, Redhat | 2 Fedora, Etcd | 2023-11-07 | 5.8 MEDIUM | 6.5 MEDIUM |
| In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality. | |||||
| CVE-2020-15078 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. | |||||
| CVE-2020-11969 | 1 Apache | 1 Tomee | 2023-11-07 | 6.8 MEDIUM | 9.8 CRITICAL |
| If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0 - 1.7.5. | |||||
| CVE-2020-11856 | 1 Microfocus | 1 Operation Bridge Reporter | 2023-11-07 | 10.0 HIGH | 9.8 CRITICAL |
| Arbitrary code execution vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to execute arbitrary code on affected installations of OBR. | |||||
| CVE-2020-11539 | 1 Titan | 2 Sf Rush Smart Band, Sf Rush Smart Band Firmware | 2023-11-07 | 4.8 MEDIUM | 8.1 HIGH |
| An issue was discovered on Tata Sonata Smart SF Rush 1.12 devices. It has been identified that the smart band has no pairing (mode 0 Bluetooth LE security level) The data being transmitted over the air is not encrypted. Adding to this, the data being sent to the smart band doesn't have any authentication or signature verification. Thus, any attacker can control a parameter of the device. | |||||
| CVE-2020-10754 | 2 Fedoraproject, Gnome | 2 Fedora, Networkmanager | 2023-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| It was found that nmcli, a command line interface to NetworkManager did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings, when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and the connection is made insecurely. | |||||
| CVE-2019-9484 | 1 Carel | 2 Pcoweb Card, Pcoweb Card Firmware | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| The Glen Dimplex Deutschland GmbH implementation of the Carel pCOWeb configuration tool allows remote attackers to obtain access via an HTTP session on port 10000, as demonstrated by reading the modem password (which is 1234), or reconfiguring "party mode" or "vacation mode." | |||||
| CVE-2019-6652 | 1 F5 | 1 Big-iq Centralized Management | 2023-11-07 | 6.4 MEDIUM | 6.5 MEDIUM |
| In BIG-IQ 6.0.0-6.1.0, services for stats do not require authentication nor do they implement any form of Transport Layer Security (TLS). | |||||