Total
1125 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-17532 | 1 Belkin | 2 Wemo Switch 28b, Wemo Switch 28b Firmware | 2021-07-21 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered on Belkin Wemo Switch 28B WW_2.00.11057.PVT-OWRT-SNS devices. They allow remote attackers to cause a denial of service (persistent rules-processing outage) via a crafted ruleDbBody element in a StoreRules request to the upnp/control/rules1 URI, because database corruption occurs. | |||||
| CVE-2019-18939 | 2 Eq-3, Hm-print Project | 5 Homematic Ccu2, Homematic Ccu2 Firmware, Homematic Ccu3 and 2 more | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the HM-Print AddOn through 1.2a installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi and exec1.cgi scripts, which execute TCL script content from an HTTP POST request. | |||||
| CVE-2019-12120 | 1 Onap | 1 Open Network Automation Platform | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in ONAP VNFSDK through Dublin. By accessing port 8000 of demo-vnfsdk-vnfsdk, an unauthenticated attacker (who already has access to pod-to-pod communication) may execute arbitrary code inside that pod. All ONAP Operations Manager (OOM) setups are affected. | |||||
| CVE-2019-11684 | 1 Bosch | 4 Divar Ip 5000, Divar Ip 5000 Firmware, Video Management System and 1 more | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| Improper Access Control in the RCP+ server of the Bosch Video Recording Manager (VRM) component allows arbitrary and unauthenticated access to a limited subset of certificates, stored in the underlying Microsoft Windows operating system. The fixed versions implement modified authentication checks. Prior releases of VRM software version 3.70 are considered unaffected. This vulnerability affects VRM v3.70.x, v3.71 < v3.71.0034 and v3.81 < 3.81.0050; DIVAR IP 5000 3.80 < 3.80.0039; BVMS all versions using VRM. | |||||
| CVE-2020-15391 | 1 Devspace | 1 Devspace | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| The UI in DevSpace 4.13.0 allows web sites to execute actions on pods (on behalf of a victim) because of a lack of authentication for the WebSocket protocol. This leads to remote code execution. | |||||
| CVE-2019-20598 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 2.4 LOW |
| An issue was discovered on Samsung mobile devices with O(8.x) software. Bixby leaks the keyboard's learned words, and the clipboard contents, via the lock screen. The Samsung IDs are SVE-2018-12896, SVE-2018-12897 (May 2019). | |||||
| CVE-2020-13856 | 1 Mofinetwork | 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. Authentication is not required to download the support file that contains sensitive information such as cleartext credentials and password hashes. | |||||
| CVE-2019-13205 | 1 Kyocera | 2 Ecosys M5526cdw, Ecosys M5526cdw Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| All configuration parameters of certain Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) were accessible by unauthenticated users. This information was only presented in the menus when authenticated, and the pages that loaded this information were also protected. However, all files that contained the configuration parameters were accessible. These files contained sensitive information, such as users, community strings, and other passwords configured in the printer. | |||||
| CVE-2020-25048 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 4.6 MEDIUM |
| An issue was discovered on Samsung mobile devices with Q(10.0) (with ONEUI 2.1) software. In the Lockscreen state, the Quick Share feature allows unauthenticated downloads, aka file injection. The Samsung ID is SVE-2020-17760 (August 2020). | |||||
| CVE-2020-1955 | 1 Apache | 1 Couchdb | 2021-07-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| CouchDB version 3.0.0 shipped with a new configuration setting that governs access control to the entire database server called `require_valid_user_except_for_up`. It was meant as an extension to the long standing setting `require_valid_user`, which in turn requires that any and all requests to CouchDB will have to be made with valid credentials, effectively forbidding any anonymous requests. The new `require_valid_user_except_for_up` is an off-by-default setting that was meant to allow requiring valid credentials for all endpoints except for the `/_up` endpoint. However, the implementation of this made an error that lead to not enforcing credentials on any endpoint, when enabled. CouchDB versions 3.0.1[1] and 3.1.0[2] fix this issue. | |||||
| CVE-2018-4840 | 1 Siemens | 17 Digsi 4, En100 Ethernet Module Dnp3, En100 Ethernet Module Dnp3 Firmware and 14 more | 2021-07-13 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in DIGSI 4 (All versions < V4.92), EN100 Ethernet module DNP3 variant (All versions < V1.05.00), EN100 Ethernet module IEC 104 variant (All versions), EN100 Ethernet module IEC 61850 variant (All versions < V4.30), EN100 Ethernet module Modbus TCP variant (All versions), EN100 Ethernet module PROFINET IO variant (All versions). The device engineering mechanism allows an unauthenticated remote user to upload a modified device configuration overwriting access authorization passwords. | |||||
| CVE-2021-28809 | 1 Qnap | 2 Hybrid Backup Sync, Qts | 2021-07-12 | 10.0 HIGH | 9.8 CRITICAL |
| An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3. If exploited, this vulnerability allows attackers to compromise the security of the operating system.QNAP have already fixed this vulnerability in the following versions of HBS 3: QTS 4.3.6: HBS 3 v3.0.210507 and later QTS 4.3.4: HBS 3 v3.0.210506 and later QTS 4.3.3: HBS 3 v3.0.210506 and later | |||||
| CVE-2021-20474 | 1 Ibm | 1 Guardium Data Encryption | 2021-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. | |||||
| CVE-2021-32659 | 1 Matrix | 1 Matrix-appservice-bridge | 2021-07-09 | 3.5 LOW | 4.9 MEDIUM |
| Matrix-appservice-bridge is the bridging service for the Matrix communication program's application services. In versions 2.6.0 and earlier, if a bridge has room upgrade handling turned on in the configuration (the `roomUpgradeOpts` key when instantiating a new `Bridge` instance.), any `m.room.tombstone` event it encounters will be used to unbridge the current room and bridge into the target room. However, the target room `m.room.create` event is not checked to verify if the `predecessor` field contains the previous room. This means that any malicious admin of a bridged room can repoint the traffic to a different room without the new room being aware. Versions 2.6.1 and greater are patched. As a workaround, disabling the automatic room upgrade handling can be done by removing the `roomUpgradeOpts` key from the `Bridge` class options. | |||||
| CVE-2021-33221 | 1 Commscope | 1 Ruckus Iot Controller | 2021-07-09 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. There are Unauthenticated API Endpoints. | |||||
| CVE-2020-35184 | 1 Docker | 1 Composer Docker Image | 2021-07-08 | 10.0 HIGH | 9.8 CRITICAL |
| The official composer docker images before 1.8.3 contain a blank password for a root user. System using the composer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2021-31337 | 1 Siemens | 6 Sinamics Sl150, Sinamics Sl150 Firmware, Sinamics Sm150 and 3 more | 2021-07-02 | 6.8 MEDIUM | 9.8 CRITICAL |
| The Telnet service of the SIMATIC HMI Comfort Panels system component in affected products does not require authentication, which may allow a remote attacker to gain access to the device if the service is enabled. Telnet is disabled by default on the SINAMICS Medium Voltage Products (SINAMICS SL150: All versions, SINAMICS SM150: All versions, SINAMICS SM150i: All versions). | |||||
| CVE-2021-32709 | 1 Shopware | 1 Shopware | 2021-07-01 | 4.0 MEDIUM | 4.9 MEDIUM |
| Shopware is an open source eCommerce platform. Creation of order credits was not validated by ACL in admin orders. Users are recommend to update to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. | |||||
| CVE-2021-32700 | 1 Ballerina | 2 Ballerina, Swan Lake | 2021-06-29 | 5.8 MEDIUM | 7.4 HIGH |
| Ballerina is an open source programming language and platform for cloud application programmers. Ballerina versions 1.2.x and SL releases up to alpha 3 have a potential for a supply chain attack via MiTM against users. Http connections did not make use of TLS and certificate checking was ignored. The vulnerability allows an attacker to substitute or modify packages retrieved from BC thus allowing to inject malicious code into ballerina executables. This has been patched in Ballerina 1.2.14 and Ballerina SwanLake alpha4. | |||||
| CVE-2020-20472 | 1 White Shark Systems Project | 1 White Shark Systems | 2021-06-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| White Shark System (WSS) 1.3.2 has a sensitive information disclosure vulnerability. The if_get_addbook.php file does not have an authentication operation. Remote attackers can obtain username information for all users of the current site. | |||||