Total
1125 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-12390 | 1 Anviz | 1 Anviz Firmware | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| Anviz access control devices expose private Information (pin code and name) by allowing remote attackers to query this information without credentials via port tcp/5010. | |||||
| CVE-2019-7389 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2020-08-24 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered in /bin/goahead on D-Link DIR-823G devices with the firmware 1.02B03. There is incorrect access control allowing remote attackers to reset the router without authentication via the SetFactoryDefault HNAP API. Consequently, an attacker can achieve a denial-of-service attack without authentication. | |||||
| CVE-2019-17505 | 1 Dlink | 2 Dap-1320 A2, Dap-1320 A2 Firmware | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| D-Link DAP-1320 A2-V1.21 routers have some web interfaces without authentication requirements, as demonstrated by uplink_info.xml. An attacker can remotely obtain a user's Wi-Fi SSID and password, which could be used to connect to Wi-Fi or perform a dictionary attack. | |||||
| CVE-2019-12130 | 1 Onap | 1 Open Network Automation Platform | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| In ONAP CLI through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected. | |||||
| CVE-2019-13344 | 1 Crudlab | 1 Wp Like Button | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter. | |||||
| CVE-2019-20595 | 1 Google | 1 Android | 2020-08-24 | 2.1 LOW | 2.4 LOW |
| An issue was discovered on Samsung mobile devices with P(9.0) software. Quick Panel allows enabling or disabling the Bluetooth stack without authentication. The Samsung ID is SVE-2019-14545 (July 2019). | |||||
| CVE-2018-19079 | 2 Foscam, Opticam | 6 C2, C2 Application Firmware, C2 System Firmware and 3 more | 2020-08-24 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered on Foscam Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The ONVIF devicemgmt SystemReboot method allows unauthenticated reboot. | |||||
| CVE-2018-13114 | 1 Keruigroup | 2 Ypc99, Ypc99 Firmware | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Missing authentication and improper input validation in KERUI Wifi Endoscope Camera (YPC99) allow an attacker to execute arbitrary commands (with a length limit of 19 characters) via the "ssid" value, as demonstrated by ssid:;ping 192.168.1.2 in the body of a SETSSID command. | |||||
| CVE-2019-12500 | 1 Mi | 2 M365, M365 Firmware | 2020-08-24 | 3.3 LOW | 6.5 MEDIUM |
| The Xiaomi M365 scooter 2019-02-12 before 1.5.1 allows spoofing of "suddenly accelerate" commands. This occurs because Bluetooth Low Energy commands have no server-side authentication check. Other affected commands include suddenly braking, locking, and unlocking. | |||||
| CVE-2019-1010136 | 1 Chinamobileltd | 2 Gpn2.4p21-c-cn, Gpn2.4p21-c-cn Firmware | 2020-08-24 | 7.8 HIGH | 7.5 HIGH |
| ChinaMobile GPN2.4P21-C-CN W2001EN-00 is affected by: Incorrect Access Control - Unauthenticated Remote Reboot. The impact is: PLC Wireless Router's are vulnerable to an unauthenticated remote reboot due. The component is: Reboot settings are available to unauthenticated users instead of only authenticaed users. The attack vector is: Remote. | |||||
| CVE-2018-19248 | 1 Epson | 2 Epson Workforce Wf-2861, Epson Workforce Wf-2861 Firmware | 2020-08-24 | 6.4 MEDIUM | 9.1 CRITICAL |
| The web service on Epson WorkForce WF-2861 10.48 LQ22I3(Recovery-mode), WF-2861 10.51.LQ20I6, and WF-2861 10.52.LQ17IA devices allows remote attackers to upload a firmware file and reset the printer without authentication by making a request to the /DOWN/FIRMWAREUPDATE/ROM1 URI and a POST request to the /FIRMWAREUPDATE URI. | |||||
| CVE-2019-12129 | 1 Onap | 1 Open Network Automation Platform | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| In ONAP MSB through Dublin, by accessing an applicable port (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, and/or 30271), an attacker gains full access to the respective ONAP services without any authentication. All ONAP Operations Manager (OOM) setups are affected. | |||||
| CVE-2019-7390 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2020-08-24 | 5.0 MEDIUM | 8.6 HIGH |
| An issue was discovered in /bin/goahead on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to hijack the DNS service configuration of all clients in the WLAN, without authentication, via the SetWanSettings HNAP API. | |||||
| CVE-2019-15102 | 1 Sahipro | 1 Sahi Pro | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Tyto Sahi Pro 6.x through 8.0.0. TestRunner_Non_distributed (and distributed end points) does not have any authentication mechanism. This allow an attacker to execute an arbitrary script on the remote Sahi Pro server. There is also a password-protected web interface intended for remote access to scripts. This web interface lacks server-side validation, which allows an attacker to create/modify/delete a script remotely without any password. Chaining both of these issues results in remote code execution on the Sahi Pro server. | |||||
| CVE-2019-14984 | 1 Eq-3 | 4 Homematic Ccu2, Homematic Ccu2 Firmware, Homematic Ccu3 and 1 more | 2020-08-24 | 6.8 MEDIUM | 8.1 HIGH |
| eQ-3 Homematic CCU2 and CCU3 with the XML-API through 1.2.0 AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because the undocumented addons/xmlapi/exec.cgi script uses CMD_EXEC to execute TCL code from a POST request. | |||||
| CVE-2019-0261 | 1 Sap | 1 Landscape Management | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Under certain circumstances, SAP HANA Extended Application Services, advanced model (XS advanced) does not perform authentication checks properly for XS advanced platform and business users. Fixed in 1.0.97 to 1.0.99 (running on SAP HANA 1 or SAP HANA 2 SPS0 (second S stands for stack)). | |||||
| CVE-2019-16906 | 1 Infosysta | 1 In-app \& Desktop Notifications | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the Infosysta "In-App & Desktop Notifications" app 1.6.13_J8 for Jira. By using plugins/servlet/nfj/PushNotification?username= with a modified username, a different user's notifications can be read without authentication/authorization. These notifications are then no longer displayed to the normal user. | |||||
| CVE-2019-10119 | 1 Eq-3 | 4 Ccu2, Ccu2 Firmware, Ccu3 and 1 more | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16 use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID via an invalid login attempt to the RemoteApi account, aka HMCCU-154. This leads to automatic login as admin. | |||||
| CVE-2019-20105 | 1 Atlassian | 1 Application Links | 2020-08-24 | 4.0 MEDIUM | 4.9 MEDIUM |
| The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator's session to access the EditApplinkServlet resource without needing to re-authenticate to pass "WebSudo" in products that support "WebSudo" through an improper access control vulnerability. | |||||
| CVE-2019-15895 | 1 Search Exclude Project | 1 Search Exclude | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| search-exclude.php in the "Search Exclude" plugin before 1.2.4 for WordPress allows unauthenticated options changes. | |||||