Total
446 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-13418 | 1 Search-guard | 1 Search Guard | 2023-03-02 | 5.0 MEDIUM | 7.5 HIGH |
| Search Guard versions before 24.0 had an issue that values of string arrays in documents are not properly anonymized. | |||||
| CVE-2018-10690 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2023-02-28 | 4.3 MEDIUM | 8.1 HIGH |
| An issue was discovered on Moxa AWK-3121 1.14 devices. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials. | |||||
| CVE-2018-10694 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2023-02-28 | 4.3 MEDIUM | 8.1 HIGH |
| An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well. | |||||
| CVE-2018-10698 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2023-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Moxa AWK-3121 1.14 devices. The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user. | |||||
| CVE-2019-10139 | 1 Ovirt | 1 Cockpit-ovirt | 2023-02-12 | 2.1 LOW | 7.8 HIGH |
| During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted. | |||||
| CVE-2022-47715 | 1 Lastyard | 1 Last Yard | 2023-02-08 | N/A | 5.3 MEDIUM |
| In Last Yard 22.09.8-1, the cookie can be stolen via via unencrypted traffic. | |||||
| CVE-2018-16879 | 1 Redhat | 1 Ansible Tower | 2023-02-03 | 7.5 HIGH | 9.8 CRITICAL |
| Ansible Tower before version 3.3.3 does not set a secure channel as it is using the default insecure configuration channel settings for messaging celery workers from RabbitMQ. This could lead in data leak of sensitive information such as passwords as well as denial of service attacks by deleting projects or inventory files. | |||||
| CVE-2021-4239 | 1 Noiseprotocol | 1 Noise | 2023-01-06 | N/A | 7.5 HIGH |
| The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack. After 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce. In a separate issue, the Decrypt function increments the nonce state even when it fails to decrypt a message. If an attacker can provide an invalid input to the Decrypt function, this will cause the nonce state to desynchronize between the peers, resulting in a failure to encrypt all subsequent messages. | |||||
| CVE-2019-4171 | 1 Ibm | 1 Cognos Controller | 2022-12-09 | 4.3 MEDIUM | 3.7 LOW |
| IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 does not set the secure attribute on authorization tokens or session cookies. This could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 158876. | |||||
| CVE-2021-32001 | 1 Suse | 2 Rancher K3s, Rancher Rke2 | 2022-11-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| K3s in SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the cluster's confidential keying material (cluster certificate authority private keys, secrets encryption configuration passphrase, etc.) and decrypt it, without having to know the token value. This issue affects: SUSE Rancher K3s version v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1 and prior versions; RKE2 version v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1 and prior versions. | |||||
| CVE-2020-15331 | 1 Zyxel | 1 Cloudcnm Secumanager | 2022-10-27 | N/A | 9.8 CRITICAL |
| Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded OAUTH_SECRET_KEY in /opt/axess/etc/default/axess. | |||||
| CVE-2020-15330 | 1 Zyxel | 1 Cloudcnm Secumanager | 2022-10-27 | N/A | 5.3 MEDIUM |
| Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded APP_KEY in /opt/axess/etc/default/axess. | |||||
| CVE-2020-15344 | 1 Zyxel | 1 Cloudcnm Secumanager | 2022-10-27 | N/A | 5.3 MEDIUM |
| Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_get_user_id_and_key API. | |||||
| CVE-2020-15343 | 1 Zyxel | 1 Cloudcnm Secumanager | 2022-10-27 | N/A | 5.3 MEDIUM |
| Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_install_user_key API. | |||||
| CVE-2020-15342 | 1 Zyxel | 1 Cloudcnm Secumanager | 2022-10-27 | N/A | 5.3 MEDIUM |
| Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_install_user API. | |||||
| CVE-2020-15340 | 1 Zyxel | 1 Cloudcnm Secumanager | 2022-10-27 | N/A | 7.5 HIGH |
| Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded opt/axess/AXAssets/default_axess/axess/TR69/Handlers/turbolink/sshkeys/id_rsa SSH key. | |||||
| CVE-2020-15345 | 1 Zyxel | 1 Cloudcnm Secumanager | 2022-10-27 | N/A | 5.3 MEDIUM |
| Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_get_instances_for_update API. | |||||
| CVE-2020-15346 | 1 Zyxel | 1 Cloudcnm Secumanager | 2022-10-27 | N/A | 5.3 MEDIUM |
| Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a /live/GLOBALS API with the CLOUDCNM key. | |||||
| CVE-2021-35236 | 1 Solarwinds | 1 Kiwi Syslog Server | 2022-10-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP, there is a potential for the cookie can be sent in clear text. | |||||
| CVE-2021-33900 | 1 Apache | 1 Directory Studio | 2022-10-27 | 5.0 MEDIUM | 7.5 HIGH |
| While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not applied. This issue affects Apache Directory Studio version 2.0.0.v20210213-M16 and prior versions. | |||||