CWE:

Risk | Title | Date | Author
---- | ----- | ---- | ------
Med. | SAP Netweaver JAVA 7.50 Missing Authorization | 17.06.2021 | Ignacio D. Favro
Med. | URVE Software Build 24.03.2020 Authentication Bypass / Remote Code Execution | 30.12.2020 | Erik Steltzner
Med. | IBM Cognos TM1 / IBM Planning Analytics Server Configuration Overwrite / Code Execution | 29.03.2020 | Pedro Ribeiro
Med. | Sophos UTM 9.410 loginuser confd Service Privilege Escalation | 06.03.2018 | KoreLogic
Med. | JD Edwards 9.1 EnterpriseOne Server Denial Of Service | 28.08.2016 | Fernando Russ and Mati...
Med. | JD Edwards 9.1 EnterpriseOne Server Create Users | 28.08.2016 | Fernando Russ and Mati...
High | SAP TREX 7.10 Revision 63 Remote Command Execution | 22.08.2016 | Multiple
Med. | Davolink DV-2051 Missing Access Control | 06.08.2016 | Eric Flokstra
High | InFocus IN3128HD Projector Missing Authentication | 28.04.2015 | CORE
High | Allied Telesis AT-RG634A ADSL router unauthenticated webshell | 26.03.2014 | Sebastian Muniz
High | INSTEON Hub 2242-222 Lack Of Authentication | 02.08.2013 | David Bryan


Common Weakness Enumeration (CWE)

CVE | Details | Description
CVE-2021-41266 | 2021-11-15 | Risk: Medium
Vendor: MIN | Software: Minio console

MinIO Console is the graphical user interface for the MinIO Operator; MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and earlier are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so that no service account token is mounted inside the pod, then disable external identity provider authentication by unsetting the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variables, and have users log in with a Kubernetes service account token instead.

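The CVE-2021-41266 workaround above expressed as a Kubernetes Deployment manifest. This is an added example, not a file from the MinIO project: the namespace, deployment and container names, image tag and port are placeholders chosen for illustration, and the comment block at the top reconstructs the pre-workaround state only as far as the advisory describes it (the four CONSOLE_IDP_* variables present, the service account token mounted by default).

```yaml
# Added example for the CVE-2021-41266 workaround. Not the MinIO project's own
# manifest; namespace, names, image tag and port are assumptions.
#
# BEFORE (vulnerable state as described in the advisory): the pod mounts its
# service account token by default (automountServiceAccountToken unset, so it
# is true) and the container carries the external IdP settings, e.g.
#
#   env:
#     - name: CONSOLE_IDP_URL
#       value: https://idp.example.internal/realms/minio      # assumed value
#     - name: CONSOLE_IDP_CLIENT_ID
#       value: minio-console                                   # assumed value
#     - name: CONSOLE_IDP_SECRET
#       valueFrom: { secretKeyRef: { name: console-idp, key: secret } }
#     - name: CONSOLE_IDP_CALLBACK
#       value: https://console.example.internal/oauth_callback # assumed value
#
# AFTER: same Deployment with the two changes the advisory asks for.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: console               # assumed deployment name
  namespace: minio-operator   # assumed namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: console
  template:
    metadata:
      labels:
        app: console
    spec:
      # Change 1: do not mount the pod's own service account token. With the
      # default (true) the token would sit under
      # /var/run/secrets/kubernetes.io/serviceaccount inside the pod.
      automountServiceAccountToken: false
      containers:
        - name: console
          image: minio/console:v0.12.2   # assumed tag; 0.12.3 or newer contains the fix
          args: ["server"]
          ports:
            - containerPort: 9090        # assumed console port
          # Change 2: no CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID,
          # CONSOLE_IDP_SECRET or CONSOLE_IDP_CALLBACK entries. With the
          # external IdP disabled, users authenticate to the console with
          # their own Kubernetes service account token.
```

To confirm the change landed on a running cluster, `kubectl -n minio-operator get deployment console -o jsonpath='{.spec.template.spec.automountServiceAccountToken}'` should print `false`, and `kubectl -n minio-operator get deployment console -o jsonpath='{.spec.template.spec.containers[*].env[*].name}'` should list no `CONSOLE_IDP_` names (namespace and deployment name as assumed above). Applying only one of the two changes is not enough: with the IdP still configured the bypass remains, and with the token still mounted an attacker who reaches the pod can use it.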
CVE-2021-42539 | 2021-10-22 | Risk: Medium
Vendor: (not listed) | Software: (not listed)

The affected product is vulnerable to missing permission validation on system backup restore, which could lead to account takeover and unapproved settings changes.

CVE-2021-27395 | 2021-10-12 | Risk: Medium
Vendor: Siemens | Software: Simatic proc...

A vulnerability has been identified in SIMATIC Process Historian 2013 and earlier (All versions), SIMATIC Process Historian 2014 (All versions < SP3 Update 6), SIMATIC Process Historian 2019 (All versions) and SIMATIC Process Historian 2020 (All versions). An interface in the software that is used for critical functionality lacks authentication, which could allow a malicious user to insert, modify or delete data.

CVE-2021-39879 | 2021-10-04 | Risk: Low
Vendor: Gitlab | Software: Gitlab

Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication.

CVE-2021-3825 | 2021-10-01 | Risk: Medium
Vendor: Pardus | Software: Liderahenk

The Lider module of the LiderAhenk software, version 2.1.15 and below, leaks its configuration via an unsecured API. An attacker with access to the configuration API could obtain valid LDAP credentials.

CVE-2021-41104 | 2021-09-28 | Risk: Waiting for details
Vendor: (not listed) | Software: (not listed)

ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking the user-defined basic auth username and password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`.

CVE-2021-33543 | 2021-09-13 | Risk: Waiting for details
Vendor: (not listed) | Software: (not listed)

Multiple camera devices by UDP Technology, Geutebrück and other vendors allow unauthenticated remote access to sensitive files due to default user authentication settings.

CVE-2021-32800 | 2021-09-07 | Risk: Medium
Vendor: Nextcloud | Software: Nextcloud

Nextcloud Server is an open source, self-hosted personal cloud. In affected versions an attacker is able to bypass two-factor authentication in Nextcloud, so knowledge of a user's password, or access to a WebAuthn trusted device of that user, was sufficient to gain access to the account. It is recommended that Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. There is no workaround for this vulnerability.

CVE-2021-33882 | 2021-08-25 | Risk: Medium
Vendor: (not listed) | Software: (not listed)

A Missing Authentication for Critical Function vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to reconfigure the device from an unknown source because of a lack of authentication on proprietary networking commands.

CVE-2021-31868 | 2021-08-19 | Risk: Medium
Vendor: Rapid7 | Software: Nexpose

Rapid7 Nexpose version 6.6.95 and earlier allows authenticated users of the Security Console to view and edit any ticket in the legacy ticketing feature, regardless of the assignment of the ticket. This issue was resolved in version 6.6.96, released on August 4, 2021.


Copyright 2021, cxsecurity.com