Total
4065 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-37054 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
There is an Identity spoofing and authentication bypass vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality.
|
|||||
| CVE-2021-37043 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
There is a Stack-based Buffer Overflow vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to malicious application processes occupy system resources.
|
|||||
| CVE-2021-36949 | 1 Microsoft | 2 Azure Active Directory Connect, Azure Active Directory Connect Provisioning Agent | 2024-11-21 | 4.9 MEDIUM | 7.1 HIGH |
|
Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability
|
|||||
| CVE-2021-36921 | 1 Monitorapp | 2 Application Insight Manager, Application Insight Web Application Firewall | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
AIMANAGER before B115 on MONITORAPP Application Insight Web Application Firewall (AIWAF) devices with Manager 2.1.0 has Improper Authentication. An attacker can gain administrative access by modifying the response to an authentication check request.
|
|||||
| CVE-2021-36718 | 1 Synel | 2 Eharmonynew, Synel Reports | 2024-11-21 | 6.8 MEDIUM | 6.1 MEDIUM |
|
SYNEL - eharmonynew / Synel Reports - The attacker can log in to the system with default credentials and export a report of eharmony system with sensetive data (Employee name, Employee ID number, Working hours etc') The vulnerabilety has been addressed and fixed on version 11. Default credentials , Security miscommunication , Sensetive data exposure vulnerability in Synel Reports of SYNEL eharmonynew, Synel Reports allows an attacker to log into the system with default credentials. This issue af ...
Show More |
|||||
| CVE-2021-36460 | 1 Veryfitpro Project | 1 Veryfitpro | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to takeover a user's account, rendering the benefits of storing hashed passwords in the database useless.
|
|||||
| CVE-2021-36370 | 1 Midnight-commander | 1 Midnight Commander | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the server without the ability to verify its authenticity.
|
|||||
| CVE-2021-36368 | 2 Debian, Openbsd | 2 Debian Linux, Openssh | 2024-11-21 | 2.6 LOW | 3.7 LOW |
|
An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "t ...
Show More |
|||||
| CVE-2021-36350 | 1 Dell | 1 Powerscale Onefs | 2024-11-21 | 5.0 MEDIUM | 5.9 MEDIUM |
|
Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain an authentication bypass by primary weakness in one of the authentication factors. A remote unauthenticated attacker may potentially exploit this vulnerability and bypass one of the factors of authentication.
|
|||||
| CVE-2021-36346 | 1 Dell | 2 Integrated Dell Remote Access Controller 8, Integrated Dell Remote Access Controller 8 Firmware | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Dell iDRAC 8 prior to version 2.82.82.82 contain a denial of service vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability to deny access to the iDRAC webserver.
|
|||||
| CVE-2021-36308 | 1 Dell | 1 Networking Os10 | 2024-11-21 | 9.3 HIGH | 5.9 MEDIUM |
|
Networking OS10, versions prior to October 2021 with Smart Fabric Services enabled, contains an authentication bypass vulnerability. A remote unauthenticated attacker could exploit this vulnerability to gain access and perform actions on the affected system.
|
|||||
| CVE-2021-36306 | 1 Dell | 1 Networking Os10 | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
|
Networking OS10, versions prior to October 2021 with RESTCONF API enabled, contains an authentication bypass vulnerability. A remote unauthenticated attacker could exploit this vulnerability to gain access and perform actions on the affected system.
|
|||||
| CVE-2021-35964 | 1 Learningdigital | 1 Orca Hcm | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
|
The management page of the Orca HCM digital learning platform does not perform identity verification, which allows remote attackers to execute the management function without logging in, access members’ information, modify and delete the courses in system, thus causing users fail to access the learning content.
|
|||||
| CVE-2021-35943 | 1 Couchbase | 1 Couchbase Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using an empty password, per RFC4513.
|
|||||
| CVE-2021-35296 | 1 Ptcl | 2 Hg150-ub, Hg150-ub Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue in the administrator authentication panel of PTCL HG150-Ub v3.0 allows attackers to bypass authentication via modification of the cookie value and Response Path.
|
|||||
| CVE-2021-35252 | 1 Solarwinds | 1 Serv-u | 2024-11-21 | N/A | 7.5 HIGH |
|
Common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this an encrypted value that is exposed to an attacker can be simply recovered to plaintext.
|
|||||
| CVE-2021-35094 | 1 Qualcomm | 162 Aqt1000, Aqt1000 Firmware, Qca6390 and 159 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Improper verification of timeout-based authentication in identity credential can lead to invalid authorization in HLOS in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile
|
|||||
| CVE-2021-35033 | 1 Zyxel | 12 Nbg6818, Nbg6818 Firmware, Nbg7815 and 9 more | 2024-11-21 | 6.9 MEDIUM | 7.8 HIGH |
|
A vulnerability in specific versions of Zyxel NBG6818, NBG7815, WSQ20, WSQ50, WSQ60, and WSR30 firmware with pre-configured password management could allow an attacker to obtain root access of the device, if the local attacker dismantles the device and uses a USB-to-UART cable to connect the device, or if the remote assistance feature had been enabled by an authenticated user.
|
|||||
| CVE-2021-35029 | 1 Zyxel | 74 Usg100, Usg1000, Usg1000 Firmware and 71 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An authentication bypasss vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01, which could allow a remote attacker to execute arbitrary commands on an affected device.
|
|||||
| CVE-2021-34993 | 1 Commvault | 1 Commcell | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
This vulnerability allows remote attackers to bypass authentication on affected installations of Commvault CommCell 11.22.22. Authentication is not required to exploit this vulnerability. The specific flaw exists within the CVSearchService service. The issue results from the lack of proper validation prior to authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-13706.
|
|||||
| CVE-2021-34977 | 1 Netgear | 2 R7000, R7000 Firmware | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH |
|
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7000 1.0.11.116_10.2.100 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SOAP requests. The issue results from the lack of proper authentication verification before performing a password reset. An attacker can leverage this vulnerability to reset the admin password. Was ZDI-CAN-13483.
|
|||||
| CVE-2021-34865 | 1 Netgear | 34 Ac2100, Ac2100 Firmware, Ac2400 and 31 more | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
|
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ...
Show More |
|||||
| CVE-2021-34786 | 1 Cisco | 1 Broadworks Commpilot Application Software | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Multiple vulnerabilities in Cisco BroadWorks CommPilot Application Software could allow an authenticated, remote attacker to delete arbitrary user accounts or gain elevated privileges on an affected system.
|
|||||
| CVE-2021-34785 | 1 Cisco | 1 Broadworks Commpilot Application Software | 2024-11-21 | 6.5 MEDIUM | 6.5 MEDIUM |
|
Multiple vulnerabilities in Cisco BroadWorks CommPilot Application Software could allow an authenticated, remote attacker to delete arbitrary user accounts or gain elevated privileges on an affected system.
|
|||||
| CVE-2021-34746 | 1 Cisco | 1 Enterprise Nfv Infrastructure Software | 2024-11-21 | 9.3 HIGH | 9.8 CRITICAL |
|
A vulnerability in the TACACS+ authentication, authorization and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator. This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A succes ...
Show More |
|||||
| CVE-2021-34690 | 2 Idrive, Microsoft | 2 Remotepc, Windows | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
iDrive RemotePC before 7.6.48 on Windows allows authentication bypass. A remote and unauthenticated attacker can bypass cloud authentication to connect and control a system via TCP port 5970 and 5980.
|
|||||
| CVE-2021-34676 | 1 Basixonline | 1 Nex-forms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Basix NEX-Forms through 7.8.7 allows authentication bypass for Excel report generation.
|
|||||
| CVE-2021-34675 | 1 Basixonline | 1 Nex-forms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Basix NEX-Forms through 7.8.7 allows authentication bypass for stored PDF reports.
|
|||||
| CVE-2021-34578 | 1 Wago | 24 750-362, 750-362 Firmware, 750-363 and 21 more | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
|
This vulnerability allows an attacker who has access to the WBM to read and write settings-parameters of the device by sending specifically constructed requests without authentication on multiple WAGO PLCs in firmware versions up to FW07.
|
|||||
| CVE-2021-34546 | 1 Netsetman | 1 Netsetman | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
|
An unauthenticated attacker with physical access to a computer with NetSetMan Pro before 5.0 installed, that has the pre-logon profile switch button within the Windows logon screen enabled, is able to drop to an administrative shell and execute arbitrary commands as SYSTEM via the "save log to file" feature. To accomplish this, the attacker can navigate to cmd.exe.
|
|||||
| CVE-2021-33895 | 2 Etinet, Hpe | 4 Backbox E4.09, Backbox E4.09 Firmware, Backbox H4.09 and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
ETINET BACKBOX E4.09 and H4.09 mismanages password access control. When a user uses the User ID of the process running BBSV to login to the Backbox UI application, the system procedure (USER_AUTHENTICATE_) used for verifying the Password returns 0 (no error). The reason is that the user is not running the XYGate application. Hence, BBSV assumes the Password is correct. For H4.09, the affected version isT0954V04^AAO. For E4.09, the affected version is 22SEP2020. Note: If your current version is E ...
Show More |
|||||
| CVE-2021-33700 | 1 Sap | 1 Business One | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
SAP Business One, version - 10.0, allows a local attacker with access to the victim's browser under certain circumstances, to login as the victim without knowing his/her password. The attacker could so obtain highly sensitive information which the attacker could use to take substantial control of the vulnerable application.
|
|||||
| CVE-2021-33539 | 1 Weidmueller | 16 Ie-wl-bl-ap-cl-eu, Ie-wl-bl-ap-cl-eu Firmware, Ie-wl-bl-ap-cl-us and 13 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
In Weidmueller Industrial WLAN devices in multiple versions an exploitable authentication bypass vulnerability exists in the hostname processing. A specially configured device hostname can cause the device to interpret selected remote traffic as local traffic, resulting in a bypass of web authentication. An attacker can send authenticated SNMP requests to trigger this vulnerability.
|
|||||
| CVE-2021-33210 | 1 Fimer | 1 Aurora Vision | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
An issue was discovered in Fimer Aurora Vision before 2.97.10. An attacker can (in the WebUI) obtain plant information without authentication by reading the response of APIs from a kiosk view of a plant.
|
|||||
| CVE-2021-33087 | 1 Intel | 3 Nuc M15 Laptop Kit Lapbc510, Nuc M15 Laptop Kit Lapbc710, Nuc M15 Laptop Kit Management Engine Driver Pack | 2024-11-21 | 4.9 MEDIUM | 5.5 MEDIUM |
|
Improper authentication in the installer for the Intel(R) NUC M15 Laptop Kit Management Engine driver pack before version 15.0.10.1508 may allow an authenticated user to potentially enable denial of service via local access.
|
|||||
| CVE-2021-33083 | 1 Intel | 14 Optane Memory H10 With Solid State Storage, Optane Memory H10 With Solid State Storage Firmware, Optane Memory H20 With Solid State Storage and 11 more | 2024-11-21 | 2.1 LOW | 4.4 MEDIUM |
|
Improper authentication in firmware for some Intel(R) SSD, Intel(R) Optane(TM) SSD, Intel(R) Optane(TM) SSD DC and Intel(R) SSD DC Products may allow an privileged user to potentially enable information disclosure via local access.
|
|||||
| CVE-2021-33046 | 1 Dahuasecurity | 56 Asc2204c, Asc2204c Firmware, Hcvr7xxx and 53 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Some Dahua products have access control vulnerability in the password reset process. Attackers can exploit this vulnerability through specific deployments to reset device passwords.
|
|||||
| CVE-2021-32984 | 1 Automationdirect | 40 C0-10are-d, C0-10are-d Firmware, C0-10dd1e-d and 37 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
All programming connections receive the same unlocked privileges, which can result in a privilege escalation. During the time Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 is unlocked by an authorized user, an attacker can connect to the PLC and read the project without authorization.
|
|||||
| CVE-2021-32980 | 1 Automationdirect | 40 C0-10are-d, C0-10are-d Firmware, C0-10dd1e-d and 37 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 does not protect against additional software programming connections. An attacker can connect to the PLC while an existing connection is already active.
|
|||||
| CVE-2021-32967 | 1 Deltaww | 1 Diaenergie | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges.
|
|||||