Total
2009 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-35342 | 2024-12-05 | N/A | 4.6 MEDIUM | ||
|
Certain Anpviz products allow unauthenticated users to modify or disable camera related settings such as microphone volume, speaker volume, LED lighting, NTP, motion detection, etc. This affects IPC-D250, IPC-D260, IPC-B850, IPC-D850, IPC-D350, IPC-D3150, IPC-D4250, IPC-D380, IPC-D880, IPC-D280, IPC-D3180, MC800N, YM500L, YM800N_N2, YMF50B, YM800SV2, YM500L8, and YM200E10 firmware v3.2.2.2 and lower and possibly more vendors/models of IP camera.
|
|||||
| CVE-2024-53623 | 2024-12-02 | N/A | 7.5 HIGH | ||
|
Incorrect access control in the component l_0_0.xml of TP-Link ARCHER-C7 v5 allows attackers to access sensitive information.
|
|||||
| CVE-2024-50381 | 2024-12-02 | N/A | N/A | ||
|
A vulnerability exists in Snap One OVRC cloud where an attacker can impersonate a Hub device and send requests to claim and unclaim devices. The attacker only needs to provide the MAC address of the targeted device and can make a request to unclaim it from its original connection and make a request to claim it.
|
|||||
| CVE-2024-11980 | 2024-11-29 | N/A | 8.6 HIGH | ||
|
Certain modes of routers from Billion Electric have a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access the specific functionality to obtain partial device information, modify the WiFi SSID, and restart the device.
|
|||||
| CVE-2024-53701 | 2024-11-29 | N/A | 3.1 LOW | ||
|
Multiple FCNT Android devices provide the original security features such as "privacy mode" where arbitrary applications can be set not to be displayed, etc.
Under certain conditions, and when an attacker can directly operate the device which its screen is unlocked by a user, the provided security features' setting pages may be exposed and/or the settings may be altered, without authentication. For example, specific applications in the device configured to be hidden may be displayed and/or acti ...
Show More |
|||||
| CVE-2024-39707 | 2024-11-27 | N/A | 5.3 MEDIUM | ||
|
Insyde IHISI function 0x49 can restore factory defaults for certain UEFI variables without further authentication by default, which could lead to a possible roll-back attack in certain platforms. This is fixed in: kernel 5.2, version 05.29.19; kernel 5.3, version 05.38.19; kernel 5.4, version 05.46.19; kernel 5.5, version 05.54.19; kernel 5.6, version 05.61.19.
|
|||||
| CVE-2023-35830 | 1 Stw-mobile-machines | 4 Tcg-4, Tcg-4 Firmware, Tcg-4lite and 1 more | 2024-11-27 | N/A | 9.8 CRITICAL |
|
STW (aka Sensor-Technik Wiedemann) TCG-4 Connectivity Module DeploymentPackage_v3.03r0-Impala and DeploymentPackage_v3.04r2-Jellyfish and TCG-4lite Connectivity Module DeploymentPackage_v3.04r2-Jellyfish allow an attacker to gain full remote access with root privileges without the need for authentication, giving an attacker arbitrary remote code execution over LTE / 4G network via SMS.
|
|||||
| CVE-2023-34761 | 1 7-eleven | 2 Hello Cup, Led Message Cup | 2024-11-27 | N/A | 6.5 MEDIUM |
|
An unauthenticated attacker within BLE proximity can remotely connect to a 7-Eleven LED Message Cup, Hello Cup 1.3.1 for Android, and bypass the application's client-side chat censor filter.
|
|||||
| CVE-2020-12492 | 2024-11-25 | N/A | N/A | ||
|
Improper handling of WiFi information by framework services can allow certain malicious applications to obtain sensitive information.
|
|||||
| CVE-2020-12491 | 2024-11-25 | N/A | N/A | ||
|
Improper control of framework service permissions with possibility of some sensitive device information leakage.
|
|||||
| CVE-2024-47138 | 2024-11-22 | N/A | 9.8 CRITICAL | ||
|
The administrative interface listens by default on all interfaces on a TCP port and does not require authentication when being accessed.
|
|||||
| CVE-2024-33622 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
|
Missing authentication for critical function vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, sensitive information may be obtained and/or the information stored in the database may be altered by a remote authenticated attacker.
|
|||||
| CVE-2024-52437 | 2024-11-21 | N/A | 8.8 HIGH | ||
|
Missing Authentication for Critical Function vulnerability in Saul Morales Pacheco Banner System allows Privilege Escalation.This issue affects Banner System: from n/a through 1.0.0.
|
|||||
| CVE-2024-52438 | 2024-11-21 | N/A | 8.8 HIGH | ||
|
Missing Authentication for Critical Function vulnerability in deco.Agency de:branding allows Privilege Escalation.This issue affects de:branding: from n/a through 1.0.2.
|
|||||
| CVE-2024-47865 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
|
Missing authentication for critical function vulnerability exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may update or downgrade the firmware on the device.
|
|||||
| CVE-2024-7154 | 1 Totolink | 2 A3700r, A3700r Firmware | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. Affected is an unknown function of the file /wizard.html of the component Password Reset Handler. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272568. NOTE: The vendor was contacted early about this disclosure but did not respond in an ...
Show More |
|||||
| CVE-2024-7079 | 1 Redhat | 1 Openshift Container Platform | 2024-11-21 | N/A | 6.5 MEDIUM |
|
A flaw was found in the Openshift console. The /API/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI that is remote HTTP/HTTPS or local. Access to this endpoint is gated by the authHandlerWithUser() middleware function. Contrary to its name, this middleware function does not verify the validity of the user's credentials. As a result, unauthenticated users can access this endpoint.
|
|||||
| CVE-2024-7007 | 1 Positron | 2 Tra7005, Tra7005 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Positron Broadcast Signal Processor TRA7005 v1.20 is vulnerable to an authentication bypass exploit that could allow an attacker to have unauthorized access to protected areas of the application.
|
|||||
| CVE-2024-6895 | 2024-11-21 | N/A | N/A | ||
|
Insufficient authentication in user account management in Yugabyte Platform allows local network attackers with a compromised user session to change critical security information without re-authentication. An attacker with user session and access to application can modify settings such as password and email without being prompted for the current password, enabling account takeover.
|
|||||
| CVE-2024-6422 | 1 Pepperl-fuchs | 8 Oit1500-f113-b12-cb, Oit1500-f113-b12-cb Firmware, Oit200-f113-b12-cb and 5 more | 2024-11-21 | N/A | 9.8 CRITICAL |
|
An unauthenticated remote attacker can manipulate the device via Telnet, stop processes, read, delete and change data.
|
|||||
| CVE-2024-5952 | 1 Deepseaelectronics | 2 Dse855, Dse855 Firmware | 2024-11-21 | N/A | 6.5 MEDIUM |
|
Deep Sea Electronics DSE855 Restart Missing Authentication Denial-of-Service Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the web-based UI. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to create a de ...
Show More |
|||||
| CVE-2024-5951 | 1 Deepseaelectronics | 2 Dse855, Dse855 Firmware | 2024-11-21 | N/A | 6.5 MEDIUM |
|
Deep Sea Electronics DSE855 Factory Reset Missing Authentication Denial-of-Service Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the web-based UI. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to creat ...
Show More |
|||||
| CVE-2024-5947 | 1 Deepseaelectronics | 2 Dse855, Dse855 Firmware | 2024-11-21 | N/A | 6.5 MEDIUM |
|
Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the web-based UI. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this v ...
Show More |
|||||
| CVE-2024-48774 | 2024-11-21 | N/A | 7.5 HIGH | ||
|
An issue in Fermax Asia Pacific Pte Ltd com.fermax.vida 2.4.6 allows a remote attacker to obtain sensitve information via the firmware update process.
|
|||||
| CVE-2024-38437 | 1 Dlink | 2 Dsl-225, Dsl-225 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
|
D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel
|
|||||
| CVE-2024-38279 | 1 Motorola | 2 Vigilant Fixed Lpr Coms Box, Vigilant Fixed Lpr Coms Box Firmware | 2024-11-21 | N/A | 4.6 MEDIUM |
|
The affected product is vulnerable to an attacker modifying the bootloader by using custom arguments to bypass authentication and gain access to the file system and obtain password hashes.
|
|||||
| CVE-2024-37152 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | N/A | 5.3 MEDIUM |
|
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
|
|||||
| CVE-2024-36457 | 2024-11-21 | N/A | N/A | ||
|
The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint.
|
|||||
| CVE-2024-36445 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
Swissphone DiCal-RED 4009 devices allow a remote attacker to gain a root shell via TELNET without authentication.
|
|||||
| CVE-2024-34800 | 2024-11-21 | N/A | 7.6 HIGH | ||
|
Missing Authentication for Critical Function vulnerability in Aruphash Crafthemes Demo Import allows Functionality Misuse.This issue affects Crafthemes Demo Import: from n/a through 3.3.
|
|||||
| CVE-2024-31916 | 1 Ibm | 1 Openbmc | 2024-11-21 | N/A | 7.5 HIGH |
|
IBM OpenBMC FW1050.00 through FW1050.10 BMCWeb HTTPS server component could disclose sensitive URI content to an unauthorized actor that bypasses authentication channels. IBM X-ForceID: 290026.
|
|||||
| CVE-2024-31684 | 2024-11-21 | N/A | 3.5 LOW | ||
|
Incorrect access control in the fingerprint authentication mechanism of Bitdefender Mobile Security v4.11.3-gms allows attackers to bypass fingerprint authentication due to the use of a deprecated API.
|
|||||
| CVE-2024-31218 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
Webhood is a self-hosted URL scanner used analyzing phishing and malicious sites. Webhood's backend container images in versions 0.9.0 and earlier are subject to Missing Authentication for Critical Function vulnerability. This vulnerability allows an unauthenticated attacker to send a HTTP request to the database (Pocketbase) admin API to create an admin account. The Pocketbase admin API does not check for authentication/authorization when creating an admin account when no admin accounts have be ...
Show More |
|||||
| CVE-2024-2013 | 1 Hitachienergy | 2 Foxman-un, Unem | 2024-11-21 | N/A | 10.0 CRITICAL |
|
An authentication bypass vulnerability exists in the FOXMAN-UN/UNEM server /
API Gateway component that if exploited allows attackers without
any access to interact with the services and the post-authentication
attack surface.
|
|||||
| CVE-2024-27758 | 2024-11-21 | N/A | 8.4 HIGH | ||
|
In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution.
|
|||||
| CVE-2024-27169 | 2024-11-21 | N/A | 8.4 HIGH | ||
|
Toshiba printers provides API without authentication for internal access. A local attacker can bypass authentication in applications, providing administrative access. As for the affected products/models/versions, see the reference URL.
|
|||||
| CVE-2024-23917 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | N/A | 9.8 CRITICAL |
|
In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
|
|||||
| CVE-2024-23618 | 1 Commscope | 2 Arris Surfboard Sbg6950ac2, Arris Surfboard Sbg6950ac2 Firmware | 2024-11-21 | 8.3 HIGH | 9.6 CRITICAL |
|
An arbitrary code execution vulnerability exists in Arris SURFboard SGB6950AC2 devices. An unauthenticated attacker can exploit this vulnerability to achieve code execution as root.
|
|||||
| CVE-2024-22513 | 2024-11-21 | N/A | 5.5 MEDIUM | ||
|
djangorestframework-simplejwt version 5.3.1 and before is vulnerable to information disclosure. A user can access web application resources even after their account has been disabled due to missing user validation checks via the for_user method.
|
|||||
| CVE-2024-22415 | 1 Jupyter | 1 Language Server Protocol Integration | 2024-11-21 | N/A | 7.3 HIGH |
|
jupyter-lsp is a coding assistance tool for JupyterLab (code navigation + hover suggestions + linters + autocompletion + rename) using Language Server Protocol. Installations of jupyter-lsp running in environments without configured file system access control (on the operating system level), and with jupyter-server instances exposed to non-trusted network are vulnerable to unauthorised access and modification of file system beyond the jupyter root directory. This issue has been patched in versio ...
Show More |
|||||