Total
2009 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-32528 | 1 Schneider-electric | 1 Interactive Graphical Scada System | 2024-11-21 | N/A | 8.6 HIGH |
|
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could
cause access to manipulate and read specific files in the IGSS project report directory,
potentially leading to a denial-of-service condition when an attacker sends specific messages.
Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)
|
|||||
| CVE-2022-32503 | 2024-11-21 | N/A | 7.6 HIGH | ||
|
An issue was discovered on certain Nuki Home Solutions devices. An attacker with physical access to this JTAG port may be able to connect to the device and bypass both hardware and software security protections. This affects Nuki Keypad before 1.9.2 and Nuki Fob before 1.8.1.
|
|||||
| CVE-2022-32251 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-11-21 | 7.5 HIGH | 8.8 HIGH |
|
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). There is a missing authentication verification for a resource used to change the roles and permissions of a user. This could allow an attacker to change the permissions of any user and gain the privileges of an administrative user.
|
|||||
| CVE-2022-32157 | 1 Splunk | 1 Splunk | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Splunk Enterprise deployment servers in versions before 9.0 allow unauthenticated downloading of forwarder bundles. Remediation requires you to update the deployment server to version 9.0 and Configure authentication for deployment servers and clients (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/ConfigDSDCAuthEnhancements#Configure_authentication_for_deployment_servers_and_clients). Once enabled, deployment servers can manage only Universal Forwarder versions 9.0 and higher. Thou ...
Show More |
|||||
| CVE-2022-31461 | 1 Owllabs | 2 Meeting Owl Pro, Meeting Owl Pro Firmware | 2024-11-21 | 3.3 LOW | 7.4 HIGH |
|
Owl Labs Meeting Owl 5.2.0.15 allows attackers to deactivate the passcode protection mechanism via a certain c 11 message.
|
|||||
| CVE-2022-31260 | 1 Montala | 1 Resourcespace | 2024-11-21 | N/A | 6.5 MEDIUM |
|
In Montala ResourceSpace through 9.8 before r19636, csv_export_results_metadata.php allows attackers to export collection metadata via a non-NULL k value.
|
|||||
| CVE-2022-31176 | 1 Grafana | 1 Grafana-image-renderer | 2024-11-21 | N/A | 8.3 HIGH |
|
Grafana Image Renderer is a Grafana backend plugin that handles rendering of panels & dashboards to PNGs using a headless browser (Chromium/Chrome). An internal security review identified an unauthorized file disclosure vulnerability. It is possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake datasource (if user has admin permissions in Grafana). All Grafana installations should be upgraded to version 3.6.1 as soon as possible. As a workaround ...
Show More |
|||||
| CVE-2022-30317 | 1 Honeywell | 2 Experion Lx, Experion Lx Firmware | 2024-11-21 | N/A | 9.1 CRITICAL |
|
Honeywell Experion LX through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0055, there is a Honeywell Experion LX Control Data Access (CDA) EpicMo protocol with unauthenticated functionality issue. The affected components are characterized as: Honeywell Control Data Access (CDA) EpicMo (55565/TCP). The potential impact is: Firmware manipulation, Denial of service. The Honeywell Experion LX Distributed Control System (DCS) utilizes the Control Data Access ...
Show More |
|||||
| CVE-2022-30313 | 1 Honeywell | 2 Safety Manager, Safety Manager Firmware | 2024-11-21 | N/A | 7.5 HIGH |
|
Honeywell Experion PKS Safety Manager through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0051, there is a Honeywell Experion PKS Safety Manager multiple proprietary protocols with unauthenticated functionality issue. The affected components are characterized as: Honeywell Experion TCP (51000/TCP), Safety Builder (51010/TCP). The potential impact is: Manipulate controller state, Manipulate controller configuration, Manipulate controller logic, Manipulate ...
Show More |
|||||
| CVE-2022-30276 | 1 Motorola | 4 Ace Ip Gateway \(4600\), Ace Ip Gateway \(4600\) Firmware, Moscad Ip Gateway and 1 more | 2024-11-21 | N/A | 7.5 HIGH |
|
The Motorola MOSCAD and ACE line of RTUs through 2022-05-02 omit an authentication requirement. They feature IP Gateway modules which allow for interfacing between Motorola Data Link Communication (MDLC) networks (potentially over a variety of serial, RF and/or Ethernet links) and TCP/IP networks. Communication with RTUs behind the gateway is done by means of the proprietary IPGW protocol (5001/TCP). This protocol does not have any authentication features, allowing any attacker capable of commun ...
Show More |
|||||
| CVE-2022-2765 | 1 Company Website Cms Project | 1 Company Website Cms | 2024-11-21 | N/A | 6.3 MEDIUM |
|
A vulnerability was found in SourceCodester Company Website CMS 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /dashboard/settings. The manipulation leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-206161 was assigned to this vulnerability.
|
|||||
| CVE-2022-2474 | 1 Haascnc | 2 Haas Controller, Haas Controller Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Authentication is currently unsupported in Haas Controller version 100.20.000.1110 when using the “Ethernet Q Commands” service, which allows any user on the same network segment as the controller (even while connected remotely) to access the service and write unauthorized macros to the device.
|
|||||
| CVE-2022-2242 | 1 Kuka | 1 Systemsoftware V\/kss | 2024-11-21 | N/A | 9.8 CRITICAL |
|
The KUKA SystemSoftware V/KSS in versions prior to 8.6.5 is prone to improper access control as an unauthorized attacker can directly read and write robot configurations when access control is not available or not enabled (default).
|
|||||
| CVE-2022-2141 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
|
SMS-based GPS commands can be executed by MiCODUS MV720 GPS tracker without authentication.
|
|||||
| CVE-2022-2138 | 1 Advantech | 1 Iview | 2024-11-21 | N/A | 8.2 HIGH |
|
The affected product is vulnerable due to missing authentication, which may allow an attacker to read or modify sensitive data and execute arbitrary code, resulting in a denial-of-service condition.
|
|||||
| CVE-2022-29957 | 1 Emerson | 1 Deltav Distributed Control System | 2024-11-21 | N/A | 7.8 HIGH |
|
The Emerson DeltaV Distributed Control System (DCS) through 2022-04-29 mishandles authentication. It utilizes several proprietary protocols for a wide variety of functionality. These protocols include Firmware upgrade (18508/TCP, 18518/TCP); Plug-and-Play (18510/UDP); Hawk services (18507/UDP); Management (18519/TCP); Cold restart (18512/UDP); SIS communications (12345/TCP); and Wireless Gateway Protocol (18515/UDP). None of these protocols have any authentication features, allowing any attacker ...
Show More |
|||||
| CVE-2022-29952 | 1 Bakerhughes | 8 Bently Nevada 3701\/40, Bently Nevada 3701\/40 Firmware, Bently Nevada 3701\/44 and 5 more | 2024-11-21 | N/A | 9.1 CRITICAL |
|
Bently Nevada condition monitoring equipment through 2022-04-29 mishandles authentication. It utilizes the TDI command and data protocols (60005/TCP, 60007/TCP) for communications between the monitoring controller and System 1 and/or Bently Nevada Monitor Configuration (BNMC) software. These protocols provide configuration management and historical data related functionality. Neither protocol has any authentication features, allowing any attacker capable of communicating with the ports in questi ...
Show More |
|||||
| CVE-2022-29951 | 1 Jtekt | 34 Nano 10gx Tuc-1157, Nano 10gx Tuc-1157 Firmware, Nano Cpu Tuc-6941 and 31 more | 2024-11-21 | N/A | 9.1 CRITICAL |
|
JTEKT TOYOPUC PLCs through 2022-04-29 mishandle authentication. They utilize the CMPLink/TCP protocol (configurable on ports 1024-65534 on either TCP or UDP) for a wide variety of engineering purposes such as starting and stopping the PLC, downloading and uploading projects, and changing configuration settings. This protocol does not have any authentication features, allowing any attacker capable of communicating with the port in question to invoke (a subset of) desired functionality.
|
|||||
| CVE-2022-29934 | 1 Usu | 1 Oracle Optimization | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
USU Oracle Optimization before 5.17.5 lacks Polkit authentication, which allows smartcollector users to achieve root access via pkexec. NOTE: this is not an Oracle Corporation product.
|
|||||
| CVE-2022-29877 | 1 Siemens | 72 7kg8500-0aa00-0aa0, 7kg8500-0aa00-0aa0 Firmware, 7kg8500-0aa00-2aa0 and 69 more | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
|
A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM ...
Show More |
|||||
| CVE-2022-29402 | 1 Tp-link | 2 Tl-wr840n, Tl-wr840n Firmware | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
|
TP-Link TL-WR840N EU v6.20 was discovered to contain insecure protections for its UART console. This vulnerability allows attackers to connect to the UART port via a serial connection and execute commands as the root user without authentication.
|
|||||
| CVE-2022-29270 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
In Nagios XI through 5.8.5, it is possible for a user without password verification to change his e-mail address.
|
|||||
| CVE-2022-29226 | 1 Envoyproxy | 1 Envoy | 2024-11-21 | 6.4 MEDIUM | 10.0 CRITICAL |
|
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request. Users are advised to upgrade. There is no known workaround for this ...
Show More |
|||||
| CVE-2022-28809 | 1 Opendesign | 1 Drawings Sdk | 2024-11-21 | N/A | 7.8 HIGH |
|
An issue was discovered in Open Design Alliance Drawings SDK before 2023.3. An Out-of-Bounds Read vulnerability exists when reading a DWG file with an invalid vertex number in a recovery mode. An attacker can leverage this vulnerability to execute code in the context of the current process.
|
|||||
| CVE-2022-28719 | 1 Hammock | 1 Assetview | 2024-11-21 | 9.3 HIGH | 9.8 CRITICAL |
|
Missing authentication for critical function in AssetView prior to Ver.13.2.0 allows a remote unauthenticated attacker with some knowledge on the system configuration to upload a crafted configuration file to the managing server, which may result in the managed clients to execute arbitrary code with the administrative privilege.
|
|||||
| CVE-2022-28660 | 1 Grafana | 1 Grafana | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is used. Versions 1.2.1, 1.3.1, and 1.4.0 contain the bugfix. This affects -auth.type=enterprise in microservices mode
|
|||||
| CVE-2022-27891 | 1 Palantir | 1 Gotham | 2024-11-21 | N/A | 5.3 MEDIUM |
|
Palantir Gotham included an unauthenticated endpoint that listed all active usernames on the stack with an active session. The affected services have been patched and automatically deployed to all Apollo-managed Gotham instances. It is highly recommended that customers upgrade all affected services to the latest version. This issue affects: Palantir Gotham versions prior to 103.30221005.0.
|
|||||
| CVE-2022-27645 | 1 Netgear | 46 Lax20, Lax20 Firmware, R6400 and 43 more | 2024-11-21 | N/A | 8.8 HIGH |
|
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700v3 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within readycloud_control.cgi. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15762.
|
|||||
| CVE-2022-27495 | 1 F5 | 1 Nginx Service Mesh | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
|
On all versions 1.3.x (fixed in 1.4.0) NGINX Service Mesh control plane endpoints are exposed to the cluster overlay network. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
|
|||||
| CVE-2022-27332 | 1 Zammad | 1 Zammad | 2024-11-21 | 5.8 MEDIUM | 9.1 CRITICAL |
|
An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication. This vulnerability can allow attackers to execute phishing attacks or cause a Denial of Service (DoS).
|
|||||
| CVE-2022-27169 | 1 Openautomationsoftware | 1 Oas Platform | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An information disclosure vulnerability exists in the OAS Engine SecureBrowseFile functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted network request can lead to a disclosure of sensitive information. An attacker can send a network request to trigger this vulnerability.
|
|||||
| CVE-2022-26971 | 1 Barco | 1 Control Room Management Suite | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a license file upload mechanism. This upload can be executed without authentication.
|
|||||
| CVE-2022-26833 | 1 Openautomationsoftware | 1 Oas Platform | 2024-11-21 | 7.5 HIGH | 9.4 CRITICAL |
|
An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. A specially-crafted series of HTTP requests can lead to unauthenticated use of the REST API. An attacker can send a series of HTTP requests to trigger this vulnerability.
|
|||||
| CVE-2022-26394 | 1 Baxter | 8 Baxter Spectrum Iq 35700bax3, Baxter Spectrum Iq 35700bax3 Firmware, Sigma Spectrum 35700bax and 5 more | 2024-11-21 | N/A | 5.5 MEDIUM |
|
The Baxter Spectrum WBM does not perform mutual authentication with the gateway server host. This may allow an attacker to perform a man in the middle attack that modifies parameters making the network connection fail.
|
|||||
| CVE-2022-26303 | 1 Openautomationsoftware | 1 Oas Platform | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An external config control vulnerability exists in the OAS Engine SecureAddUser functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to the creation of an OAS user account. An attacker can send a sequence of requests to trigger this vulnerability.
|
|||||
| CVE-2022-26267 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.
|
|||||
| CVE-2022-26082 | 1 Openautomationsoftware | 1 Oas Platform | 2024-11-21 | 7.5 HIGH | 9.1 CRITICAL |
|
A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.
|
|||||
| CVE-2022-26067 | 1 Openautomationsoftware | 1 Oas Platform | 2024-11-21 | 5.0 MEDIUM | 4.9 MEDIUM |
|
An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to arbitrary file read. An attacker can send a sequence of requests to trigger this vulnerability.
|
|||||
| CVE-2022-26043 | 1 Openautomationsoftware | 1 Oas Platform | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An external config control vulnerability exists in the OAS Engine SecureAddSecurity functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to the creation of a custom Security Group. An attacker can send a sequence of requests to trigger this vulnerability.
|
|||||
| CVE-2022-26026 | 1 Openautomationsoftware | 1 Oas Platform | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A denial of service vulnerability exists in the OAS Engine SecureConfigValues functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted network request can lead to loss of communications. An attacker can send a network request to trigger this vulnerability.
|
|||||