Total: 2009 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-25922 | 1 Hegemonelectronics | 2 Plc4trucks, Plc4trucks Firmware | 2024-11-21 | 6.4 MEDIUM | 6.1 MEDIUM | Power Line Communications PLC4TRUCKS J2497 trailer brake controllers implement diagnostic functions which can be invoked by replaying J2497 messages. There is no authentication or authorization for these functions. |
| CVE-2022-25508 | 1 Freetakserver-ui Project | 1 Freetakserver-ui | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An access control issue in the component /ManageRoute/postRoute of FreeTAKServer v1.9.8 allows unauthenticated attackers to cause a Denial of Service (DoS) via an unusually large amount of created routes, or create unsafe or false routes for legitimate users. |
| CVE-2022-25359 | 1 Iclinks | 3 Scadaflex Ii, Scadaflex Ii Firmware, Weblib | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | On ICL ScadaFlex II SCADA Controller SC-1 and SC-2 1.03.07 devices, unauthenticated remote attackers can overwrite, delete, or create files. |
| CVE-2022-25251 | 1 Ptc | 2 Axeda Agent, Axeda Desktop Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | When connecting to a certain port, Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send certain XML messages to a specific port without proper authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to read and modify the affected product's configuration. |
| CVE-2022-25250 | 1 Ptc | 2 Axeda Agent, Axeda Desktop Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | When connecting to a certain port, Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send a certain command to a specific port without authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to shut down a specific service. |
| CVE-2022-25247 | 1 Ptc | 2 Axeda Agent, Axeda Desktop Server | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send certain commands to a specific port without authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to obtain full file-system access and remote code execution. |
| CVE-2022-25245 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name. |
| CVE-2022-25008 | 1 Totolink | 4 Ex1200t, Ex1200t Firmware, Ex300 V2 and 1 more | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH | TOTOLINK EX300_v2 V4.0.3c.140_B20210429 and EX1200T V4.1.2cu.5230_B20210706 do not contain an authentication mechanism. |
| CVE-2022-24935 | 1 Lexmark | 2 Lexmark, Lexmark Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Lexmark products through 2022-02-10 have Incorrect Access Control. |
| CVE-2022-24829 | 1 Garden | 1 Garden | 2024-11-21 | 4.3 MEDIUM | 8.1 HIGH | Garden is an automation platform for Kubernetes development and testing. In versions prior to 0.12.39 multiple endpoints did not require authentication. In some operating modes this allows for an attacker to gain access to the application erroneously. The configuration is leaked through the /api endpoint on the local server that is responsible for serving the Garden dashboard. At the moment, this server is accessible to 0.0.0.0 which makes it accessible to anyone on the same network (or anyone o ... |
| CVE-2022-24820 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem. |
| CVE-2022-24562 | 1 Iobit | 1 Iotransfer | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire file-system (with admin privileges) on the victim's endpoint, which can result in data theft and remote code execution. |
| CVE-2022-24396 | 1 Sap | 1 Simple Diagnostics Agent | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | The Simple Diagnostics Agent, versions 1.0 up to version 1.57, does not perform any authentication checks for functionalities that can be accessed via localhost on HTTP port 3005. Due to the lack of authentication checks, an attacker could access administrative or other privileged functionalities and read, modify, or delete sensitive information and configurations. |
| CVE-2022-24111 | 1 Mahara | 1 Mahara | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios created in groups that have not been shared with non-group members and portfolios created on the site and institution levels can be viewed without requiring a login if the URL to these portfolios is known. |
| CVE-2022-23945 | 1 Apache | 1 Shenyu | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Missing authentication on ShenYu Admin when registering by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1. |
| CVE-2022-23944 | 1 Apache | 1 Shenyu | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | A user can access the /plugin API without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. |
| CVE-2022-23719 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2024-11-21 | 6.9 MEDIUM | 7.2 HIGH | PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine may be able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication. |
| CVE-2022-23345 | 1 Bigantsoft | 1 Bigant Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control. |
| CVE-2022-23220 | 4 Canonical, Debian, Gentoo and 1 more | 4 Ubuntu Linux, Debian Linux, Linux and 1 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option. This affects Ubuntu, Debian, and Gentoo. |
| CVE-2022-22809 | 1 Schneider-electric | 6 Fellerlynk, Fellerlynk Firmware, Spacelynk and 3 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow an attacker to modify the touch configurations in an unauthorized manner. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior) |
| CVE-2022-22652 | 1 Apple | 2 Ipados, Iphone Os | 2024-11-21 | 3.6 LOW | 6.1 MEDIUM | The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access may be able to view and modify the carrier account information and settings from the lock screen. |
| CVE-2022-22576 | 5 Brocade, Debian, Haxx and 2 more | 17 Fabric Operating System, Debian Linux, Curl and 14 more | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH | An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse of OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). |
| CVE-2022-22526 | 1 Gavazziautomation | 3 Cpy Car Park Server, Uwp 3.0 Monitoring Gateway And Controller, Uwp 3.0 Monitoring Gateway And Controller Firmware | 2024-11-21 | N/A | 9.8 CRITICAL | In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3, a missing authentication allows for full access via API. |
| CVE-2022-22309 | 1 Ibm | 2 Power System S922, Power System S922 Firmware | 2024-11-21 | 4.6 MEDIUM | 6.8 MEDIUM | The POWER systems FSP is vulnerable to unauthenticated logins through the serial port/TTY interface. This vulnerability can be more critical if the serial port is connected to a serial-over-LAN device. IBM X-Force ID: 217095. |
| CVE-2022-21952 | 1 Suse | 1 Manager Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | A Missing Authentication for Critical Function vulnerability in spacewalk-java of SUSE Manager Server 4.1 and SUSE Manager Server 4.2 allows remote attackers to easily exhaust available disk resources, leading to DoS. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46; SUSE Manager Server 4.2 spacewalk-java versions prior to 4.2.37. |
| CVE-2022-21816 | 1 Nvidia | 2 Cloud Gaming Virtual Gpu, Virtual Gpu | 2024-11-21 | 4.9 MEDIUM | 5.5 MEDIUM | NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia.ko), where a user in the guest OS can cause a GPU interrupt storm on the hypervisor host, leading to a denial of service. |
| CVE-2022-21691 | 1 Onionshare | 1 Onionshare | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions chat participants can spoof their channel leave message, tricking others into assuming they left the chatroom. |
| CVE-2022-20861 | 1 Cisco | 1 Nexus Dashboard | 2024-11-21 | N/A | 9.8 CRITICAL | Multiple vulnerabilities in Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack. For more information about these vulnerabilities, see the Details section of this advisory. |
| CVE-2022-20858 | 1 Cisco | 1 Nexus Dashboard | 2024-11-21 | N/A | 9.8 CRITICAL | Multiple vulnerabilities in Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack. For more information about these vulnerabilities, see the Details section of this advisory. |
| CVE-2022-20857 | 1 Cisco | 1 Nexus Dashboard | 2024-11-21 | N/A | 9.8 CRITICAL | Multiple vulnerabilities in Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack. For more information about these vulnerabilities, see the Details section of this advisory. |
| CVE-2022-20830 | 1 Cisco | 2 Catalyst Sd-wan Manager, Sd-wan Vmanage | 2024-11-21 | N/A | 5.3 MEDIUM | A vulnerability in the authentication mechanism of Cisco Software-Defined Application Visibility and Control (SD-AVC) on Cisco vManage could allow an unauthenticated, remote attacker to access the GUI of Cisco SD-AVC without authentication. This vulnerability exists because the GUI is accessible on self-managed cloud installations or local server installations of Cisco vManage. An attacker could exploit this vulnerability by accessing the exposed GUI of Cisco SD-AVC. A successful exploit could allow ... |
| CVE-2022-20060 | 2 Google, Mediatek | 34 Android, Mt6761, Mt6762 and 31 more | 2024-11-21 | 4.4 MEDIUM | 6.6 MEDIUM | In preloader (usb), there is a possible permission bypass due to missing proper image authentication. This could lead to local escalation of privilege for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS06160806; Issue ID: ALPS06137462. |
| CVE-2022-1598 | 1 2code | 1 Wpqa Builder | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | The WPQA Builder WordPress plugin before 5.5, which is a companion to Discy and Himer, lacks authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users on the site. |
| CVE-2022-1521 | 1 Illumina | 8 Iseq 100, Local Run Manager, Miniseq and 5 more | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data. |
| CVE-2022-1368 | 1 Cognex | 2 3d-a1000 Dimensioning System, 3d-a1000 Dimensioning System Firmware | 2024-11-21 | N/A | 9.8 CRITICAL | The Cognex 3D-A1000 Dimensioning System in firmware version 1.0.3 (3354) and prior is vulnerable to CWE-306: Missing Authentication for Critical Function, which allows unauthorized users to change the operator account password via webserver commands by monitoring web socket communications from an unauthenticated session. This could allow an attacker to escalate privileges to match those of the compromised account. |
| CVE-2022-1300 | 1 Trumpf | 3 Trutops Boost, Trutops Fab, Trutops Monitor | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Multiple versions of TRUMPF TruTops products expose a service function without the necessary authentication. Execution of this function may result in unauthorized access to or modification of data, or disruption of the whole service. |
| CVE-2022-1248 | 1 Sap Information System Project | 1 Sap Information System | 2024-11-21 | 7.5 HIGH | 7.3 HIGH | A vulnerability was found in SAP Information System 1.0 which has been rated as critical. Affected by this issue is the file /SAP_Information_System/controllers/add_admin.php. An unauthenticated attacker is able to create a new admin account for the web application with a simple POST request. Exploit details were disclosed. |
| CVE-2022-0993 | 1 Siteground | 1 Siteground Security | 2024-11-21 | 7.5 HIGH | 8.1 HIGH | The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on the 2FA back-up code implementation that logs users in upon success. This affects versions up to, and including, 1.2.5. |
| CVE-2022-0922 | 1 Philips | 2 E-alert, E-alert Firmware | 2024-11-21 | 5.7 MEDIUM | 6.5 MEDIUM | The software does not perform any authentication for critical system functionality. |
| CVE-2022-0878 | 1 Combined Charging System Project | 2 Combined Charging System, Combined Charging System Firmware | 2024-11-21 | 3.3 LOW | 4.6 MEDIUM | Electric Vehicles (EVs) commonly utilise the Combined Charging System (CCS) for DC rapid charging. To exchange important messages such as the State of Charge (SoC) with the Electric Vehicle Supply Equipment (EVSE), CCS uses a high-bandwidth IP link provided by the HomePlug Green PHY (HPGP) power-line communication (PLC) technology. The attack interrupts necessary control communication between the vehicle and charger, causing charging sessions to abort. The attack can be conducted wirelessly from a ... |