Total
2009 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-24580 | 1 Dlink | 2 Dsl2888a, Dsl2888a Firmware | 2024-11-21 | 5.4 MEDIUM | 7.5 HIGH |
|
An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. Lack of authentication functionality allows an attacker to assign a static IP address that was once used by a valid user.
|
|||||
| CVE-2020-24217 | 3 Jtechdigital, Provideoinstruments, Szuray | 105 H.264 Iptv Encoder 1080p\@60hz, H.264 Iptv Encoder 1080p\@60hz Firmware, Vecaster-4k-hevc and 102 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. The file-upload endpoint does not enforce authentication. Attackers can send an unauthenticated HTTP request to upload a custom firmware component, possibly in conjunction with command injection, to achieve arbitrary code execution.
|
|||||
| CVE-2020-24051 | 1 Moog | 4 Exvf5c-2, Exvf5c-2 Firmware, Exvp7c2-3 and 1 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
The Moog EXO Series EXVF5C-2 and EXVP7C2-3 units support the ONVIF interoperability IP-based physical security protocol, which requires authentication for some of its operations. It was found that the authentication check for those ONVIF operations can be bypassed. An attacker can abuse this issue to execute privileged operations without authentication, for instance, to create a new Administrator user.
|
|||||
| CVE-2020-23512 | 1 Vr Cam | 2 P1, P1 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
VR CAM P1 Model P1 v1 has an incorrect access control vulnerability where an attacker can obtain complete access of the device from web (remote) without authentication.
|
|||||
| CVE-2020-23448 | 1 Newbee-mall Project | 1 Newbee-mall | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
newbee-mall all versions are affected by incorrect access control to remotely gain privileges through AdminLoginInterceptor.java. The authentication logic of the system's background /admin is in code AdminLoginInterceptor, which can be bypassed.
|
|||||
| CVE-2020-21997 | 1 Smartwares | 2 Home Easy, Home Easy Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Smartwares HOME easy <=1.0.9 is vulnerable to an unauthenticated database backup download and information disclosure vulnerability. An attacker could disclose sensitive and clear-text information resulting in authentication bypass, session hijacking and full system control.
|
|||||
| CVE-2020-21996 | 1 Ave | 13 53ab-wbs, 53ab-wbs Firmware, Dominaplus and 10 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
AVE DOMINAplus <=1.10.x suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario.
|
|||||
| CVE-2020-21936 | 1 Motorola | 2 Cx2, Cx2 Firmware | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
An issue in HNAP1/GetMultipleHNAPs of Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n allows attackers to access the components GetStationSettings, GetWebsiteFilterSettings and GetNetworkSettings without authentication.
|
|||||
| CVE-2020-21934 | 1 Motorola | 2 Cx2, Cx2 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered in Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n where authentication to download the Syslog could be bypassed.
|
|||||
| CVE-2020-20627 | 1 Givewp | 1 Givewp | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
The includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin through 2.5.9 for WordPress allows unauthenticated settings change.
|
|||||
| CVE-2020-20472 | 1 White Shark Systems Project | 1 White Shark Systems | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
White Shark System (WSS) 1.3.2 has a sensitive information disclosure vulnerability. The if_get_addbook.php file does not have an authentication operation. Remote attackers can obtain username information for all users of the current site.
|
|||||
| CVE-2020-1955 | 1 Apache | 1 Couchdb | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
|
CouchDB version 3.0.0 shipped with a new configuration setting that governs access control to the entire database server called `require_valid_user_except_for_up`. It was meant as an extension to the long standing setting `require_valid_user`, which in turn requires that any and all requests to CouchDB will have to be made with valid credentials, effectively forbidding any anonymous requests. The new `require_valid_user_except_for_up` is an off-by-default setting that was meant to allow requirin ...
Show More |
|||||
| CVE-2020-1813 | 1 Huawei | 2 P30, P30 Firmware | 2024-11-21 | 4.6 MEDIUM | 6.8 MEDIUM |
|
HUAWEI P30 smart phone with versions earlier than 10.1.0.135(C00E135R2P11) have an improper authentication vulnerability. Due to improper authentication of specific interface, in specific scenario attackers could access specific interface without authentication. Successful exploit could allow the attacker to perform unauthorized operations.
|
|||||
| CVE-2020-19670 | 1 Niushop | 1 Niushop | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
In Niushop B2B2C Multi-Business Basic Edition V1.11, authentication can be bypassed, causing administrators to reset any passwords.
|
|||||
| CVE-2020-19419 | 1 Emerson | 2 Smart Wireless Gateway 1420, Smart Wireless Gateway 1420 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Incorrect Access Control in Emerson Smart Wireless Gateway 1420 4.6.59 allows remote attackers to obtain sensitive device information from the administrator console without authentication.
|
|||||
| CVE-2020-17517 | 1 Apache | 1 Ozone | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The S3 buckets and keys in a secure Apache Ozone Cluster must be inaccessible to anonymous access by default. The current security vulnerability allows access to keys and buckets through a curl command or an unauthenticated HTTP request. This enables unauthorized access to buckets and keys thereby exposing data to anonymous clients or users. This affected Apache Ozone prior to the 1.1.0 release.
|
|||||
| CVE-2020-17475 | 1 Megvii | 2 Koala, Koala Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
|
|||||
| CVE-2020-16167 | 1 Robotemi | 1 Launcher Os | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
Missing Authentication for Critical Function in temi Robox OS prior to 120, temi Android app up to 1.3.7931 allows remote attackers to receive and answer calls intended for another temi user. Answering the call this way grants motor control of the temi in addition to audio/video via unspecified vectors.
|
|||||
| CVE-2020-16102 | 1 Gallagher | 1 Command Centre | 2024-11-21 | 6.4 MEDIUM | 7.1 HIGH |
|
Improper Authentication vulnerability in Gallagher Command Centre Server allows an unauthenticated remote attacker to create items with invalid configuration, potentially causing the server to crash and fail to restart. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1299(MR2); 8.20 versions prior to 8.20.1218(MR4); 8.10 versions prior to 8.10.1253(MR6); 8.00 versions prior to 8.00.1252(MR7); version 7.90 and prior versions.
|
|||||
| CVE-2020-16098 | 1 Gallagher | 1 Command Centre | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
It is possible to enumerate access card credentials via an unauthenticated network connection to the server in versions of Command Centre v8.20 prior to v8.20.1166(MR3), versions of 8.10 prior to v8.10.1211(MR5), versions of 8.00 prior to v8.00.1228(MR6), all versions of 7.90 and earlier. These credentials can then be used to encode low security cards to be used by the system where insecure card technologies are supported.
|
|||||
| CVE-2020-15894 | 1 Dlink | 2 Dir-816l, Dir-816l Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. There exists an exposed administration function in getcfg.php, which can be used to call various services. It can be utilized by an attacker to retrieve various sensitive information, such as admin login credentials, by setting the value of _POST_SERVICES in the query string to DEVICE.ACCOUNT.
|
|||||
| CVE-2020-15851 | 1 Nakivo | 1 Backup \& Replication Transporter | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Lack of access control in Nakivo Backup & Replication Transporter version 9.4.0.r43656 allows remote users to access unencrypted backup repositories and the Nakivo Controller configuration via a network accessible transporter service. It is also possible to create or delete backup repositories.
|
|||||
| CVE-2020-15834 | 1 Mofinetwork | 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The wireless network password is exposed in a QR encoded picture that an unauthenticated adversary can download via the web-management interface.
|
|||||
| CVE-2020-15799 | 1 Siemens | 132 Scalance X200-4pirt, Scalance X200-4pirt Firmware, Scalance X201-3pirt and 129 more | 2024-11-21 | 7.1 HIGH | 6.5 MEDIUM |
|
A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < V5.2.5), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.5.0). The vulnerability could allow an unauthenticated attacker to reboot the device over the network by using special urls from integrated web server of the affected products.
|
|||||
| CVE-2020-15798 | 1 Siemens | 20 Simatic Hmi Comfort Panels, Simatic Hmi Comfort Panels Firmware, Simatic Hmi Ktp Mobile Panels and 17 more | 2024-11-21 | 9.3 HIGH | 9.8 CRITICAL |
|
A vulnerability has been identified in SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions < V16 Update 3a), SIMATIC HMI KTP Mobile Panels (All versions < V16 Update 3a), SINAMICS GH150 (All versions), SINAMICS GL150 (with option X30) (All versions), SINAMICS GM150 (with option X30) (All versions), SINAMICS SH150 (All versions), SINAMICS SL150 (All versions), SINAMICS SM120 (All versions), SINAMICS SM150 (All versions), SINAMICS SM150i (All versions). Affected devices with enabled t ...
Show More |
|||||
| CVE-2020-15483 | 1 Niscomed | 2 M1000 Multipara Patient Monitor, M1000 Multipara Patient Monitor Firmware | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
|
An issue was discovered on Nescomed Multipara Monitor M1000 devices. The physical UART debug port provides a shell, without requiring a password, with complete access.
|
|||||
| CVE-2020-15391 | 1 Devspace | 1 Devspace | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The UI in DevSpace 4.13.0 allows web sites to execute actions on pods (on behalf of a victim) because of a lack of authentication for the WebSocket protocol. This leads to remote code execution.
|
|||||
| CVE-2020-15336 | 1 Zyxel | 1 Cloudcnm Secumanager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /cnr requests.
|
|||||
| CVE-2020-15335 | 1 Zyxel | 1 Cloudcnm Secumanager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /registerCpe requests.
|
|||||
| CVE-2020-15243 | 1 Smartstore | 1 Smartstore | 2024-11-21 | 7.5 HIGH | 9.1 CRITICAL |
|
Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops in version 4.0.0 & 4.0.1 which have installed and activated the Web API plugin. Users of Smartstore 4.0.0 and 4.0.1 must merge their repository with 4.0.x or overwrite the file SmartStore.Web.Framework in the */bin* directory of the deployed shop with this file. As a workaround without updating uninstall the Web API plugin to close this vulnerability.
|
|||||
| CVE-2020-15136 | 2 Fedoraproject, Redhat | 2 Fedora, Etcd | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
|
In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functional ...
Show More |
|||||
| CVE-2020-15127 | 1 Projectcontour | 1 Contour | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flipping the readiness endpoint to false, which removes Envoy from the routing pool. When running Envoy (For example on the host network, pod spec hostNetwork=true), the shutdown manager's endpoint is acc ...
Show More |
|||||
| CVE-2020-15078 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
|
|||||
| CVE-2020-14501 | 1 Advantech | 1 Iview | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
Advantech iView, versions 5.6 and prior, has an improper authentication for critical function (CWE-306) issue. Successful exploitation of this vulnerability may allow an attacker to obtain the information of the user table, including the administrator credentials in plain text. An attacker may also delete the administrator account.
|
|||||
| CVE-2020-14479 | 1 Inductiveautomation | 1 Ignition | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server
|
|||||
| CVE-2020-14245 | 1 Hcltechsw | 1 Onetest Performance | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
HCL OneTest UI V9.5, V10.0, and V10.1 does not perform authentication for functionality that either requires a provable user identity or consumes a significant amount of resources.
|
|||||
| CVE-2020-14048 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents.
|
|||||
| CVE-2020-13920 | 3 Apache, Debian, Oracle | 4 Activemq, Debian Linux, Communications Diameter Signaling Router and 1 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.
|
|||||
| CVE-2020-13856 | 1 Mofinetwork | 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. Authentication is not required to download the support file that contains sensitive information such as cleartext credentials and password hashes.
|
|||||
| CVE-2020-13838 | 1 Google | 1 Android | 2024-11-21 | 3.6 LOW | 3.5 LOW |
|
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. The DeX Lockscreen feature does not block access to Quick Panel and notifications. The Samsung ID is SVE-2020-17187 (June 2020).
|
|||||