Total: 2009 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-50486 | 1 Acnoo | 1 Flutter Api | 2024-10-29 | N/A | 9.8 CRITICAL | Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Acnoo Flutter API allows Authentication Bypass. This issue affects Acnoo Flutter API: from n/a through 1.0.5. |
| CVE-2024-42017 | | | 2024-10-29 | N/A | 10.0 CRITICAL | An issue was discovered in Atos Eviden iCare 2.7.1 through 2.7.11. The application exposes a web interface locally. In the worst-case scenario, if the application is remotely accessible, it allows an attacker to execute arbitrary commands with system privilege on the endpoint hosting the application, without any authentication. |
| CVE-2024-10002 | 1 Roveridx | 1 Rover Idx | 2024-10-25 | N/A | 8.8 HIGH | The Rover IDX plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0.0.2905. This is due to insufficient validation and capability check on the 'rover_idx_refresh_social_callback' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as an administrator. The vulnerability is partially patched in version 3.0.0.2905 and fully patched in version 3.0.0.2906. |
| CVE-2024-48442 | | | 2024-10-25 | N/A | 6.5 MEDIUM | Incorrect access control in Shenzhen Tuoshi Network Communications Co.,Ltd 5G CPE Router NR500-EA RG500UEAABxCOMSLICv3.2.2543.12.18 allows attackers to access the SSH protocol without authentication. |
| CVE-2024-26519 | | | 2024-10-23 | N/A | 9.0 CRITICAL | An issue in Casa Systems NTC-221 version 2.0.99.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the /www/cgi-bin/nas.cgi component. |
| CVE-2024-49328 | 1 Vivektamrakar | 1 Wp Rest Api Fns | 2024-10-23 | N/A | 9.8 CRITICAL | Authentication Bypass Using an Alternate Path or Channel vulnerability in Vivek Tamrakar WP REST API FNS allows Authentication Bypass. This issue affects WP REST API FNS: from n/a through 1.0.0. |
| CVE-2024-49604 | 1 Najeebmedia | 1 Simple User Registration | 2024-10-23 | N/A | 9.8 CRITICAL | Authentication Bypass Using an Alternate Path or Channel vulnerability in Najeeb Ahmad Simple User Registration allows Authentication Bypass. This issue affects Simple User Registration: from n/a through 5.5. |
| CVE-2024-43488 | 1 Microsoft | 1 Visual Studio Code | 2024-10-21 | N/A | 9.8 CRITICAL | Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attacker to perform remote code execution through network attack vector. |
| CVE-2024-21272 | 1 Oracle | 1 Mysql | 2024-10-21 | N/A | 7.5 HIGH | Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 9.0.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI: ... |
| CVE-2024-48920 | | | 2024-10-18 | N/A | 9.1 CRITICAL | PutongOJ is online judging software. Prior to version 2.1.0-beta.1, unprivileged users can escalate privileges by constructing requests. This can lead to unauthorized access, enabling users to perform admin-level operations, potentially compromising sensitive data and system integrity. This problem has been fixed in v2.1.0.beta.1. As a workaround, one may apply the patch from commit `211dfe9` manually. |
| CVE-2024-49399 | | | 2024-10-18 | N/A | N/A | The affected product is vulnerable to an attacker being able to use commands without providing a password, which may allow an attacker to leak information. |
| CVE-2024-47130 | 1 Gotenna | 1 Gotenna Pro | 2024-10-17 | N/A | 6.5 MEDIUM | The goTenna Pro App allows unauthenticated attackers to remotely update the local public keys used for P2P and group messages. It is advised to update your app to the current release for enhanced encryption protocols. |
| CVE-2024-9984 | 1 Ragic | 1 Enterprise Cloud Database | 2024-10-16 | N/A | 9.8 CRITICAL | Enterprise Cloud Database from Ragic does not authenticate access to specific functionality, allowing unauthenticated remote attackers to use this functionality to obtain any user's session cookie. |
| CVE-2023-22650 | | | 2024-10-16 | N/A | 8.8 HIGH | A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users; Rancher will not reflect these modifications, which may leave the user's tokens still usable. |
| CVE-2024-48771 | | | 2024-10-15 | N/A | 7.5 HIGH | An issue in almando GmbH Almando Play APP (com.almando.play) 1.8.2 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48768 | | | 2024-10-15 | N/A | 7.5 HIGH | An issue in almaodo GmbH appinventor.ai_google.almando_control 2.3.1 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48776 | | | 2024-10-15 | N/A | 7.5 HIGH | An issue in Shelly com.home.shelly 1.0.4 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48775 | | | 2024-10-15 | N/A | 7.5 HIGH | An issue in Plug n Play Camera com.ezset.delaney 1.2.0 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48773 | | | 2024-10-15 | N/A | 7.5 HIGH | An issue in WoFit v.7.2.3 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48777 | | | 2024-10-15 | N/A | 7.5 HIGH | LEDVANCE com.ledvance.smartplus.eu 2.1.10 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-9522 | 1 Lagunaisw | 1 Wp Users Masquerade | 2024-10-15 | N/A | 8.8 HIGH | The WP Users Masquerade plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.0. This is due to incorrect authentication and capability checking in the 'ajax_masq_login' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator. |
| CVE-2024-8530 | | | 2024-10-15 | N/A | 5.9 MEDIUM | CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause exposure of private data when an already generated "logcaptures" archive is accessed directly by HTTPS. |
| CVE-2024-47555 | | | 2024-10-10 | N/A | 8.3 HIGH | Missing Authentication - User & System Configuration |
| CVE-2024-9289 | 1 Redefiningtheweb | 1 Affiliate Pro | 2024-10-07 | N/A | 9.8 CRITICAL | The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they have access to the administrator's email. |
| CVE-2024-8456 | 1 Planet | 4 Gs-4210-24p2s, Gs-4210-24p2s Firmware, Gs-4210-24pl4c and 1 more | 2024-10-04 | N/A | 9.8 CRITICAL | Certain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining full control of the devices. |
| CVE-2024-41988 | | | 2024-10-04 | N/A | N/A | TEM Opera Plus FM Family Transmitter allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. This file system serves as the basis for the HTTP2 web server module but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code. |
| CVE-2024-35294 | | | 2024-10-04 | N/A | 6.5 MEDIUM | An unauthenticated remote attacker may use the device's traffic capture without authentication to grab plaintext administrative credentials. |
| CVE-2024-35293 | | | 2024-10-04 | N/A | 9.1 CRITICAL | An unauthenticated remote attacker may use a missing authentication for critical function vulnerability to reboot or erase the affected devices, resulting in data loss and/or a DoS. |
| CVE-2024-7781 | 1 Artbees | 1 Jupiter X Core | 2024-10-02 | N/A | 9.8 CRITICAL | The Jupiter X Core plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.7.5. This is due to improper authentication via the Social Login widget. This makes it possible for unauthenticated attackers to log in as the first user to have logged in with a social media account, including administrator accounts. Attackers can exploit the vulnerability even if the Social Login element has been disabled, as long as it was previously enabled and used. The vul ... |
| CVE-2023-52949 | 1 Synology | 1 Active Backup For Business Agent | 2024-10-02 | N/A | 5.5 MEDIUM | Missing authentication for critical function vulnerability in proxy settings functionality in Synology Active Backup for Business Agent before 2.7.0-3221 allows local users to obtain user credentials via unspecified vectors. |
| CVE-2023-52947 | 1 Synology | 1 Active Backup For Business Agent | 2024-10-02 | N/A | 3.3 LOW | Missing authentication for critical function vulnerability in logout functionality in Synology Active Backup for Business Agent before 2.6.3-3101 allows local users to log out the client via unspecified vectors. The backup functionality will continue to operate and will not be affected by the logout. |
| CVE-2024-39364 | | | 2024-09-30 | N/A | 6.3 MEDIUM | Advantech ADAM-5630 has built-in commands that can be executed without authenticating the user. These commands allow for restarting the operating system, rebooting the hardware, and stopping the execution. The commands can be sent in a simple HTTP request and are executed by the device automatically, without discrimination of origin or level of privileges of the user sending the commands. |
| CVE-2024-6981 | | | 2024-09-30 | N/A | 9.8 CRITICAL | OMNTEC Proteus Tank Monitoring OEL8000III Series could allow an attacker to perform administrative actions without proper authentication. |
| CVE-2024-8310 | | | 2024-09-30 | N/A | 9.8 CRITICAL | OPW Fuel Management Systems SiteSentinel could allow an attacker to bypass authentication to the server and obtain full admin privileges. |
| CVE-2024-8277 | 1 Villatheme | 1 Woocommerce Photo Reviews | 2024-09-26 | N/A | 9.8 CRITICAL | The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as a user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as an ... |
| CVE-2024-45229 | | | 2024-09-26 | N/A | 6.6 MEDIUM | The Versa Director offers REST APIs for orchestration and management. By design, certain APIs, such as the login screen, banner display, and device registration, do not require authentication. However, it was discovered that for Directors directly connected to the Internet, one of these APIs can be exploited by injecting invalid arguments into a GET request, potentially exposing the authentication tokens of other currently logged-in users. These tokens can then be used to invoke additional APIs ... |
| CVE-2024-37991 | 1 Siemens | 54 Simatic Reader Rf610r Cmiit, Simatic Reader Rf610r Cmiit Firmware, Simatic Reader Rf610r Etsi and 51 more | 2024-09-18 | N/A | 6.5 MEDIUM | A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versions < V4.2), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0) (All versions < V4.2), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0) (All versions < V4.2), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0) (All versions < V4.2), SIMATIC Reader RF650R ARIB (6GT2811 ... |
| CVE-2024-8751 | | | 2024-09-13 | N/A | 7.5 HIGH | A vulnerability in the MSC800 allows an unauthenticated attacker to modify the product's IP address over Sopas ET. This can lead to Denial of Service. Users are recommended to upgrade both MSC800 and MSC800 LFT to version V4.26 and S2.93.20 respectively, which fixes this issue. |
| CVE-2024-8321 | 1 Ivanti | 1 Endpoint Manager | 2024-09-12 | N/A | 8.6 HIGH | Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update, allows a remote unauthenticated attacker to isolate managed devices from the network. |
| CVE-2024-8320 | 1 Ivanti | 1 Endpoint Manager | 2024-09-12 | N/A | 5.3 MEDIUM | Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update, allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices. |