Total
930 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-51987 | 1 Dlink | 2 Dir-822, Dir-822 Firmware | 2024-01-18 | N/A | 9.8 CRITICAL |
| D-Link DIR-822+ V1.0.2 contains a login bypass in the HNAP1 interface, which allows attackers to log in to administrator accounts with empty passwords. | |||||
| CVE-2023-40393 | 1 Apple | 1 Macos | 2024-01-17 | N/A | 7.5 HIGH |
| An authentication issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14. Photos in the Hidden Photos Album may be viewed without authentication. | |||||
| CVE-2022-0993 | 1 Siteground | 1 Siteground Security | 2024-01-11 | 7.5 HIGH | 9.8 CRITICAL |
| The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on the 2FA back-up code implementation that logs users in upon success. This affects versions up to, and including, 1.2.5. | |||||
| CVE-2023-5881 | 1 Geniecompany | 2 Aladdin Connect Garage Door Opener, Aladdin Connect Garage Door Opener Firmware | 2024-01-10 | N/A | 8.2 HIGH |
| Unauthenticated access permitted to web interface page The Genie Company Aladdin Connect (Retrofit-Kit Model ALDCM) "Garage Door Control Module Setup" and modify the Garage door's SSID settings. | |||||
| CVE-2019-18339 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-01-09 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability has been identified in SiNVR/SiVMS Video Server (All versions < V5.0.0). The HTTP service (default port 5401/tcp) of the SiVMS/SiNVR Video Server contains an authentication bypass vulnerability, even when properly configured with enforced authentication. A remote attacker with network access to the Video Server could exploit this vulnerability to read the SiVMS/SiNVR users database, including the passwords of all users in obfuscated cleartext. | |||||
| CVE-2023-29485 | 3 Apple, Heimdalsecurity, Microsoft | 3 Macos, Thor, Windows | 2023-12-29 | N/A | 9.8 CRITICAL |
| An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS, allows attackers to bypass network filtering, execute arbitrary code, and obtain sensitive information via DarkLayer Guard threat prevention module. | |||||
| CVE-2023-40401 | 1 Apple | 1 Macos | 2023-12-22 | N/A | 7.5 HIGH |
| The issue was addressed with additional permissions checks. This issue is fixed in macOS Ventura 13.6.1. An attacker may be able to access passkeys without authentication. | |||||
| CVE-2022-26925 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2023-12-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Windows LSA Spoofing Vulnerability | |||||
| CVE-2023-6595 | 1 Progress | 1 Whatsup Gold | 2023-12-19 | N/A | 5.3 MEDIUM |
| In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate ancillary credential information stored within WhatsUp Gold. | |||||
| CVE-2023-6368 | 1 Progress | 1 Whatsup Gold | 2023-12-19 | N/A | 5.3 MEDIUM |
| In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related to a registered device being monitored by WhatsUp Gold. | |||||
| CVE-2023-50263 | 1 Networktocode | 1 Nautobot | 2023-12-18 | N/A | 5.3 MEDIUM |
| Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 1.x and 2.0.x prior to 1.6.7 and 2.0.6, the URLs `/files/get/?name=...` and `/files/download/?name=...` are used to provide admin access to files that have been uploaded as part of a run request for a Job that has FileVar inputs. Under normal operation these files are ephemeral and are deleted once the Job in question runs. In the default implementation used in Nautobot, as provided by `django-db-file-storage`, these URLs do not by default require any user authentication to access; they should instead be restricted to only users who have permissions to view Nautobot's `FileProxy` model instances. Note that no URL mechanism is provided for listing or traversal of the available file `name` values, so in practice an unauthenticated user would have to guess names to discover arbitrary files for download, but if a user knows the file name/path value, they can access it without authenticating, so we are considering this a vulnerability. Fixes are included in Nautobot 1.6.7 and Nautobot 2.0.6. No known workarounds are available other than applying the patches included in those versions. | |||||
| CVE-2023-6718 | 1 Europeana | 1 Repox | 2023-12-18 | N/A | 7.5 HIGH |
| An authentication bypass vulnerability has been found in Repox, which allows a remote user to send a specially crafted POST request, due to the lack of any authentication method, resulting in the alteration or creation of users. | |||||
| CVE-2023-46381 | 1 Loytec | 6 Linx-212, Linx-212 Firmware, Liob-586 and 3 more | 2023-12-14 | N/A | 8.2 HIGH |
| LOYTEC LINX-212 firmware 6.2.4 and LVIS-3ME12-A1 firmware 6.2.2 and LIOB-586 firmware 6.2.3 devices lack authentication for the preinstalled version of LWEB-802 via an lweb802_pre/ URI. An unauthenticated attacker can edit any project (or create a new project) and control its GUI. | |||||
| CVE-2023-47674 | 1 C-first | 56 Cfr-1004ea, Cfr-1004ea Firmware, Cfr-1008ea and 53 more | 2023-12-10 | N/A | 9.8 CRITICAL |
| Missing authentication for critical function vulnerability in First Corporation's DVRs allows a remote unauthenticated attacker to rewrite or obtain the configuration information of the affected device. Note that updates are provided only for Late model of CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, and MD-808AB. As for the other products, apply the workaround. | |||||
| CVE-2023-29060 | 2 Bd, Hp | 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 | 2023-12-10 | N/A | 5.7 MEDIUM |
| The FACSChorus workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data. | |||||
| CVE-2023-34060 | 1 Vmware | 2 Cloud Director, Photon Os | 2023-12-10 | N/A | 9.8 CRITICAL |
| VMware Cloud Director Appliance contains an authentication bypass vulnerability in case VMware Cloud Director Appliance was upgraded to 10.5 from an older version. On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console) . This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present. VMware Cloud Director Appliance is impacted since it uses an affected version of sssd from the underlying Photon OS. The sssd issue is no longer present in versions of Photon OS that ship with sssd-2.8.1-11 or higher (Photon OS 3) or sssd-2.8.2-9 or higher (Photon OS 4 and 5). | |||||
| CVE-2023-29063 | 2 Bd, Hp | 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 | 2023-12-10 | N/A | 2.4 LOW |
| The FACSChorus workstation does not prevent physical access to its PCI express (PCIe) slots, which could allow a threat actor to insert a PCI card designed for memory capture. A threat actor can then isolate sensitive information such as a BitLocker encryption key from a dump of the workstation RAM during startup. | |||||
| CVE-2023-29061 | 2 Bd, Hp | 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 | 2023-12-10 | N/A | 5.2 MEDIUM |
| There is no BIOS password on the FACSChorus workstation. A threat actor with physical access to the workstation can potentially exploit this vulnerability to access the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication. | |||||
| CVE-2023-42770 | 1 Redlioncontrols | 12 St-ipm-6350, St-ipm-6350 Firmware, St-ipm-8460 and 9 more | 2023-12-10 | N/A | 9.8 CRITICAL |
| Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TCP/IP the RTU will simply accept the message with no authentication challenge. | |||||
| CVE-2023-49693 | 1 Netgear | 1 Prosafe Network Management System | 2023-12-10 | N/A | 9.8 CRITICAL |
| NETGEAR ProSAFE Network Management System has Java Debug Wire Protocol (JDWP) listening on port 11611 and it is remotely accessible by unauthenticated users, allowing attackers to execute arbitrary code. | |||||