Total: 282 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-15331 | 1 Zyxel | 1 Cloudcnm Secumanager | 2023-12-10 | N/A | 9.8 CRITICAL | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded OAUTH_SECRET_KEY in /opt/axess/etc/default/axess.
CVE-2020-15342 | 1 Zyxel | 1 Cloudcnm Secumanager | 2023-12-10 | N/A | 5.3 MEDIUM | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_install_user API.
CVE-2020-15330 | 1 Zyxel | 1 Cloudcnm Secumanager | 2023-12-10 | N/A | 5.3 MEDIUM | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded APP_KEY in /opt/axess/etc/default/axess.
CVE-2020-15345 | 1 Zyxel | 1 Cloudcnm Secumanager | 2023-12-10 | N/A | 5.3 MEDIUM | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_get_instances_for_update API.
CVE-2020-15344 | 1 Zyxel | 1 Cloudcnm Secumanager | 2023-12-10 | N/A | 5.3 MEDIUM | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_get_user_id_and_key API.
CVE-2022-3174 | 1 Ikus-soft | 1 Rdiffweb | 2023-12-10 | N/A | 7.5 HIGH | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.2.
CVE-2020-15343 | 1 Zyxel | 1 Cloudcnm Secumanager | 2023-12-10 | N/A | 5.3 MEDIUM | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_install_user_key API.
CVE-2020-15346 | 1 Zyxel | 1 Cloudcnm Secumanager | 2023-12-10 | N/A | 5.3 MEDIUM | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a /live/GLOBALS API with the CLOUDCNM key.
CVE-2022-3250 | 1 Ikus-soft | 1 Rdiffweb | 2023-12-10 | N/A | 5.3 MEDIUM | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.6.
CVE-2015-3207 | 1 Openshift | 1 Origin | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM | In Openshift Origin 3 the cookies being set in console have no 'secure', 'HttpOnly' attributes.
CVE-2022-40295 | 1 Phppointofsale | 1 Php Point Of Sale | 2023-12-10 | N/A | 4.9 MEDIUM | The application was vulnerable to an authenticated information disclosure, allowing administrators to view unsalted user passwords, which could lead to the compromise of plaintext passwords via offline attacks.
CVE-2020-15340 | 1 Zyxel | 1 Cloudcnm Secumanager | 2023-12-10 | N/A | 7.5 HIGH | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded opt/axess/AXAssets/default_axess/axess/TR69/Handlers/turbolink/sshkeys/id_rsa SSH key.
CVE-2022-35860 | 1 Corsair | 2 K63, K63 Firmware | 2023-12-10 | N/A | 6.8 MEDIUM | Missing AES encryption in Corsair K63 Wireless 3.1.3 allows physically proximate attackers to inject and sniff keystrokes via 2.4 GHz radio transmissions.
CVE-2022-38194 | 1 Esri | 1 Portal For Arcgis | 2023-12-10 | N/A | 5.5 MEDIUM | In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file.
CVE-2021-27783 | 1 Hcltech | 2 Bigfix Mobile, Bigfix Modern Client Management | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM | User generated PPKG file for Bulk Enroll may have unencrypted sensitive information exposed.
CVE-2022-30237 | 1 Schneider-electric | 4 Wiser Smart Eer21000, Wiser Smart Eer21000 Firmware, Wiser Smart Eer21001 and 1 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | A CWE-311: Missing Encryption of Sensitive Data vulnerability exists that could allow authentication credentials to be recovered when an attacker breaks the encoding. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)
CVE-2021-40650 | 1 Softwareag | 1 Connx | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM | In Connx Version 6.2.0.1269 (20210623), a cookie can be issued by the application and not have the secure flag set.
CVE-2022-27225 | 1 Gradle | 1 Enterprise | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM | Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards compatibility with older Safari versions, Keycloak sets a duplicate of the cookie without the Secure attribute, which allows the cookie to be sent when accessing the location that cookie is set for via HTTP. This creates the potential for an attacker (with the ability to impersonate the Gradle Enterprise host) to capture the login session of a user by having them click an http:// link to the server, despite the real server requiring HTTPS.
CVE-2022-24045 | 1 Siemens | 8 Desigo Dxr2, Desigo Dxr2 Firmware, Desigo Pxc3 and 5 more | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM | A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The application, after a successful login, sets the session cookie on the browser via client-side JavaScript code, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”). Any attempt to browse the application via unencrypted HTTP would lead to the transmission of all of the user's session cookies in plaintext through the network. An attacker could then be able to sniff the network and capture sensitive information.
CVE-2022-26281 | 1 Bigantsoft | 1 Bigant Server | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | BigAnt Server v5.6.06 was discovered to contain an incorrect access control issue.