Export limit exceeded: 355230 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (3373 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-15894 | 1 Dlink | 2 Dir-816l, Dir-816l Firmware | 2024-11-21 | 7.5 High |
| An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. There exists an exposed administration function in getcfg.php, which can be used to call various services. It can be utilized by an attacker to retrieve various sensitive information, such as admin login credentials, by setting the value of _POST_SERVICES in the query string to DEVICE.ACCOUNT. | ||||
| CVE-2020-15851 | 1 Nakivo | 1 Backup \& Replication Transporter | 2024-11-21 | 9.8 Critical |
| Lack of access control in Nakivo Backup & Replication Transporter version 9.4.0.r43656 allows remote users to access unencrypted backup repositories and the Nakivo Controller configuration via a network accessible transporter service. It is also possible to create or delete backup repositories. | ||||
| CVE-2020-15834 | 1 Mofinetwork | 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware | 2024-11-21 | 7.5 High |
| An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The wireless network password is exposed in a QR encoded picture that an unauthenticated adversary can download via the web-management interface. | ||||
| CVE-2020-15799 | 1 Siemens | 132 Scalance X200-4pirt, Scalance X200-4pirt Firmware, Scalance X201-3pirt and 129 more | 2024-11-21 | 6.5 Medium |
| A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < V5.2.5), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.5.0). The vulnerability could allow an unauthenticated attacker to reboot the device over the network by using special urls from integrated web server of the affected products. | ||||
| CVE-2020-15787 | 1 Siemens | 2 Simatic Hmi United Comfort Panels, Simatic Hmi United Comfort Panels Firmware | 2024-11-21 | 9.8 Critical |
| A vulnerability has been identified in SIMATIC HMI Unified Comfort Panels (All versions <= V16). Affected devices insufficiently validate authentication attempts as the information given can be truncated to match only a set number of characters versus the whole provided string. This could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force attack. | ||||
| CVE-2020-15770 | 1 Gradle | 1 Enterprise | 2024-11-21 | 5.5 Medium |
| An issue was discovered in Gradle Enterprise 2018.5. An attacker can potentially make repeated attempts to guess a local user's password, due to lack of lock-out after excessive failed logins. | ||||
| CVE-2020-15632 | 1 Dlink | 2 Dir-842, Dir-842 Firmware | 2024-11-21 | 8.8 High |
| This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-842 3.13B05 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of HNAP GetCAPTCHAsetting requests. The issue results from the lack of proper handling of sessions. An attacker can leverage this vulnerability to execute arbitrary code in the context of the device. Was ZDI-CAN-10083. | ||||
| CVE-2020-15483 | 1 Niscomed | 2 M1000 Multipara Patient Monitor, M1000 Multipara Patient Monitor Firmware | 2024-11-21 | 6.8 Medium |
| An issue was discovered on Nescomed Multipara Monitor M1000 devices. The physical UART debug port provides a shell, without requiring a password, with complete access. | ||||
| CVE-2020-15391 | 1 Devspace | 1 Devspace | 2024-11-21 | 9.8 Critical |
| The UI in DevSpace 4.13.0 allows web sites to execute actions on pods (on behalf of a victim) because of a lack of authentication for the WebSocket protocol. This leads to remote code execution. | ||||
| CVE-2020-15367 | 1 Venki | 1 Supravizio Bpm | 2024-11-21 | 9.8 Critical |
| Venki Supravizio BPM 10.1.2 does not limit the number of authentication attempts. An unauthenticated user may exploit this vulnerability to launch a brute-force authentication attack against the Login page. | ||||
| CVE-2020-15336 | 1 Zyxel | 1 Cloudcnm Secumanager | 2024-11-21 | 7.5 High |
| Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /cnr requests. | ||||
| CVE-2020-15335 | 1 Zyxel | 1 Cloudcnm Secumanager | 2024-11-21 | 7.5 High |
| Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /registerCpe requests. | ||||
| CVE-2020-15243 | 1 Smartstore | 1 Smartstore | 2024-11-21 | 9.1 Critical |
| Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops in version 4.0.0 & 4.0.1 which have installed and activated the Web API plugin. Users of Smartstore 4.0.0 and 4.0.1 must merge their repository with 4.0.x or overwrite the file SmartStore.Web.Framework in the */bin* directory of the deployed shop with this file. As a workaround without updating uninstall the Web API plugin to close this vulnerability. | ||||
| CVE-2020-15136 | 2 Fedoraproject, Redhat | 4 Fedora, Etcd, Openshift and 1 more | 2024-11-21 | 6.5 Medium |
| In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality. | ||||
| CVE-2020-15127 | 1 Projectcontour | 1 Contour | 2024-11-21 | 7.5 High |
| In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flipping the readiness endpoint to false, which removes Envoy from the routing pool. When running Envoy (For example on the host network, pod spec hostNetwork=true), the shutdown manager's endpoint is accessible to anyone on the network that can reach the Kubernetes node that's running Envoy. There is no authentication in place that prevents a rogue actor on the network from shutting down Envoy via the shutdown manager endpoint. Successful exploitation of this issue will lead to bad actors shutting down all instances of Envoy, essentially killing the entire ingress data plane. This is fixed in version 1.7.0. | ||||
| CVE-2020-15115 | 2 Fedoraproject, Redhat | 3 Fedora, Etcd, Openstack | 2024-11-21 | 5.8 Medium |
| etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort. | ||||
| CVE-2020-15078 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2024-11-21 | 7.5 High |
| OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. | ||||
| CVE-2020-15077 | 1 Openvpn | 1 Openvpn Access Server | 2024-11-21 | 5.3 Medium |
| OpenVPN Access Server 2.8.7 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. | ||||
| CVE-2020-15074 | 1 Openvpn | 1 Openvpn Access Server | 2024-11-21 | 7.5 High |
| OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp. | ||||
| CVE-2020-14501 | 1 Advantech | 1 Iview | 2024-11-21 | 9.8 Critical |
| Advantech iView, versions 5.6 and prior, has an improper authentication for critical function (CWE-306) issue. Successful exploitation of this vulnerability may allow an attacker to obtain the information of the user table, including the administrator credentials in plain text. An attacker may also delete the administrator account. | ||||