Total: 3746 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1426 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 MEDIUM | 2.0 LOW |
| An issue has been discovered in GitLab affecting all versions starting from 12.6 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly authenticating a user that had a certain amount of information, which allowed a user to authenticate without a personal access token. | |||||
| CVE-2022-1101 | 1 Event Management System Project | 1 Event Management System | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in SourceCodester Royale Event Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /royal_event/userregister.php. The manipulation leads to improper authentication. The attack may be initiated remotely. The identifier VDB-195785 was assigned to this vulnerability. | |||||
| CVE-2022-1084 | 1 One Church Management System Project | 1 One Church Management System | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability classified as critical was found in SourceCodester One Church Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /one_church/userregister.php. The manipulation leads to authentication bypass. The attack can be launched remotely. | |||||
| CVE-2022-1067 | 1 Lifepoint | 1 Patient Portal | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Navigating to a specific URL with a patient ID number will result in the server generating a PDF of a lab report without authentication and rate limiting. | |||||
| CVE-2022-1065 | 1 Abacus | 5 Abacus Erp 2018, Abacus Erp 2019, Abacus Erp 2020 and 2 more | 2024-11-21 | 9.0 HIGH | 8.1 HIGH |
| A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus ERP v2022 versions prior to R1 of 2022-01-15; v2021 versions prior to R4 of 2022-01-15; v2020 versions prior to R6 of 2022-01-15; v2019 versions later than R5 (service pack); v2018 versions later than R5 (service pack). This issue does not affect: Abacus ERP v2019 versions prior to R5 of 2020-03-15; v2018 versions prior to R7 of 2020-04-15; v2017 and prior versions. | |||||
| CVE-2022-1049 | 2 Clusterlabs, Debian | 2 Pcs, Debian Linux | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords, to log in when using PAM authentication. Therefore, unprivileged expired accounts that had been denied access could still log in. | |||||
| CVE-2022-0910 | 1 Zyxel | 64 Atp100, Atp100 Firmware, Atp100w and 61 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| A downgrade from two-factor authentication to one-factor authentication vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.32 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, and VPN series firmware versions 4.32 through 5.21, that could allow an authenticated attacker to bypass the second authentication phase and connect to the IPsec VPN server even though two-factor authentication (2FA) was enabled. | |||||
| CVE-2022-0862 | 1 Mcafee | 1 Epolicy Orchestrator | 2024-11-21 | 4.3 MEDIUM | 3.1 LOW |
| A lack of password change protection vulnerability in a deprecated API of McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker to change the password of a compromised session without knowing the existing user's password. This functionality was removed from the User Interface in ePO 10 and the API has now been disabled. Other protection is in place to reduce the likelihood of this being successful through sending a link to a logged-in user. | |||||
| CVE-2022-0730 | 3 Cacti, Debian, Fedoraproject | 3 Cacti, Debian Linux, Fedora | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| Under certain LDAP conditions, Cacti authentication can be bypassed with certain credential types. | |||||
| CVE-2022-0540 | 1 Atlassian | 3 Jira Data Center, Jira Server, Jira Service Management | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0. | |||||
| CVE-2022-0342 | 1 Zyxel | 46 Atp100, Atp100 Firmware, Atp100w and 43 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device. | |||||
| CVE-2021-4230 | 1 Airfield Online Project | 1 Airfield Online | 2024-11-21 | 5.0 MEDIUM | 3.7 LOW |
| A vulnerability has been found in Airfield Online and classified as problematic. This vulnerability affects the path /backups/ of the MySQL backup handler. An attacker is able to get access to sensitive data without proper authentication. It is recommended to change the configuration settings. | |||||
| CVE-2021-4201 | 1 Forgerock | 1 Access Management | 2024-11-21 | 7.5 HIGH | 9.6 CRITICAL |
| Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions. | |||||
| CVE-2021-4197 | 5 Broadcom, Debian, Linux and 2 more | 14 Brocade Fabric Operating System Firmware, Debian Linux, Linux Kernel and 11 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged processes that are controlled by cgroups and have a higher privileged parent process. It affects both the cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system. | |||||
| CVE-2021-4073 | 1 Metagauss | 1 Registrationmagic | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site due to missing identity validation in the social login function social_login_using_email() of the plugin. This affects versions equal to, and less than, 5.0.1.7. | |||||
| CVE-2021-46740 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The device authentication service module has a defect vulnerability introduced in the design process. Successful exploitation of this vulnerability may affect data confidentiality. | |||||
| CVE-2021-46390 | 1 Lexar | 2 F35, F35 Firmware | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
| An access control issue in the authentication module of Lexar_F35 v1.0.34 allows attackers to access sensitive data and cause a Denial of Service (DoS). An attacker without access to securely protected data on a secure USB flash drive can bypass user authentication without having any information related to the password of the registered user. The secure USB flash drive transmits the password entered by the user to the authentication module in the drive after the user registers a password, and then the input password is compared with the registered password stored in the authentication module. Subsequently, the module returns the comparison result for the authentication decision. Therefore, an attacker can bypass password authentication by analyzing the functions that return the password verification or comparison results and manipulate the authentication result values. Accordingly, even if attackers enter an incorrect password, they can be authenticated as a legitimate user and can therefore exploit functions of the secure USB flash drive by manipulating the authentication result values. | |||||
| CVE-2021-45917 | 1 Sun Moon Jingyao | 2 Network Computer Terminal Protection System, Network Computer Terminal Protection System Firmware | 2024-11-21 | 7.7 HIGH | 8.0 HIGH |
| The server-request receiver function of the Shockwall system has an improper authentication vulnerability. An authenticated attacker on an agent computer within the local area network can use the local registry information to launch a server-side request forgery (SSRF) attack on another agent computer, resulting in arbitrary code execution for controlling the system or disrupting service. | |||||
| CVE-2021-45900 | 1 Vivoh | 1 Webinar Manager | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Vivoh Webinar Manager before 3.6.3.0 has improper API authentication. When a user logs in to the administration configuration web portlet, a VIVOH_AUTH cookie is assigned so that they can be uniquely identified. Certain APIs can be successfully executed without proper authentication. This can let an attacker impersonate the victim and make state-changing requests on their behalf. | |||||
| CVE-2021-45890 | 1 Authguard Project | 1 Authguard | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| basic/BasicAuthProvider.java in AuthGuard before 0.9.0 allows authentication via an inactive identifier. | |||||
