Total
3672 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-15485 | 1 Kone | 2 Group Controller, Group Controller Firmware | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. FTP does not require authentication or authorization, aka KONE-03. | |||||
| CVE-2018-15479 | 1 Mystrom | 12 Wifi Bulb, Wifi Bulb Firmware, Wifi Button and 9 more | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. Devices did not authenticate themselves to the cloud in device to cloud communication. This lack of device authentication allowed an attacker to impersonate any device by guessing or learning their MAC address. | |||||
| CVE-2018-15478 | 1 Mystrom | 12 Wifi Bulb, Wifi Bulb Firmware, Wifi Button and 9 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. The process of registering a device with a cloud account was based on an activation code derived from the device MAC address. By guessing valid MAC addresses or using MAC addresses printed on devices in shops and reverse engineering the protocol, an attacker would have been able to register previously unregistered devices to their account. When the rightful owner would have connected them after purchase to their WiFi network, the devices would not have registered with their account, would subsequently not have been controllable from the owner's mobile app, and would not have been visible in the owner's account. Instead, they would have been under control of the attacker. | |||||
| CVE-2018-15371 | 1 Cisco | 1 Ios Xe | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the shell access request mechanism of Cisco IOS XE Software could allow an authenticated, local attacker to bypass authentication and gain unrestricted access to the root shell of an affected device. The vulnerability exists because the affected software has insufficient authentication mechanisms for certain commands. An attacker could exploit this vulnerability by requesting access to the root shell of an affected device, after the shell access feature has been enabled. A successful exploit could allow the attacker to bypass authentication and gain unrestricted access to the root shell of the affected device. | |||||
| CVE-2018-15152 | 1 Open-emr | 1 Openemr | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_results.php, (6) portal/get_medications.php, (7) portal/get_patient_documents.php, (8) portal/get_problems.php, (9) portal/get_profile.php, (10) portal/portal_payment.php, (11) portal/messaging/messages.php, (12) portal/messaging/secure_chat.php, (13) portal/report/pat_ledger.php, (14) portal/report/portal_custom_report.php, or (15) portal/report/portal_patient_report.php without authenticating as a patient. | |||||
| CVE-2018-14868 | 1 Odoo | 1 Odoo | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Incorrect access control in the Password Encryption module in Odoo Community 9.0 and Odoo Enterprise 9.0 allows authenticated users to change the password of other users without knowing their current password via a crafted RPC call. | |||||
| CVE-2018-14805 | 1 Hitachienergy | 1 Esoms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| ABB eSOMS version 6.0.2 may allow unauthorized access to the system when LDAP is set to allow anonymous authentication, and specific key values within the eSOMS web.config file are present. Both conditions are required to exploit this vulnerability. | |||||
| CVE-2018-14786 | 1 Bd | 8 Alaris Cc, Alaris Cc Firmware, Alaris Gh and 5 more | 2024-11-21 | 7.5 HIGH | 9.4 CRITICAL |
| Becton, Dickinson and Company (BD) Alaris Plus medical syringe pumps (models Alaris GS, Alaris GH, Alaris CC, and Alaris TIVA) versions 2.3.6 and prior are affected by an improper authentication vulnerability where the software does not perform authentication for functionality that requires a provable user identity, where it may allow a remote attacker to gain unauthorized access to various Alaris Syringe pumps and impact the intended operation of the pump when it is connected to a terminal server via the serial port. | |||||
| CVE-2018-14782 | 1 Netcommwireless | 2 Nwl-25, Nwl-25 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user. | |||||
| CVE-2018-14709 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation. | |||||
| CVE-2018-14708 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An insecure transport protocol used by Drobo Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to intercept network traffic. | |||||
| CVE-2018-14705 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability of these applications, but also poses severe risks to the confidentiality and integrity of data stored within the applications and the device itself. | |||||
| CVE-2018-14637 | 1 Redhat | 1 Keycloak | 2024-11-21 | 6.8 MEDIUM | 6.1 MEDIUM |
| The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack. | |||||
| CVE-2018-14345 | 1 Sddm Project | 1 Sddm | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in SDDM through 0.17.0. If configured with ReuseSession=true, the password is not checked for users with an already existing session. Any user with access to the system D-Bus can therefore unlock any graphical session. This is related to daemon/Display.cpp and helper/backend/PamBackend.cpp. | |||||
| CVE-2018-14080 | 2 D-link, Dlink | 4 Dir-809 A1 Firmware, Dir-809 A2 Firmware, Dir-809 Guestzone Firmware and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on D-Link DIR-809 A1 through 1.09, A2 through 1.11, and Guest Zone through 1.09 devices. One can bypass authentication mechanisms to download the configuration file. | |||||
| CVE-2018-14078 | 1 Wi2be | 1 Smart Hp Wmt | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Wi2be SMART HP WMT R1.2.20_201400922 allows unauthorized remote attackers to reset the admin password via the /ConfigWizard/ChangePwd.esp?2admin URL (Attackers can login using the "admin" username with password "admin" after a successful attack). | |||||
| CVE-2018-14008 | 1 Arista | 1 Eos | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
| Arista EOS through 4.21.0F allows a crash because 802.1x authentication is mishandled. | |||||
| CVE-2018-13990 | 1 Phoenixcontact | 58 Fl Switch 3004t-fx, Fl Switch 3004t-fx Firmware, Fl Switch 3004t-fx St and 55 more | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
| The WebUI of PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, 48xx versions prior to 1.35 is vulnerable to brute-force attacks, because of Improper Restriction of Excessive Authentication Attempts. | |||||
| CVE-2018-13927 | 1 Qualcomm | 48 Mdm9206, Mdm9206 Firmware, Mdm9607 and 45 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| Debug policy with invalid signature can be loaded when the debug policy functionality is disabled by using the parallel image loading in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in MDM9206, MDM9607, MDM9650, MDM9655, MSM8996AU, QCS404, QCS605, SD 410/12, SD 636, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SXR1130 | |||||
| CVE-2018-13821 | 1 Ca | 1 Unified Infrastructure Management | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A lack of authentication, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows remote attackers to conduct a variety of attacks, including file reading/writing. | |||||