Total
1398 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-48768 | 2024-10-15 | N/A | 7.5 HIGH | ||
| An issue in almaodo GmbH appinventor.ai_google.almando_control 2.3.1 allows a remote attacker to obtain sensitive information via the firmware update process | |||||
| CVE-2024-48776 | 2024-10-15 | N/A | 7.5 HIGH | ||
| An issue in Shelly com.home.shelly 1.0.4 allows a remote attacker to obtain sensitive information via the firmware update process | |||||
| CVE-2024-48775 | 2024-10-15 | N/A | 7.5 HIGH | ||
| An issue in Plug n Play Camera com.ezset.delaney 1.2.0 allows a remote attacker to obtain sensitive information via the firmware update process. | |||||
| CVE-2024-48773 | 2024-10-15 | N/A | 7.5 HIGH | ||
| An issue in WoFit v.7.2.3 allows a remote attacker to obtain sensitive information via the firmware update process | |||||
| CVE-2024-48777 | 2024-10-15 | N/A | 7.5 HIGH | ||
| LEDVANCE com.ledvance.smartplus.eu 2.1.10 allows a remote attacker to obtain sensitive information via the firmware update process. | |||||
| CVE-2024-9522 | 1 Lagunaisw | 1 Wp Users Masquerade | 2024-10-15 | N/A | 8.8 HIGH |
| The WP Users Masquerade plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.0. This is due to incorrect authentication and capability checking in the 'ajax_masq_login' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator. | |||||
| CVE-2024-8530 | 2024-10-15 | N/A | 5.9 MEDIUM | ||
| CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause exposure of private data when an already generated “logcaptures” archive is accessed directly by HTTPS. | |||||
| CVE-2024-47555 | 2024-10-10 | N/A | 8.3 HIGH | ||
| Missing Authentication - User & System Configuration | |||||
| CVE-2024-9289 | 1 Redefiningtheweb | 1 Affiliate Pro | 2024-10-07 | N/A | 9.8 CRITICAL |
| The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator's email. | |||||
| CVE-2024-8456 | 1 Planet | 4 Gs-4210-24p2s, Gs-4210-24p2s Firmware, Gs-4210-24pl4c and 1 more | 2024-10-04 | N/A | 9.8 CRITICAL |
| Certain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining full control of the devices. | |||||
| CVE-2024-35294 | 2024-10-04 | N/A | 6.5 MEDIUM | ||
| An unauthenticated remote attacker may use the devices traffic capture without authentication to grab plaintext administrative credentials. | |||||
| CVE-2024-35293 | 2024-10-04 | N/A | 9.1 CRITICAL | ||
| An unauthenticated remote attacker may use a missing authentication for critical function vulnerability to reboot or erase the affected devices resulting in data loss and/or a DoS. | |||||
| CVE-2024-41988 | 2024-10-04 | N/A | N/A | ||
| TEM Opera Plus FM Family Transmitter allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. This file system serves as the basis for the HTTP2 web server module but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code. | |||||
| CVE-2024-7781 | 1 Artbees | 1 Jupiter X Core | 2024-10-02 | N/A | 9.8 CRITICAL |
| The Jupiter X Core plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.7.5. This is due to improper authentication via the Social Login widget. This makes it possible for unauthenticated attackers to log in as the first user to have logged in with a social media account, including administrator accounts. Attackers can exploit the vulnerability even if the Social Login element has been disabled, as long as it was previously enabled and used. The vulnerability was partially patched in version 4.7.5, and fully patched in version 4.7.8. | |||||
| CVE-2023-52949 | 1 Synology | 1 Active Backup For Business Agent | 2024-10-02 | N/A | 5.5 MEDIUM |
| Missing authentication for critical function vulnerability in proxy settings functionality in Synology Active Backup for Business Agent before 2.7.0-3221 allows local users to obtain user credential via unspecified vectors. | |||||
| CVE-2023-52947 | 1 Synology | 1 Active Backup For Business Agent | 2024-10-02 | N/A | 3.3 LOW |
| Missing authentication for critical function vulnerability in logout functionality in Synology Active Backup for Business Agent before 2.6.3-3101 allows local users to logout the client via unspecified vectors. The backup functionality will continue to operate and will not be affected by the logout. | |||||
| CVE-2024-6981 | 2024-09-30 | N/A | 9.8 CRITICAL | ||
| OMNTEC Proteus Tank Monitoring OEL8000III Series could allow an attacker to perform administrative actions without proper authentication. | |||||
| CVE-2024-39364 | 2024-09-30 | N/A | 6.3 MEDIUM | ||
| Advantech ADAM-5630 has built-in commands that can be executed without authenticating the user. These commands allow for restarting the operating system, rebooting the hardware, and stopping the execution. The commands can be sent to a simple HTTP request and are executed by the device automatically, without discrimination of origin or level of privileges of the user sending the commands. | |||||
| CVE-2024-8310 | 2024-09-30 | N/A | 9.8 CRITICAL | ||
| OPW Fuel Management Systems SiteSentinel could allow an attacker to bypass authentication to the server and obtain full admin privileges. | |||||
| CVE-2024-8277 | 1 Villatheme | 1 Woocommerce Photo Reviews | 2024-09-26 | N/A | 9.8 CRITICAL |
| The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a valid user_id as the value, though it would be more difficult to exploit this successfully. | |||||