CVE Daily
← All tags

Tag: Unauthenticated/Unauthorized Access

All CVEs associated with "Unauthenticated/Unauthorized Access". Page 89/128 • 15326 CVEs.

Subscribe CVEs: RSS for “Unauthenticated/Unauthorized Access”  ·  RSS (High+Critical only)

About “Unauthenticated/Unauthorized Access”

A curated feed of “Unauthenticated/Unauthorized Access”-related CVEs appears below. We currently track 15326 CVEs for this tag (all time). In the last 365 days, 3832 were published. Average CVSS is 7.4 (all time; 7.4 over 365d), and 61% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-862 - Missing Authorization, CWE-306 - Missing Authentication for Critical Function, CWE-639 - Authorization Bypass Through User-Controlled Key.

In our taxonomy this topic maps to a HIGH impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2020-10-12
High

CVE-2020-5139

A vulnerability in SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS) due to the release of Invalid pointer and leads to a firewall crash. This vulnerabi…

CVSS: 7.5 CWE: CWE-763 - Release of Invalid Pointer or Reference View on NVD
High

CVE-2020-5138

A Heap Overflow vulnerability in the SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS) on the firewall SSLVPN service and leads to SonicOS crash. This vulnerability af…

CVSS: 7.5 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2020-5137

A buffer overflow vulnerability in SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS) on the firewall SSLVPN service and leads to firewall crash. This vulnerability aff…

CVSS: 7.5 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
High

CVE-2020-5133

A vulnerability in SonicOS allows a remote unauthenticated attacker to cause Denial of Service due to buffer overflow, which leads to a firewall crash. This vulnerability affected SonicOS Gen 6 versi…

CVSS: 7.5 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
2020-10-09
Critical

CVE-2020-26928

Certain NETGEAR devices are affected by authentication bypass. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.10.11,…

CVSS: 9.6 CWE: N/A View on NVD
Critical

CVE-2020-26927

Certain NETGEAR devices are affected by authentication bypass. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.42, R6080 before 1.0.0.42, R6050 before 1.0.1.26, JR6150…

CVSS: 9.4 CWE: N/A View on NVD
Critical

CVE-2020-26926

Certain NETGEAR devices are affected by authentication bypass. This affects CBR40 before 2.5.0.10, RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.10.11,…

CVSS: 9.6 CWE: N/A View on NVD
High

CVE-2020-26921

Certain NETGEAR devices are affected by authentication bypass. This affects GS110EMX before 1.0.1.7, GS810EMX before 1.7.1.3, XS512EM before 1.0.1.3, and XS724EM before 1.0.1.3.

CVSS: 8.3 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2020-26920

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects SRK60 before 2.5.3.110, SRR60 before 2.5.3.110, and SRS60 before 2.5.3.110.

CVSS: 8.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
High

CVE-2020-26909

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects D7800 before 1.0.1.58 and R7500v2 before 1.0.3.48.

CVSS: 8.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Critical

CVE-2020-26908

Certain NETGEAR devices are affected by authentication bypass. This affects D6200 before 1.1.00.36, D7000 before 1.0.1.74, PR2000 before 1.0.0.30, R6020 before 1.0.0.42, R6050 before 1.0.1.22, JR6150…

CVSS: 9.4 CWE: N/A View on NVD
Critical

CVE-2020-26907

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 3.2.16.6.

CVSS: 9.6 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Critical

CVE-2020-26902

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.15.…

CVSS: 9.6 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2020-10-08
High

CVE-2020-9048

A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files…

CVSS: 7.1 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2020-10816

Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet.

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2020-26567

An issue was discovered on D-Link DSR-250N before 3.17B devices. The CGI script upgradeStatusReboot.cgi can be accessed without authentication. Any access reboots the device, rendering it therefore u…

CVSS: 5.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2020-25273

In SourceCodester Online Bus Booking System 1.0, there is Authentication bypass on the Admin Login screen in admin.php via username or password SQL injection.

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2020-10-07
Medium

CVE-2020-15501

Smarter Coffee Maker before 2nd generation allows firmware replacement without authentication or authorization. User interaction is required to press a button. NOTE: This vulnerability only affects p…

CVSS: 6.5 CWE: N/A View on NVD
Medium

CVE-2020-25867

SoPlanning before 1.47 doesn't correctly check the security key used to publicly share plannings. It allows a bypass to get access without authentication.

CVSS: 5.3 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2020-24246

Peplink Balance before 8.1.0rc1 allows an unauthenticated attacker to download PHP configuration files (/filemanager/php/connector.php) from Web Admin.

CVSS: 7.5 CWE: N/A View on NVD
2020-10-06
Medium

CVE-2020-26599

An issue was discovered on Samsung mobile devices with Q(10.0) software. The DynamicLockscreen Terms and Conditions can be accepted without authentication. The Samsung ID is SVE-2020-17079 (October 2…

CVSS: 5.3 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2020-26574

Leostream Connection Broker 8.2.x is affected by stored XSS. An unauthenticated attacker can inject arbitrary JavaScript code via the webquery.pl User-Agent HTTP header. It is rendered by the admins…

CVSS: 9.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-10-05
Critical

CVE-2020-4493

IBM Maximo Asset Management 7.6.0 and 7.6.1 could allow an attacker to bypass authentication and issue commands using a specially crafted HTTP command. IBM X-Force ID: 181995.

CVSS: 9.8 CWE: N/A View on NVD
High

CVE-2020-26061

ClickStudios Passwordstate Password Reset Portal prior to build 8501 is affected by an authentication bypass vulnerability. The ResetPassword function does not validate whether the user has successfu…

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2020-10-02
Critical

CVE-2020-12676

FusionAuth fusionauth-samlv2 0.2.3 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack".

CVSS: 9.1 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
Critical

CVE-2020-24698

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. A remote, unauthenticated attacker might be able to cause a double-free, leading to a cras…

CVSS: 9.8 CWE: CWE-415 - Double Free View on NVD
High

CVE-2020-24697

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. A remote, unauthenticated attacker can cause a denial of service by sending crafted querie…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2020-24696

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. A remote, unauthenticated attacker can trigger a race condition leading to a crash, or pos…

CVSS: 8.1 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2020-12127

An information disclosure vulnerability in the /cgi-bin/ExportAllSettings.sh endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to leak router settings, including cleartext login d…

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2020-12126

Multiple authentication bypass vulnerabilities in the /cgi-bin/ endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allow an attacker to leak router settings, change configuration variables, and cause…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2020-12125

A remote buffer overflow vulnerability in the /cgi-bin/makeRequest.cgi endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to execute arbitrary machine instructions as root without…

CVSS: 9.8 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
Critical

CVE-2020-12124

A remote command-line injection vulnerability in the /cgi-bin/live_api.cgi endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to execute arbitrary Linux commands as root without au…

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2020-26511

The wpo365-login plugin before v11.7 for WordPress allows use of a symmetric algorithm to decrypt a JWT token. This leads to authentication bypass.

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2020-10-01
High

CVE-2020-9487

In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to us…

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2020-5785

Insufficient output sanitization in Teltonika firmware TRB2_R_00.02.04.3 allows an unauthenticated attacker to conduct reflected cross-site scripting via a crafted ‘action’ or ‘pkg_name’ parameter.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-09-30
High

CVE-2020-15849

Re:Desk 2.3 has a blind authenticated SQL injection vulnerability in the SettingsController class, in the actionEmailTemplates() method. A malicious actor with access to an administrative account cou…

CVSS: 7.2 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2020-25762

An issue was discovered in SourceCodester Seat Reservation System 1.0. The file admin_class.php does not perform input validation on the username and password parameters. An attacker can send malicio…

CVSS: 9.1 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2020-15487

Re:Desk 2.3 contains a blind unauthenticated SQL injection vulnerability in the getBaseCriteria() function in the protected/models/Ticket.php file. By modifying the folder GET parameter, it is possib…

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2020-13322

A vulnerability was discovered in GitLab versions after 12.9. Due to improper verification of permissions, an unauthorized user can create and delete deploy tokens.

CVSS: 7.2 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2019-18991

A partial authentication bypass vulnerability exists on Atheros AR9132 3.60(AMX.8), AR9283 1.85, and AR9285 1.0.0.12NA devices. The vulnerability allows sending an unencrypted data frame to a WPA2-pr…

CVSS: 5.4 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2019-18990

A partial authentication bypass vulnerability exists on Realtek RTL8812AR 1.21WW, RTL8196D 1.0.0, RTL8192ER 2.10, and RTL8881AN 1.09 devices. The vulnerability allows sending an unencrypted data fram…

CVSS: 5.4 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2019-18989

A partial authentication bypass vulnerability exists on Mediatek MT7620N 1.06 devices. The vulnerability allows sending an unencrypted data frame to a WPA2-protected WLAN router where the packet is r…

CVSS: 5.4 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
High

CVE-2018-5354

The custom GINA/CP module in ANIXIS Password Reset Client before version 3.22 allows remote attackers to execute code and escalate privileges via spoofing. When the client is configured to use HTTP,…

CVSS: 8.8 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Critical

CVE-2018-5353

The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the inte…

CVSS: 9.8 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
High

CVE-2018-11765

In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through H…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2020-12506

Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW03 allows an attacker to change the settings of the devices by sending specifically constructed requests without auth…

CVSS: 9.1 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2020-12505

Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW07 allows an attacker to change some special parameters without authentication. This issue affects: WAGO 750-852, WAG…

CVSS: 8.2 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2020-09-25
Critical

CVE-2020-25132

An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malfo…

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2020-25747

The Telnet service of Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) can allow a remote attacker to gain access to RTSP and ONFIV services without authentication. Thus,…

CVSS: 9.4 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2020-24594

Mitel MiCloud Management Portal before 6.1 SP5 could allow an unauthenticated attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an…

CVSS: 9.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-09-24
Medium

CVE-2020-12818

An insufficient logging vulnerability in FortiGate before 6.4.1 may allow the traffic from an unauthenticated attacker to Fortinet owned IP addresses to go unnoticed.

CVSS: 5.3 CWE: N/A View on NVD
2020-09-23
Critical

CVE-2019-16028

A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2019-16004

A vulnerability in the REST API endpoint of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The vulnerability is…

CVSS: 6.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2020-09-22
Critical

CVE-2020-11857

An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to access the OBR host as a non-adm…

CVSS: 9.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
High

CVE-2020-11855

An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow local attackers on the OBR host to execute code with…

CVSS: 7.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2020-8887

Telestream Tektronix Medius before 10.7.5 and Sentry before 10.7.5 have a SQL injection vulnerability allowing an unauthenticated attacker to dump database contents via the page parameter in a page=l…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2020-09-17
Medium

CVE-2020-14181

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affect…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2020-09-16
High

CVE-2020-1748

A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an…

CVSS: 7.5 CWE: N/A View on NVD
2020-09-15
Critical

CVE-2020-23512

VR CAM P1 Model P1 v1 has an incorrect access control vulnerability where an attacker can obtain complete access of the device from web (remote) without authentication.

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2020-13303

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public…

CVSS: 7.1 CWE: CWE-287 - Improper Authentication View on NVD
2020-09-14
High

CVE-2020-24457

Logic error in BIOS firmware for 8th, 9th and 10th Generation Intel(R) Core(TM) Processors may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or in…

CVSS: 7.6 CWE: N/A View on NVD
High

CVE-2020-25540

ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrarily file on a remote server via GET request encode parameter.

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2020-09-11
High

CVE-2020-1031

<p>An information disclosure vulnerability exists in the way that the Windows Server DHCP service improperly discloses the contents of its memory.</p> <p>To exploit the vulnerability, an unauthentica…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2020-15802

Devices supporting Bluetooth before 5.1 may allow man-in-the-middle attacks, aka BLURtooth. Cross Transport Key Derivation in Bluetooth Core Specification v4.2 and v5.0 may permit an unauthenticated…

CVSS: 5.9 CWE: CWE-287 - Improper Authentication View on NVD
Low

CVE-2020-16218

In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is then us…

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-09-10
Medium

CVE-2020-13920

Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and ca…

CVSS: 5.9 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2020-8758

Improper buffer restrictions in network subsystem in provisioned Intel(R) AMT and Intel(R) ISM versions before 11.8.79, 11.12.79, 11.22.79, 12.0.68 and 14.0.39 may allow an unauthenticated user to po…

CVSS: 9.8 CWE: N/A View on NVD
Medium

CVE-2020-5780

Missing Authentication for Critical Function in Icegram Email Subscribers & Newsletters Plugin for WordPress prior to version 4.5.6 allows a remote, unauthenticated attacker to conduct unauthenticate…

CVSS: 5.3 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2020-09-09
High

CVE-2020-2041

An insecure configuration of the appweb daemon of Palo Alto Networks PAN-OS 8.1 allows a remote unauthenticated user to send a specifically crafted request to the device that causes the appweb servic…

CVSS: 7.5 CWE: CWE-16 View on NVD
Critical

CVE-2020-2040

A buffer overflow vulnerability in PAN-OS allows an unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to…

CVSS: 9.8 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
Medium

CVE-2020-2039

An uncontrolled resource consumption vulnerability in Palo Alto Networks PAN-OS allows for a remote unauthenticated user to upload temporary files through the management web interface that are not pr…

CVSS: 5.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2020-6324

SAP Netweaver AS ABAP(BSP Test Application sbspext_table), version-700,701,720,730,731,740,750,751,752,753,754,755, allows an unauthenticated attacker to send polluted URL to the victim, when the vic…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-09-04
High

CVE-2020-3473

A vulnerability in task group assignment for a specific CLI command in Cisco IOS XR Software could allow an authenticated, local CLI shell user to elevate privileges and gain full administrative cont…

CVSS: 7.8 CWE: CWE-264 View on NVD
2020-09-03
Critical

CVE-2020-24193

A SQL injection vulnerability in login in Sourcecodetester Daily Tracker System 1.0 allows unauthenticated user to execute authentication bypass with SQL injection via the email parameter.

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2020-11579

An issue was discovered in Chadha PHPKB 9.0 Enterprise Edition. installer/test-connection.php (part of the installation process) allows a remote unauthenticated attacker to disclose local files on ho…

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2020-25068

Setelsa Conacwin v3.7.1.2 is vulnerable to a local file inclusion vulnerability. This vulnerability allows a remote unauthenticated attacker to read internal files on the server via an http:IP:PORT/.…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2020-09-02
High

CVE-2020-5386

Dell EMC ECS, versions prior to 3.5, contains an Exposure of Resource vulnerability. A remote unauthenticated attacker can access the list of DT (Directory Table) objects of all internally running se…

CVSS: 7.5 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
High

CVE-2020-5369

Dell EMC Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerScale OneFS version 9.0.0 contain a privilege escalation vulnerability. An authenticated malicious user may exploit this vulnerabili…

CVSS: 8.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2020-09-01
Medium

CVE-2020-8335

The BIOS tamper detection mechanism was not triggered in Lenovo ThinkPad A285, BIOS versions up to r0xuj70w; A485, BIOS versions up to r0wuj65w; T495 BIOS versions up to r12uj55w; T495s/X395, BIOS ve…

CVSS: 6.1 CWE: N/A View on NVD
Critical

CVE-2020-5777

MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. A remote attacker can trigger…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2020-25067

NETGEAR R8300 devices before 1.0.2.134 are affected by command injection by an unauthenticated attacker.

CVSS: 9.6 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2020-08-31
High

CVE-2020-24363

TP-Link TL-WA855RE V5 20200415-rel37464 devices allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtai…

CVSS: 8.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2020-24786

An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before bui…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
2020-08-27
Medium

CVE-2020-10517

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to determine the names of unauthorized private repositories given…

CVSS: 4.3 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2020-15605

If LDAP authentication is enabled, an LDAP authentication bypass vulnerability in Trend Micro Vulnerability Protection 2.0 SP2 could allow an unauthenticated attacker with prior knowledge of the targ…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2020-15601

If LDAP authentication is enabled, an LDAP authentication bypass vulnerability in Trend Micro Deep Security 10.x-12.x could allow an unauthenticated attacker with prior knowledge of the targeted orga…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2020-3517

A vulnerability in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated attacker to cause process crashes, which could result in a denial…

CVSS: 8.6 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2020-08-26
High

CVE-2019-5321

Aruba Intelligent Edge Switch Series 2540, 2530, 2930F, 2930M, 2920, 5400R, and 3810M with firmware 16.08.* before 16.08.0009, 16.09.* before 16.09.0007, 16.10.* before 16.10.0003 are vulnerable to R…

CVSS: 8.8 CWE: N/A View on NVD
High

CVE-2020-11797

An Authentication Bypass vulnerability in the Published Area of the web conferencing component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an unauthenticated attacker to gai…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2018-1501

IBM Security Guardium 10.5, 10.6, and 11.0 could allow an unauthorized user to obtain sensitive information due to missing security controls. IBM X-Force ID: 141226.

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2020-13767

The Mitel MiCollab application before 9.1.332 for iOS could allow an unauthorized user to access restricted files and folders due to insufficient access control. An exploit requires a rooted iOS devi…

CVSS: 5.9 CWE: N/A View on NVD
High

CVE-2020-13617

The Web UI component of Mitel MiVoice 6800 and 6900 series SIP Phones with firmware before 5.1.0.SP5 could allow an unauthenticated attacker to expose sensitive information due to improper memory han…

CVSS: 7.5 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
High

CVE-2020-16251

HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.

CVSS: 8.2 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2020-16250

HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1..

CVSS: 8.2 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Critical

CVE-2020-24007

Umanni RH 1.0 does not limit the number of authentication attempts. An unauthenticated user may exploit this vulnerability to launch a brute-force authentication attack against the Login page.

CVSS: 9.8 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
2020-08-25
High

CVE-2020-17385

Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system.

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2020-08-24
Medium

CVE-2020-19880

DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecialchars function form 'Name' in dbhcms\types.php, A remote unauthenticated attacker can exploit this vulnerability to hijack other…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2020-19878

DBHcms v1.2.0 has a sensitive information leaks vulnerability as there is no security access control in /dbhcms/ext/news/ext.news.be.php, A remote unauthenticated attacker can exploit this vulnerabil…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2020-19877

DBHcms v1.2.0 has a directory traversal vulnerability as there is no directory control function in directory /dbhcms/. A remote unauthenticated attacker can exploit this vulnerability to obtain serve…

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2020-08-21
Medium

CVE-2020-5775

Server-Side Request Forgery in Canvas LMS 2020-07-29 allows a remote, unauthenticated attacker to cause the Canvas application to perform HTTP GET requests to arbitrary domains.

CVSS: 5.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Critical

CVE-2020-24051

The Moog EXO Series EXVF5C-2 and EXVP7C2-3 units support the ONVIF interoperability IP-based physical security protocol, which requires authentication for some of its operations. It was found that th…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2020-08-20
Critical

CVE-2020-23935

Kabir Alhasan Student Management System 1.0 is vulnerable to Authentication Bypass via "Username: admin'# && Password: (Write Something)".

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2020-23936

PHPGurukul Vehicle Parking Management System 1.0 is vulnerable to Authentication Bypass via "Username: admin'# && Password: (Write Something)".

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2020-10283

The Micro Air Vehicle Link (MAVLink) protocol presents authentication mechanisms on its version 2.0 however according to its documentation, in order to maintain backwards compatibility, GCS and autop…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2020-08-19
Medium

CVE-2020-4648

A vulnerability exsists in IBM Planning Analytics 2.0 whereby avatars in Planning Analytics Workspace could be modified by other users without authorization to do so. IBM X-Force ID: 186019.

CVSS: 6.5 CWE: N/A View on NVD
2020-08-17
High

CVE-2020-13933

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2020-1597

A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NE…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An at…

CVSS: 5.5 CWE: N/A View on NVD
Medium

CVE-2020-3448

A vulnerability in an access control mechanism of Cisco Cyber Vision Center Software could allow an unauthenticated, remote attacker to bypass authentication and access internal services that are run…

CVSS: 5.8 CWE: CWE-284 - Improper Access Control View on NVD
2020-08-14
Medium

CVE-2020-9708

The resolveRepositoryPath function doesn't properly validate user input and a malicious user may traverse to any valid Git repository outside the repoRoot. This issue may lead to unauthorized access…

CVSS: 5.9 CWE: CWE-24 - Path Traversal: '../filedir' View on NVD
Critical

CVE-2020-10055

A vulnerability has been identified in Desigo CC (V4.x), Desigo CC (V3.x), Desigo CC Compact (V4.x), Desigo CC Compact (V3.x). Affected applications are delivered with a 3rd party component (BIRT) th…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2019-5591

A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

CVSS: 6.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2020-08-13
Medium

CVE-2020-8689

Improper buffer restrictions in the Intel(R) Wireless for Open Source before version 1.5 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

CVSS: 6.5 CWE: N/A View on NVD
High

CVE-2020-8688

Improper input validation in the Intel(R) RAID Web Console 3 for Windows* may allow an unauthenticated user to potentially enable denial of service via network access.

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2020-8732

Heap-based buffer overflow in the firmware for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation o…

CVSS: 8.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2020-8723

Cross-site scripting for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjace…

CVSS: 6.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-8715

Invalid pointer for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable denial of service via local access.

CVSS: 5.5 CWE: CWE-763 - Release of Invalid Pointer or Reference View on NVD
High

CVE-2020-8713

Improper authentication for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adj…

CVSS: 8.8 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2020-8709

Improper authentication in socket services for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.45 may allow an unauthenticated user to potentially enable escalation o…

CVSS: 8.8 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2020-8708

Improper authentication for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adj…

CVSS: 8.8 CWE: CWE-287 - Improper Authentication View on NVD