Filtered by CWE-425
Filtered by vendor Subscriptions
Total 177 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-29656 1 Asus 2 Rt-ac88u, Rt-ac88u Firmware 2024-11-21 7.5 High
An information disclosure vulnerability exists in RT-AC88U Download Master before 3.1.0.108. A direct access to /downloadmaster/dm_apply.cgi?action_mode=initial&download_type=General&special_cgi=get_language makes it possible to reach "unknown functionality" in a "known to be easy" manner via an unspecified "public exploit."
CVE-2020-28937 1 Openclinic Project 1 Openclinic 2024-11-21 7.5 High
OpenClinic version 0.8.2 is affected by a missing authentication vulnerability that allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application, via a direct request for the /tests/ URI.
CVE-2020-26150 1 Logaritmo 1 Aware Callmanager 2024-11-21 7.5 High
info.php in Logaritmo Aware CallManager 2012 allows remote attackers to obtain sensitive information via a direct request, which calls the phpinfo function.
CVE-2020-24765 1 Mind 1 Imind Server 2024-11-21 7.5 High
InterMind iMind Server through 3.13.65 allows remote unauthenticated attackers to read the self-diagnostic archive via a direct api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1 request.
CVE-2020-24660 2 Debian, Lemonldap-ng 2 Debian Linux, Lemonldap\ 2024-11-21 9.8 Critical
An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package.
CVE-2020-24203 1 Projectworlds 1 Travel Management System 2024-11-21 9.8 Critical
Insecure File Permissions and Arbitrary File Upload in the upload pic function in updatesubcategory.php in Projects World Travel Management System v1.0 allows remote unauthenticated attackers to gain remote code execution.
CVE-2020-13850 1 Pandorafms 1 Pandora Fms 2024-11-21 7.5 High
Artica Pandora FMS 7.44 has inadequate access controls on a web folder.
CVE-2020-13474 1 Nchsoftware 1 Express Accounts 2024-11-21 6.5 Medium
In NCH Express Accounts 8.24 and earlier, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as Add/Edit users.
CVE-2020-11561 1 Nchsoftware 1 Express Invoice 2024-11-21 8.8 High
In NCH Express Invoice 7.25, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as the "Add New Item" screen.
CVE-2020-10248 1 Meinbwa 2 Direx-pro, Direx-pro Firmware 2024-11-21 7.5 High
BWA DiREX-Pro 1.2181 devices allow remote attackers to discover passwords via a direct request to val_users.php3.
CVE-2019-9884 1 Eclass 1 Eclass Ip 2024-11-21 9.8 Critical
eClass platform < ip.2.5.10.2.1 allows an attacker to use GETS method to request /admin page to bypass the password validation and access management page.
CVE-2019-9584 1 Eq-3 4 Homematic Ccu2, Homematic Ccu2 Firmware, Homematic Ccu3 and 1 more 2024-11-21 N/A
eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages.
CVE-2019-9552 1 Eloan Project 1 Eloan 2024-11-21 N/A
Eloan V3.0 through 2018-09-20 allows remote attackers to list files via a direct request to the p2p/api/ or p2p/lib/ or p2p/images/ URI.
CVE-2019-7736 1 Dlink 2 Dir-600m, Dir-600m Firmware 2024-11-21 N/A
D-Link DIR-600M C1 3.04 devices allow authentication bypass via a direct request to the wan.htm page. NOTE: this may overlap CVE-2019-13101.
CVE-2019-6551 1 Pangea-comm 1 Fax Ata 2024-11-21 7.5 High
Pangea Communications Internet FAX ATA all Versions 3.1.8 and prior allow an attacker to bypass user authentication using a specially crafted URL to cause the device to reboot, which may be used to cause a continual denial-of-service condition.
CVE-2019-6126 1 Advance Peer To Peer Mlm Script Project 1 Advance Peer To Peer Mlm Script 2024-11-21 N/A
The Admin Panel of PHP Scripts Mall Advance Peer to Peer MLM Script v1.7.0 allows remote attackers to bypass intended access restrictions by directly navigating to admin/dashboard.php or admin/user.php, as demonstrated by disclosure of information about users and staff.
CVE-2019-3934 1 Crestron 4 Am-100, Am-100 Firmware, Am-101 and 1 more 2024-11-21 5.3 Medium
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code sending a crafted HTTP POST request to login.cgi. A remote, unauthenticated attacker can use this vulnerability to download the current slide image without knowing the access code.
CVE-2019-3933 1 Crestron 4 Am-100, Am-100 Firmware, Am-101 and 1 more 2024-11-21 5.3 Medium
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code simply by requesting /images/browserslide.jpg via HTTP. A remote, unauthenticated attacker can use this vulnerability to watch a slideshow without knowing the access code.
CVE-2019-3917 1 Nokia 2 I-240w-q Gpon Ont, I-240w-q Gpon Ont Firmware 2024-11-21 7.5 High
The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 allows a remote, unauthenticated attacker to enable telnetd on the router via a crafted HTTP request.
CVE-2019-3916 1 Verizon 2 Fios Quantum Gateway G1100, Fios Quantum Gateway G1100 Firmware 2024-11-21 N/A
Information disclosure vulnerability in Verizon Fios Quantum Gateway (G1100) firmware version 02.01.00.05 allows an remote, unauthenticated attacker to retrieve the value of the password salt by simply requesting an API URL in a web browser (e.g. /api).