Filtered by vendor
Subscriptions
Total
24 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-3629 | 2 Infinispan, Redhat | 4 Infinispan, Data Grid, Jboss Data Grid and 1 more | 2024-11-23 | 4.3 Medium |
A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions. | ||||
CVE-2023-3628 | 2 Infinispan, Redhat | 4 Infinispan, Data Grid, Jboss Data Grid and 1 more | 2024-11-23 | 6.5 Medium |
A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions. | ||||
CVE-2023-52424 | 2024-11-21 | 7.4 High | ||
The IEEE 802.11 standard sometimes enables an adversary to trick a victim into connecting to an unintended or untrusted network with Home WEP, Home WPA3 SAE-loop. Enterprise 802.1X/EAP, Mesh AMPE, or FILS, aka an "SSID Confusion" issue. This occurs because the SSID is not always used to derive the pairwise master key or session keys, and because there is not a protected exchange of an SSID during a 4-way handshake. | ||||
CVE-2023-51384 | 2 Debian, Openbsd | 2 Debian Linux, Openssh | 2024-11-21 | 5.5 Medium |
In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys. | ||||
CVE-2023-22833 | 1 Palantir | 1 Foundry | 2024-11-21 | 7.6 High |
Palantir Foundry deployments running Lime2 versions between 2.519.0 and 2.532.0 were vulnerable a bug that allowed authenticated users within a Foundry organization to bypass discretionary or mandatory access controls under certain circumstances. | ||||
CVE-2022-40622 | 1 Wavlink | 2 Wn531g3, Wn531g3 Firmware | 2024-11-21 | 8.8 High |
The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 uses IP addresses to hold sessions and does not not use session tokens. Therefore, if an attacker changes their IP address to match the logged-in administrator's, or is behind the same NAT as the logged in administrator, session takeover is possible. | ||||
CVE-2022-39360 | 1 Metabase | 1 Metabase | 2024-11-21 | 6.5 Medium |
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login. | ||||
CVE-2022-2821 | 1 Namelessmc | 1 Nameless | 2024-11-21 | 7.5 High |
Missing Critical Step in Authentication in GitHub repository namelessmc/nameless prior to v2.0.2. | ||||
CVE-2022-2302 | 1 Lenze | 6 C520, C520 Firmware, C550 and 3 more | 2024-11-21 | 9.8 Critical |
Multiple Lenze products of the cabinet series skip the password verification upon second login. After a user has been logged on to the device once, a remote attacker can get full access without knowledge of the password. | ||||
CVE-2022-1065 | 1 Abacus | 5 Abacus Erp 2018, Abacus Erp 2019, Abacus Erp 2020 and 2 more | 2024-11-21 | 8.1 High |
A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus ERP v2022 versions prior to R1 of 2022-01-15; v2021 versions prior to R4 of 2022-01-15; v2020 versions prior to R6 of 2022-01-15; v2019 versions later than R5 (service pack); v2018 versions later than R5 (service pack). This issue does not affect: Abacus ERP v2019 versions prior to R5 of 2020-03-15; v2018 versions prior to R7 of 2020-04-15; v2017 version and prior versions and prior versions. | ||||
CVE-2021-41179 | 1 Nextcloud | 1 Server | 2024-11-21 | 6.5 Medium |
Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, the Two-Factor Authentication wasn't enforced for pages marked as public. Any page marked as `@PublicPage` could thus be accessed with a valid user session that isn't authenticated. This particularly affects the Nextcloud Talk application, as this could be leveraged to gain access to any private chat channel without going through the Two-Factor flow. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading. | ||||
CVE-2020-29004 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 8.8 High |
The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack. | ||||
CVE-2019-16766 | 1 Labdigital | 1 Wagtail-2fa | 2024-11-21 | 8.7 High |
When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS. This problem has been patched in version 1.3.0. | ||||
CVE-2017-10807 | 1 Jabberd2 | 1 Jabberd2 | 2024-11-21 | N/A |
JabberD 2.x (aka jabberd2) before 2.6.1 allows anyone to authenticate using SASL ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled. | ||||
CVE-2016-1567 | 1 Tuxfamily | 1 Chrony | 2024-11-21 | N/A |
chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." | ||||
CVE-2015-7974 | 5 Debian, Netapp, Ntp and 2 more | 9 Debian Linux, Clustered Data Ontap, Oncommand Balance and 6 more | 2024-11-21 | 7.7 High |
NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." | ||||
CVE-2015-5600 | 2 Openbsd, Redhat | 2 Openssh, Enterprise Linux | 2024-11-21 | N/A |
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list. | ||||
CVE-2015-3206 | 1 Apple | 1 Pykerberos | 2024-11-21 | N/A |
The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack. | ||||
CVE-2012-4456 | 2 Openstack, Redhat | 2 Keystone, Openstack | 2024-11-21 | N/A |
The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services. | ||||
CVE-2011-3172 | 1 Suse | 1 Suse Linux Enterprise Server | 2024-11-21 | N/A |
A vulnerability in pam_modules of SUSE Linux Enterprise allows attackers to log into accounts that should have been disabled. Affected releases are SUSE Linux Enterprise: versions prior to 12. |