Total
3710 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-30755 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 7.3 HIGH |
| Improper authentication vulnerability in AppLock prior to SMR Jul-2022 Release 1 allows attacker to bypass password confirm activity by hijacking the implicit intent. | |||||
| CVE-2022-30749 | 1 Samsung | 1 Smartthings | 2024-11-21 | 4.6 MEDIUM | 3.3 LOW |
| Improper access control vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to add arbitrary smart devices by bypassing login activity. | |||||
| CVE-2022-30624 | 1 Chcnav | 2 P5e Gnss, P5e Gnss Firmware | 2024-11-21 | N/A | 6.8 MEDIUM |
| Browsing the admin.html page allows the user to reset the admin password. Also appears in the JS code for the password. | |||||
| CVE-2022-30623 | 1 Chcnav | 2 P5e Gnss, P5e Gnss Firmware | 2024-11-21 | N/A | 5.9 MEDIUM |
| The server checks the user's cookie in a non-standard way, and a value is entered in the cookie value name of the status and its value is set to true to bypass the identification with the system using a username and password. | |||||
| CVE-2022-30270 | 1 Motorola | 2 Ace1000, Ace1000 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| The Motorola ACE1000 RTU through 2022-05-02 has default credentials. It exposes an SSH interface on port 22/TCP. This interface is used for remote maintenance and for SFTP file-transfer operations that are part of engineering software functionality. Access to this interface is controlled by 5 preconfigured accounts (root, abuilder, acelogin, cappl, ace), all of which come with default credentials. Although the ACE1000 documentation mentions the root, abuilder and acelogin accounts and instructs users to change the default credentials, the cappl and ace accounts remain undocumented and thus are unlikely to have their credentials changed. | |||||
| CVE-2022-30238 | 1 Schneider-electric | 4 Wiser Smart Eer21000, Wiser Smart Eer21000 Firmware, Wiser Smart Eer21001 and 1 more | 2024-11-21 | 7.5 HIGH | 8.3 HIGH |
| A CWE-287: Improper Authentication vulnerability exists that could allow an attacker to take over the admin account when an attacker hijacks a session. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior) | |||||
| CVE-2022-30229 | 1 Siemens | 1 Sicam Gridedge Essential | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions < V2.6.6), SICAM GridEdge Essential Intel (All versions < V2.6.6), SICAM GridEdge Essential with GDS ARM (All versions < V2.6.6), SICAM GridEdge Essential with GDS Intel (All versions < V2.6.6). The affected software does not require authenticated access for privileged functions. This could allow an unauthenticated attacker to change data of an user, such as credentials, in case that user's id is known. | |||||
| CVE-2022-30034 | 1 Flower Project | 1 Flower | 2024-11-21 | 7.5 HIGH | 8.6 HIGH |
| Flower, a web UI for the Celery Python RPC framework, all versions as of 05-02-2022 is vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. | |||||
| CVE-2022-2757 | 1 Kingspan | 2 Tms300 Cs, Tms300 Cs Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| Due to the lack of adequately implemented access-control rules, all versions Kingspan TMS300 CS are vulnerable to an attacker viewing and modifying the application settings without authenticating by accessing a specific uniform resource locator (URL) on the webserver. | |||||
| CVE-2022-2752 | 1 Secomea | 1 Gatemanager | 2024-11-21 | N/A | 5.5 MEDIUM |
| A vulnerability in the web server of Secomea GateManager allows a local user to impersonate as the previous user under some failed login conditions. This issue affects: Secomea GateManager versions from 9.4 through 9.7. | |||||
| CVE-2022-2664 | 1 Private Cloud Management Platform Project | 1 Private Cloud Management Platform | 2024-11-21 | N/A | 7.3 HIGH |
| A vulnerability classified as critical has been found in Private Cloud Management Platform. Affected is an unknown function of the file /management/api/rcx_management/global_config_query of the component POST Request Handler. The manipulation leads to improper authentication. It is possible to launch the attack remotely. VDB-205614 is the identifier assigned to this vulnerability. | |||||
| CVE-2022-2662 | 1 Sequi | 2 Portbloque S, Portbloque S Firmware | 2024-11-21 | N/A | 9.6 CRITICAL |
| Sequi PortBloque S has a improper authentication issues which may allow an attacker to bypass the authentication process and gain user-level access to the device. | |||||
| CVE-2022-2553 | 3 Clusterlabs, Debian, Fedoraproject | 3 Booth, Debian Linux, Fedora | 2024-11-21 | N/A | 6.5 MEDIUM |
| The authfile directive in the booth config file is ignored, preventing use of authentication in communications from node to node. As a result, nodes that do not have the correct authentication key are not prevented from communicating with other nodes in the cluster. | |||||
| CVE-2022-2503 | 1 Linux | 1 Linux Kernel | 2024-11-21 | N/A | 6.9 MEDIUM |
| Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5 | |||||
| CVE-2022-2336 | 1 Softing | 6 Edgeaggregator, Edgeconnector, Opc and 3 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| Softing Secure Integration Server, edgeConnector, and edgeAggregator software ships with the default administrator credentials as `admin` and password as `admin`. This allows Softing to log in to the server directly to perform administrative functions. Upon installation or upon first login, the application does not ask the user to change the `admin` password. There is no warning or prompt to ask the user to change the default password, and to change the password, many steps are required. | |||||
| CVE-2022-2303 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for group members to bypass 2FA enforcement enabled at the group level by using Resource Owner Password Credentials grant to obtain an access token without using 2FA. | |||||
| CVE-2022-2302 | 1 Lenze | 6 C520, C520 Firmware, C550 and 3 more | 2024-11-21 | 9.3 HIGH | 9.8 CRITICAL |
| Multiple Lenze products of the cabinet series skip the password verification upon second login. After a user has been logged on to the device once, a remote attacker can get full access without knowledge of the password. | |||||
| CVE-2022-2197 | 1 Exemys | 2 Rme1, Rme1 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| By using a specific credential string, an attacker with network access to the device’s web interface could circumvent the authentication scheme and perform administrative operations. | |||||
| CVE-2022-2133 | 1 Miniorange | 1 Oauth Single Sign On | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The OAuth Single Sign On WordPress plugin before 6.22.6 doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user's email address. | |||||
| CVE-2022-2031 | 1 Samba | 1 Samba | 2024-11-21 | N/A | 8.8 HIGH |
| A flaw was found in Samba. The security vulnerability occurs when KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt each other's tickets. A user who has been requested to change their password, can exploit this flaw to obtain and use tickets to other services. | |||||