Total
1566 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-36200 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2024-11-21 | N/A | 5.3 MEDIUM |
| Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users. | |||||
| CVE-2021-36124 | 1 Echobh | 1 Sharecare | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Echo ShareCare 8.15.5. It does not perform authentication or authorization checks when accessing a subset of sensitive resources, leading to the ability for unauthenticated users to access pages that are vulnerable to attacks such as SQL injection. | |||||
| CVE-2021-35979 | 1 Digi | 35 6350-sr, 6350-sr Firmware, Cm and 32 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in Digi RealPort through 4.8.488.0. The 'encrypted' mode is vulnerable to man-in-the-middle attacks and does not perform authentication. | |||||
| CVE-2021-35941 | 1 Westerndigital | 4 Wd My Book Live, Wd My Book Live Duo, Wd My Book Live Duo Firmware and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Western Digital WD My Book Live (2.x and later) and WD My Book Live Duo (all versions) have an administrator API that can perform a system factory restore without authentication, as exploited in the wild in June 2021, a different vulnerability than CVE-2018-18472. | |||||
| CVE-2021-35936 | 1 Apache | 1 Airflow | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2. | |||||
| CVE-2021-34870 | 1 Netgear | 1 Xr1000 | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
| This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR XR1000 1.0.0.52_1.0.38 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SOAP messages. The issue results from a lack of authentication required for a privileged request. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13325. | |||||
| CVE-2021-34621 | 1 Properfraction | 1 Profilepress | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3.0.0 - 3.1.3. . | |||||
| CVE-2021-34543 | 1 Bkw | 2 Solar-log 500, Solar-log 500 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The web administration server in Solar-Log 500 before 2.8.2 Build 52 does not require authentication, which allows remote attackers to gain administrative privileges by connecting to the server. As a result, the attacker can modify configuration files and change the system status. Fixed with 3.0.0-60 11.10.2013 for SL 200, 500, 1000 / not existing for SL 250, 300, 1200, 2000, SL 50 Gateway, SL Base. | |||||
| CVE-2021-34538 | 1 Apache | 1 Hive | 2024-11-21 | N/A | 7.5 HIGH |
| Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious. | |||||
| CVE-2021-33882 | 1 Bbraun | 3 Infusomat Large Volume Pump 871305u, Spacecom2, Spacestation 8713142u | 2024-11-21 | 5.0 MEDIUM | 6.8 MEDIUM |
| A Missing Authentication for Critical Function vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to reconfigure the device from an unknown source because of lack of authentication on proprietary networking commands. | |||||
| CVE-2021-33843 | 1 Fresenius-kabi | 2 Agilia Sp Mc Wifi, Agilia Sp Mc Wifi Firmware | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Fresenius Kabi Agilia SP MC WiFi vD25 and prior has a default configuration page accessible without authentication. An attacker may use this functionality to change the exposed configuration values such as network settings. | |||||
| CVE-2021-33543 | 1 Geutebrueck | 32 G-cam Ebc-2110, G-cam Ebc-2110 Firmware, G-cam Ebc-2111 and 29 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple camera devices by UDP Technology, Geutebrück and other vendors allow unauthenticated remote access to sensitive files due to default user authentication settings. This can lead to manipulation of the device and denial of service. | |||||
| CVE-2021-33346 | 1 Dlink | 2 Dsl-2888a, Dsl-2888a Firmware | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| There is an arbitrary password modification vulnerability in a D-LINK DSL-2888A router product. An attacker can use this vulnerability to modify the password of the admin user without authorization. | |||||
| CVE-2021-33259 | 2 D-link, Dlink | 2 Dir-868lw Firmware, Dir-868lw | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Several web interfaces in D-Link DIR-868LW 1.12b have no authentication requirements for access, allowing for attackers to obtain users' DNS query history. | |||||
| CVE-2021-33221 | 1 Commscope | 1 Ruckus Iot Controller | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. There are Unauthenticated API Endpoints. | |||||
| CVE-2021-33008 | 1 Aveva | 1 System Platform | 2024-11-21 | 7.5 HIGH | 8.8 HIGH |
| AVEVA System Platform versions 2017 through 2020 R2 P01 does not perform any authentication for functionality that requires a provable user identity. | |||||
| CVE-2021-32930 | 1 Advantech | 1 Iview | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The affected product’s configuration is vulnerable due to missing authentication, which may allow an attacker to change configurations and execute arbitrary code on the iView (versions prior to v5.7.03.6182). | |||||
| CVE-2021-32800 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 6.4 MEDIUM | 8.1 HIGH |
| Nextcloud server is an open source, self hosted personal cloud. In affected versions an attacker is able to bypass Two Factor Authentication in Nextcloud. Thus knowledge of a password, or access to a WebAuthN trusted device of a user was sufficient to gain access to an account. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. There are no workaround for this vulnerability. | |||||
| CVE-2021-32794 | 1 Archisteamfarm Project | 1 Archisteamfarm | 2024-11-21 | 6.0 MEDIUM | 6.8 MEDIUM |
| ArchiSteamFarm is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Due to a bug in ASF code `POST /Api/ASF` ASF API endpoint responsible for updating global ASF config incorrectly removed `IPCPassword` from the resulting config when the caller did not specify it explicitly. Due to the above, it was possible for the user to accidentally remove `IPCPassword` security measure from his IPC interface when updating global ASF config, which exists as part of global config update functionality in ASF-ui. Removal of `IPCPassword` possesses a security risk, as unauthorized users may in result access the IPC interface after such modification. The issue is patched in ASF V5.1.2.4 and future versions. We recommend to manually verify that `IPCPassword` is specified after update, and if not, set it accordingly. In default settings, ASF is configured to allow IPC access from `localhost` only and should not affect majority of users. | |||||
| CVE-2021-32709 | 1 Shopware | 1 Shopware | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| Shopware is an open source eCommerce platform. Creation of order credits was not validated by ACL in admin orders. Users are recommend to update to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. | |||||