Total
1514 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-5716 | 1 Asus | 1 Armoury Crate | 2024-11-21 | 9.8 Critical |
| ASUS Armoury Crate has a vulnerability in arbitrary file write and allows remote attackers to access or modify arbitrary files by sending specific HTTP requests without permission. | ||||
| CVE-2023-5253 | 1 Nozominetworks | 2 Cmc, Guardian | 2024-11-21 | 5.3 Medium |
| A missing authentication check in the WebSocket channel used for the Check Point IoT integration in Nozomi Networks Guardian and CMC, may allow an unauthenticated attacker to obtain assets data without authentication. Malicious unauthenticated users with knowledge on the underlying system may be able to extract limited asset information. | ||||
| CVE-2023-51987 | 1 Dlink | 2 Dir-822, Dir-822 Firmware | 2024-11-21 | 9.8 Critical |
| D-Link DIR-822+ V1.0.2 contains a login bypass in the HNAP1 interface, which allows attackers to log in to administrator accounts with empty passwords. | ||||
| CVE-2023-51947 | 1 Actidata | 2 Actinas Sl 2u-8 Rdx, Actinas Sl 2u-8 Rdx Firmware | 2024-11-21 | 9.1 Critical |
| Improper access control on nasSvr.php in actidata actiNAS SL 2U-8 RDX 3.2.03-SP1 allows remote attackers to read and modify different types of data without authentication. | ||||
| CVE-2023-51587 | 2024-11-21 | N/A | ||
| Voltronic Power ViewPower getModbusPassword Missing Authentication Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Voltronic Power ViewPower. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getModbusPassword method. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-22073. | ||||
| CVE-2023-51571 | 2024-11-21 | N/A | ||
| Voltronic Power ViewPower Pro SocketService Missing Authentication Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SocketService module, which listens on UDP port 41222 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-21162. | ||||
| CVE-2023-51062 | 1 Qstar | 1 Archive Storage Manager | 2024-11-21 | 5.3 Medium |
| An unauthenticated log file read in the component log-smblog-save of QStar Archive Solutions RELEASE_3-0 Build 7 Patch 0 allows attackers to disclose the SMB Log contents via executing a crafted command. | ||||
| CVE-2023-50263 | 1 Networktocode | 1 Nautobot | 2024-11-21 | 3.7 Low |
| Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 1.x and 2.0.x prior to 1.6.7 and 2.0.6, the URLs `/files/get/?name=...` and `/files/download/?name=...` are used to provide admin access to files that have been uploaded as part of a run request for a Job that has FileVar inputs. Under normal operation these files are ephemeral and are deleted once the Job in question runs. In the default implementation used in Nautobot, as provided by `django-db-file-storage`, these URLs do not by default require any user authentication to access; they should instead be restricted to only users who have permissions to view Nautobot's `FileProxy` model instances. Note that no URL mechanism is provided for listing or traversal of the available file `name` values, so in practice an unauthenticated user would have to guess names to discover arbitrary files for download, but if a user knows the file name/path value, they can access it without authenticating, so we are considering this a vulnerability. Fixes are included in Nautobot 1.6.7 and Nautobot 2.0.6. No known workarounds are available other than applying the patches included in those versions. | ||||
| CVE-2023-4884 | 1 Open5gs | 1 Open5gs | 2024-11-21 | 6.5 Medium |
| An attacker could send an HTTP request to an Open5GS endpoint and retrieve the information stored on the device due to the lack of Authentication. | ||||
| CVE-2023-4857 | 2024-11-21 | 7.5 High | ||
| An authentication bypass vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user to execute certain IPMI calls that could lead to exposure of limited system information. | ||||
| CVE-2023-4815 | 1 Answer | 1 Answer | 2024-11-21 | 8.8 High |
| Missing Authentication for Critical Function in GitHub repository answerdev/answer prior to v1.1.3. | ||||
| CVE-2023-4702 | 1 Yepas | 1 Digital Yepas | 2024-11-21 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas allows Authentication Bypass.This issue affects Digital Yepas: before 1.0.1. | ||||
| CVE-2023-4335 | 3 Broadcom, Intel, Linux | 4 Lsi Storage Authority, Raid Controller Web Interface, Raid Web Console 3 and 1 more | 2024-11-21 | 7.5 High |
| Broadcom RAID Controller Web server (nginx) is serving private server-side files without any authentication on Linux | ||||
| CVE-2023-4334 | 1 Broadcom | 1 Raid Controller Web Interface | 2024-11-21 | 7.5 High |
| Broadcom RAID Controller Web server (nginx) is serving private files without any authentication | ||||
| CVE-2023-49693 | 1 Netgear | 1 Prosafe Network Management System | 2024-11-21 | 9.8 Critical |
| NETGEAR ProSAFE Network Management System has Java Debug Wire Protocol (JDWP) listening on port 11611 and it is remotely accessible by unauthenticated users, allowing attackers to execute arbitrary code. | ||||
| CVE-2023-49115 | 1 Machinesense | 2 Feverwarn, Feverwarn Firmware | 2024-11-21 | 7.5 High |
| MachineSense devices use unauthenticated MQTT messaging to monitor devices and remote viewing of sensor data by users. | ||||
| CVE-2023-47674 | 1 C-first | 56 Cfr-1004ea, Cfr-1004ea Firmware, Cfr-1008ea and 53 more | 2024-11-21 | 9.8 Critical |
| Missing authentication for critical function vulnerability in First Corporation's DVRs allows a remote unauthenticated attacker to rewrite or obtain the configuration information of the affected device. Note that updates are provided only for Late model of CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, and MD-808AB. As for the other products, apply the workaround. | ||||
| CVE-2023-46978 | 1 Totolink | 2 X6000r, X6000r Firmware | 2024-11-21 | 7.5 High |
| TOTOLINK X6000R V9.4.0cu.852_B20230719 is vulnerable to Incorrect Access Control.Attackers can reset login password & WIFI passwords without authentication. | ||||
| CVE-2023-46819 | 1 Apache | 1 Ofbiz | 2024-11-21 | 5.3 Medium |
| Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz: before 18.12.09. Users are recommended to upgrade to version 18.12.09 | ||||
| CVE-2023-46249 | 1 Goauthentik | 1 Authentik | 2024-11-21 | 9.7 Critical |
| authentik is an open-source Identity Provider. Prior to versions 2023.8.4 and 2023.10.2, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. authentik uses a blueprint to create the default admin user, which can also optionally set the default admin users' password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again. authentik 2023.8.4 and 2023.10.2 fix this issue. As a workaround, ensure the default admin user (Username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user, and store it in a secure location like a password manager. It is also possible to deactivate the user to prevent any logins as akadmin. | ||||