Total
1518 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-0993 | 1 Siteground | 1 Siteground Security | 2024-11-21 | 8.1 High |
| The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on the 2FA back-up code implementation that logs users in upon success. This affects versions up to, and including, 1.2.5. | ||||
| CVE-2022-0878 | 1 Combined Charging System Project | 2 Combined Charging System, Combined Charging System Firmware | 2024-11-21 | 4.6 Medium |
| Electric Vehicle (EV) commonly utilises the Combined Charging System (CCS) for DC rapid charging. To exchange important messages such as the State of Charge (SoC) with the Electric Vehicle Supply Equipment (EVSE) CCS uses a high-bandwidth IP link provided by the HomePlug Green PHY (HPGP) power-line communication (PLC) technology. The attack interrupts necessary control communication between the vehicle and charger, causing charging sessions to abort. The attack can be conducted wirelessly from a distance using electromagnetic interference, allowing individual vehicles or entire fleets to be disrupted simultaneously. In addition, the attack can be mounted with off-the-shelf radio hardware and minimal technical knowledge. With a power budget of 1 W, the attack is successful from around 47 m distance. The exploited behavior is a required part of the HomePlug Green PHY, DIN 70121 & ISO 15118 standards and all known implementations exhibit it. In addition to electric cars, Brokenwire affects electric ships, airplanes and heavy duty vehicles utilising these standards. | ||||
| CVE-2022-0424 | 1 Supsystic | 1 Popup | 2024-11-21 | 5.3 Medium |
| The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users | ||||
| CVE-2022-0188 | 1 Niteothemes | 1 Cmp | 2024-11-21 | 5.3 Medium |
| The CMP WordPress plugin before 4.0.19 allows any user, even not logged in, to arbitrarily change the coming soon page layout. | ||||
| CVE-2022-0140 | 1 Vfbpro | 1 Visual Form Builder | 2024-11-21 | 5.3 Medium |
| The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint. | ||||
| CVE-2021-46384 | 1 Mingsoft | 1 Mcms | 2024-11-21 | 9.8 Critical |
| https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: RCE. The impact is: execute arbitrary code (remote). The attack vector is: ${"freemarker.template.utility.Execute"?new()("calc")}. ΒΆΒΆ MCMS has a pre-auth RCE vulnerability through which allows unauthenticated attacker with network access via http to compromise MCMS. Successful attacks of this vulnerability can result in takeover of MCMS. | ||||
| CVE-2021-46371 | 1 Antd-admin Project | 1 Antd-admin | 2024-11-21 | 7.5 High |
| antd-admin 5.5.0 is affected by an incorrect access control vulnerability. Unauthorized access to some interfaces in the foreground leads to leakage of sensitive information. | ||||
| CVE-2021-46009 | 1 Totolink | 2 A3100r, A3100r Firmware | 2024-11-21 | 9.8 Critical |
| In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies. | ||||
| CVE-2021-46006 | 1 Totolink | 2 A3100r, A3100r Firmware | 2024-11-21 | 6.5 Medium |
| In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated. Using this function, an attacker can configure multiple settings without authentication. | ||||
| CVE-2021-45878 | 1 Garo | 6 Wallbox Glb, Wallbox Glb Firmware, Wallbox Gtb and 3 more | 2024-11-21 | 9.1 Critical |
| Multiple versions of GARO Wallbox GLB/GTB/GTC are affected by incorrect access control. Lack of access control on the web manger pages allows any user to view and modify information. | ||||
| CVE-2021-45420 | 1 Emerson | 2 Dixell Xweb-500, Dixell Xweb-500 Firmware | 2024-11-21 | 9.8 Critical |
| Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerability in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi. An attacker will be able to write any file on the target system without any kind of authentication mechanism, and this can lead to denial of service and potentially remote code execution. Note: the product has not been supported since 2018 and should be removed or replaced | ||||
| CVE-2021-45232 | 1 Apache | 1 Apisix Dashboard | 2024-11-21 | 9.8 Critical |
| In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication. | ||||
| CVE-2021-44262 | 1 Netgear | 6 Mbr1517, Mbr1517 Firmware, Wac104 and 3 more | 2024-11-21 | 7.5 High |
| A vulnerability is in the 'MNU_top.htm' page of the Netgear W104, version WAC104-V1.0.4.13, which can allow a remote attacker to access this page without any authentication. When processed, it exposes some key information for the device. | ||||
| CVE-2021-44261 | 1 Netgear | 10 R6220, R6220 Firmware, R6900 and 7 more | 2024-11-21 | 5.3 Medium |
| A vulnerability is in the 'BRS_top.html' page of the Netgear W104, version WAC104-V1.0.4.13, which can allow a remote attacker to access this page without any authentication. When processed, it exposes firmware version information for the device. | ||||
| CVE-2021-44260 | 1 Wavlink | 2 Wl-wn531g3, Wl-wn531g3 Firmware | 2024-11-21 | 7.5 High |
| A vulnerability is in the 'live_mfg.html' page of the WAVLINK AC1200, version WAVLINK-A42W-1.27.6-20180418, which can allow a remote attacker to access this page without any authentication. When processed, it exposes some key information of the manager of router. | ||||
| CVE-2021-44259 | 1 Wavlink | 2 Wl-wn531g3, Wl-wn531g3 Firmware | 2024-11-21 | 9.8 Critical |
| A vulnerability is in the 'wx.html' page of the WAVLINK AC1200, version WAVLINK-A42W-1.27.6-20180418, which can allow a remote attacker to access this page without any authentication. When an unauthorized user accesses this page directly, it connects to this device as a friend of the device owner. | ||||
| CVE-2021-44255 | 2 Motioneye Project, Motioneyeos Project | 2 Motioneye, Motioneyeos | 2024-11-21 | 7.2 High |
| Authenticated remote code execution in MotionEye <= 0.42.1 and MotioneEyeOS <= 20200606 allows a remote attacker to upload a configuration backup file containing a malicious python pickle file which will execute arbitrary code on the server. | ||||
| CVE-2021-44222 | 1 Siemens | 1 Simatic Easie Core Package | 2024-11-21 | 9.1 Critical |
| A vulnerability has been identified in SIMATIC eaSie Core Package (All versions < V22.00). The underlying MQTT service of affected systems does not perform authentication in the default configuration. This could allow an unauthenticated remote attacker to send arbitrary messages to the service and thereby issue arbitrary requests in the affected system. | ||||
| CVE-2021-44152 | 1 Reprisesoftware | 1 Reprise License Manager | 2024-11-21 | 9.8 Critical |
| An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This allows an attacker to change the password of any known user, thereby preventing valid users from accessing the system and granting the attacker full access to that user's account. | ||||
| CVE-2021-43974 | 1 Sysaid | 1 Itil | 2024-11-21 | 5.3 Medium |
| An issue was discovered in SysAid ITIL 20.4.74 b10. The /enduserreg endpoint is used to register end users anonymously, but does not respect the server-side setting that determines if anonymous users are allowed to register new accounts. Configuring the server-side setting to disable anonymous user registration only hides the client-side registration form. An attacker can still post registration data to create new accounts without prior authentication. | ||||