Total: 3717 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2018-16886 | 3 Etcd, Fedoraproject, Redhat | 5 Etcd, Fedora, Enterprise Linux Desktop and 2 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH | etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.
CVE-2018-16877 | 6 Canonical, Clusterlabs, Debian and 3 more | 9 Ubuntu Linux, Pacemaker, Debian Linux and 6 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH | A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation.
CVE-2018-16738 | 3 Debian, Starwindsoftware, Tinc-vpn | 3 Debian Linux, Starwind Virtual San, Tinc | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW | tinc 1.0.30 through 1.0.34 has a broken authentication protocol, although there is a partial mitigation. This is fixed in 1.1.
CVE-2018-16737 | 2 Starwindsoftware, Tinc-vpn | 2 Starwind Virtual San, Tinc | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | tinc before 1.0.30 has a broken authentication protocol, without even a partial mitigation.
CVE-2018-16670 | 1 Circontrol | 1 Circarlife Scada | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is PLC status disclosure due to lack of authentication for /html/devstat.html.
CVE-2018-16668 | 1 Circontrol | 1 Circarlife Scada | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is internal installation path disclosure due to the lack of authentication for /html/repository.
CVE-2018-16590 | 1 Furuno | 4 Felcom 250, Felcom 250 Firmware, Felcom 500 and 1 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | FURUNO FELCOM 250 and 500 devices use only client-side JavaScript in login.js for authentication.
CVE-2018-16496 | 1 Versa-networks | 1 Versa Director | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | In Versa Director, an unauthenticated request was found.
CVE-2018-16467 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | A missing check in Nextcloud Server prior to 14.0.0 could give unauthorized access to the previews of single file password protected shares.
CVE-2018-16465 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM | Missing state in Nextcloud Server prior to 14.0.0 would not enforce the use of a second factor at login if the provider of the second factor failed to load.
CVE-2018-16464 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 3.5 LOW | 5.7 MEDIUM | A missing access check in Nextcloud Server prior to 14.0.0 could lead to continued access to password protected link shares when the owner had changed the password.
CVE-2018-16286 | 1 Lg | 1 Supersign Cms | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL | LG SuperSign CMS allows authentication bypass because the CAPTCHA requirement is skipped if a captcha:pass cookie is sent, and because the PIN is limited to four digits.
CVE-2018-16219 | 1 Audiocodes | 2 405hd, 405hd Firmware | 2024-11-21 | 3.3 LOW | 8.8 HIGH | A missing password verification in the web interface in AudioCodes 405HD VoIP phone with firmware 2.2.12 allows a remote attacker (in the same network as the device) to change the admin password without authentication via a POST request.
CVE-2018-16160 | 2 Ftsafe, Microsoft | 3 Securecore, Windows 8, Windows 8.1 | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH | SecureCore Standard Edition Version 2.x allows an attacker to bypass the product's authentication to log in to a Windows PC.
CVE-2018-15819 | 1 Easyio | 2 Easyio 30p, Easyio 30p Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | EasyIO EasyIO-30P devices before 2.0.5.27 have Incorrect Access Control, related to webuser.js.
CVE-2018-15751 | 1 Saltstack | 1 Salt | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).
CVE-2018-15727 | 2 Grafana, Redhat | 2 Grafana, Ceph Storage | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.
CVE-2018-15721 | 1 Logitech | 2 Harmony Hub, Harmony Hub Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The XMPP server in Logitech Harmony Hub before version 4.15.206 is vulnerable to authentication bypass via a crafted XMPP request. Remote attackers can use this vulnerability to gain access to the local API.
CVE-2018-15667 | 1 Airmailapp | 1 Airmail | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. It registers and uses the airmail:// URL scheme. The "send" command in the URL scheme allows an external application to send arbitrary emails from an active account without authentication. The handler has no restriction on who can use its functionality. The handler can be invoked using any method that invokes the URL handler, such as a hyperlink in an email. The user is not prompted when the handler processes the "send" command, thus leading to automatic transmission of an attacker-crafted email from the target account.
CVE-2018-15598 | 1 Traefik | 1 Traefik | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.