Vulnerabilities (CVE)

Filtered by CWE-306
Total 1450 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-21986 1 Vmware 2 Cloud Foundation, Vcenter Server 2024-11-21 10.0 HIGH 9.8 CRITICAL
The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication.
CVE-2021-21964 1 Sealevel 2 Seaconnect 370w, Seaconnect 370w Firmware 2024-11-21 7.1 HIGH 7.4 HIGH
A denial of service vulnerability exists in the Modbus configuration functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. Specially-crafted network packets can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.
CVE-2021-21535 1 Dell 1 Hybrid Client 2024-11-21 7.2 HIGH 7.4 HIGH
Dell Hybrid Client versions prior to 1.5 contain a missing authentication for a critical function vulnerability. A local unauthenticated attacker may exploit this vulnerability in order to gain root level access to the system.
CVE-2021-21472 1 Sap 1 Software Provisioning Manager 2024-11-21 6.5 MEDIUM 8.8 HIGH
SAP Software Provisioning Manager 1.0 (SAP NetWeaver Master Data Management Server 7.1) does not have an option to set password during its installation, this allows an authenticated attacker to perform various security attacks like Directory Traversal, Password Brute force Attack, SMB Relay attack, Security Downgrade.
CVE-2021-20998 1 Wago 10 0852-0303, 0852-0303 Firmware, 0852-1305 and 7 more 2024-11-21 7.5 HIGH 10.0 CRITICAL
In multiple managed switches by WAGO in different versions without authorization and with specially crafted packets it is possible to create users.
CVE-2021-20990 1 Fibaro 4 Home Center 2, Home Center 2 Firmware, Home Center Lite and 1 more 2024-11-21 7.8 HIGH 7.5 HIGH
In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.
CVE-2021-20697 1 Dlink 2 Dap-1880ac, Dap-1880ac Firmware 2024-11-21 7.5 HIGH 9.8 CRITICAL
Missing authentication for critical function in DAP-1880AC firmware version 1.21 and earlier allows a remote attacker to login to the device as an authenticated user without the access privilege via unspecified vectors.
CVE-2021-20662 1 Contec 2 Sv-cpt-mc310, Sv-cpt-mc310 Firmware 2024-11-21 5.0 MEDIUM 7.5 HIGH
Missing authentication for critical function in SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an attacker to alter the setting information without the access privileges via unspecified vectors.
CVE-2021-20474 1 Ibm 1 Guardium Data Encryption 2024-11-21 5.0 MEDIUM 7.5 HIGH
IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CVE-2021-20262 1 Redhat 2 Keycloak, Single Sign-on 2024-11-21 4.6 MEDIUM 6.8 MEDIUM
A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user’s browser. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2021-20238 1 Redhat 2 Openshift Container Platform, Openshift Machine-config-operator 2024-11-21 4.3 MEDIUM 3.7 LOW
It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication. The MCS endpoint (port 22623) provides ignition configuration used for bootstrapping Nodes and can include some sensitive data, e.g. registry pull secrets. There are two scenarios where this data can be accessed. The first is on Baremetal, OpenStack, Ovirt, Vsphere and KubeVirt deployments which do not have a separate internal API endpoint and allow access from outside the cluster to port 22623 from the standard OpenShift API Virtual IP address. The second is on cloud deployments when using unsupported network plugins, which do not create iptables rules that prevent to port 22623. In this scenario, the ignition config is exposed to all pods within the cluster and cannot be accessed externally.
CVE-2021-20198 1 Redhat 1 Openshift Installer 2024-11-21 6.8 MEDIUM 8.1 HIGH
A flaw was found in the OpenShift Installer before version v0.9.0-master.0.20210125200451-95101da940b0. During installation of OpenShift Container Platform 4 clusters, bootstrap nodes are provisioned with anonymous authentication enabled on kubelet port 10250. A remote attacker able to reach this port during installation can make unauthenticated `/exec` requests to execute arbitrary commands within running containers. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2021-20161 1 Trendnet 2 Tew-827dru, Tew-827dru Firmware 2024-11-21 7.2 HIGH 6.8 MEDIUM
Trendnet AC2600 TEW-827DRU version 2.08B01 does not have sufficient protections for the UART functionality. A malicious actor with physical access to the device is able to connect to the UART port via a serial connection. No username or password is required and the user is given a root shell with full control of the device.
CVE-2021-20158 1 Trendnet 2 Tew-827dru, Tew-827dru Firmware 2024-11-21 7.5 HIGH 9.8 CRITICAL
Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicous actor to force the change of the admin password due to a hidden administrative command.
CVE-2021-20152 1 Trendnet 2 Tew-827dru, Tew-827dru Firmware 2024-11-21 5.8 MEDIUM 6.5 MEDIUM
Trendnet AC2600 TEW-827DRU version 2.08B01 lacks proper authentication to the bittorrent functionality. If enabled, anyone is able to visit and modify settings and files via the Bittorent web client by visiting: http://192.168.10.1:9091/transmission/web/
CVE-2021-20150 1 Trendnet 2 Tew-827dru, Tew-827dru Firmware 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authentication can be bypassed and a user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page.
CVE-2021-20136 1 Zohocorp 1 Manageengine Log360 2024-11-21 7.5 HIGH 9.8 CRITICAL
ManageEngine Log360 Builds < 5235 are affected by an improper access control vulnerability allowing database configuration overwrite. An unauthenticated remote attacker can send a specially crafted message to Log360 to change its backend database to an attacker-controlled database and to force Log360 to restart. An attacker can leverage this vulnerability to achieve remote code execution by replacing files executed by Log360 on startup.
CVE-2021-20107 1 Sloan 142 Basys Efx-100, Basys Efx-100 Firmware, Basys Efx-150 and 139 more 2024-11-21 4.8 MEDIUM 5.4 MEDIUM
There exists an unauthenticated BLE Interface in Sloan SmartFaucets including Optima EAF, Optima ETF/EBF, BASYS EFX, and Flushometers including SOLIS. The vulnerability allows for unauthenticated kinetic effects and information disclosure on the faucets. It is possible to use the Bluetooth Low Energy (BLE) connectivity to read and write to many BLE characteristics on the device. Some of these control the flow of water, the sensitivity of the sensors, and information about maintenance.
CVE-2021-20067 1 Racom 2 M\!dge, M\!dge Firmware 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to view sensitive syslog events without authentication.
CVE-2021-1499 1 Cisco 8 Hyperflex Hx220c Af M5, Hyperflex Hx220c All Nvme M5, Hyperflex Hx220c Edge M5 and 5 more 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user.