Total
449 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-3103 | 1 Unitree | 2 A1, A1 Firmware | 2024-11-21 | 8 High |
| Authentication bypass vulnerability, the exploitation of which could allow a local attacker to perform a Man-in-the-Middle (MITM) attack on the robot's camera video stream. In addition, if a MITM attack is carried out, it is possible to consume the robot's resources, which could lead to a denial-of-service (DOS) condition. | ||||
| CVE-2023-37865 | 2024-11-21 | 5.3 Medium | ||
| Authentication Bypass by Spoofing vulnerability in IP2Location Download IP2Location Country Blocker allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Download IP2Location Country Blocker: from n/a through 2.29.1. | ||||
| CVE-2023-30950 | 1 Palantir | 1 Foundry Campaigns | 2024-11-21 | 6.5 Medium |
| The foundry campaigns service was found to be vulnerable to an unauthenticated information disclosure in a rest endpoint | ||||
| CVE-2023-30803 | 1 Sangfor | 1 Next-gen Application Firewall | 2024-11-21 | 9.8 Critical |
| The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can bypass authentication and access administrative functionality by sending HTTP requests using a crafted Y-forwarded-for header. | ||||
| CVE-2023-28803 | 1 Zscaler | 1 Client Connector | 2024-11-21 | 5.9 Medium |
| An authentication bypass by spoofing of a device with a synthetic IP address is possible in Zscaler Client Connector on Windows, allowing a functionality bypass. This issue affects Client Connector: before 3.9. | ||||
| CVE-2023-22474 | 1 Parseplatform | 1 Parse-server | 2024-11-21 | 8.7 High |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various features in Parse Server. This allows to circumvent the security mechanism of the Parse Server option `masterKeyIps` by setting an allowed IP address as the `x-forwarded-for` header value. This issue has been patched in version 5.4.1. The mechanism to determine the client IP address has been rewritten. The correct IP address determination now requires to set the Parse Server option `trustProxy`. | ||||
| CVE-2023-20246 | 2 Cisco, Snort | 3 Firepower Threat Defense, Ios Xe, Snort | 2024-11-21 | 5.8 Medium |
| Multiple Cisco products are affected by a vulnerability in Snort access control policies that could allow an unauthenticated, remote attacker to bypass the configured policies on an affected system. This vulnerability is due to a logic error that occurs when the access control policies are being populated. An attacker could exploit this vulnerability by establishing a connection to an affected device. A successful exploit could allow the attacker to bypass configured access control rules on the affected system. | ||||
| CVE-2023-20245 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2024-11-21 | 5.8 Medium |
| Multiple vulnerabilities in the per-user-override feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should be denied to flow through an affected device. These vulnerabilities are due to a logic error that could occur when the affected software constructs and applies per-user-override rules. An attacker could exploit these vulnerabilities by connecting to a network through an affected device that has a vulnerable configuration. A successful exploit could allow the attacker to bypass the interface ACL and access resources that would should be protected. | ||||
| CVE-2022-48513 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 9.8 Critical |
| Vulnerability of identity verification being bypassed in the Gallery module. Successful exploitation of this vulnerability may cause out-of-bounds access. | ||||
| CVE-2022-39227 | 1 Python-jwt Project | 1 Python-jwt | 2024-11-21 | 9.1 Critical |
| python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds. | ||||
| CVE-2022-38164 | 1 F-secure | 1 Safe | 2024-11-21 | 6.5 Medium |
| A vulnerability affecting F-Secure SAFE browser for Android and iOS was discovered. A maliciously crafted website could make a phishing attack with URL spoofing as the browser only display certain part of the entire URL. | ||||
| CVE-2022-37709 | 1 Tesla | 3 Model 3, Model 3 Firmware, Tesla | 2024-11-21 | 5.3 Medium |
| Tesla Model 3 V11.0(2022.4.5.1 6b701552d7a6) Tesla mobile app v4.23 is vulnerable to Authentication Bypass by spoofing. Tesla Model 3's Phone Key authentication is vulnerable to Man-in-the-middle attacks in the BLE channel. It allows attackers to open a door and drive the car away by leveraging access to a legitimate Phone Key. | ||||
| CVE-2022-35629 | 1 Rapid7 | 1 Velociraptor | 2024-11-21 | 5.4 Medium |
| Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, to send messages to the server claiming to come from another client ID. This issue was resolved in Velociraptor 0.6.5-2. | ||||
| CVE-2022-33991 | 1 Dproxy-nexgen Project | 1 Dproxy-nexgen | 2024-11-21 | 5.3 Medium |
| dproxy-nexgen (aka dproxy nexgen) forwards and caches DNS queries with the CD (aka checking disabled) bit set to 1. This leads to disabling of DNSSEC protection provided by upstream resolvers. | ||||
| CVE-2022-32983 | 1 Nic | 1 Knot Resolver | 2024-11-21 | 5.3 Medium |
| Knot Resolver through 5.5.1 may allow DNS cache poisoning when there is an attempt to limit forwarding actions by filters. | ||||
| CVE-2022-32744 | 1 Samba | 1 Samba | 2024-11-21 | 8.8 High |
| A flaw was found in Samba. The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change other users' passwords, enabling full domain takeover. | ||||
| CVE-2022-30319 | 1 Honeywell | 1 Saia Pg5 Controls Suite | 2024-11-21 | 8.1 High |
| Saia Burgess Controls (SBC) PCD through 2022-05-06 allows Authentication bypass. According to FSCT-2022-0062, there is a Saia Burgess Controls (SBC) PCD S-Bus authentication bypass issue. The affected components are characterized as: S-Bus (5050/UDP) authentication. The potential impact is: Authentication bypass. The Saia Burgess Controls (SBC) PCD controllers utilize the S-Bus protocol (5050/UDP) for a variety of engineering purposes. It is possible to configure a password in order to restrict access to sensitive engineering functionality. Authentication functions on the basis of a MAC/IP whitelist with inactivity timeout to which an authenticated client's MAC/IP is stored. UDP traffic can be spoofed to bypass the whitelist-based access control. Since UDP is stateless, an attacker capable of passively observing traffic can spoof arbitrary messages using the MAC/IP of an authenticated client. This allows the attacker access to sensitive engineering functionality such as uploading/downloading control logic and manipulating controller configuration. | ||||
| CVE-2022-2368 | 1 Microweber | 1 Microweber | 2024-11-21 | 6.5 Medium |
| Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20. | ||||
| CVE-2022-2324 | 1 Sonicwall | 1 Email Security | 2024-11-21 | 7.5 High |
| Improperly Implemented Security Check vulnerability in the SonicWall Hosted Email Security leads to bypass of Capture ATP security service in the appliance. This vulnerability impacts 10.0.17.7319 and earlier versions | ||||
| CVE-2022-2310 | 1 Skyhighsecurity | 1 Secure Web Gateway | 2024-11-21 | 10 Critical |
| An authentication bypass vulnerability in Skyhigh SWG in main releases 10.x prior to 10.2.12, 9.x prior to 9.2.23, 8.x prior to 8.2.28, and controlled release 11.x prior to 11.2.1 allows a remote attacker to bypass authentication into the administration User Interface. This is possible because of SWG incorrectly whitelisting authentication bypass methods and using a weak crypto password. This can lead to the attacker logging into the SWG admin interface, without valid credentials, as the super user with complete control over the SWG. | ||||