Total
3838 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-17431 | 1 Comodo | 1 Unified Threat Management Firewall | 2024-11-21 | 9.8 Critical |
| Web Console in Comodo UTM Firewall before 2.7.0 allows remote attackers to execute arbitrary code without authentication via a crafted URL. | ||||
| CVE-2018-17341 | 2 Bigtreecms, Microsoft | 2 Bigtree Cms, Windows | 2024-11-21 | N/A |
| BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a ..\ substring, as demonstrated by a launch.php?bigtree_htaccess_url=admin/images/..\ URI. | ||||
| CVE-2018-17213 | 1 Printeron | 1 Central Print Services | 2024-11-21 | N/A |
| An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. A user without valid credentials can bypass the authentication process, obtaining a valid session cookie with guest/pseudo-guest level privileges. This cookie can then be further used to perform other attacks. | ||||
| CVE-2018-17153 | 1 Western Digital | 21 My Cloud Dl2100, My Cloud Dl4100, My Cloud Dl4100 Firmware and 18 more | 2024-11-21 | N/A |
| It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie. | ||||
| CVE-2018-16947 | 2 Debian, Openafs | 2 Debian Linux, Openafs | 2024-11-21 | N/A |
| An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. The backup tape controller (butc) process accepts incoming RPCs but does not require (or allow for) authentication of those RPCs. Handling those RPCs results in operations being performed with administrator credentials, including dumping/restoring volume contents and manipulating the backup database. For example, an unauthenticated attacker can replace any volume's content with arbitrary data. | ||||
| CVE-2018-16886 | 3 Etcd, Fedoraproject, Redhat | 6 Etcd, Fedora, Enterprise Linux Desktop and 3 more | 2024-11-21 | 8.1 High |
| etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway. | ||||
| CVE-2018-16877 | 6 Canonical, Clusterlabs, Debian and 3 more | 9 Ubuntu Linux, Pacemaker, Debian Linux and 6 more | 2024-11-21 | 7.8 High |
| A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation. | ||||
| CVE-2018-16738 | 3 Debian, Starwindsoftware, Tinc-vpn | 3 Debian Linux, Starwind Virtual San, Tinc | 2024-11-21 | 3.7 Low |
| tinc 1.0.30 through 1.0.34 has a broken authentication protocol, although there is a partial mitigation. This is fixed in 1.1. | ||||
| CVE-2018-16737 | 2 Starwindsoftware, Tinc-vpn | 2 Starwind Virtual San, Tinc | 2024-11-21 | 5.3 Medium |
| tinc before 1.0.30 has a broken authentication protocol, without even a partial mitigation. | ||||
| CVE-2018-16670 | 1 Circontrol | 1 Circarlife Scada | 2024-11-21 | N/A |
| An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is PLC status disclosure due to lack of authentication for /html/devstat.html. | ||||
| CVE-2018-16668 | 1 Circontrol | 1 Circarlife Scada | 2024-11-21 | 5.3 Medium |
| An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is internal installation path disclosure due to the lack of authentication for /html/repository. | ||||
| CVE-2018-16590 | 1 Furuno | 4 Felcom 250, Felcom 250 Firmware, Felcom 500 and 1 more | 2024-11-21 | N/A |
| FURUNO FELCOM 250 and 500 devices use only client-side JavaScript in login.js for authentication. | ||||
| CVE-2018-16496 | 1 Versa-networks | 1 Versa Director | 2024-11-21 | 5.3 Medium |
| In Versa Director, the un-authentication request found. | ||||
| CVE-2018-16467 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | N/A |
| A missing check in Nextcloud Server prior to 14.0.0 could give unauthorized access to the previews of single file password protected shares. | ||||
| CVE-2018-16465 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | N/A |
| Missing state in Nextcloud Server prior to 14.0.0 would not enforce the use of a second factor at login if the the provider of the second factor failed to load. | ||||
| CVE-2018-16464 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | N/A |
| A missing access check in Nextcloud Server prior to 14.0.0 could lead to continued access to password protected link shares when the owner had changed the password. | ||||
| CVE-2018-16286 | 1 Lg | 1 Supersign Cms | 2024-11-21 | N/A |
| LG SuperSign CMS allows authentication bypass because the CAPTCHA requirement is skipped if a captcha:pass cookie is sent, and because the PIN is limited to four digits. | ||||
| CVE-2018-16219 | 1 Audiocodes | 2 405hd, 405hd Firmware | 2024-11-21 | N/A |
| A missing password verification in the web interface in AudioCodes 405HD VoIP phone with firmware 2.2.12 allows an remote attacker (in the same network as the device) to change the admin password without authentication via a POST request. | ||||
| CVE-2018-16160 | 2 Ftsafe, Microsoft | 3 Securecore, Windows 8, Windows 8.1 | 2024-11-21 | N/A |
| SecureCore Standard Edition Version 2.x allows an attacker to bypass the product 's authentication to log in to a Windows PC. | ||||
| CVE-2018-16152 | 3 Canonical, Debian, Strongswan | 3 Ubuntu Linux, Debian Linux, Strongswan | 2024-11-21 | N/A |
| In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data in the digestAlgorithm.parameters field during PKCS#1 v1.5 signature verification. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation when only an RSA signature is used for IKEv2 authentication. This is a variant of CVE-2006-4790 and CVE-2014-1568. | ||||