Filtered by CWE-306
Total 1563 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-12371 2024-12-18 N/A
A device takeover vulnerability exists in the Rockwell Automation Power Monitor 1000. This vulnerability allows configuration of a new Policyholder user without any authentication via API. Policyholder user is the most privileged user that can perform edit operations, creating admin users and performing factory reset.
CVE-2024-51493 1 Octoprint 1 Octoprint 2024-12-18 5.3 Medium
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user's or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account's password. An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted. This vulnerability will be patched in version 1.10.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2021-26278 2024-12-17 6.3 Medium
The wifi module exposes the interface and has improper permission control, leaking sensitive information about the device.
CVE-2022-48496 1 Huawei 1 Emui 2024-12-17 7.5 High
Vulnerability of lax app identity verification in the pre-authorization function.Successful exploitation of this vulnerability will cause malicious apps to become pre-authorized.
CVE-2022-48494 1 Huawei 1 Emui 2024-12-17 7.5 High
Vulnerability of lax app identity verification in the pre-authorization function.Successful exploitation of this vulnerability will cause malicious apps to become pre-authorized.
CVE-2024-10205 2024-12-17 9.4 Critical
Authentication Bypass vulnerability in Hitachi Ops Center Analyzer on Linux, 64 bit (Hitachi Ops Center Analyzer detail view component), Hitachi Infrastructure Analytics Advisor on Linux, 64 bit (Hitachi Data Center Analytics component ).This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.3-00; Hitachi Infrastructure Analytics Advisor: from 2.1.0-00 through 4.4.0-00.
CVE-2020-12484 2024-12-17 6.4 Medium
When using special mode to connect to enterprise wifi, certain options are not properly configured and attackers can pretend to be enterprise wifi through a carefully constructed wifi with the same name, which can lead to man-in-the-middle attacks.
CVE-2021-26280 2024-12-17 7.9 High
Locally installed application can bypass the permission check and perform system operations that require permission.
CVE-2024-2450 1 Mattermost 2 Mattermost, Mattermost Server 2024-12-13 8.8 High
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.
CVE-2024-9164 1 Gitlab 1 Gitlab 2024-12-13 9.6 Critical
An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches.
CVE-2023-37265 1 Icewhale 2 Casaos, Casaos-gateway 2024-12-12 9.8 Critical
CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification an unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.
CVE-2024-26011 1 Fortinet 6 Fortimanager, Fortios, Fortipam and 3 more 2024-12-12 5.2 Medium
A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14, FortiPAM version 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.17, 2.0.0 through 2.0.14, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, FortiSwitchManager version 7.2.0 through 7.2.3, 7.0.0 through 7.0.3, FortiPortal version 6.0.0 through 6.0.14, FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15, 6.2.0 through 6.2.16, 6.0.0 through 6.0.18 allows attacker to execute unauthorized code or commands via specially crafted packets.
CVE-2024-33616 2024-12-10 5.3 Medium
Admin authentication can be bypassed with some specific invalid credentials, which allows logging in with an administrative privilege. Sharp Corporation states the telnet feature is implemented on older models only, and is planning to provide the firmware update to remove the feature. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].
CVE-2023-31411 1 Sick 1 Sick Eventcam App 2024-12-09 9.8 Critical
A remote unprivileged attacker can modify and access configuration settings on the EventCam App due to the absence of API authentication. The lack of authentication in the API allows the attacker to potentially compromise the functionality of the EventCam App.
CVE-2024-10774 1 Sick 2 Inspector61x Firmware, Inspector62x Firmware 2024-12-09 7.3 High
Unauthenticated CROWN APIs allow access to critical functions. This leads to the accessibility of large parts of the web application without authentication.
CVE-2024-10776 1 Sick 2 Inspector61x Firmware, Inspector62x Firmware 2024-12-09 8.2 High
Lua apps can be deployed, removed, started, reloaded or stopped without authorization via AppManager. This allows an attacker to remove legitimate apps creating a DoS attack, read and write files or load apps that use all features of the product available to a customer.
CVE-2022-48621 1 Huawei 2 Emui, Harmonyos 2024-12-06 6.3 Medium
Vulnerability of missing authentication for critical functions in the Wi-Fi module.Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2024-37303 1 Element-hq 1 Synapse 2024-12-03 5.3 Medium
Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.
CVE-2024-53701 2024-12-03 N/A
Multiple FCNT Android devices provide the original security features such as "privacy mode" where arbitrary applications can be set not to be displayed, etc. Under certain conditions, and when an attacker can directly operate the device which its screen is unlocked by a user, the provided security features' setting pages may be exposed and/or the settings may be altered, without authentication. For example, specific applications in the device configured to be hidden may be displayed and/or activated.
CVE-2018-0127 1 Cisco 4 Rv132w, Rv132w Firmware, Rv134w and 1 more 2024-12-02 9.8 Critical
A vulnerability in the web interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to view configuration parameters for an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to the absence of user authentication requirements for certain pages that are part of the web interface and contain confidential information for an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device and examining the HTTP response to the request. A successful exploit could allow the attacker to view configuration parameters, including the administrator password, for the affected device. Cisco Bug IDs: CSCvg92739, CSCvh60172.