
1855 matches found

Source: OSV · added 2020/12/08 9:15 p.m.

CVE-2020-27902

An authentication issue was addressed with improved state management. This issue is fixed in iOS 14.2 and iPadOS 14.2. A person with physical access to an iOS device may be able to access stored passwords without authentication...

CVSS 4.6 · AI score 6.3 · EPSS 0.00316 · Exploits 0 · References 1
Source: CVE · added 2020/12/08 8:08 p.m.

CVE-2020-27902

CVE-2020-27902 is an Apple iOS/iPadOS vulnerability describing an authentication issue where a user with physical access could access stored passwords without authentication. Apple fixed this issue in iOS 14.2 and iPadOS 14.2 by improving state management. The CVE appears under Keyboard in the Ap...

CVSS 4.6 · AI score 4.1 · EPSS 0.00316 · Exploits 0 · References 1 · Affected Software 2
Source: CVE · added 2020/11/06 6:15 a.m.

CVE-2020-28250

CVE-2020-28250 affects Cellinx NVT Web Server 5.0.0.014b.test (2019-09-05). The vulnerability allows a remote user to run commands as root via SetFileContent.cgi because authentication is performed on the client side. Exploitation details are not provided in the documents; no patch/version remedi...

CVSS 10 · AI score 9.5 · EPSS 0.02852 · Exploits 1 · References 1 · Affected Software 1
Source: SonicWall · added 2020/10/22 7:56 p.m.

A vulnerability in the SonicWall Capture Security Center was allowing access to the managed firewall without authentication

A vulnerability in the SonicWall Capture Security Center - Cloud Security Management Service allowed users to access managed firewalls without authentication. This issue has been resolved and a security patch has been pushed out to all affected Capture Security Center - Management and...

CVSS 9.9 · AI score 7.1 · Exploits 0
Source: CVE · added 2020/09/11 2:20 a.m.

CVE-2020-25251

CVE-2020-25251 affects Hyland OnBase prior to specific build revisions (16.0.2.83 and below; 17.0.2.109 and below; 18.0.0.37 and below; 19.8.16.1000 and below; 20.3.10.1000 and below). The issue stems from client-side authentication used for critical functions (e.g., adding users or retrieving se...

CVSS 9.1 · AI score 9.3 · EPSS 0.01216 · Exploits 0 · References 1 · Affected Software 1
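The Cellinx NVT (CVE-2020-28250) and Hyland OnBase (CVE-2020-25251) entries above share one root cause: a privileged server operation trusts that the client already performed authentication. The following is an added example, not code from Cellinx, Hyland or any of the sources listed here; it is a hypothetical Python model of that pattern beside a server-side check. The endpoint name, the token layout, the credential store and the server key are all assumptions constructed for the example.

```python
"""Added example, not Cellinx or Hyland code: why authentication that is
enforced only on the client side is equivalent to no authentication.

vulnerable_dispatch() believes a flag the client sets; hardened_dispatch()
verifies a server-signed token and the role it carries before running the
critical function (a stand-in for something like SetFileContent.cgi).
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical server secret (constructed for the example; a real server would
# load it from protected storage, not embed it in source).
SERVER_KEY = b"constructed-example-key-not-for-production"

# Constructed credential store: username -> (password, role).
USERS = {
    "admin": ("correct horse battery staple", "admin"),
    "viewer": ("viewer-pass", "viewer"),
}


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the token payload, keyed with the server secret."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def login(username: str, password: str) -> Optional[str]:
    """Issue a signed token only after a server-side credential check.

    Token layout: "<role>.<random>.<hmac>".  Omitted for brevity: expiry and
    revocation, which a production session token also needs.
    """
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
        return None
    payload = f"{record[1]}.{secrets.token_hex(8)}"
    return f"{payload}.{_sign(payload)}"


def set_file_content(path: str, content: str) -> str:
    """Stand-in for the critical function (e.g. writing a file as root)."""
    return f"wrote {len(content)} bytes to {path}"


def vulnerable_dispatch(params: Dict[str, str]) -> str:
    """Vulnerable pattern: the only gate is a parameter the client controls.

    A login page's JavaScript may only send authenticated=1 after checking a
    password, but an attacker skips the page and sends the parameter directly.
    """
    if params.get("authenticated") != "1":
        return "403 login required"
    return set_file_content(params["path"], params["content"])


def hardened_dispatch(params: Dict[str, str], token: Optional[str]) -> str:
    """Hardened pattern: the server re-verifies a token it issued, and the
    role inside it, on every call to the critical function."""
    if not token:
        return "401 unauthenticated"
    payload, _, sig = token.rpartition(".")
    if not payload or not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return "401 invalid token"
    role = payload.split(".", 1)[0]
    if role != "admin":
        return "403 insufficient role"
    return set_file_content(params["path"], params["content"])


def demo() -> Dict[str, str]:
    """Run the same attacker request through both dispatchers."""
    attacker_req = {"authenticated": "1", "path": "/etc/passwd", "content": "pwned"}
    results = {
        "vulnerable_attacker": vulnerable_dispatch(attacker_req),
        "hardened_no_token": hardened_dispatch(attacker_req, None),
        # Attacker guesses the token layout and claims the admin role.
        "hardened_forged": hardened_dispatch(attacker_req, "admin.deadbeef.0000"),
    }
    results["hardened_admin"] = hardened_dispatch(
        attacker_req, login("admin", "correct horse battery staple"))
    results["hardened_viewer"] = hardened_dispatch(
        attacker_req, login("viewer", "viewer-pass"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point is where the decision is made: in the vulnerable path the server's only evidence is a value the attacker typed, while the hardened path keys every privileged call on something only the server could have produced. A real deployment would use an established session framework rather than a hand-rolled token, but the placement of the check is the same.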
Source: Vulnrichment · added 2020/09/02 3:33 p.m.

CVE-2020-25079

An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. cgi-bin/ddnsenc.cgi allows authenticated command injection...

AI score 7.6 · EPSS 0.52717 · Exploits 1 · References 2
Source: NVD · added 2020/07/20 6:15 p.m.

CVE-2020-6871

The server management software module of ZTE has an authentication issue vulnerability, which allows users to bypass the server's authentication and execute some commands reserved for high-privilege users. This affects:...

CVSS 9.8 · AI score 9.8 · EPSS 0.01678 · Exploits 0 · References 1
Source: CVE · added 2020/07/20 5:02 p.m.

CVE-2020-6871

CVE-2020-6871 concerns a ZTE server management software module with an authentication bypass that lets an attacker skip server authentication and execute commands with high-level privileges. The vulnerability affects multiple ZTE router/server models (e.g., R5300G4V03.x, R8500G4V03.x, R5500G4V03....

CVSS 9.8 · AI score 9.6 · EPSS 0.01678 · Exploits 0 · References 1 · Affected Software 1
Source: Cvelist · added 2020/07/20 5:02 p.m.

CVE-2020-6871

The server management software module of ZTE has an authentication issue vulnerability, which allows users to bypass the server's authentication and execute some commands reserved for high-privilege users. This affects:...

AI score 9.8 · EPSS 0.01678 · Exploits 0 · References 1
Source: Cvelist · added 2020/07/15 2:19 a.m.

CVE-2020-14501

Advantech iView, versions 5.6 and prior, has a missing authentication for critical function (CWE-306) issue. Successful exploitation of this vulnerability may allow an attacker to obtain the contents of the user table, including the administrator credentials in plain text. An attacker may also...

AI score 9.5 · EPSS 0.017 · Exploits 0 · References 2
Source: Positive Technologies · added 2020/07/14 12:00 a.m.

PT-2020-5955 · Sap · Sap Netweaver As Java

Name of the Vulnerable Software and Affected Versions: SAP NetWeaver AS JAVA LM Configuration Wizard versions 7.30 through 7.50 Description: The vulnerability is related to missing authentication for critical functions in the SAP NetWeaver Java Application Server. This issue allows an attacker to...

CVSS 10 · AI score 9.7 · EPSS 0.94719 · Exploits 6 · References 33
Source: CNVD · added 2020/07/03 12:00 a.m.

Red Hat Keycloak Cross-Site Scripting Vulnerability (CNVD-2021-17784)

Red Hat Keycloak is an identity and access management product from Red Hat, Inc. that provides authentication and management capabilities for modern applications and services. A cross-site scripting vulnerability exists in Red Hat Keycloak. The vulnerability stems from a lack of proper validation of client-side da...

CVSS 6.1 · AI score 6.2 · EPSS 0.00931 · Exploits 0 · References 1
Source: Positive Technologies · added 2020/06/23 12:00 a.m.

PT-2020-20691

Name of the Vulnerable Software and Affected Versions: Apache Spark versions 2.4.5 and earlier. Description: A specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key, when authentication is enabled via a shared secret...

CVSS 10 · AI score 8.3 · EPSS 0.29157 · Exploits 0 · References 24
Source: OSV · added 2020/06/15 7:54 a.m.

MGASA-2020-0260 Updated networkmanager packages fix security vulnerability

It was found that nmcli, a command line interface to NetworkManager, did not honour the 802-1x.ca-path and 802-1x.phase2-ca-path settings when creating a new profile. When a user connects to a network using such a profile, the configured CA is not used to validate the 802.1X server's certificate, so the authentication does not happen as intended and the connection is made insecurely...

CVSS 4.3 · AI score 4.9 · EPSS 0.00983 · Exploits 0 · References 6
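A profile created with the CA setting silently dropped looks identical to a working one until someone inspects it. The following is an added example, not NetworkManager or Mageia code: a Python audit over NetworkManager keyfile profiles (the .nmconnection format) that flags the condition the advisory describes, an 802.1X profile with no CA anchor, plus two related weak settings. The [802-1x] property names used (ca-cert, ca-path, system-ca-certs, domain-suffix-match, subject-match, phase2-autheap, phase2-ca-cert, phase2-ca-path) are NetworkManager's own; the two profiles, their ids and paths are constructed for the example.

```python
"""Added example, not NetworkManager or Mageia code: audit NetworkManager
keyfile profiles for 802.1X connections whose server certificate is never
validated because no CA is configured.
"""
import configparser
from typing import List

# Constructed profile: PEAP/MSCHAPv2 with no CA, the shape nmcli produced
# when it ignored 802-1x.ca-path.
INSECURE_PROFILE = """\
[connection]
id=corp-wifi-broken
type=wifi

[wifi]
ssid=Corp
mode=infrastructure

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
"""

# Constructed profile: same network with a CA anchor and a name constraint.
SECURE_PROFILE = """\
[connection]
id=corp-wifi
type=wifi

[wifi]
ssid=Corp
mode=infrastructure

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
ca-cert=/etc/ssl/certs/corp-ca.pem
domain-suffix-match=radius.corp.example
"""


def audit_keyfile(text: str) -> List[str]:
    """Return findings for one keyfile; an empty list means nothing flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings: List[str] = []
    if not cp.has_section("802-1x"):
        return findings  # not an 802.1X profile, nothing to check
    name = cp.get("connection", "id", fallback="<unnamed>")
    sec = cp["802-1x"]
    # Phase 1: the outer TLS tunnel (PEAP/TTLS/TLS) must be anchored to a CA,
    # either an explicit file/directory or the system CA store.
    phase1_anchored = bool(
        sec.get("ca-cert") or sec.get("ca-path")
        or sec.get("system-ca-certs", "false").lower() == "true")
    if not phase1_anchored:
        findings.append(f"{name}: no ca-cert/ca-path/system-ca-certs; "
                        "server certificate is not validated (MITM possible)")
    elif not (sec.get("domain-suffix-match") or sec.get("subject-match")):
        findings.append(f"{name}: CA configured but no domain-suffix-match; "
                        "any server certificate from that CA is accepted")
    # Phase 2: an inner EAP-TLS method needs its own anchor.
    if sec.get("phase2-autheap", "").lower() == "tls" and not (
            sec.get("phase2-ca-cert") or sec.get("phase2-ca-path")):
        findings.append(f"{name}: phase2 EAP-TLS without "
                        "phase2-ca-cert/phase2-ca-path")
    return findings


if __name__ == "__main__":
    for profile in (INSECURE_PROFILE, SECURE_PROFILE):
        for finding in audit_keyfile(profile) or ["ok"]:
            print(finding)
```

To run it against a live system, read each file under /etc/NetworkManager/system-connections/ (root-only, since profiles may contain secrets) and pass its contents to audit_keyfile(). The domain-suffix-match check is stricter than the advisory requires, but without it a CA anchor alone still accepts any server certificate that CA has issued.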
Source: Prion · added 2020/05/04 2:15 p.m.

Default credentials

The OKLOK 3.1.1 mobile companion app for Fingerprint Bluetooth Padlock FB50 2.3 allows remote attackers to submit API requests using authenticated but unauthorized tokens, resulting in IDOR issues. A remote attacker can use their own token to make unauthorized API requests on behalf of arbitrary...

CVSS 4 · AI score 6.5 · EPSS 0.01022 · Exploits 1 · References 1 · Affected Software 1
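The OKLOK entry above is the textbook IDOR: the token is genuine, so authentication passes, but nothing ties the token's owner to the lock named in the request. The following is an added example, not OKLOK code: a hypothetical Python API that shows the authenticated-but-unauthorized handler next to one with an object-level ownership check, and a detector that scans access-log lines for the enumeration pattern such bugs produce. The tokens, lock ids, endpoint path and log lines are all constructed for the example.

```python
"""Added example, not OKLOK code: a valid token is not an authorized request.

vulnerable_unlock() only authenticates; authorized_unlock() also checks that
the caller owns the lock. detect_enumeration() looks for one token sweeping
many lock ids in (constructed) access logs.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed fixtures: server-issued tokens and lock ownership.
TOKENS: Dict[str, str] = {"tok-alice": "alice", "tok-mallory": "mallory"}
LOCK_OWNERS: Dict[str, str] = {"lock-1001": "alice", "lock-1002": "mallory"}


def authenticate(token: str) -> Optional[str]:
    """Authentication only: which user does this token belong to?"""
    return TOKENS.get(token)


def vulnerable_unlock(token: str, lock_id: str) -> str:
    """Authenticated but not authorized: any valid token opens any lock."""
    user = authenticate(token)
    if user is None:
        return "401 unauthenticated"
    if lock_id not in LOCK_OWNERS:
        return "404 not found"
    return f"200 unlocked {lock_id}"


def authorized_unlock(token: str, lock_id: str) -> str:
    """Object-level authorization: the caller must own the requested lock."""
    user = authenticate(token)
    if user is None:
        return "401 unauthenticated"
    # Same 404 for "no such lock" and "not yours", so the API does not confirm
    # which lock ids exist to a caller who cannot use them.
    if LOCK_OWNERS.get(lock_id) != user:
        return "404 not found"
    return f"200 unlocked {lock_id}"


# Constructed access-log lines (not real OKLOK logs): token, method, path, status.
ACCESS_LOG = """\
tok-alice   POST /api/lock/lock-1001/unlock 200
tok-mallory POST /api/lock/lock-1002/unlock 200
tok-mallory POST /api/lock/lock-1001/unlock 200
tok-mallory POST /api/lock/lock-1003/unlock 200
tok-mallory POST /api/lock/lock-1004/unlock 404
tok-mallory POST /api/lock/lock-1005/unlock 200
"""
LOG_RE = re.compile(r"^(\S+)\s+\S+\s+/api/lock/(lock-\d+)/unlock\s+(\d{3})$")


def detect_enumeration(log_text: str, threshold: int = 3) -> Dict[str, List[str]]:
    """Flag tokens that requested at least `threshold` distinct lock ids.

    A legitimate user touches the few locks they own; one token sweeping many
    ids (failed probes included) is the signature of IDOR probing.
    Returns {token: sorted lock ids} for flagged tokens only.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            token, lock_id, _status = m.groups()
            seen[token].add(lock_id)
    return {t: sorted(ids) for t, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(vulnerable_unlock("tok-mallory", "lock-1001"))
    print(authorized_unlock("tok-mallory", "lock-1001"))
    print(detect_enumeration(ACCESS_LOG))
```

The detector is deliberately simple; in practice the threshold should be tuned to how many devices one account normally holds, and the same idea extends to any endpoint that takes an object id in the path.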
Source: CNVD · added 2020/04/28 12:00 a.m.

Fortinet FortiMail and FortiVoice Enterprise Authorization Issues Vulnerability

Fortinet FortiMail and FortiVoice Enterprise are both products of the U.S. company Fortinet, Inc. FortiMail is an email security gateway product that provides email security and data protection. FortiVoice Enterprise is an enterprise...

CVSS 9.8 · AI score 7 · EPSS 0.77778 · Exploits 2 · References 1
Source: Prion · added 2020/04/09 6:15 p.m.

Improper access control

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster to gain improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates, ar...

CVSS 4 · AI score 6.4 · EPSS 0.00668 · Exploits 0 · References 1 · Affected Software 1
Source: CNVD · added 2020/04/07 12:00 a.m.

Red Hat Keycloak Security Feature Issue Vulnerability

Red Hat Keycloak is an identity and access management product from Red Hat, Inc. that provides authentication and management capabilities for modern applications and services. A security signature issue vulnerability exists in all versions of Red Hat Keycloak. The vulnerability stems from a lack of security measures such...

CVSS 5.8 · AI score 7.2 · EPSS 0.00764 · Exploits 0
Source: RedHat Linux · added 2020/03/31 7:38 p.m.

httpd: Out of bounds write in mod_authnz_ldap when using too small Accept-Language values

In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset...

CVSS 7.5 · AI score 7.2 · EPSS 0.18197 · Exploits 0 · References 5
Source: Prion · added 2020/03/18 1:15 a.m.

Design/Logic Flaw

Trend Micro Apex One 2019, OfficeScan XG and Worry-Free Business Security 9.0, 9.5, 10.0 server contains a vulnerable service DLL file that could allow an attacker to delete any file on the server with SYSTEM level privileges. Authentication is not required to exploit this vulnerability...

CVSS 9.4 · AI score 7.5 · EPSS 0.04472 · Exploits 0 · References 4 · Affected Software 3