The communication module of the Mitsubishi Electric WS0-GETH00200 security controller is vulnerable due to the lack of authentication. This allows attackers to escalate their privileges and gain access to the device.
The vulnerability of the communication module for Mitsubishi Electric WS0-GETH00200 security controllers is related to the absence of authentication. Exploiting this vulnerability allows a malicious actor to remotely increase their privileges and gain access to the device via the TELNET network...
The vulnerability of microprogrammed software in logic controllers for building and facility control systems from Schneider Electric—such as spaceLYnk, Wiser for KNX (formerly homeLYnk), and FellerLYnk—is related to the lack of authentication for critical functions. This allows attackers to alter the configuration of the system.
The vulnerability of microprogramming software for logic controllers used in building and facility management systems from Schneider Electric, such as spaceLYnk, Wiser for KNX (formerly homeLYnk), and FellerLYnk, is related to the absence of authentication for critical functions. Exploiting this...
The vulnerability of the server-side components of WAGO’s programmable logic controllers, such as WAGO PFC100/PFC200, CC100, Edge Controller, as well as the WAGO Touch Panel 600, allows a malicious actor to record arbitrary data with root privileges.
The vulnerability of the server-side components of WAGO PFC100/PFC200, CC100, Edge Controller programmable logic controllers, and WAGO Touch Panel 600 sensor panels lies in the absence of authentication for critical functions. Exploiting this vulnerability allows an attacker to remotely record...
The vulnerability of the database server of the software solution for monitoring the status of B&R APROL industrial systems allows a hacker to read and modify configuration data.
The vulnerability of the database server of the B&R APROL software solution for monitoring the status of industrial systems is related to the absence of an authentication procedure. Exploiting this vulnerability allows a malicious actor to read and modify configuration data remotely...
CVE-2023-24526
SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on confidentiality of the data such that an unassigned user c...
CVE-2023-22803
LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication to perform critical functions to the PLC. This could allow an attacker to change the PLC's mode arbitrarily...
SUSE CVE-2008-4576
sctp in Linux kernel before 2.6.25.18 allows remote attackers to cause a denial of service (OOPS) via an INIT-ACK that states the peer does not support AUTH, which causes the sctp_process_init function to clean up active transports and triggers the OOPS when the T1-Init timer expires...
CVE-2022-48299
The WMS module lacks the authentication mechanism in some APIs. Successful exploitation of this vulnerability may affect data confidentiality...
plugin: Lack of authentication mechanism in Git Plugin webhook
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provides unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository...
CVE-2022-3841
RHACM: unauthenticated SSRF in console API endpoint. A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an...
The vulnerability of the Cisco Software-Defined Application Visibility and Control (SD-AVC) function in the centralized network management system, the Cisco Catalyst SD-WAN Manager, allows an intruder to gain unauthorized access to the system.
The vulnerability of the Cisco Software-Defined Application Visibility and Control (SD-AVC) function in the centralized network management system, Cisco Catalyst SD-WAN Manager, is related to the lack of authentication for this critical function. Exploiting this vulnerability could allow a maliciou...
CVE-2022-24190
The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The usertoken header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to acce...
Rdiffweb access control error vulnerability
Rdiffweb is a web application by Patrik Dufresne, an individual developer in the USA. It provides quick access to your archives through an efficient web interface. An access control error vulnerability exists in Rdiffweb versions prior to 2.5.0a6, which stems from a lack of authentication for critic...
CVE-2022-30515
ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration...
CVE-2022-41644
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lacks authentication for a function that changes group privileges. An attacker could use this to create a denial-of-service state or escalate their own privileges...
Password recovery vulnerability affects multiple SICK SIMs
SICK received a report about a vulnerability in multiple SICK SIM products. The vulnerability is classified as a "Missing Authentication for Critical Function" vulnerability and results from a mishandling of access to a password recovery mechanism. It is possible for an unprivileged, remote user ...
PT-2022-23329 · Siemens · Logo! 8 Bm
Name of the Vulnerable Software and Affected Versions: LOGO! 8 BM incl. SIPLUS variants versions prior to V8.3 Description: A vulnerability has been identified where affected devices load firmware updates without checking the authenticity. The integrity of the unencrypted firmware is only verifie...
Zephyr Project Manager < 3.2.55 - Unauthorised AJAX Calls To Stored XSS
The plugin does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks...
DEBIAN-CVE-2022-36640
influxData influxDB before v1.8.10 contains no authentication mechanism or controls, allowing unauthenticated attackers to execute arbitrary commands. NOTE: the CVE ID assignment is disputed because the vendor's documentation states "If InfluxDB is being deployed on a publicly accessible endpoint...
The implementation of the wchp/wchc command in Apache ZooKeeper, the centralized service for managing configuration information, naming, distributed synchronization, and providing group services, is vulnerable. This vulnerability stems from the lack of authentication for the critical function, allowing a malicious actor operating remotely to cause service failures.
The vulnerability of the wchp/wchc command implementation in the centralized service for managing configuration information, naming, distributed synchronization, and providing group services in Apache ZooKeeper is related to the lack of authentication for the critical function. Exploiting this...