Path traversal
Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in cgi component in Synology DNS Server before 2.2.2-5027 allows remote authenticated users to delete arbitrary files via unspecified vectors...
CVE-2022-22686
Cross-Site Request Forgery (CSRF) vulnerability in webapi component in Synology Calendar before 2.3.4-0631 allows remote authenticated users to hijack the authentication of administrators via unspecified vectors...
CVE-2022-26136
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first- and third-party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and...
CVE-2022-22360
IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SaaS 22.2 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability, which could result in granting permission to unauthorized resources...
CVE-2022-27661
Operation restriction bypass vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Workflow...
CVE-2022-26368
CVE-2022-26368 is a vulnerability in Cybozu Garoon's Cabinet component (versions 4.0.0 to 5.5.1) described as a browse restriction bypass and operation restriction bypass (CWE-285). The issue allows a remote authenticated attacker to alter and/or obtain data stored in Cabinet. It is associated wi...
PT-2022-18558 · Cybozu · Cybozu Garoon
Name of the Vulnerable Software and Affected Versions: Cybozu Garoon versions 4.0.0 through 5.5.1 Description: The issue allows a remote authenticated attacker to bypass operation restrictions in the Workflow of Cybozu Garoon and alter the data of Workflow. Recommendations: For Cybozu Garoon...
CVE-2022-28620
A remote authentication bypass vulnerability was discovered in HPE Cray Legacy Shasta System Solutions; HPE Slingshot; and HPE Cray EX supercomputers versions: Prior to node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware...
CVE-2022-28620
CVE-2022-28620 is a remote authentication bypass affecting HPE Cray Legacy Shasta System Solutions, HPE Slingshot, and HPE Cray EX supercomputers. Affected firmware/versions include: node controller firmware for HPE Cray EX liquid-cooled blades; chassis controller firmware in HPE Cray EX liquid-c...
Default credentials
In multiple CODESYS products, file download and upload function allows access to internal files in the working directory e.g. firmware files of the PLC. All requests are processed on the controller only if no level 1 password is configured on the controller or if remote attacker has previously...
PT-2022-19108 · Hewlett Packard · Hpe Cray Ex Supercomputers +2
Name of the Vulnerable Software and Affected Versions: HPE Cray Legacy Shasta System Solutions versions prior to node controller firmware associated with HPE Cray EX liquid cooled blades; HPE Slingshot versions prior to 1.7.2; HPE Cray EX supercomputers versions prior to 1.6.27/1.5.33/1.4.27...
CVE-2022-26041
Directory traversal vulnerability in RCCMD 4.26 and earlier allows a remote authenticated attacker with an administrative privilege to read or alter an arbitrary file on the server via unspecified vectors...
CVE-2017-20039
The CVE-2017-20039 entry refers to SICUNET Access Controller 0.32-05z. Affected component: system’s authentication mechanism; root cause: weak authentication that can be triggered remotely. Impact: high risk due to remote exploit potential and partial confidentiality/integrity/availability impact...
CVE-2022-30760
Vulnerability context: CVE-2022-30760 affects the ihb eG FlexNow product (fn2Web) prior to version 2.04.09.016. The issue is an insecure direct object reference (IDOR) that allows remote authenticated users to access sensitive student data by altering the student ID parameter in a POST to the Fro...
CVE-2022-1703
Improper neutralization of special elements in the SonicWall SSL-VPN SMA100 series management interface allows a remote authenticated attacker to inject OS commands, which potentially leads to remote command execution or a denial of service (DoS) attack...
PT-2022-23719 · Ivanti · Ivanti Avalanche
Name of the Vulnerable Software and Affected Versions: Ivanti Avalanche version 6.3.2.3490 Description: The issue allows remote attackers to bypass authentication on affected installations. The specific flaw exists within the ProfileDaoImpl class, where a crafted request can trigger execution of...
The vulnerability of the `get_aes_key_info_by_packetid()` function in Anker Eufy Homebase surveillance systems allows an intruder to bypass the authentication process.
The vulnerability of the `get_aes_key_info_by_packetid()` function in Anker Eufy Homebase surveillance systems is related to a small number of possible random values. Exploiting this vulnerability could allow a malicious actor to bypass the authentication process remotely...
GHSA-22WC-7WMM-V4CC Liferay Portal and Liferay DXP do not properly check user permission
The Portlet Configuration module before 4.0.13 in Liferay Portal 7.2.0 through 7.3.3, and Liferay DXP 7.0 fix pack 93 and 94, 7.1 fix pack 18, and 7.2 before fix pack 8, does not properly check user permission, which allows remote authenticated users to view the Guest and User role even if...