Total
32 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-39360 | 1 Metabase | 1 Metabase | 2024-11-21 | 6.5 Medium |
| Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login. | ||||
| CVE-2022-2821 | 1 Namelessmc | 1 Nameless | 2024-11-21 | 7.5 High |
| Missing Critical Step in Authentication in GitHub repository namelessmc/nameless prior to v2.0.2. | ||||
| CVE-2022-2302 | 1 Lenze | 6 C520, C520 Firmware, C550 and 3 more | 2024-11-21 | 9.8 Critical |
| Multiple Lenze products of the cabinet series skip the password verification upon second login. After a user has been logged on to the device once, a remote attacker can get full access without knowledge of the password. | ||||
| CVE-2022-1065 | 1 Abacus | 5 Abacus Erp 2018, Abacus Erp 2019, Abacus Erp 2020 and 2 more | 2024-11-21 | 8.1 High |
| A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus ERP v2022 versions prior to R1 of 2022-01-15; v2021 versions prior to R4 of 2022-01-15; v2020 versions prior to R6 of 2022-01-15; v2019 versions later than R5 (service pack); v2018 versions later than R5 (service pack). This issue does not affect: Abacus ERP v2019 versions prior to R5 of 2020-03-15; v2018 versions prior to R7 of 2020-04-15; v2017 version and prior versions and prior versions. | ||||
| CVE-2021-41179 | 1 Nextcloud | 1 Server | 2024-11-21 | 6.5 Medium |
| Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, the Two-Factor Authentication wasn't enforced for pages marked as public. Any page marked as `@PublicPage` could thus be accessed with a valid user session that isn't authenticated. This particularly affects the Nextcloud Talk application, as this could be leveraged to gain access to any private chat channel without going through the Two-Factor flow. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading. | ||||
| CVE-2020-29004 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 8.8 High |
| The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack. | ||||
| CVE-2019-16766 | 1 Labdigital | 1 Wagtail-2fa | 2024-11-21 | 8.7 High |
| When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS. This problem has been patched in version 1.3.0. | ||||
| CVE-2011-3172 | 1 Suse | 1 Suse Linux Enterprise Server | 2024-11-21 | N/A |
| A vulnerability in pam_modules of SUSE Linux Enterprise allows attackers to log into accounts that should have been disabled. Affected releases are SUSE Linux Enterprise: versions prior to 12. | ||||
| CVE-2024-45764 | 1 Dell | 2 Enterprise Sonic Distribution, Enterprise Sonic Os | 2024-11-13 | 9 Critical |
| Dell Enterprise SONiC OS, version(s) 4.1.x, 4.2.x, contain(s) a Missing Critical Step in Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. This is a critical severity vulnerability so Dell recommends customers to upgrade at the earliest opportunity. | ||||
| CVE-2024-7745 | 1 Progress | 1 Ws Ftp Server | 2024-09-04 | 6.5 Medium |
| In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only. | ||||
| CVE-2024-6040 | 1 Parisneo | 1 Lollms-webui | 2024-08-01 | N/A |
| In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine. | ||||
| CVE-2019-9619 | 2023-11-07 | N/A | ||
| DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | ||||