This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using mg_http_upload() method may enable attackers to write files to arbitrary locations outside the designated target folder.
Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
Exploitation of Authentication vulnerability in the web interface in McAfee Advanced Threat Defense (ATD) 3.10, 3.8, 3.6, 3.4 allows remote unauthenticated users / remote attackers to bypass ATD detection via loose enforcement of authentication and authorization.
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the GitLab import component resulting in an attacker being able to perform operations under a group in which they were previously unauthorized.
getgps data in iTrack Easy can be modified without authentication by setting the data using the parametercmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device.
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow modifications of the touch configurations in an unauthorized manner when an attacker attempts to modify the touch configurations. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)
Tad Uploader edit book list function is vulnerable to authorization bypass, thus remote attackers can use the function to amend the folder names in the book list without logging in.
Incorrect access control in AMAG Symmetry Door Edge Network Controllers (EN-1DBC Boot App 23611 03.60 and STD App 23603 03.60; EN-2DBC Boot App 24451 01.00 and STD App 2461 01.00) enables remote attackers to execute door controller commands (e.g., lock, unlock, add ID card value) by sending unauthenticated requests to the affected devices via Serial over TCP/IP, as demonstrated by a Ud command.
An issue was discovered on Samsung mobile devices with Q(10.0) software. The DynamicLockscreen Terms and Conditions can be accepted without authentication. The Samsung ID is SVE-2020-17079 (October 2020).
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.