Screen SFT DAB 600/C firmware 1.9.3 contains an authentication bypass vulnerability that allows attackers to change the admin password without requiring the current credentials. Attackers can exploit the userManager.cgx API endpoint by sending a crafted POST request with a new MD5-hashed password to directly modify the admin account's authentication.
Screen SFT DAB 600/C Firmware 1.9.3 contains a weak session management vulnerability that allows attackers to bypass authentication controls by reusing IP-bound session identifiers. Attackers can exploit the vulnerable deviceManagement API endpoint to reset device configurations by sending crafted POST requests with manipulated session parameters.
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
IC Realtime ICIP-P2012T 2.420 is vulnerable to Incorrect Access Control via an exposed HTTP channel using VLC network.
A weakness has been identified in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This affects an unknown function of the file /api/employees. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality.
A missing authentication check in the WebSocket channel used for the Check Point IoT integration in Nozomi Networks Guardian and CMC, may allow an unauthenticated attacker to obtain assets data without authentication. Malicious unauthenticated users with knowledge on the underlying system may be able to extract limited asset information.
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, etc.) without authorization through getSysStatusCfg.
An authentication bypass vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user to execute certain IPMI calls that could lead to exposure of limited system information.
An attacker could send an HTTP request to an Open5GS endpoint and retrieve the information stored on the device due to the lack of Authentication.
MachineSense devices use unauthenticated MQTT messaging to monitor devices and remote viewing of sensor data by users.
An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. There exists an exposed administration function in getcfg.php, which can be used to call various services. It can be utilized by an attacker to retrieve various sensitive information, such as admin login credentials, by setting the value of _POST_SERVICES in the query string to DEVICE.ACCOUNT.
OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
An authentication issue was addressed with improved state management. This issue is fixed in iOS 17 and iPadOS 17, macOS Sonoma 14. Photos in the Hidden Photos Album may be viewed without authentication.
Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files. Attackers can send a request to /goform/getimage endpoint to download configuration data including admin credentials without authentication.
The memory management module has the logic bypass vulnerability. Successful exploitation of this vulnerability may affect data confidentiality.
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, etc.) without authorization.