Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-23857: Multiple vulnerabilities in Rexroth IndraMotion and IndraLogic series

Login with hash: The login routine allows the client to log in to the system not by using the password, but by using the hash of the password. Combined with CVE-2021-23858, this allows an attacker to subsequently login to the system.

CVE

Related news

CVE-2021-43130: Offensive Security’s Exploit Database Archive

An SQL Injection vulnerability exists in Sourcecodester Customer Relationship Management System (CRM) 1.0 via the username parameter in customer/login.php.

CVE-2021-26107: PSIRT Advisories | FortiGuard

An improper access control vulnerability [CWE-284] in FortiManager versions 6.4.4 and 6.4.5 may allow an authenticated attacker with a restricted user profile to modify the VPN tunnel status of other VDOMs using VPN Manager.

CVE-2021-32663: Build software better, together

iTop is an open source web based IT Service Management tool. In affected versions an attacker can call the system setup without authentication. Given specific parameters this can lead to SSRF. This issue has been resolved in versions 2.6.5 and 2.7.5 and later

Moxa MXview Network Management Software

This advisory contains mitigations for Path Traversal, Use of Hard-coded Password, Unprotected Transport of Credentials, Injection, and Improper Access Control vulnerabilities in Moxa MXview network management software.

CVE-2021-38299: Releases · web-auth/webauthn-framework

Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.

Netgear fixes RCE flaw in routers’ parental controls feature

Bug in third-party code offers salutary lessons around enterprise risk management, say researchers

CVE-2021-41011: HackerOne

LINE client for iOS before 11.15.0 might expose authentication information for a certain service to external entities under certain conditions. This is usually impossible, but in combination with a server-side bug, attackers could get this information.

CVE-2021-41390: Ericsson ECM (Enterprise Content Management) solution Vulnerable to CSV Injection

In Ericsson ECM before 18.0, it was observed that Security Provider Endpoint in the User Profile Management Section is vulnerable to CSV Injection.

CVE-2021-41391: Ericsson ECM (Enterprise Content Management) solution Vulnerable to Stored XSS.

In Ericsson ECM before 18.0, it was observed that Security Management Endpoint in User Profile Management Section is vulnerable to stored XSS via a name, leading to session hijacking and full account takeover.

CVE-2021-37184:

A vulnerability has been identified in Industrial Edge Management (All versions < V1.3). An unauthenticated attacker could change the the password of any user in the system under certain circumstances. With this an attacker could impersonate any valid user on an affected system.

CVE-2021-37414: Vulnerability: Improper Authorization Handling

Zoho ManageEngine DesktopCentral before 10.0.709 allows anyone to get a valid user's APIKEY without authentication.

CVE-2021-37414: Vulnerability: Improper Authorization Handling

Zoho ManageEngine DesktopCentral version 10.1.2119.7 and prior allows anyone to get a valid user's APIKEY without authentication.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907