# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
1 |
CVE-2023-0052 |
306 |
|
Exec Code |
2023-01-20 |
2023-01-23 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
SAUTER Controls Nova 200–220 Series with firmware version 3.3-006 and prior and BACnetstac version 4.2.1 and prior allows the execution of commands without credentials. As Telnet and file transfer protocol (FTP) are the only protocols available for device management, an unauthorized user could access the system and modify the device configuration, which could result in the unauthorized user executing unrestricted malicious commands. |
2 |
CVE-2022-46463 |
306 |
|
|
2023-01-13 |
2023-01-24 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
** DISPUTED ** An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication. NOTE: the vendor's position is that this "is clearly described in the documentation as a feature." |
3 |
CVE-2022-45481 |
306 |
|
Exec Code |
2022-12-05 |
2022-12-08 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
The default configuration of Lazy Mouse does not require a password, allowing remote unauthenticated users to execute arbitrary code with no prior authorization or authentication. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
4 |
CVE-2022-45479 |
306 |
|
Exec Code |
2022-12-05 |
2022-12-08 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
PC Keyboard allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
5 |
CVE-2022-45477 |
306 |
|
Exec Code |
2022-12-05 |
2022-12-08 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Telepad allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
6 |
CVE-2022-44001 |
306 |
|
Bypass |
2022-11-17 |
2022-11-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
An issue was discovered in BACKCLICK Professional 5.9.63. User authentication for accessing the CORBA back-end services can be bypassed. |
7 |
CVE-2022-44000 |
306 |
|
Exec Code |
2022-11-16 |
2022-11-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
An issue was discovered in BACKCLICK Professional 5.9.63. Due to an exposed internal communications interface, it is possible to execute arbitrary system commands on the server. |
8 |
CVE-2022-43999 |
306 |
|
Exec Code |
2022-11-16 |
2022-11-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
An issue was discovered in BACKCLICK Professional 5.9.63. Due to exposed CORBA management services, arbitrary system commands can be executed on the server. |
9 |
CVE-2022-43990 |
306 |
|
+Priv |
2022-11-01 |
2022-12-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Password recovery vulnerability in SICK SIM1012 Partnumber 1098146 with firmware version <2.2.0 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. This leads to an increase in their privileges on the system and thereby affecting the confidentiality integrity and availability of the system. An attacker can expect repeatable success by exploiting the vulnerability. The recommended solution is to update the firmware to a version >= 2.2.0 as soon as possible (available in SICK Support Portal). |
10 |
CVE-2022-43989 |
306 |
|
+Priv |
2022-11-01 |
2022-12-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Password recovery vulnerability in SICK SIM2x00 (ARM) Partnumber 1092673 and 1081902 with firmware version < 1.2.0 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. This leads to an increase in their privileges on the system and thereby affecting the confidentiality integrity and availability of the system. An attacker can expect repeatable success by exploiting the vulnerability. The recommended solution is to update the firmware to a version >= 1.2.0 as soon as possible (available in SICK Support Portal). |
11 |
CVE-2022-42982 |
306 |
|
|
2022-11-17 |
2022-11-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
BKG Professional NtripCaster 2.0.39 allows querying information over the UDP protocol without authentication. The NTRIP sourcetable is typically quite long (tens of kBs) and can be requested with a packet of only 30 bytes. This presents a vector that can be used for UDP amplification attacks. Normally, only authenticated streaming data will be provided over UDP and not the sourcetable. |
12 |
CVE-2022-42785 |
306 |
|
Bypass |
2022-11-15 |
2022-11-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Multiple W&T products of the ComServer Series are prone to an authentication bypass. An unathenticated remote attacker, can log in without knowledge of the password by crafting a modified HTTP GET Request. |
13 |
CVE-2022-42473 |
306 |
|
|
2022-11-02 |
2022-11-03 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
A missing authentication for a critical function vulnerability in Fortinet FortiSOAR 6.4.0 - 6.4.4 and 7.0.0 - 7.0.3 and 7.2.0 allows an attacker to disclose information via logging into the database using a privileged account without a password. |
14 |
CVE-2022-42458 |
306 |
|
Bypass |
2022-12-07 |
2022-12-12 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Authentication bypass using an alternate path or channel vulnerability in bingo!CMS version1.7.4.1 and earlier allows a remote unauthenticated attacker to upload an arbitrary file. As a result, an arbitrary script may be executed and/or a file may be altered. |
15 |
CVE-2022-42277 |
306 |
|
DoS Exec Code |
2023-01-13 |
2023-01-20 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
NVIDIA DGX Station contains a vulnerability in SBIOS in the SmiFlash, where a local user with elevated privileges can read, write and erase flash, which may lead to code execution, escalation of privileges, denial of service, and information disclosure. The scope of impact can extend to other components. |
16 |
CVE-2022-42276 |
306 |
|
DoS Exec Code |
2023-01-13 |
2023-01-20 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
NVIDIA DGX A100 contains a vulnerability in SBIOS in the SmiFlash, where a local user with elevated privileges can read, write and erase flash, which may lead to code execution, escalation of privileges, denial of service, and information disclosure. The scope of impact can extend to other components. |
17 |
CVE-2022-42275 |
306 |
|
DoS Bypass |
2023-01-13 |
2023-01-24 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
NVIDIA BMC IPMI handler allows an unauthenticated host to write to a host SPI flash bypassing secureboot protections. This may lead to a loss of integrity and denial of service. |
18 |
CVE-2022-41776 |
306 |
|
|
2022-10-31 |
2022-11-02 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to trigger the WriteConfiguration method, which could allow an attacker to provide new values for user configuration files such as UserListInfo.xml. This could lead to the changing of administrative passwords. |
19 |
CVE-2022-41688 |
306 |
|
|
2022-10-31 |
2022-11-02 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lack proper authentication for functions that create and modify user groups. An attacker could provide malicious serialized objects that could run these functions without authentication to create a new user and add them to the administrator group. |
20 |
CVE-2022-41644 |
306 |
|
|
2022-10-31 |
2022-11-02 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lacks authentication for a function that changes group privileges. An attacker could use this to create a denial-of-service state or escalate their own privileges. |
21 |
CVE-2022-41629 |
306 |
|
|
2022-10-31 |
2022-11-02 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to access the aprunning endpoint, which could allow an attacker to retrieve any file from the “RunningConfigs” directory. The attacker could then view and modify configuration files such as UserListInfo.xml, which would allow them to see existing administrative passwords. |
22 |
CVE-2022-40684 |
306 |
|
Bypass |
2022-10-18 |
2022-10-20 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. |
23 |
CVE-2022-40202 |
306 |
|
Exec Code |
2022-10-31 |
2022-11-02 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
The database backup function in Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior lacks proper authentication. An attacker could provide malicious serialized objects which, when deserialized, could activate an opcode for a backup scheduling function without authentication. This function allows the user to designate all function arguments and the file to be executed. This could allow the attacker to start any new process and achieve remote code execution. |
24 |
CVE-2022-38870 |
306 |
|
|
2022-10-25 |
2022-10-26 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Free5gc v3.2.1 is vulnerable to Information disclosure. |
25 |
CVE-2022-38168 |
306 |
|
Bypass |
2022-11-03 |
2022-11-08 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
** UNSUPPPORTED WHEN ASSIGNED **Broken Access Control in User Authentication in Avaya Scopia Pathfinder 10 and 20 PTS version 8.3.7.0.4 allows remote unauthenticated attackers to bypass the login page, access sensitive information, and reset user passwords via URL modification. |
26 |
CVE-2022-37298 |
306 |
|
|
2022-10-20 |
2022-10-21 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Shinken Solutions Shinken Monitoring Version 2.4.3 affected is vulnerable to Incorrect Access Control. The SafeUnpickler class found in shinken/safepickle.py implements a weak authentication scheme when unserializing objects passed from monitoring nodes to the Shinken monitoring server. |
27 |
CVE-2022-37062 |
306 |
|
|
2022-08-18 |
2022-10-26 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
All FLIR AX8 thermal sensor cameras version up to and including 1.46.16 are affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the SQLite users database and download it. A successful exploit could allow the attacker to extract usernames and hashed passwords. |
28 |
CVE-2022-36619 |
306 |
|
|
2022-08-31 |
2022-09-02 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
In D-link DIR-816 A2_v1.10CNB04.img,the network can be reset without authentication via /goform/setMAC. |
29 |
CVE-2022-36604 |
306 |
|
|
2022-09-01 |
2022-09-08 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
An access control issue in Canaan Avalon ASIC Miner 2020.3.30 and below allows unauthenticated attackers to arbitrarily change user passwords via a crafted POST request. |
30 |
CVE-2022-36521 |
306 |
|
|
2022-08-26 |
2022-09-01 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Insecure permissions in cskefu v7.0.1 allows unauthenticated attackers to arbitrarily add administrator accounts. |
31 |
CVE-2022-35871 |
306 |
|
Exec Code |
2022-07-25 |
2022-08-03 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Authentication is not required to exploit this vulnerability. The specific flaw exists within the authenticateAdSso method. The issue results from the lack of authentication prior to allowing the execution of python code. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17206. |
32 |
CVE-2022-35865 |
306 |
|
Exec Code |
2022-08-03 |
2022-08-09 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of BMC Track-It! 20.21.2.109. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authorization of HTTP requests. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-16709. |
33 |
CVE-2022-35733 |
306 |
|
Exec Code |
2022-08-23 |
2022-08-26 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Missing authentication for critical function vulnerability in UNIMO Technology digital video recorders (UDR-JA1004/JA1008/JA1016 firmware versions v1.0.20.13 and earlier, and UDR-JA1016 firmware versions v2.0.20.13 and earlier) allows a remote unauthenticated attacker to execute an arbitrary OS command by sending a specially crafted request to the affected device web interface. |
34 |
CVE-2022-33138 |
306 |
|
|
2022-07-12 |
2022-07-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). Affected devices do not perform authentication for several web API endpoints. This could allow an unauthenticated remote attacker to read and download data from the device. |
35 |
CVE-2022-32251 |
306 |
|
+Priv |
2022-06-14 |
2022-06-22 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). There is a missing authentication verification for a resource used to change the roles and permissions of a user. This could allow an attacker to change the permissions of any user and gain the privileges of an administrative user. |
36 |
CVE-2022-32157 |
306 |
|
|
2022-06-15 |
2022-06-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Splunk Enterprise deployment servers in versions before 9.0 allow unauthenticated downloading of forwarder bundles. Remediation requires you to update the deployment server to version 9.0 and Configure authentication for deployment servers and clients (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/ConfigDSDCAuthEnhancements#Configure_authentication_for_deployment_servers_and_clients). Once enabled, deployment servers can manage only Universal Forwarder versions 9.0 and higher. Though the vulnerability does not directly affect Universal Forwarders, remediation requires updating all Universal Forwarders that the deployment server manages to version 9.0 or higher prior to enabling the remediation. |
37 |
CVE-2022-31685 |
306 |
|
Bypass |
2022-11-09 |
2022-11-10 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
VMware Workspace ONE Assist prior to 22.10 contains an Authentication Bypass vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application. |
38 |
CVE-2022-31022 |
306 |
|
|
2022-06-01 |
2022-06-09 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (bleve/http) handlers for exposing the access to the indexes. For instance, the CreateIndexHandler (`http/index_create.go`) and DeleteIndexHandler (`http/index_delete.go`) enable an attacker to create a bleve index (directory structure) anywhere where the user running the server has the write permissions and to delete recursively any directory owned by the same user account. Users who have used the bleve/http package for exposing access to bleve index without the explicit handling for the Role Based Access Controls(RBAC) of the index assets would be impacted by this issue. There is no patch for this issue because the http package is purely intended to be used for demonstration purposes. Bleve was never designed handle the RBACs, nor it was ever advertised to be used in that way. The collaborators of this project have decided to stay away from adding any authentication or authorization to bleve project at the moment. The bleve/http package is mainly for demonstration purposes and it lacks exhaustive validation of the user inputs as well as any authentication and authorization measures. It is recommended to not use bleve/http in production use cases. |
39 |
CVE-2022-30515 |
306 |
|
|
2022-11-08 |
2022-11-09 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration. |
40 |
CVE-2022-30317 |
306 |
|
DoS |
2022-08-31 |
2022-09-09 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Honeywell Experion LX through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0055, there is a Honeywell Experion LX Control Data Access (CDA) EpicMo protocol with unauthenticated functionality issue. The affected components are characterized as: Honeywell Control Data Access (CDA) EpicMo (55565/TCP). The potential impact is: Firmware manipulation, Denial of service. The Honeywell Experion LX Distributed Control System (DCS) utilizes the Control Data Access (CDA) EpicMo protocol (55565/TCP) for device diagnostics and maintenance purposes. This protocol does not have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality. There is no authentication functionality on the protocol in question. An attacker capable of invoking the protocols' functionalities could issue firmware download commands potentially allowing for firmware manipulation and reboot devices causing denial of service. |
41 |
CVE-2022-30313 |
306 |
|
|
2022-07-28 |
2022-08-05 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Honeywell Experion PKS Safety Manager through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0051, there is a Honeywell Experion PKS Safety Manager multiple proprietary protocols with unauthenticated functionality issue. The affected components are characterized as: Honeywell Experion TCP (51000/TCP), Safety Builder (51010/TCP). The potential impact is: Manipulate controller state, Manipulate controller configuration, Manipulate controller logic, Manipulate controller files, Manipulate IO. The Honeywell Experion PKS Distributed Control System (DCS) Safety Manager utilizes several proprietary protocols for a wide variety of functionality, including process data acquisition, controller steering and configuration management. These protocols include: Experion TCP (51000/TCP) and Safety Builder (51010/TCP). None of these protocols have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality. There is no authentication functionality on the protocols in question. An attacker capable of invoking the protocols' functionalities could achieve a wide range of adverse impacts, including (but not limited to), the following: for Experion TCP (51000/TCP): Issue IO manipulation commands, Issue file read/write commands; and for Safety Builder (51010/TCP): Issue controller start/stop commands, Issue logic download/upload commands, Issue file read commands, Issue system time change commands. A mitigating factor with regards to some, but not all, of the above functionality is that these require the Safety Manager physical keyswitch to be in the right position. |
42 |
CVE-2022-30276 |
306 |
|
|
2022-07-26 |
2022-08-09 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
The Motorola MOSCAD and ACE line of RTUs through 2022-05-02 omit an authentication requirement. They feature IP Gateway modules which allow for interfacing between Motorola Data Link Communication (MDLC) networks (potentially over a variety of serial, RF and/or Ethernet links) and TCP/IP networks. Communication with RTUs behind the gateway is done by means of the proprietary IPGW protocol (5001/TCP). This protocol does not have any authentication features, allowing any attacker capable of communicating with the port in question to invoke (a subset of) desired functionality. |
43 |
CVE-2022-30230 |
306 |
|
|
2022-06-14 |
2022-06-22 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions < V2.6.6), SICAM GridEdge Essential Intel (All versions < V2.6.6), SICAM GridEdge Essential with GDS ARM (All versions < V2.6.6), SICAM GridEdge Essential with GDS Intel (All versions < V2.6.6). The affected software does not require authenticated access for privileged functions. This could allow an unauthenticated attacker to create a new user with administrative permissions. |
44 |
CVE-2022-29957 |
306 |
|
|
2022-07-26 |
2023-01-24 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
The Emerson DeltaV Distributed Control System (DCS) through 2022-04-29 mishandles authentication. It utilizes several proprietary protocols for a wide variety of functionality. These protocols include Firmware upgrade (18508/TCP, 18518/TCP); Plug-and-Play (18510/UDP); Hawk services (18507/UDP); Management (18519/TCP); Cold restart (18512/UDP); SIS communications (12345/TCP); and Wireless Gateway Protocol (18515/UDP). None of these protocols have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality. |
45 |
CVE-2022-29952 |
306 |
|
|
2022-07-26 |
2022-08-02 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
Bently Nevada condition monitoring equipment through 2022-04-29 mishandles authentication. It utilizes the TDI command and data protocols (60005/TCP, 60007/TCP) for communications between the monitoring controller and System 1 and/or Bently Nevada Monitor Configuration (BNMC) software. These protocols provide configuration management and historical data related functionality. Neither protocol has any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality. |
46 |
CVE-2022-29951 |
306 |
|
|
2022-07-26 |
2022-08-02 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
JTEKT TOYOPUC PLCs through 2022-04-29 mishandle authentication. They utilize the CMPLink/TCP protocol (configurable on ports 1024-65534 on either TCP or UDP) for a wide variety of engineering purposes such as starting and stopping the PLC, downloading and uploading projects, and changing configuration settings. This protocol does not have any authentication features, allowing any attacker capable of communicating with the port in question to invoke (a subset of) desired functionality. |
47 |
CVE-2022-29881 |
306 |
|
|
2022-05-20 |
2022-06-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). The web based management interface of affected devices does not employ special access protection for certain internal developer views. This could allow unauthenticated users to extract internal configuration details. |
48 |
CVE-2022-29879 |
306 |
|
|
2022-05-20 |
2022-06-02 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). The web based management interface of affected devices does not employ special access protection for certain internal developer views. This could allow authenticated users to access critical device information. |
49 |
CVE-2022-29877 |
306 |
|
|
2022-05-20 |
2022-06-02 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). Affected devices allow unauthenticated access to the web interface configuration area. This could allow an attacker to extract internal configuration details or to reconfigure network settings. However, the reconfigured settings cannot be activated unless the role of an authenticated administrator user. |
50 |
CVE-2022-29402 |
306 |
|
Exec Code |
2022-05-25 |
2022-06-07 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
TP-Link TL-WR840N EU v6.20 was discovered to contain insecure protections for its UART console. This vulnerability allows attackers to connect to the UART port via a serial connection and execute commands as the root user without authentication. |