WebAccess/NMS (Versions prior to v3.0.3_Build6299) has an improper authentication vulnerability, which may allow unauthorized users to view resources monitored and controlled by the WebAccess/NMS, as well as IP addresses and names of all the devices managed via WebAccess/NMS.
CWE-287
CVE-2021-32967
Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges.
CVE-2021-3297
On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access.
CVE-2021-32980
Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 does not protect against additional software programming connections. An attacker can connect to the PLC while an existing connection is already active.
CVE-2021-32984
All programming connections receive the same unlocked privileges, which can result in a privilege escalation. During the time Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 is unlocked by an authorized user, an attacker can connect to the PLC and read the project without authorization.
CVE-2021-3282
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.