Total
4065 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-22441 | 1 Hpe | 1 Cray Parallel Application Launch Service | 2025-03-25 | N/A | 9.8 CRITICAL |
|
HPE Cray Parallel Application Launch Service (PALS) is subject to an authentication bypass.
|
|||||
| CVE-2022-48294 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-24 | N/A | 7.5 HIGH |
|
The IHwAttestationService interface has a defect in authentication. Successful exploitation of this vulnerability may affect data confidentiality.
|
|||||
| CVE-2022-45724 | 1 Comfast | 2 Cf-wr610n, Cf-wr610n Firmware | 2025-03-24 | N/A | 5.4 MEDIUM |
|
Incorrect Access Control in Comfast router CF-WR6110N V2.3.1 allows a remote attacker on the same network to perform any HTTP request to an unauthenticated page to force the server to generate a SESSION_ID, and using this SESSION_ID an attacker can then perform authenticated requests.
|
|||||
| CVE-2024-20301 | 1 Cisco | 1 Duo Authentication For Windows Logon And Rdp | 2025-03-24 | N/A | 6.2 MEDIUM |
|
A vulnerability in Cisco Duo Authentication for Windows Logon and RDP could allow an authenticated, physical attacker to bypass secondary authentication and access an affected Windows device.
This vulnerability is due to a failure to invalidate locally created trusted sessions after a reboot of the affected device. An attacker with primary user credentials could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to ac ...
Show More |
|||||
| CVE-2025-27138 | 1 Dataease | 1 Dataease | 2025-03-21 | N/A | 9.8 CRITICAL |
|
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, there is a flaw in the authentication in the io.dataease.auth.filter.TokenFilter class, which may cause the risk of unauthorized access. The vulnerability has been fixed in v2.10.6. No known workarounds are available.
|
|||||
| CVE-2025-30168 | 2025-03-21 | N/A | 6.9 MEDIUM | ||
|
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the ...
Show More |
|||||
| CVE-2019-16261 | 1 Tripplite | 2 Pdumh15at, Pdumh15at Firmware | 2025-03-21 | 8.5 HIGH | 9.1 CRITICAL |
|
Tripp Lite PDUMH15AT 12.04.0053 and SU750XL 12.04.0052 devices allow unauthenticated POST requests to the /Forms/ directory, as demonstrated by changing the manager or admin password, or shutting off power to an outlet. NOTE: the vendor's position is that a newer firmware version, fixing this vulnerability, had already been released before this vulnerability report about 12.04.0053.
|
|||||
| CVE-2022-45168 | 1 Liveboxcloud | 1 Vdesk | 2025-03-20 | N/A | 6.5 MEDIUM |
|
An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/createbackupcodes endpoint, because the application allows a user to generate or regenerate the backup codes before checking the TOTP.
|
|||||
| CVE-2024-36264 | 1 Apache | 1 Submarine | 2025-03-20 | N/A | 9.8 CRITICAL |
|
** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils.
If the user doesn't explicitly set `submarine.auth.default.secret`, a default value will be used.
This issue affects Apache Submarine Commons Utils: from 0.8.0.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects produc ...
Show More |
|||||
| CVE-2024-36132 | 1 Ivanti | 1 Endpoint Manager Mobile | 2025-03-19 | N/A | 7.5 HIGH |
|
Insufficient verification of authentication controls in EPMM prior to 12.1.0.1 allows a remote attacker to bypass authentication and access sensitive resources.
|
|||||
| CVE-2023-23460 | 1 Priority-software | 1 Priority | 2025-03-19 | N/A | 9.1 CRITICAL |
|
Priority Web version 19.1.0.68, parameter manipulation on an unspecified end-point may allow authentication bypass.
|
|||||
| CVE-2022-44595 | 1 Melapress | 1 Wp 2fa | 2025-03-19 | N/A | 5.3 MEDIUM |
|
Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.This issue affects WP 2FA: from n/a through 2.2.0.
|
|||||
| CVE-2023-50804 | 1 Samsung | 26 Exynos 1080, Exynos 1080 Firmware, Exynos 1280 and 23 more | 2025-03-18 | N/A | 3.7 LOW |
|
An issue was discovered in Samsung Mobile Processor, and Modem Exynos 9820, Exynos 9825, Exynos 980, Exynos 990, Exynos 850, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos Modem 5123, Exynos Modem 5300. The baseband software does not properly check format types specified by the NAS (Non-Access-Stratum) module. This can lead to bypass of authentication.
|
|||||
| CVE-2023-25264 | 1 Docmosis | 1 Tornado | 2025-03-18 | N/A | 7.5 HIGH |
|
An issue was discovered in Docmosis Tornado prior to version 2.9.5. An unauthenticated attacker can bypass the authentication check filter completely by introducing a specially crafted request with relative path segments.
|
|||||
| CVE-2024-34093 | 1 Archerirm | 1 Archer | 2025-03-18 | N/A | 5.3 MEDIUM |
|
An issue was discovered in Archer Platform 6 before 2024.03. There is an X-Forwarded-For Header Bypass vulnerability. An unauthenticated attacker could potentially bypass intended whitelisting when X-Forwarded-For header is enabled.
|
|||||
| CVE-2025-2388 | 2025-03-17 | 7.5 HIGH | 7.3 HIGH | ||
|
A vulnerability was found in Keytop 路内停车收费系统 2.7.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /saas/commonApi/park/getParks of the component API. The manipulation leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-2344 | 2025-03-16 | 5.0 MEDIUM | 5.3 MEDIUM | ||
|
A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-36130 | 1 Ivanti | 1 Endpoint Manager Mobile | 2025-03-13 | N/A | 9.8 CRITICAL |
|
An insufficient authorization vulnerability in web component of EPMM prior to 12.1.0.1 allows an unauthorized attacker within the network to execute arbitrary commands on the underlying operating system of the appliance.
|
|||||
| CVE-2024-10474 | 1 Mozilla | 1 Firefox Focus | 2025-03-13 | N/A | 6.5 MEDIUM |
|
Focus was incorrectly allowing internal links to utilize the app scheme used for deeplinking, which could result in links potentially circumventing some URL safety checks This vulnerability affects Focus for iOS < 132.
|
|||||
| CVE-2025-2230 | 2025-03-13 | N/A | 7.7 HIGH | ||
|
A flaw exists in the Windows login flow where an AuthContext token can
be exploited for replay attacks and authentication bypass.
|
|||||
| CVE-2025-26326 | 2025-03-13 | N/A | 8.8 HIGH | ||
|
A vulnerability was identified in the NVDA Remote (version 2.6.4) and Tele NVDA Remote (version 2025.3.3) remote connection add-ons, which allows an attacker to obtain total control of the remote system by guessing a weak password. The problem occurs because these add-ons accept any password entered by the user and do not have an additional authentication or computer verification mechanism. Tests indicate that more than 1,000 systems use easy-to-guess passwords, many with less than 4 to 6 charac ...
Show More |
|||||
| CVE-2024-11087 | 1 Miniorange | 1 Social Login | 2025-03-13 | N/A | 8.1 HIGH |
|
The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 200.3.9. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing acco ...
Show More |
|||||
| CVE-2023-24093 | 1 H3c | 2 A210-g, A210-g Firmware | 2025-03-12 | N/A | 9.8 CRITICAL |
|
An access control issue in H3C A210-G A210-GV100R005 allows attackers to authenticate without a password.
|
|||||
| CVE-2023-51405 | 1 Reputeinfosystems | 1 Bookingpress | 2025-03-12 | N/A | 5.3 MEDIUM |
|
Improper Authentication vulnerability in Repute Infosystems BookingPress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects BookingPress: from n/a through 1.0.74.
|
|||||
| CVE-2025-0813 | 2025-03-12 | N/A | 6.8 MEDIUM | ||
|
CWE-287: Improper Authentication vulnerability exists that could cause an Authentication Bypass when an
unauthorized user without permission rights has physical access to the EPAS-UI computer and is able to
reboot the workstation and interrupt the normal boot process.
|
|||||
| CVE-2022-48305 | 1 Huawei | 2 Simba-al00, Simba-al00 Firmware | 2025-03-11 | N/A | 5.5 MEDIUM |
|
There is an identity authentication bypass vulnerability in Huawei Children Smart Watch (Simba-AL00) 1.1.1.274. Successful exploitation of this vulnerability may cause the access control function of specific applications to fail.
|
|||||
| CVE-2022-48254 | 1 Huawei | 2 Leia-b29, Leia-b29 Firmware | 2025-03-11 | N/A | 4.6 MEDIUM |
|
There is a data processing error vulnerability in Leia-B29 2.0.0.49(M03). Successful exploitation could bypass lock screen authentication.
|
|||||
| CVE-2023-46172 | 1 Ibm | 2 Ds8900f, Ds8900f Firmware | 2025-03-11 | N/A | 5.6 MEDIUM |
|
IBM DS8900F HMC 89.21.19.0, 89.21.31.0, 89.30.68.0, 89.32.40.0, and 89.33.48.0 could allow a remote attacker to bypass authentication restrictions for authorized user. IBM X-Force ID: 269409.
|
|||||
| CVE-2023-42662 | 1 Jfrog | 1 Artifactory | 2025-03-11 | N/A | 9.3 CRITICAL |
|
JFrog Artifactory versions 7.59 and above, but below 7.59.18, 7.63.18, 7.68.19, 7.71.8 are vulnerable to an issue whereby user interaction with specially crafted URLs could lead to exposure of user access tokens due to improper handling of the CLI / IDE browser based SSO integration.
|
|||||
| CVE-2025-27403 | 2025-03-11 | N/A | N/A | ||
|
Ratify is a verification engine as a binary executable and on Kubernetes which enables verification of artifact security metadata and admits for deployment only those that comply with policies the user creates. In a Kubernetes environment, Ratify can be configured to authenticate to a private Azure Container Registry (ACR). The Azure workload identity and Azure managed identity authentication providers are configured in this setup. Users that configure a private ACR to be used with the Azure aut ...
Show More |
|||||
| CVE-2024-56336 | 2025-03-11 | N/A | 9.8 CRITICAL | ||
|
A vulnerability has been identified in SINAMICS S200 (All versions with serial number beginning with SZVS8, SZVS9, SZVS0 or SZVSN and the FS number is 02). The affected device contains an unlocked bootloader. This security oversight enables attackers to inject malicious code, or install untrusted firmware. The intrinsic security features designed to protect against data manipulation and unauthorized access are compromised when the bootloader is not secured.
|
|||||
| CVE-2025-0604 | 2025-03-10 | N/A | 5.4 MEDIUM | ||
|
A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycloak, bypassing AD restrictions. The issue enables authentication bypass and could allow unauthorized access under certain conditions.
|
|||||
| CVE-2024-27767 | 1 Unitronics | 1 Unilogic | 2025-03-10 | N/A | 10.0 CRITICAL |
|
CWE-287: Improper Authentication may allow Authentication Bypass
|
|||||
| CVE-2023-51511 | 1 Booster | 1 Booster For Woocommerce | 2025-03-10 | N/A | 6.5 MEDIUM |
|
Improper Authentication vulnerability in Pluggabl LLC Booster Elite for WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Booster Elite for WooCommerce: from n/a before 7.1.3.
|
|||||
| CVE-2023-38534 | 1 Opentext | 1 Exceed Turbox | 2025-03-10 | N/A | 8.6 HIGH |
|
Improper authentication vulnerability in OpenText™ Exceed Turbo X affecting versions 12.5.0 and 12.5.1. The vulnerability could allow disclosure of restricted information in unauthenticated RPC.
|
|||||
| CVE-2021-41265 | 1 Dpgaspar | 1 Flask-appbuilder | 2025-03-07 | 6.5 MEDIUM | 8.1 HIGH |
|
Flask-AppBuilder is a development framework built on top of Flask. Verions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. This only affects non database authentication types and new REST API endpoints. Users should upgrade to Flask-AppBuilder 3.3.4 to receive a patch.
|
|||||
| CVE-2025-1475 | 2025-03-07 | N/A | 9.8 CRITICAL | ||
|
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled.
|
|||||
| CVE-2022-48364 | 1 Joinmastodon | 1 Mastodon | 2025-03-06 | N/A | 4.3 MEDIUM |
|
The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive.
|
|||||
| CVE-2023-42554 | 1 Samsung | 1 Pass | 2025-03-06 | N/A | 5.4 MEDIUM |
|
Improper Authentication vulnerabiity in Samsung Pass prior to version 4.3.00.17 allows physical attackers to bypass authentication.
|
|||||
| CVE-2024-5044 | 1 Emlog | 1 Emlog | 2025-03-05 | 2.6 LOW | 3.7 LOW |
|
A vulnerability was found in Emlog Pro 2.3.4. It has been classified as problematic. This affects an unknown part of the component Cookie Handler. The manipulation of the argument AuthCookie leads to improper authentication. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-264741 was assigned to this vulnerability. NOTE: The vendo ...
Show More |
|||||