Total: 124 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-52996 | 1 Filebrowser | 1 Filebrowser | 2025-08-04 | N/A | 3.1 LOW | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions 2.32.0 and prior, the implementation of password-protected links is error-prone, resulting in potential unprotected sharing of a file through a direct download link. This link can either be shared unknowingly by a user or discovered from various locations such as the browser history or the log of a proxy server used. At time of publication ... |
| CVE-2025-31965 | | | 2025-07-31 | N/A | 8.2 HIGH | Improper access restrictions in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0248 and lower) allow non-admin users to view unauthorized information on certain web pages. |
| CVE-2025-53167 | 1 Huawei | 1 Harmonyos | 2025-07-15 | N/A | 6.9 MEDIUM | Authentication vulnerability in the distributed collaboration framework module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| CVE-2024-12776 | 1 Langgenius | 1 Dify | 2025-07-14 | N/A | 8.1 HIGH | In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. This vulnerability can lead to a complete compromise of the application. |
| CVE-2023-27538 | 6 Broadcom, Debian, Fedoraproject and 3 more | 15 Brocade Fabric Operating System Firmware, Debian Linux, Fedora and 12 more | 2025-06-09 | N/A | 5.5 MEDIUM | An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connectio ... |
| CVE-2023-27535 | 5 Debian, Fedoraproject, Haxx and 2 more | 14 Debian Linux, Fedora, Libcurl and 11 more | 2025-06-09 | N/A | 5.9 MEDIUM | An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. ... |
| CVE-2025-3757 | 1 Openpubkey | 1 Openpubkey | 2025-05-23 | N/A | 9.8 CRITICAL | Versions of the OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. |
| CVE-2025-4658 | 1 Openpubkey | 2 Openpubkey, Opkssh | 2025-05-22 | N/A | 9.8 CRITICAL | Versions of the OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication. |
| CVE-2025-46750 | | | 2025-05-12 | N/A | 4.4 MEDIUM | SEL BIOS packages prior to 1.3.49152.117 or 2.6.49152.98 allow a local attacker to bypass password authentication and change password-protected BIOS settings by importing a BIOS settings file with no password set. |
| CVE-2025-24522 | | | 2025-05-02 | N/A | 10.0 CRITICAL | KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This can give an unauthenticated remote attacker full access to the Node-RED server, where they can run arbitrary commands on the underlying operating system. |
| CVE-2025-32011 | | | 2025-05-02 | N/A | 9.8 CRITICAL | KUNBUS PiCtory versions 2.5.0 through 2.11.1 have an authentication bypass vulnerability where a remote attacker can bypass authentication to get access due to a path traversal. |
| CVE-2025-27371 | | | 2025-04-25 | N/A | 6.9 MEDIUM | In certain IETF OAuth 2.0-related specifications, when the JSON Web Token Profile for OAuth 2.0 Client Authentication mechanism is used, there are ambiguities in the audience values of JWTs sent to authorization servers. The affected RFCs may include RFC 7523, and also RFC 7521, RFC 7522, RFC 9101 (JAR), and RFC 9126 (PAR). |
| CVE-2025-27370 | | | 2025-04-25 | N/A | 6.9 MEDIUM | OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client. |
| CVE-2023-34124 | 1 Sonicwall | 2 Analytics, Global Management System | 2025-04-08 | N/A | 9.8 CRITICAL | The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions. |
| CVE-2022-3100 | 2 Openstack, Redhat | 5 Barbican, Enterprise Linux Eus, Openstack and 2 more | 2025-04-03 | N/A | 5.9 MEDIUM | A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API. |
| CVE-2025-1880 | 1 I-drive | 4 I11, I11 Firmware, I12 and 1 more | 2025-03-05 | 1.2 LOW | 2.0 LOW | A vulnerability was found in i-Drive i11 and i12 up to 20250227. It has been classified as problematic. Affected is an unknown function of the component Device Pairing. The manipulation leads to authentication bypass by primary weakness. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitability is told to be difficult. It was not possible to identify the current maintainer of the product. It must be assumed that the product is end- ... |
| CVE-2025-23017 | | | 2025-02-24 | N/A | 6.0 MEDIUM | WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass (by enrolling a new authentication factor) when the attacker knows the user's password. No exploitation occurred. |
| CVE-2023-27536 | 5 Debian, Fedoraproject, Haxx and 2 more | 14 Debian Linux, Fedora, Libcurl and 11 more | 2025-02-14 | N/A | 5.9 MEDIUM | An authentication bypass vulnerability exists in libcurl <8.0.0 in the connection reuse feature, which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been chan ... |
| CVE-2024-12054 | | | 2025-02-13 | N/A | 5.4 MEDIUM | ZF Roll Stability Support Plus (RSSPlus) is vulnerable to an authentication bypass vulnerability targeting deterministic RSSPlus SecurityAccess service seeds, which may allow an attacker to remotely (proximal/adjacent with RF equipment or via pivot from J2497 telematics devices) call diagnostic functions intended for workshop or repair scenarios. This can impact system availability, potentially degrading performance or erasing software; however, the vehicle remains in a safe vehicle state. |
| CVE-2024-12582 | | | 2025-02-13 | N/A | 7.1 HIGH | A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readab ... |
| CVE-2023-28727 | 1 Panasonic | 2 Aiseg2, Aiseg2 Firmware | 2025-02-12 | N/A | 9.6 CRITICAL | Panasonic AiSEG2 versions 2.00J through 2.93A allow adjacent attackers to bypass authentication due to mishandling of X-Forwarded-For headers. |
| CVE-2024-1403 | 1 Progress | 1 Openedge | 2025-02-11 | N/A | 10.0 CRITICAL | In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The vulnerability is a bypass of authentication based on a failure to properly handle username and password. Certain unexpected content passed into the credentials can lead to unauthorized access without proper authentication. |
| CVE-2024-6637 | 1 Wpwebelite | 1 Woocommerce Social Login | 2025-02-11 | N/A | 7.3 HIGH | The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthenticated privilege escalation in all versions up to, and including, 2.7.3. This is due to a lack of brute force controls on a weak one-time password. This makes it possible for unauthenticated attackers to brute force the one-time password for any user, except an Administrator, if they know the user's email. |
| CVE-2023-28126 | 1 Ivanti | 1 Avalanche | 2025-01-29 | N/A | 5.9 MEDIUM | An authentication bypass vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to gain access by exploiting the SetUser method or the race condition in the authentication message. |
| CVE-2021-26102 | 1 Fortinet | 1 Fortiwan | 2025-01-21 | N/A | 9.8 CRITICAL | A relative path traversal vulnerability (CWE-23) in FortiWAN version 4.5.7 and below, 4.4 all versions may allow a remote non-authenticated attacker to delete files on the system by sending a crafted POST request. In particular, deleting specific configuration files will reset the Admin password to its default value. |
| CVE-2024-34077 | 1 Mantisbt | 1 Mantisbt | 2025-01-16 | N/A | 7.3 HIGH | MantisBT (Mantis Bug Tracker) is an open source issue tracker. Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and take over their account, if the victim has an incomplete request pending. The exploit is only possible while the verification token is valid, i.e. for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password. A brute-force atta ... |
| CVE-2024-12802 | | | 2025-01-09 | N/A | 9.1 CRITICAL | SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when integrated with Microsoft Active Directory, allowing MFA to be configured independently for each login method and potentially enabling attackers to bypass MFA by exploiting the alternative account name. |
| CVE-2023-46611 | | | 2025-01-02 | N/A | 5.3 MEDIUM | Authentication Bypass by Primary Weakness vulnerability in yourownprogrammer YOP Poll allows Authentication Bypass. This issue affects YOP Poll: from n/a through 6.5.28. |
| CVE-2024-3847 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2024-12-19 | N/A | 6.1 MEDIUM | Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2024-9683 | 1 Redhat | 1 Quay | 2024-12-03 | N/A | 4.8 MEDIUM | A vulnerability was found in Quay, which allows successful authentication even when a truncated password version is provided. This flaw affects the authentication mechanism, reducing the overall security of password enforcement. While the risk is relatively low due to the typical length of the passwords used (73 characters), this vulnerability can still be exploited to reduce the complexity of brute-force or password-guessing attacks. The truncation of passwords weakens the overall authenticati ... |
| CVE-2024-39899 | | | 2024-11-21 | N/A | 5.3 MEDIUM | PrivateBin is an online pastebin where the server has zero knowledge of pasted data. In v1.5, PrivateBin introduced the YOURLS server-side proxy. The idea was to allow using the YOURLs URL shortener without running the YOURLs instance without authentication and/or exposing the authentication token to the public, allowing anyone to shorten any URL. With the proxy mechanism, anyone can shorten any URL pointing to the configured PrivateBin instance. The vulnerability allowed other URLs to be shorte ... |
| CVE-2024-38433 | 1 Nuvoton | 8 Npcm705r, Npcm705r Firmware, Npcm710r and 5 more | 2024-11-21 | N/A | 6.7 MEDIUM | Nuvoton - CWE-305: Authentication Bypass by Primary Weakness. An attacker with write access to the SPI-Flash on an NPCM7xx BMC subsystem that uses the Nuvoton BootBlock reference code can modify the u-boot image header on flash parsed by the BootBlock, which could lead to arbitrary code execution. |
| CVE-2024-36388 | | | 2024-11-21 | N/A | 10.0 CRITICAL | MileSight DeviceHub - CWE-305 Missing Authentication for Critical Function |
| CVE-2024-20674 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2024-11-21 | N/A | 8.8 HIGH | Windows Kerberos Security Feature Bypass Vulnerability |
| CVE-2024-20015 | 2 Google, Mediatek | 40 Android, Mt6739, Mt6753 and 37 more | 2024-11-21 | N/A | 7.8 HIGH | In telephony, there is a possible escalation of privilege due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08441419; Issue ID: ALPS08441419. |
| CVE-2024-1202 | | | 2024-11-21 | N/A | 9.8 CRITICAL | Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass. This issue affects Octopod: before v1. NOTE: The vendor was contacted and it was learned that the product is not supported. |
| CVE-2023-7103 | | | 2024-11-21 | N/A | 9.8 CRITICAL | Authentication Bypass by Primary Weakness vulnerability in ZKSoftware Biometric Security Solutions UFace 5 allows Authentication Bypass. This issue affects UFace 5: through 12022024. |
| CVE-2023-6998 | 1 Coolkit | 1 Ewelink | 2024-11-21 | N/A | 7.7 HIGH | Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass. This issue affects eWeLink before 5.2.0. |
| CVE-2023-6153 | | | 2024-11-21 | N/A | 9.8 CRITICAL | Authentication Bypass by Primary Weakness vulnerability in TeoSOFT Software TeoBASE allows Authentication Bypass. This issue affects TeoBASE: through 20240327. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2023-4898 | 1 Mintplexlabs | 1 Anything-llm | 2024-11-21 | N/A | 7.5 HIGH | Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. |