Total
1938 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-25589 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2025-02-27 | 9.8 Critical |
| A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to create arbitrary users on the platform. A successful exploit allows an attacker to achieve total cluster compromise. | ||||
| CVE-2023-27060 | 1 Lightcms Project | 1 Lightcms | 2025-02-26 | 9.8 Critical |
| LightCMS v1.3.7 was discovered to contain a remote code execution (RCE) vulnerability via the image:make function. | ||||
| CVE-2023-28470 | 1 Couchbase | 1 Couchbase Server | 2025-02-24 | 5.3 Medium |
| In Couchbase Server 5 through 7 before 7.1.4, the nsstats endpoint is accessible without authentication. | ||||
| CVE-2024-8584 | 1 Learningdigital | 1 Orca Hcm | 2025-02-21 | 9.8 Critical |
| Orca HCM from LEARNING DIGITAL has an Missing Authentication vulnerability, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in. | ||||
| CVE-2024-28179 | 1 Jupyter | 1 Jupyter Server Proxy | 2025-02-21 | 9.1 Critical |
| Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue. | ||||
| CVE-2022-34858 | 1 Miniorange | 1 Oauth 2.0 Client For Sso | 2025-02-20 | 9.8 Critical |
| Authentication Bypass vulnerability in miniOrange OAuth 2.0 client for SSO plugin <= 1.11.3 at WordPress. | ||||
| CVE-2024-8943 | 1 Latepoint | 1 Latepoint | 2025-02-20 | 9.8 Critical |
| The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13. | ||||
| CVE-2024-57055 | 2025-02-19 | 5 Medium | ||
| Server-Side Access Control Bypass vulnerability in WombatDialer before 25.02 could allow unauthorized users to potentially call certain services without the necessary access level. This issue is limited to services used by the client (not the general-use JSON services) and requires reverse engineering of the proprietary serialization protocol, making it difficult to exploit. | ||||
| CVE-2022-48291 | 1 Huawei | 2 Emui, Harmonyos | 2025-02-19 | 6.5 Medium |
| The Bluetooth module has an authentication bypass vulnerability in the pairing process. Successful exploitation of this vulnerability may affect confidentiality. | ||||
| CVE-2023-24838 | 1 Hgiga | 2 Powerstation, Powerstation Firmware | 2025-02-19 | 9.8 Critical |
| HGiga PowerStation has a vulnerability of Information Leakage. An unauthenticated remote attacker can exploit this vulnerability to obtain the administrator's credential. This credential can then be used to login PowerStation or Secure Shell to achieve remote code execution. | ||||
| CVE-2022-36983 | 1 Ivanti | 1 Avalanche | 2025-02-18 | 9.8 Critical |
| This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919. | ||||
| CVE-2020-14140 | 1 Mi | 1 Xiaomi Router Firmware | 2025-02-18 | 7.5 High |
| When Xiaomi router firmware is updated in 2020, there is an unauthenticated API that can reveal WIFI password vulnerability. This vulnerability is caused by the lack of access control policies on some API interfaces. Attackers can exploit this vulnerability to enter the background and execute background command injection. | ||||
| CVE-2022-27645 | 1 Netgear | 46 Lax20, Lax20 Firmware, R6400 and 43 more | 2025-02-18 | 8.8 High |
| This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700v3 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within readycloud_control.cgi. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15762. | ||||
| CVE-2024-57725 | 2025-02-18 | 6.5 Medium | ||
| An issue in the Arcadyan Livebox Fibra PRV3399B_B_LT allows a remote or local attacker to modify the GPON link value without authentication, causing an internet service disruption via the /firstconnection.cgi endpoint. | ||||
| CVE-2024-3281 | 2025-02-13 | 8.8 High | ||
| A vulnerability was discovered in the firmware builds after 8.0.2.3267 and prior to 8.1.3.1301 in CCX devices. A flaw in the firmware build process did not properly restrict access to a resource from an unauthorized actor. | ||||
| CVE-2024-27169 | 1 Toshibatec | 50 E-studio-2010-ac, E-studio-2015-nc, E-studio-2018 A and 47 more | 2025-02-13 | 8.4 High |
| Toshiba printers provides API without authentication for internal access. A local attacker can bypass authentication in applications, providing administrative access. As for the affected products/models/versions, see the reference URL. | ||||
| CVE-2023-6949 | 1 Dji | 1 Mini 3 Pro Firmware | 2025-02-13 | 5.2 Medium |
| A Missing Authentication for Critical Function issue affecting the HTTP service running on the DJI Mavic Mini 3 Pro on the standard port 80 could allow an attacker to enumerate and download videos and pictures saved on the drone internal or external memory without requiring any kind of authentication. | ||||
| CVE-2023-34329 | 1 Ami | 1 Megarac Sp-x | 2025-02-13 | 8.4 High |
| AMI MegaRAC SPx12 contains a vulnerability in BMC where a User may cause an authentication bypass by spoofing the HTTP header. A successful exploit of this vulnerability may lead to loss of confidentiality, integrity, and availability. | ||||
| CVE-2023-42845 | 1 Apple | 4 Ios And Ipados, Ipados, Iphone Os and 1 more | 2025-02-13 | 5.3 Medium |
| An authentication issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1, iOS 17.1 and iPadOS 17.1. Photos in the Hidden Photos Album may be viewed without authentication. | ||||
| CVE-2023-40401 | 1 Apple | 1 Macos | 2025-02-13 | 7.5 High |
| The issue was addressed with additional permissions checks. This issue is fixed in macOS Ventura 13.6.1. An attacker may be able to access passkeys without authentication. | ||||