Total
4027 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-36264 | 1 Apache | 1 Submarine | 2025-03-20 | 9.8 Critical |
| ** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils. If the user doesn't explicitly set `submarine.auth.default.secret`, a default value will be used. This issue affects Apache Submarine Commons Utils: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-36132 | 1 Ivanti | 1 Endpoint Manager Mobile | 2025-03-19 | 7.5 High |
| Insufficient verification of authentication controls in EPMM prior to 12.1.0.1 allows a remote attacker to bypass authentication and access sensitive resources. | ||||
| CVE-2023-23460 | 1 Priority-software | 1 Priority | 2025-03-19 | 9.1 Critical |
| Priority Web version 19.1.0.68, parameter manipulation on an unspecified end-point may allow authentication bypass. | ||||
| CVE-2022-44595 | 1 Melapress | 1 Wp 2fa | 2025-03-19 | 5.3 Medium |
| Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.This issue affects WP 2FA: from n/a through 2.2.0. | ||||
| CVE-2023-50804 | 1 Samsung | 26 Exynos 1080, Exynos 1080 Firmware, Exynos 1280 and 23 more | 2025-03-18 | 3.7 Low |
| An issue was discovered in Samsung Mobile Processor, and Modem Exynos 9820, Exynos 9825, Exynos 980, Exynos 990, Exynos 850, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos Modem 5123, Exynos Modem 5300. The baseband software does not properly check format types specified by the NAS (Non-Access-Stratum) module. This can lead to bypass of authentication. | ||||
| CVE-2022-47508 | 1 Solarwinds | 1 Server And Application Monitor | 2025-03-18 | 7.5 High |
| Customers who had configured their polling to occur via Kerberos did not expect NTLM Traffic on their environment, but since we were querying for data via IP address this prevented us from utilizing Kerberos. | ||||
| CVE-2023-25264 | 1 Docmosis | 1 Tornado | 2025-03-18 | 7.5 High |
| An issue was discovered in Docmosis Tornado prior to version 2.9.5. An unauthenticated attacker can bypass the authentication check filter completely by introducing a specially crafted request with relative path segments. | ||||
| CVE-2024-34093 | 1 Archerirm | 1 Archer | 2025-03-18 | 5.3 Medium |
| An issue was discovered in Archer Platform 6 before 2024.03. There is an X-Forwarded-For Header Bypass vulnerability. An unauthenticated attacker could potentially bypass intended whitelisting when X-Forwarded-For header is enabled. | ||||
| CVE-2025-2230 | 2025-03-17 | 7.7 High | ||
| A flaw exists in the Windows login flow where an AuthContext token can be exploited for replay attacks and authentication bypass. | ||||
| CVE-2025-2388 | 2025-03-17 | 7.3 High | ||
| A vulnerability was found in Keytop 路内停车收费系统 2.7.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /saas/commonApi/park/getParks of the component API. The manipulation leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-2344 | 2025-03-17 | 5.3 Medium | ||
| A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-36130 | 1 Ivanti | 1 Endpoint Manager Mobile | 2025-03-13 | 9.8 Critical |
| An insufficient authorization vulnerability in web component of EPMM prior to 12.1.0.1 allows an unauthorized attacker within the network to execute arbitrary commands on the underlying operating system of the appliance. | ||||
| CVE-2024-10474 | 1 Mozilla | 2 Firefox Focus, Focus For Ios | 2025-03-13 | 9.1 Critical |
| Focus was incorrectly allowing internal links to utilize the app scheme used for deeplinking, which could result in links potentially circumventing some URL safety checks This vulnerability affects Focus for iOS < 132. | ||||
| CVE-2025-26326 | 2025-03-13 | 8.8 High | ||
| A vulnerability was identified in the NVDA Remote (version 2.6.4) and Tele NVDA Remote (version 2025.3.3) remote connection add-ons, which allows an attacker to obtain total control of the remote system by guessing a weak password. The problem occurs because these add-ons accept any password entered by the user and do not have an additional authentication or computer verification mechanism. Tests indicate that more than 1,000 systems use easy-to-guess passwords, many with less than 4 to 6 characters, including common sequences. This allows brute force attacks or trial-and-error attempts by malicious invaders. The vulnerability can be exploited by a remote attacker who knows or can guess the password used in the connection. As a result, the attacker gains complete access to the affected system and can execute commands, modify files, and compromise user security. | ||||
| CVE-2024-11087 | 1 Miniorange | 1 Social Login | 2025-03-13 | 8.1 High |
| The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 200.3.9. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token. | ||||
| CVE-2024-45042 | 2025-03-12 | 4.4 Medium | ||
| Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 1.3.0, given a number of preconditions, the `highest_available` setting will incorrectly assume that the identity’s highest available AAL is `aal1` even though it really is `aal2`. This means that the `highest_available` configuration will act as if the user has only one factor set up, for that particular user. This means that they can call the settings and whoami endpoint without a `aal2` session, even though that should be disallowed. An attacker would need to steal or guess a valid login OTP of a user who has only OTP for login enabled and who has an incorrect `available_aal` value stored, to exploit this vulnerability. All other aspects of the session (e.g. the session’s aal) are not impacted by this issue. On the Ory Network, only 0.00066% of registered users were affected by this issue, and most of those users appeared to be test users. Their respective AAL values have since been updated and they are no longer vulnerable to this attack. Version 1.3.0 is not affected by this issue. As a workaround, those who require MFA should disable the passwordless code login method. If that is not possible, check the sessions `aal` to identify if the user has `aal1` or `aal2`. | ||||
| CVE-2023-24093 | 1 H3c | 2 A210-g, A210-g Firmware | 2025-03-12 | 9.8 Critical |
| An access control issue in H3C A210-G A210-GV100R005 allows attackers to authenticate without a password. | ||||
| CVE-2023-51405 | 1 Reputeinfosystems | 1 Bookingpress | 2025-03-12 | 5.3 Medium |
| Improper Authentication vulnerability in Repute Infosystems BookingPress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects BookingPress: from n/a through 1.0.74. | ||||
| CVE-2025-0813 | 2025-03-12 | 6.8 Medium | ||
| CWE-287: Improper Authentication vulnerability exists that could cause an Authentication Bypass when an unauthorized user without permission rights has physical access to the EPAS-UI computer and is able to reboot the workstation and interrupt the normal boot process. | ||||
| CVE-2025-21349 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2025-03-12 | 6.8 Medium |
| Windows Remote Desktop Configuration Service Tampering Vulnerability | ||||