Total
1628 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-42178 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | 2.5 Low |
| HCL MyXalytics is affected by a failure to restrict URL access vulnerability. Unauthenticated users might gain unauthorized access to potentially confidential information, creating a risk of misuse, manipulation, or unauthorized distribution. | ||||
| CVE-2023-6221 | 1 Machinesense | 2 Feverwarn, Feverwarn Firmware | 2025-05-15 | 7.7 High |
| The cloud provider MachineSense uses for integration and deployment for multiple MachineSense devices, such as the programmable logic controller (PLC), PumpSense, PowerAnalyzer, FeverWarn, and others is insufficiently protected against unauthorized access. An attacker with access to the internal procedures could view source code, secret credentials, and more. | ||||
| CVE-2022-35136 | 1 Boodskap | 1 Iot Platform | 2025-05-15 | 6.5 Medium |
| Boodskap IoT Platform v4.4.9-02 allows attackers to make unauthenticated API requests. | ||||
| CVE-2024-23815 | 1 Siemens | 1 Desigo Cc | 2025-05-13 | 7.5 High |
| A vulnerability has been identified in Desigo CC (All versions if access from Installed Clients to Desigo CC server is allowed from networks outside of a highly protected zone), Desigo CC (All versions if access from Installed Clients to Desigo CC server is only allowed within highly protected zones). The affected server application fails to authenticate specific client requests. Modification of the client binary could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database via the event port (default: 4998/tcp) | ||||
| CVE-2025-4557 | 2025-05-12 | 9.1 Critical | ||
| The specific APIs of Parking Management System from ZONG YU has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access specific APIs and operate system functions. These functions include opening gates and restarting the system. | ||||
| CVE-2025-4555 | 2025-05-12 | 9.8 Critical | ||
| The web management interface of Okcat Parking Management Platform from ZONG YU has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access system functions. These functions include opening gates, viewing license plates and parking records, and restarting the system. | ||||
| CVE-2025-4560 | 2025-05-12 | 6.5 Medium | ||
| The ISOinsight from Netvision has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access certain system functions. These functions include viewing the administrator list, viewing and editing IP settings, and uploading files. | ||||
| CVE-2024-25618 | 1 Joinmastodon | 1 Mastodon | 2025-05-12 | 4.2 Medium |
| Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. However, some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2022-3327 | 1 Ikus-soft | 1 Rdiffweb | 2025-05-09 | 9.8 Critical |
| Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0a6. | ||||
| CVE-2020-23648 | 1 Asus | 2 Rt-n12e, Rt-n12e Firmware | 2025-05-09 | 7.5 High |
| Asus RT-N12E 2.0.0.39 is affected by an incorrect access control vulnerability. Through system.asp / start_apply.htm, an attacker can change the administrator password without any authentication. | ||||
| CVE-2023-37495 | 1 Hcltech | 1 Domino | 2025-05-08 | 5.9 Medium |
| Internet passwords stored in Person documents in the Domino® Directory created using the "Add Person" action on the People & Groups tab in the Domino® Administrator are secured using a cryptographically weak hash algorithm. This could enable attackers with access to the hashed value to determine a user's password, e.g. using a brute force attack. This issue does not impact Person documents created through user registration https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html . | ||||
| CVE-2025-3759 | 2025-05-08 | N/A | ||
| Endpoint /cgi-bin-igd/netcore_set.cgi which is used for changing device configuration is accessible without authentication. This poses a significant security threat allowing for e.g: administrator account hijacking or AP password changing. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-3758 | 2025-05-08 | N/A | ||
| WF2220 exposes endpoint /cgi-bin-igd/netcore_get.cgi that returns configuration of the device to unauthorized users. Returned configuration includes cleartext password. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-40393 | 1 Apple | 1 Macos | 2025-05-07 | 7.5 High |
| An authentication issue was addressed with improved state management. This issue is fixed in iOS 17 and iPadOS 17, macOS Sonoma 14. Photos in the Hidden Photos Album may be viewed without authentication. | ||||
| CVE-2022-38870 | 1 Free5gc | 1 Free5gc | 2025-05-07 | 7.5 High |
| Free5gc v3.2.1 is vulnerable to Information disclosure. | ||||
| CVE-2022-27623 | 1 Synology | 1 Diskstation Manager | 2025-05-07 | 7.4 High |
| Missing authentication for critical function vulnerability in iSCSI management functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote attackers to read or write arbitrary files via unspecified vectors. | ||||
| CVE-2025-4268 | 1 Totolink | 2 A720r, A720r Firmware | 2025-05-07 | 5.3 Medium |
| A vulnerability has been found in TOTOLINK A720R 4.1.5cu.374 and classified as critical. This vulnerability affects unknown code of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument topicurl with the input RebootSystem leads to missing authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-21146 | 1 Oracle | 1 Trade Management | 2025-05-06 | 8.1 High |
| Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: GL Accounts). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Trade Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Trade Management accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | ||||
| CVE-2022-3312 | 1 Google | 1 Chrome | 2025-05-06 | 4.6 Medium |
| Insufficient validation of untrusted input in VPN in Google Chrome on ChromeOS prior to 106.0.5249.62 allowed a local attacker to bypass managed device restrictions via physical access to the device. (Chromium security severity: Medium) | ||||
| CVE-2022-27586 | 1 Sick | 2 Sim1004-0p0g311, Sim1004-0p0g311 Firmware | 2025-05-06 | 9.8 Critical |
| Password recovery vulnerability in SICK SIM1004 Partnumber 1098148 with firmware version <2.0.0 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. This leads to an increase in their privileges on the system and thereby affecting the confidentiality integrity and availability of the system. An attacker can expect repeatable success by exploiting the vulnerability. The recommended solution is to update the firmware to a version >= 2.0.0 as soon as possible (available in SICK Support Portal). | ||||