Total: 3747 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2025-27422 | | | 2025-03-03 | 7.5 High | FACTION is a PenTesting Report Generation and Collaboration Framework. Authentication is bypassed when an attacker registers a new user with admin privileges. This is possible at any time without any authorization. The request must follow the validation rules (no missing information, secure password, etc.), but there are no other controls stopping the attacker. This vulnerability is fixed in 1.4.3. |
| CVE-2025-1723 | | | 2025-03-03 | 8.1 High | Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to session mishandling. Only valid account holders in the setup have the potential to exploit this bug. |
| CVE-2024-38810 | 1 Vmware | 1 Spring Security | 2025-02-28 | 6.5 Medium | Missing authorization when using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective. |
| CVE-2022-44574 | 1 Ivanti | 1 Avalanche | 2025-02-28 | 7.5 High | An improper authentication vulnerability in Avalanche version 6.3.x and below allows an unauthenticated attacker to modify properties on a specific port. |
| CVE-2023-29463 | 1 Rockwellautomation | 1 Pavilion8 | 2025-02-27 | 8.8 High | The JMX Console within the Rockwell Automation Pavilion8 is exposed to application users and does not require authentication. If exploited, a malicious user could potentially retrieve other application users' session data and/or log users out of their sessions. |
| CVE-2023-28540 | 1 Qualcomm | 304 315 5g Iot Modem, 315 5g Iot Modem Firmware, Apq5053-aa and 301 more | 2025-02-27 | 9.1 Critical | Cryptographic issue in Data Modem due to improper authentication during the TLS handshake. |
| CVE-2023-4562 | 1 Mitsubishielectric | 380 Fx3g-14 Mr/ds, Fx3g-14 Mr/ds Firmware, Fx3g-14 Mr/es and 377 more | 2025-02-27 | 9.1 Critical | Improper Authentication vulnerability in Mitsubishi Electric Corporation MELSEC-F Series main modules allows a remote unauthenticated attacker to obtain sequence programs from the product, or to write malicious sequence programs or improper data to the product, without authentication by sending illegitimate messages. |
| CVE-2023-46290 | 1 Rockwellautomation | 1 Factorytalk Services Platform | 2025-02-27 | 8.1 High | Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk® Services Platform web service and then use the token to log in to FactoryTalk® Services Platform. This vulnerability can only be exploited if the authorized user has not previously logged in to the FactoryTalk® Services Platform web service. |
| CVE-2025-27112 | 1 Navidrome | 1 Navidrome | 2025-02-27 | 6.5 Medium | Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a "permission denied" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue. |
| CVE-2022-25768 | 1 Acquia | 1 Mautic | 2025-02-27 | 7 High | The logic in place to facilitate the update process via the user interface lacks access control to verify whether the user has permission to perform the tasks. Prior to this patch being applied, it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required. |
| CVE-2023-23857 | 1 Sap | 1 Netweaver Application Server For Java | 2025-02-27 | 9.9 Critical | Due to a missing authentication check, SAP NetWeaver AS for Java version 7.50 allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems. On successful exploitation, the attacker can read and modify some sensitive information, and can also lock up any element or operation of the system, making it unresponsive or unavailable. |
| CVE-2023-1327 | 1 Netgear | 2 Rax30, Rax30 Firmware | 2025-02-27 | 9.8 Critical | Netgear RAX30 (AX2400), prior to version 1.0.6.74, was affected by an authentication bypass vulnerability, allowing an unauthenticated attacker to gain administrative access to the device's web management interface by resetting the admin password. |
| CVE-2023-25957 | 1 Mendix | 1 Saml | 2025-02-27 | 9.1 Critical | A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions >= V3.1.9 < V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.2.6). The affected versions of the module insufficiently verify SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and gain access to the application. For compatibility reasons, fixed versions still contain this issue, but only when the recommended, default configuration option `Use Encryption` is disabled. |
| CVE-2024-12510 | | | 2025-02-27 | 6.7 Medium | If LDAP settings are accessed, authentication could be redirected to another server, potentially exposing credentials. This requires admin access and an active LDAP setup. |
| CVE-2023-4612 | 1 Apereo | 1 Central Authentication Service | 2025-02-26 | 9.8 Critical | Improper Authentication vulnerability in Apereo CAS in the jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass. This issue affects CAS through 7.0.0-RC7. It is unknown whether the issue will be fixed in newer versions. At the date of publication there is no patch, and the vendor does not treat it as a vulnerability. |
| CVE-2023-28609 | 1 Ansible-semaphore | 1 Ansible Semaphore | 2025-02-26 | 9.8 Critical | api/auth.go in Ansible Semaphore before 2.8.89 mishandles authentication. |
| CVE-2023-21455 | 1 Samsung | 2 Exynos, Exynos Firmware | 2025-02-26 | 5.9 Medium | Improper authorization implementation in Exynos baseband prior to SMR Mar-2023 Release 1 allows incorrect handling of unencrypted messages. |
| CVE-2022-46774 | 1 Ibm | 2 Manage Application, Maximo Application Suite | 2025-02-26 | 5.4 Medium | IBM Manage Application 8.8.0 and 8.9.0 in the IBM Maximo Application Suite is vulnerable to incorrect default permissions, which could give a user access to actions that they should not have access to. IBM X-Force ID: 242953. |
| CVE-2023-21460 | 1 Samsung | 1 Android | 2025-02-26 | 4.4 Medium | Improper authentication in SecSettings prior to SMR Mar-2023 Release 1 allows an attacker to reset the setting. |
| CVE-2022-46773 | 1 Ibm | 3 Robotic Process Automation, Robotic Process Automation As A Service, Robotic Process Automation For Cloud Pak | 2025-02-26 | 4.3 Medium | IBM Robotic Process Automation 21.0.0 - 21.0.7 and 23.0.0 is vulnerable to client-side validation bypass for credential pools. Invalid credential pools may be created as a result. IBM X-Force ID: 242951. |
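The Navidrome entry above (CVE-2025-27112) is the one record in this list that spells out its mechanism: a non-existent username plus the salted hash of an empty password passes the Subsonic token check. The following Go program is an added illustration written for this page, not Navidrome's own code, and it does not claim to reproduce Navidrome's internal code path. It relies on the documented Subsonic API token scheme (`t = md5(password + salt)`, sent with the plaintext salt `s` and username `u`) and on one plausible way the described flaw arises: looking up an unknown user yields an empty password, which is then hashed and compared. The user table, the salt and the usernames are constructed sample data.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// ErrUnauthorized is returned for any failed credential check.
var ErrUnauthorized = errors.New("unauthorized")

// users is a constructed stand-in for the server's account table (not Navidrome's).
var users = map[string]string{
	"alice": "correct horse battery staple",
}

// SubsonicToken computes the Subsonic API token: t = md5(password + salt), lowercase hex.
// Clients send this token and the plaintext salt instead of the password itself.
func SubsonicToken(password, salt string) string {
	sum := md5.Sum([]byte(password + salt))
	return hex.EncodeToString(sum[:])
}

// VulnerableAuth models the flaw described in the CVE: an unknown username is looked
// up, the lookup yields an empty password (the map's zero value), and md5("" + salt) is
// compared with the token the client supplied. An attacker who sends the token of an
// empty password under any non-existent username therefore passes the check.
func VulnerableAuth(username, token, salt string) error {
	password := users[username] // "" when the user does not exist
	expected := SubsonicToken(password, salt)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(token)) != 1 {
		return ErrUnauthorized
	}
	return nil
}

// FixedAuth refuses to proceed unless the user exists and has a non-empty password,
// so the token comparison is never run against a missing or empty credential.
func FixedAuth(username, token, salt string) error {
	password, ok := users[username]
	if !ok || password == "" {
		return ErrUnauthorized
	}
	expected := SubsonicToken(password, salt)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(token)) != 1 {
		return ErrUnauthorized
	}
	return nil
}

// AuthenticateQuery parses the Subsonic query parameters (u=user, t=token, s=salt)
// and applies the supplied check. Every one of these values is attacker-controlled.
func AuthenticateQuery(rawQuery string, check func(u, t, s string) error) error {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return err
	}
	u, t, s := q.Get("u"), q.Get("t"), q.Get("s")
	if u == "" || t == "" || s == "" {
		return ErrUnauthorized
	}
	return check(u, t, s)
}

func main() {
	salt := "c19b2d" // constructed client salt

	// Forged request: a username that does not exist plus the token of an empty password.
	forged := "u=ghost&t=" + SubsonicToken("", salt) + "&s=" + salt + "&v=1.16.1&c=demo"
	fmt.Println("vulnerable check, ghost user:", AuthenticateQuery(forged, VulnerableAuth))
	fmt.Println("fixed check, ghost user:     ", AuthenticateQuery(forged, FixedAuth))

	// A real user with the right token still authenticates after the fix.
	good := "u=alice&t=" + SubsonicToken(users["alice"], salt) + "&s=" + salt + "&v=1.16.1&c=demo"
	fmt.Println("fixed check, alice:          ", AuthenticateQuery(good, FixedAuth))
}
```

The point of the fixed variant is ordering: existence and non-emptiness of the stored credential are decided before any hash is computed, so a "default" value produced by a failed lookup can never become the reference the client token is matched against. The same pattern applies to any scheme where a missing record silently degrades to a zero value rather than an explicit error.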