Total
3657 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-54573 | 2025-07-30 | N/A | 4.3 MEDIUM | ||
| CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.1.0 through 2.41.0, email verification was not enforced when using Basic HTTP Authentication. As a result, users could create accounts using fake email addresses and use the product as verified users. Additionally, the missing email verification check leaves the system open to bot signups and further usage. CVAT 2.42.0 and later versions contain a fix for the issue. CVAT Enterprise customers have a workaround available; those customers may disable registration to prevent this issue. | |||||
| CVE-2025-49706 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Server | 2025-07-30 | N/A | 6.5 MEDIUM |
| Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. | |||||
| CVE-2024-30939 | 1 Yealink | 1 Vp59 Firmware | 2025-07-30 | N/A | 6.8 MEDIUM |
| An issue discovered in Yealink VP59 Teams Editions with firmware version 91.15.0.118 allows a physically proximate attacker to gain control of an account via a flaw in the factory reset procedure. | |||||
| CVE-2025-31267 | 1 Apple | 1 App Store Connect | 2025-07-29 | N/A | 4.6 MEDIUM |
| An authentication issue was addressed with improved state management. This issue is fixed in App Store Connect 3.0. An attacker with physical access to an unlocked device may be able to view sensitive user information. | |||||
| CVE-2025-49812 | 1 Apache | 1 Http Server | 2025-07-29 | N/A | 7.4 HIGH |
| In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade. | |||||
| CVE-2025-6505 | 2025-07-29 | N/A | 8.1 HIGH | ||
| Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access. When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters. | |||||
| CVE-2025-54419 | 2025-07-29 | N/A | 10.0 CRITICAL | ||
| A SAML library not dependent on any frameworks that runs in Node. In version 5.0.1, Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username. To conduct the attack an attacker would need a validly signed document from the identity provider (IdP). This is fixed in version 5.1.0. | |||||
| CVE-2025-54452 | 1 Samsung | 1 Magicinfo 9 Server | 2025-07-28 | N/A | 7.3 HIGH |
| Improper Authentication vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass.This issue affects MagicINFO 9 Server: less than 21.1080.0. | |||||
| CVE-2025-3910 | 2025-07-28 | N/A | 5.4 MEDIUM | ||
| A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. | |||||
| CVE-2024-51767 | 1 Hpe | 1 Autopass License Server | 2025-07-25 | N/A | 7.3 HIGH |
| An authentication bypass vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.17. | |||||
| CVE-2024-12310 | 2025-07-25 | N/A | N/A | ||
| A vulnerability in Imprivata Enterprise Access Management (formerly Imprivata OneSign) allows bypassing the login screen of the shared kiosk workstation and allows unauthorized access to the underlying Windows system through the already logged-in autologon account due to insufficient handling of keyboard shortcuts. This issue affects Imprivata Enterprise Access Management versions 5.3 through 24.2. | |||||
| CVE-2025-45777 | 2025-07-25 | N/A | 9.8 CRITICAL | ||
| An issue in the OTP mechanism of Chavara Family Welfare Centre Chavara Matrimony Site v2.0 allows attackers to bypass authentication via supplying a crafted request. | |||||
| CVE-2025-0249 | 2025-07-25 | N/A | 3.3 LOW | ||
| HCL IEM is affected by an improper invalidation of access or JWT token vulnerability. A token was not invalidated which may allow attackers to access sensitive data without authorization. | |||||
| CVE-2025-37107 | 1 Hpe | 1 Autopass License Server | 2025-07-25 | N/A | 7.3 HIGH |
| An authentication bypass vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.18. | |||||
| CVE-2025-37106 | 1 Hpe | 1 Autopass License Server | 2025-07-25 | N/A | 7.3 HIGH |
| An authentication bypass and disclosure of information vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.18. | |||||
| CVE-2025-7862 | 1 Totolink | 2 T6, T6 Firmware | 2025-07-23 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in TOTOLINK T6 4.1.5cu.748_B20211015 and classified as critical. Affected by this vulnerability is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipulation of the argument telnet_enabled with the input 1 leads to missing authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2020-3411 | 1 Cisco | 1 Catalyst Center | 2025-07-23 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in Cisco DNA Center software could allow an unauthenticated remote attacker access to sensitive information on an affected system. The vulnerability is due to improper handling of authentication tokens by the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker access to sensitive device information, which includes configuration files. | |||||
| CVE-2024-7401 | 1 Netskope | 1 Netskope | 2025-07-23 | N/A | 7.5 HIGH |
| Netskope was notified about a security gap in Netskope Client enrollment process where NSClient is using a static token “Orgkey” as authentication parameter. Since this is a static token, if leaked, cannot be rotated or revoked. A malicious actor can use this token to enroll NSClient from a customer’s tenant and impersonate a user. | |||||
| CVE-2025-53771 | 2025-07-22 | N/A | 6.5 MEDIUM | ||
| Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. | |||||
| CVE-2024-6107 | 2025-07-22 | N/A | 9.6 CRITICAL | ||
| Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been addressed in MAAS and updated in the corresponding snaps. | |||||