Vulnerabilities (CVE)

Filtered by CWE-287
Total 4192 CVE
CVE | Vendors (n) | Products (n) | Updated | CVSS v2 | CVSS v3

CVE-2025-3222 | - | - | 2026-06-17 | N/A | N/A
Improper Authentication vulnerability in GE Vernova Smallworld on Windows, Linux allows Authentication Abuse. This issue affects Smallworld: 5.3.3 and prior versions for Linux, and 5.3.4 and prior versions for Windows.

CVE-2025-3062 | 1: Admin Lte Theme Project | 1: Admin Lte Theme | 2026-06-17 | N/A | 6.6 MEDIUM
Vulnerability in Drupal Admin LTE theme. This issue affects Drupal Admin LTE theme: *.*.

CVE-2025-3061 | 1: Material Admin Project | 1: Material Admin | 2026-06-17 | N/A | 6.6 MEDIUM
Vulnerability in Drupal Material Admin. This issue affects Material Admin: *.*.

CVE-2025-37731 | 1: Elastic | 1: Elasticsearch | 2026-06-17 | N/A | 6.8 MEDIUM
Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.

CVE-2025-37184 | 1: Arubanetworks | 1: Edgeconnect Sd-wan Orchestrator | 2026-06-17 | N/A | 9.8 CRITICAL
A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compromising the integrity of secured access to the system.

CVE-2025-37107 | 1: Hpe | 1: Autopass License Server | 2026-06-17 | N/A | 7.3 HIGH
An authentication bypass vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.18.

CVE-2025-37106 | 1: Hpe | 1: Autopass License Server | 2026-06-17 | N/A | 7.3 HIGH
An authentication bypass and disclosure of information vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.18.

CVE-2025-37093 | 1: Hpe | 1: Storeonce System | 2026-06-17 | N/A | 9.8 CRITICAL
An authentication bypass vulnerability exists in HPE StoreOnce Software.

CVE-2025-34186 | 1: Ilevia | 2: Eve X1 Server, Eve X1 Server Firmware | 2026-06-17 | N/A | 9.8 CRITICAL
Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a vulnerability in its authentication mechanism. Unsanitized input is passed to a system() call for authentication, allowing attackers to inject special characters and manipulate command parsing. Because the binary interprets non-zero exit codes from system() as successful authentication, remote attackers can bypass authentication and gain full access to the system.

CVE-2025-32975 | 1: Quest | 1: Kace Systems Management Appliance | 2026-06-17 | N/A | 10.0 CRITICAL
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover.

CVE-2025-32879 | 1: Yftech | 2: Coros Pace 3, Coros Pace 3 Firmware | 2026-06-17 | N/A | 8.8 HIGH
An issue was discovered on COROS PACE 3 devices through 3.0808.0. It starts advertising if no device is connected via Bluetooth. This allows an attacker to connect with the device via BLE if no other device is connected. While connected, none of the BLE services and characteristics of the device require any authentication or security level. Therefore, any characteristic, depending on its mode of operation (read/write/notify), can be used by the connected attacker. This allows, for example, configuring the device, sending notifications, resetting the device to factory settings, or installing software.

CVE-2025-32877 | 1: Yftech | 2: Coros Pace 3, Coros Pace 3 Firmware | 2026-06-17 | N/A | 9.8 CRITICAL
An issue was discovered on COROS PACE 3 devices through 3.0808.0. It identifies itself as a device without input or output capabilities, which results in the use of the Just Works pairing method. This method does not implement any authentication, which therefore allows machine-in-the-middle attacks. Furthermore, this lack of authentication allows attackers to interact with the device via BLE without requiring prior authorization.

CVE-2025-32875 | - | - | 2026-06-17 | N/A | 5.7 MEDIUM
An issue was discovered in the COROS application through 3.8.12 for Android. Bluetooth pairing and bonding is neither initiated nor enforced by the application itself. Also, the watch does not enforce pairing and bonding. As a result, any data transmitted via BLE remains unencrypted, allowing attackers within Bluetooth range to eavesdrop on the communication. Furthermore, even if a user manually initiates pairing and bonding in the Android settings, the application continues to transmit data without requiring the watch to be bonded. This fallback behavior enables attackers to exploit the communication, for example, by conducting an active machine-in-the-middle attack.

CVE-2025-32815 | 1: Infoblox | 1: Netmri | 2026-06-17 | N/A | 6.5 MEDIUM
An issue was discovered in Infoblox NETMRI before 7.6.1. Authentication bypass via a hardcoded credential can occur.

CVE-2025-31478 | 1: Zulip | 1: Zulip Server | 2026-06-17 | N/A | 8.2 HIGH
Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being able to authenticate with a single-sign-on authentication backend, meaning the organization places no restrictions on email address domains and does not require invitations to join, but has disabled the EmailAuthBackend that is used for email/password authentication. A bug in the Zulip server means that it is possible to create an account in such organizations without having an account with the configured SSO authentication backend. This issue is patched in version 10.2. As a workaround, requiring invitations to join the organization prevents the vulnerability from being reached.

CVE-2025-31271 | 1: Apple | 1: Macos | 2026-06-17 | N/A | 7.5 HIGH
This issue was addressed through improved state management. This issue is fixed in macOS Tahoe 26. Incoming FaceTime calls can appear or be accepted on a locked macOS device, even with notifications disabled on the lock screen.

CVE-2025-31267 | 1: Apple | 1: App Store Connect | 2026-06-17 | N/A | 4.6 MEDIUM
An authentication issue was addressed with improved state management. This issue is fixed in App Store Connect 3.0. An attacker with physical access to an unlocked device may be able to view sensitive user information.

CVE-2025-31264 | 1: Apple | 1: Macos | 2026-06-17 | N/A | 4.6 MEDIUM
An authentication issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An attacker with physical access to a locked device may be able to view sensitive user information.

CVE-2025-31228 | 1: Apple | 2: Ipados, Iphone Os | 2026-06-17 | N/A | 6.8 MEDIUM
The issue was addressed with improved authentication. This issue is fixed in iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7. An attacker with physical access to a device may be able to access notes from the lock screen.

CVE-2025-31122 | - | - | 2026-06-17 | N/A | N/A
scratch-coding-hut.github.io is the website for Coding Hut. In 1.0-beta3 and earlier, the login link can be used to log in to any account by changing the username in the username field.