Vulnerabilities (CVE)

Filtered by CWE-287
Total 4196 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-7746 1 Traccar 1 Traccar 2026-06-17 N/A 9.8 CRITICAL
Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Authentication Abuse.This issue affects the privileged transactions implemented by the Traccar solution that should otherwise be protected by the authentication mechanism.  These transactions could have an impact on any sensitive aspect of the platform, including Confidentiality, Integrity and Availability.
CVE-2024-7745 1 Progress 1 Ws Ftp Server 2026-06-17 N/A 6.5 MEDIUM
In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.
CVE-2024-7593 1 Ivanti 1 Virtual Traffic Manager 2026-06-17 N/A 9.8 CRITICAL
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
CVE-2024-7487 1 Wso2 1 Identity Server 2026-06-17 N/A 5.8 MEDIUM
An improper authentication vulnerability exists in WSO2 Identity Server 7.0.0 due to an implementation flaw that allows app-native authentication to be bypassed when an invalid object is passed. Exploitation of this vulnerability could enable malicious actors to circumvent the client verification mechanism, compromising the integrity of the authentication process.
CVE-2024-7401 1 Netskope 1 Netskope 2026-06-17 N/A 7.5 HIGH
Netskope was notified about a security gap in Netskope Client enrollment process where NSClient is using a static token “Orgkey” as authentication parameter. Since this is a static token, if leaked, cannot be rotated or revoked. A malicious actor can use this token to enroll NSClient from a customer’s tenant and impersonate a user.
CVE-2024-7395 2026-06-17 N/A N/A
An authentication bypass vulnerability in Korenix JetPort 5601v3 allows an attacker to access functionality on the device without specifying a password.This issue affects JetPort 5601v3: through 1.2.
CVE-2024-7346 1 Progress 1 Openedge 2026-06-17 N/A 7.2 HIGH
Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection.  This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security.  The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.
CVE-2024-7050 2026-06-17 N/A N/A
Improper Authentication vulnerability in OpenText OpenText Directory Services may allow Multi-factor Authentication Bypass in particular scenarios.This issue affects OpenText Directory Services: 24.2.
CVE-2024-7012 1 Redhat 1 Satellite 2026-06-17 N/A 9.8 CRITICAL
An authentication bypass vulnerability has been identified in Foreman when deployed with External Authentication, due to the puppet-foreman configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) and could potentially enable unauthorized users to gain administrative access.
CVE-2024-6576 1 Progress 1 Moveit Transfer 2026-06-17 N/A 7.3 HIGH
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3.
CVE-2024-6535 1 Redhat 1 Service Interconnect 2026-06-17 N/A 5.3 MEDIUM
A flaw was found in Skupper. When Skupper is initialized with the console-enabled and with console-auth set to Openshift, it configures the openshift oauth-proxy with a static cookie-secret. In certain circumstances, this may allow an attacker to bypass authentication to the Skupper console via a specially-crafted cookie.
CVE-2024-6397 1 Instawp 1 Instawp Connect 2026-06-17 N/A 9.8 CRITICAL
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed in 0.1.0.44, but was still exploitable via Cross-Site Request Forgery.
CVE-2024-6248 1 Wyze 2 Cam V3, Cam V3 Firmware 2026-06-17 N/A 7.5 HIGH
Wyze Cam v3 Cloud Infrastructure Improper Authentication Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Wyze Cam v3 IP cameras. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run_action_batch endpoint of the cloud infrastructure. The issue results from the use of the device's MAC address as a sole credential for authentication. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-22393.
CVE-2024-6235 1 Citrix 1 Netscaler Console 2026-06-17 N/A 8.8 HIGH
Sensitive information disclosure in NetScaler Console
CVE-2024-6174 1 Canonical 1 Cloud-init 2026-06-17 N/A 8.8 HIGH
When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.
CVE-2024-6107 1 Canonical 1 Metal As A Service 2026-06-17 N/A 9.6 CRITICAL
Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been addressed in MAAS and updated in the corresponding snaps.
CVE-2024-6078 2026-06-17 N/A N/A
CVE-2024-6078 IMPACT An improper authentication vulnerability exists in the affected product, which could allow a malicious user to generate cookies for any user ID without the use of a username or password. If exploited, a malicious user could take over the account of a legitimate user. The malicious user would be able to view and modify data stored in the cloud.
CVE-2024-6057 1 Devolutions 1 Remote Desktop Manager 2026-06-17 N/A 9.8 CRITICAL
Improper authentication in the vault password feature in Devolutions Remote Desktop Manager 2024.1.31.0 and earlier allows an attacker that has compromised an access to an RDM instance to bypass the vault master password via the offline mode feature.
CVE-2024-5957 1 Trellix 1 Intrusion Prevention System Manager 2026-06-17 N/A 6.3 MEDIUM
This vulnerability allows unauthenticated remote attackers to bypass authentication and gain APIs access of the Manager.
CVE-2024-5956 1 Trellix 1 Intrusion Prevention System Manager 2026-06-17 N/A 6.5 MEDIUM
This vulnerability allows unauthenticated remote attackers to bypass authentication and gain partial data access to the vulnerable Trellix IPS Manager with garbage data in response mostly