Vulnerabilities (CVE)

Filtered by CWE-287
Total 4197 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-53704 1 Sonicwall 24 Nsa 2700, Nsa 3700, Nsa 4700 and 21 more 2026-06-17 N/A 9.8 CRITICAL
An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.
CVE-2024-52968 1 Fortinet 1 Forticlient 2026-06-17 N/A 6.7 MEDIUM
An improper authentication vulnerability in Fortinet FortiClientMac 7.0.11 through 7.2.4 allows an attacker to gain improper access to macOS via an empty password.
CVE-2024-52786 2026-06-17 N/A 9.8 CRITICAL
An authentication bypass vulnerability in anji-plus AJ-Report up to v1.4.2 allows unauthenticated attackers to execute arbitrary code via a crafted URL.
CVE-2024-52518 1 Nextcloud 1 Nextcloud Server 2026-06-17 N/A 4.4 MEDIUM
Nextcloud Server is a self-hosted personal cloud system. After gaining access to the session of a user or administrator, an attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.
CVE-2024-51997 2026-06-17 N/A 8.1 HIGH
Trustee is a set of tools and components for attesting confidential guests and providing secrets to them. The ART (Attestation Results Token), generated by the AS, could be manipulated by a MITM attacker, yet the verifier (a CoCo Verification Demander such as KBS) could still verify it successfully. In the payload of the ART token, the ‘jwk’ could be replaced by the attacker with their own public key. The attacker can then use the corresponding private key to sign the crafted ART token. In the current code implementation (v0.8.0), such replacement and modification cannot be detected. This issue has been addressed in version 0.8.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-51996 2026-06-17 N/A 7.5 HIGH
Symfony process is a module for the Symfony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached to the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.
CVE-2024-51767 1 Hpe 1 Autopass License Server 2026-06-17 N/A 7.3 HIGH
An authentication bypass vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.17.
CVE-2024-50645 2026-06-17 N/A 9.8 CRITICAL
MallChat v1.0-SNAPSHOT has an authentication bypass vulnerability. An attacker can exploit this vulnerability to access the API without any token.
CVE-2024-50644 2026-06-17 N/A 9.8 CRITICAL
zhisheng17 blog 3.0.1-SNAPSHOT has an authentication bypass vulnerability. An attacker can exploit this vulnerability to access the API without any token.
CVE-2024-50641 2026-06-17 N/A 8.1 HIGH
An authentication bypass vulnerability exists in PandoraNext-TokensTool v0.6.8 and before. An attacker can exploit this vulnerability to access the API without any token.
CVE-2024-50640 2026-06-17 N/A 9.8 CRITICAL
jeewx-boot 1.3 has an authentication bypass vulnerability in the preHandle function.
CVE-2024-50478 1 Swoopnow 1 1-click Login 2026-06-17 N/A 9.8 CRITICAL
Authentication Bypass by Primary Weakness vulnerability in Swoop 1-Click Login: Passwordless Authentication allows Authentication Bypass. This issue affects 1-Click Login: Passwordless Authentication: 1.4.5.
CVE-2024-50341 2026-06-17 N/A 3.1 LOW
symfony/security-bundle is a module for the Symfony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` defined on a firewall is not called when logging in programmatically with the `Security::login` method, leading to unwanted login. As of versions 6.4.10, 7.0.10 and 7.1.3, the `Security::login` method now ensures that the configured `user_checker` is called. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-50339 1 Glpi-project 1 Glpi 2026-06-17 N/A 5.3 MEDIUM
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the session IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.
CVE-2024-4784 1 Gitlab 1 Gitlab 2026-06-17 N/A 4.2 MEDIUM
An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy.
CVE-2024-4601 2026-06-17 N/A 6.7 MEDIUM
An incorrect authentication vulnerability has been found in Socomec Net Vision affecting version 7.20. This vulnerability allows an attacker to perform a brute force attack on the application and recover a valid session, because the application uses a five-digit integer value.
CVE-2024-4303 2026-06-17 N/A 8.8 HIGH
ArmorX Android APP's multi-factor authentication (MFA) for the login function is not properly implemented. Remote attackers who obtain user credentials can bypass MFA, allowing them to successfully log into the APP.
CVE-2024-4129 2026-06-17 N/A 8.8 HIGH
Improper Authentication vulnerability in Snow Software AB Snow License Manager on Windows allows a networked attacker to perform an Authentication Bypass if Active Directory Authentication is enabled. This issue affects Snow License Manager: from 9.33.2 through 9.34.0.
CVE-2024-4024 1 Gitlab 1 Gitlab 2026-06-17 N/A 7.3 HIGH
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials may be able to take over a GitLab account linked to another user's Bitbucket account, if Bitbucket is used as an OAuth 2.0 provider on GitLab.
CVE-2024-49757 1 Zitadel 1 Zitadel 2026-06-17 N/A 7.5 HIGH
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.