Vulnerabilities (CVE)

Filtered by CWE-287
Total 4201 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-38139 1 Microsoft 1 Dataverse 2026-06-17 N/A 8.7 HIGH
Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network.
CVE-2024-38124 1 Microsoft 6 Windows Server 2008, Windows Server 2012, Windows Server 2016 and 3 more 2026-06-17 N/A 9.0 CRITICAL
Windows Netlogon Elevation of Privilege Vulnerability
CVE-2024-38099 1 Microsoft 6 Windows Server 2008, Windows Server 2012, Windows Server 2016 and 3 more 2026-06-17 N/A 5.9 MEDIUM
Windows Remote Desktop Licensing Service Denial of Service Vulnerability
CVE-2024-37897 2026-06-17 N/A 5.4 MEDIUM
SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Users are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the password reset feature disabled or set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.
CVE-2024-37893 2026-06-17 N/A 5.9 MEDIUM
Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try sign an OAuth application up to a users profile quite easily if they have created one. The attacker would also need to know the victims username and password. This problem has been patched in Firefly III v6.1.17 and up. Users are advised to upgrade. Users unable to upgrade should Use a unique password for their Firefly III instance and store their password securely, i.e. in a password manager.
CVE-2024-37408 2026-06-17 N/A 7.3 HIGH
fprintd through 1.94.3 lacks a security attention mechanism, and thus unexpected actions might be authorized by "auth sufficient pam_fprintd.so" for Sudo. NOTE: the supplier disputes this because they believe issue resolution would involve modifying the PAM configuration to restrict pam_fprintd.so to front-ends that implement a proper attention mechanism, not modifying pam_fprintd.so or fprintd.
CVE-2024-37368 1 Rockwellautomation 1 Factorytalk View 2026-06-17 N/A 7.5 HIGH
A user authentication vulnerability exists in the Rockwell Automation FactoryTalk® View SE. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. Due to the lack of proper authentication, this action is allowed without proper authentication verification.
CVE-2024-37367 1 Rockwellautomation 1 Factorytalk View 2026-06-17 N/A 7.5 HIGH
A user authentication vulnerability exists in the Rockwell Automation FactoryTalk® View SE v12. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. This action is allowed without proper authentication verification.
CVE-2024-37313 1 Nextcloud 1 Nextcloud Server 2026-06-17 N/A 7.3 HIGH
Nextcloud server is a self hosted personal cloud system. Under some circumstance it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise Server is upgraded to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 or 28.0.4.
CVE-2024-37233 2026-06-17 N/A 4.3 MEDIUM
Improper Authentication vulnerability in Play.Ht allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Play.Ht: from n/a through 3.6.4.
CVE-2024-37152 1 Argoproj 1 Argo Cd 2026-06-17 N/A 5.3 MEDIUM
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
CVE-2024-37085 1 Vmware 2 Cloud Foundation, Esxi 2026-06-17 N/A 6.8 MEDIUM
VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
CVE-2024-37028 1 F5 1 Big-ip Next Central Manager 2026-06-17 N/A 5.3 MEDIUM
BIG-IP Next Central Manager may allow an attacker to lock out an account that has never been logged in.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2024-37019 2026-06-17 N/A 9.8 CRITICAL
Northern.tech Mender Enterprise before 3.6.4 and 3.7.x before 3.7.4 has Weak Authentication.
CVE-2024-36444 2026-06-17 N/A 8.1 HIGH
cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an unauthenticated attacker to gain access to device logs.
CVE-2024-36402 1 T2bot 1 Matrix-media-repo 2026-06-17 N/A 5.3 MEDIUM
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR before version 1.3.5 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. MMR 1.3.5 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector. Though extremely limited, server operators can use more strict rate limits based on IP address as a partial workaround.
CVE-2024-36266 1 Siemens 1 Powersys 2026-06-17 N/A 9.3 CRITICAL
A vulnerability has been identified in PowerSys (All versions < V3.11). The affected application insufficiently protects responses to authentication requests. This could allow a local attacker to bypass authentication, thereby gaining administrative privileges for the managed remote devices.
CVE-2024-36264 1 Apache 1 Submarine 2026-06-17 N/A 9.8 CRITICAL
** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils. If the user doesn't explicitly set `submarine.auth.default.secret`, a default value will be used. This issue affects Apache Submarine Commons Utils: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2024-36132 1 Ivanti 1 Endpoint Manager Mobile 2026-06-17 N/A 7.5 HIGH
Insufficient verification of authentication controls in EPMM prior to 12.1.0.1 allows a remote attacker to bypass authentication and access sensitive resources.
CVE-2024-36130 1 Ivanti 1 Endpoint Manager Mobile 2026-06-17 N/A 9.8 CRITICAL
An insufficient authorization vulnerability in web component of EPMM prior to 12.1.0.1 allows an unauthorized attacker within the network to execute arbitrary commands on the underlying operating system of the appliance.