Vulnerabilities (CVE)

Filtered by CWE-287
Total 4201 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-35775 2026-06-17 N/A 5.9 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Authentication vulnerability in Soliloquy Team Slider by Soliloquy allows Cross-Site Scripting (XSS).This issue affects Slider by Soliloquy: from n/a through 2.7.6.
CVE-2024-35670 1 Softlabbd 1 Integrate Google Drive 2026-06-17 N/A 5.3 MEDIUM
Broken Authentication vulnerability in SoftLab Integrate Google Drive.This issue affects Integrate Google Drive: from n/a through 1.3.93.
CVE-2024-35248 1 Microsoft 1 Dynamics 365 Business Central 2026-06-17 N/A 7.3 HIGH
Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability
CVE-2024-35184 2026-06-17 N/A 5.5 MEDIUM
Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains a patchc for the issue.
CVE-2024-34788 1 Ivanti 1 Endpoint Manager Mobile 2026-06-17 N/A 6.5 MEDIUM
An improper authentication vulnerability in web component of EPMM prior to 12.1.0.1 allows a remote malicious user to access potentially sensitive information
CVE-2024-34596 1 Samsung 1 Smartthings 2026-06-17 N/A 5.9 MEDIUM
Improper authentication in SmartThings prior to version 1.8.17 allows remote attackers to bypass the expiration date for members set by the owner.
CVE-2024-34399 1 Bmc 1 Remedy Mid-tier 2026-06-17 N/A 9.8 CRITICAL
**UNSUPPORTED WHEN ASSIGNED** An issue was discovered in BMC Remedy Mid Tier 7.6.04. An unauthenticated remote attacker is able to access any user account without using any password. NOTE: This vulnerability only affects products that are no longer supported by the maintainer and the impacted version for this vulnerability is 7.6.04 only.
CVE-2024-34340 2 Cacti, Fedoraproject 2 Cacti, Fedora 2026-06-17 N/A 9.1 CRITICAL
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` use `password_hash` if there is it, else use `md5`. When verifying password, it calls `compat_password_verify`. In `compat_password_verify`, `password_verify` is called if there is it, else use `md5`. `password_verify` and `password_hash` are supported on PHP < 5.5.0, following PHP manual. The vulnerability is in `compat_password_verify`. Md5-hashed user input is compared with correct password in database by `$md5 == $hash`. It is a loose comparison, not `===`. It is a type juggling vulnerability. Version 1.2.27 contains a patch for the issue.
CVE-2024-34103 1 Adobe 3 Commerce, Commerce Webhooks, Magento 2026-06-17 N/A 8.1 HIGH
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interaction, but attack complexity is high.
CVE-2024-34093 1 Archerirm 1 Archer 2026-06-17 N/A 5.3 MEDIUM
An issue was discovered in Archer Platform 6 before 2024.03. There is an X-Forwarded-For Header Bypass vulnerability. An unauthenticated attacker could potentially bypass intended whitelisting when X-Forwarded-For header is enabled.
CVE-2024-33110 1 Dlink 2 Dir-845l, Dir-845l Firmware 2026-06-17 N/A 9.1 CRITICAL
D-Link DIR-845L router v1.01KRb03 and before is vulnerable to Permission Bypass via the getcfg.php component.
CVE-2024-31800 1 Gncchome 2 Gncc C2, Gncc C2 Firmware 2026-06-17 N/A 6.8 MEDIUM
Authentication Bypass in GNCC's GC2 Indoor Security Camera 1080P allows an attacker with physical access to gain a privileged command shell via the UART Debugging Port.
CVE-2024-30939 1 Yealink 1 Vp59 Firmware 2026-06-17 N/A 6.8 MEDIUM
An issue discovered in Yealink VP59 Teams Editions with firmware version 91.15.0.118 allows a physically proximate attacker to gain control of an account via a flaw in the factory reset procedure.
CVE-2024-30299 1 Adobe 1 Framemaker Publishing Server 2026-06-17 N/A 10.0 CRITICAL
Adobe Framemaker Publishing Server versions 2020.3, 2022.2 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interaction.
CVE-2024-2862 1 Lg 1 Lg Led Assistant 2026-06-17 N/A 9.1 CRITICAL
This vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.
CVE-2024-2450 1 Mattermost 1 Mattermost Server 2026-06-17 N/A 8.8 HIGH
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.
CVE-2024-2112 1 10web 1 Form Maker 2026-06-17 N/A 5.9 MEDIUM
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.15.22 via the signature functionality. This makes it possible for unauthenticated attackers to extract sensitive data including user signatures.
CVE-2024-29849 1 Veeam 1 Veeam Backup \& Replication 2026-06-17 N/A 9.8 CRITICAL
Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface.
CVE-2024-29837 1 Cs-technologies 1 Evolution 2026-06-17 N/A 8.8 HIGH
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below uses poor session management, allowing for an unauthenticated attacker to access administrator functionality if any other user is already signed in.
CVE-2024-29757 1 Google 1 Android 2026-06-17 N/A 7.3 HIGH
there is a possible permission bypass due to Debug certs being allowlisted. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.