Vulnerabilities (CVE)

Filtered by CWE-287
Total 4205 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-22441 1 Hpe 1 Cray Parallel Application Launch Service 2026-06-17 N/A 9.8 CRITICAL
HPE Cray Parallel Application Launch Service (PALS) is subject to an authentication bypass.
CVE-2024-22395 1 Sonicwall 10 Sma 200, Sma 200 Firmware, Sma 210 and 7 more 2026-06-17 N/A 6.3 MEDIUM
Improper access control vulnerability has been identified in the SMA100 SSL-VPN virtual office portal, which in specific conditions could potentially enable a remote authenticated attacker to associate another user's MFA mobile application.
CVE-2024-22394 1 Sonicwall 22 Nsa 2700, Nsa 3700, Nsa 4700 and 19 more 2026-06-17 N/A 9.8 CRITICAL
An improper authentication vulnerability has been identified in SonicWall SonicOS SSL-VPN feature, which in specific conditions could allow a remote attacker to bypass authentication.  This issue affects only firmware version SonicOS 7.1.1-7040.
CVE-2024-22247 2026-06-17 N/A 4.8 MEDIUM
VMware SD-WAN Edge contains a missing authentication and protection mechanism vulnerability. A malicious actor with physical access to the SD-WAN Edge appliance during activation can potentially exploit this vulnerability to access the BIOS configuration. In addition, the malicious actor may be able to exploit the default boot priority configured.
CVE-2024-22206 1 Clerk 1 Javascript 2026-06-17 N/A 9.0 CRITICAL
Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.
CVE-2024-21899 1 Qnap 3 Qts, Quts Hero, Qutscloud 2026-06-17 N/A 9.8 CRITICAL
An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later
CVE-2024-21654 1 Rubygems 1 Rubygems.org 2026-06-17 N/A 4.8 MEDIUM
Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and takeover the account. This vulnerability has been patched in commit 0b3272a.
CVE-2024-21638 1 Microsoft 1 Azure Ipam 2026-06-17 N/A 9.1 CRITICAL
Azure IPAM (IP Address Management) is a lightweight solution developed on top of the Azure platform designed to help Azure customers manage their IP Address space easily and effectively. By design there is no write access to customers' Azure environments as the Service Principal used is only assigned the Reader role at the root Management Group level. Until recently, the solution lacked the validation of the passed in authentication token which may result in attacker impersonating any privileged user to access data stored within the IPAM instance and subsequently from Azure, causing an elevation of privilege. This vulnerability has been patched in version 3.0.0.
CVE-2024-21635 1 Usememos 1 Memos 2026-06-17 N/A 7.5 HIGH
Memos is a privacy-first, lightweight note-taking service that uses Access Tokens to authenticate application access. When a user changes their password, the existing list of Access Tokens stay valid instead of expiring. If a user finds that their account has been compromised, they can update their password. In versions up to and including 0.18.1, though, the bad actor will still have access to their account because the bad actor's Access Token stays on the list as a valid token. The user will have to manually delete the bad actor's Access Token to secure their account. The list of Access Tokens has a generic Description which makes it hard to pinpoint a bad actor in a list of Access Tokens. A known patched version of Memos isn't available. To improve Memos security, all Access Tokens will need to be revoked when a user changes their password. This removes the session for all the user's devices and prompts the user to log in again. One can treat the old Access Tokens as "invalid" because those Access Tokens were created with the older password.
CVE-2024-21632 1 Recognizeapp 1 Omniauth\ 2026-06-17 N/A 8.6 HIGH
omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the `email` attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the `email` is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue.
CVE-2024-21543 2026-06-17 N/A 7.1 HIGH
Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.
CVE-2024-21427 1 Microsoft 5 Windows Server 2012, Windows Server 2016, Windows Server 2019 and 2 more 2026-06-17 N/A 7.5 HIGH
Windows Kerberos Security Feature Bypass Vulnerability
CVE-2024-21410 1 Microsoft 1 Exchange Server 2026-06-17 N/A 9.8 CRITICAL
Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2024-20900 1 Samsung 1 Android 2026-06-17 N/A 4.0 MEDIUM
Improper authentication in MTP application prior to SMR Jul-2024 Release 1 allows local attackers to enter MTP mode without proper authentication.
CVE-2024-20890 1 Samsung 1 Android 2026-06-17 N/A 5.3 MEDIUM
Improper input validation in BLE prior to SMR Jul-2024 Release 1 allows adjacent attackers to trigger abnormal behavior.
CVE-2024-20889 1 Samsung 1 Android 2026-06-17 N/A 5.9 MEDIUM
Improper authentication in BLE prior to SMR Jul-2024 Release 1 allows adjacent attackers to pair with devices.
CVE-2024-20856 1 Samsung 1 Android 2026-06-17 N/A 4.3 MEDIUM
Improper Authentication vulnerability in Secure Folder prior to SMR May-2024 Release 1 allows physical attackers to access Secure Folder without proper authentication in a specific scenario.
CVE-2024-20816 1 Samsung 1 Android 2026-06-17 N/A 8.0 HIGH
Improper authentication vulnerability in onCharacteristicWriteRequest in Auto Hotspot prior to SMR Feb-2024 Release 1 allows adjacent attackers connect to victim's mobile hotspot without user awareness.
CVE-2024-20815 1 Samsung 1 Android 2026-06-17 N/A 8.0 HIGH
Improper authentication vulnerability in onCharacteristicReadRequest in Auto Hotspot prior to SMR Feb-2024 Release 1 allows adjacent attackers connect to victim's mobile hotspot without user awareness.
CVE-2024-20803 1 Samsung 1 Android 2026-06-17 N/A 6.8 MEDIUM
Improper authentication vulnerability in Bluetooth pairing process prior to SMR Jan-2024 Release 1 allows remote attackers to establish pairing process without user interaction.