Vulnerabilities (CVE)

Filtered by CWE-287
Total 4205 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-20738 2 Adobe, Microsoft 2 Framemaker Publishing Server, Windows 2026-06-17 N/A 9.8 CRITICAL
Adobe FrameMaker Publishing Server versions 2022.1 and earlier are affected by an Improper Authentication vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass authentication mechanisms and gain unauthorized access. Exploitation of this issue does not require user interaction.
CVE-2024-20301 1 Cisco 1 Duo Authentication For Windows Logon And Rdp 2026-06-17 N/A 6.2 MEDIUM
A vulnerability in Cisco Duo Authentication for Windows Logon and RDP could allow an authenticated, physical attacker to bypass secondary authentication and access an affected Windows device. This vulnerability is due to a failure to invalidate locally created trusted sessions after a reboot of the affected device. An attacker with primary user credentials could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to access the affected device without valid permissions.
CVE-2024-1817 1 Demososo 1 Dm Enterprise Website Building System 2026-06-17 7.5 HIGH 7.3 HIGH
A vulnerability has been found in Demososo DM Enterprise Website Building System up to 2022.8 and classified as critical. Affected by this vulnerability is the function dmlogin of the file indexDM_load.php of the component Cookie Handler. The manipulation of the argument is_admin with the input y leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254605 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-1735 1 Linecorp 1 Armeria 2026-06-17 N/A 9.1 CRITICAL
A vulnerability has been identified in armeria-saml versions less than 1.27.2, allowing the use of malicious SAML messages to bypass authentication. All users who rely on armeria-saml older than version 1.27.2 must upgrade to 1.27.2 or later.
CVE-2024-1610 2026-06-17 N/A 9.8 CRITICAL
In OPPO Store APP, there's a possible escalation of privilege due to improper input validation.
CVE-2024-1609 2026-06-17 N/A N/A
In OPPOStore iOS App, there's a possible escalation of privilege due to improper input validation.
CVE-2024-1039 1 Gesslergmbh 2 Web-master, Web-master Firmware 2026-06-17 N/A 9.8 CRITICAL
Gessler GmbH WEB-MASTER has a restoration account that uses weak hard coded credentials and if exploited could allow an attacker control over the web management of the device.
CVE-2024-1006 1 Shanxi Tianneng Technology 1 Noderp 2026-06-17 7.5 HIGH 7.3 HIGH
A vulnerability was found in Shanxi Diankeyun Technology NODERP up to 6.0.2 and classified as critical. This issue affects some unknown processing of the file application/index/common.php of the component Cookie Handler. The manipulation of the argument Nod_User_Id/Nod_User_Token leads to improper authentication. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252275. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-14034 2026-06-17 N/A 9.8 CRITICAL
Hirschmann HiEOS devices versions prior to 01.1.00 contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthenticated remote attackers to gain administrative access by sending specially crafted HTTP(S) requests. Attackers can exploit improper authentication handling to obtain elevated privileges and perform unauthorized actions including configuration download or upload and firmware modification.
CVE-2024-13804 2026-06-17 N/A 9.8 CRITICAL
Unauthenticated RCE in HPE Insight Cluster Management Utility
CVE-2024-13528 1 Wpfactory 1 Customer Email Verification For Woocommerce 2026-06-17 N/A 7.5 HIGH
The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.9.5. This is due to the presence of a shortcode that will generate a confirmation link with a placeholder email. This makes it possible for authenticated attackers, with Contributor-level access and above, to generate a verification link for any unverified user and log into the account. The 'Fine tune placement' option must be enabled in the plugin settings in order to exploit the vulnerability.
CVE-2024-13309 1 Login Disable Project 1 Login Disable 2026-06-17 N/A 5.4 MEDIUM
Improper Authentication vulnerability in Drupal Login Disable allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Login Disable: from 2.0.0 before 2.1.1.
CVE-2024-13111 1 Kaoshifeng 1 Yunfan Learning Examination System 2026-06-17 5.1 MEDIUM 5.6 MEDIUM
A vulnerability classified as critical was found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Affected by this vulnerability is an unknown functionality of the file src/main/java/com/yf/exam/modules/sys/user/controller/SysUserControl of the component JWT Token Handler. The manipulation leads to improper authentication. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
CVE-2024-13088 1 Qnap 1 Qurouter 2026-06-17 N/A 7.8 HIGH
An improper authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: QuRouter 2.5.0.140 and later
CVE-2024-12919 1 Cozmoslabs 1 Membership \& Content Restriction - Paid Member Subscriptions 2026-06-17 N/A 9.8 CRITICAL
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7. This is due to the pms_pb_payment_redirect_link function using the user-controlled value supplied via the 'pms_payment_id' parameter to authenticate users without any further identity validation. This makes it possible for unauthenticated attackers with knowledge of a valid payment ID to log in as any user who has made a purchase on the targeted site.
CVE-2024-12510 2026-06-17 N/A 6.7 MEDIUM
If LDAP settings are accessed, authentication could be redirected to another server, potentially exposing credentials. This requires admin access and an active LDAP setup.
CVE-2024-12310 2026-06-17 N/A N/A
A vulnerability in Imprivata Enterprise Access Management (formerly Imprivata OneSign) allows bypassing the login screen of the shared kiosk workstation and allows unauthorized access to the underlying Windows system through the already logged-in autologon account due to insufficient handling of keyboard shortcuts. This issue affects Imprivata Enterprise Access Management versions 5.3 through 24.2.
CVE-2024-12287 2026-06-17 N/A 9.8 CRITICAL
The Biagiotti Membership plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as other users, such as administrators, granted they have access to an email.
CVE-2024-12264 2026-06-17 N/A 9.8 CRITICAL
The PayU CommercePro Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.8.3. This is due to /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost REST API endpoints not properly verifying a user's identity prior to setting the users ID and auth cookies. This makes it possible for unauthenticated attackers to create new administrative user accounts.
CVE-2024-11917 2026-06-17 N/A 8.1 HIGH
The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.9.2. This is due to improper configurations in the 'jobsearch_xing_response_data_callback', 'set_access_tokes', and 'google_callback' functions. This makes it possible for unauthenticated attackers to log in as the first connected Xing user, or any connected Xing user if the Xing id is known. It is also possible for unauthenticated attackers to log in as the first connected Google user if the user has logged in, without subsequently logging out, in thirty days. The vulnerability was partially patched in version 2.8.4.