Total
3671 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-6528 | 2025-06-26 | 3.3 LOW | 4.3 MEDIUM | ||
| A vulnerability has been found in 70mai M300 up to 20250611 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /livestream/12 of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper authentication. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-6524 | 2025-06-26 | 1.8 LOW | 3.1 LOW | ||
| A vulnerability classified as problematic has been found in 70mai 1S up to 20250611. This affects an unknown part of the component Video Services. The manipulation leads to improper authentication. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-6174 | 2025-06-26 | N/A | 8.8 HIGH | ||
| When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration. | |||||
| CVE-2025-53013 | 2025-06-26 | N/A | 5.2 MEDIUM | ||
| Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. A vulnerability present in versions 0.9.10 through 0.9.16 allows a user to authenticate to a Linux host via Himmelblau using an *invalid* Linux Hello PIN, provided the host is offline. While the user gains access to the local system, Single Sign-On (SSO) fails due to the network being down and the inability to issue tokens (due to a failure to unlock the Hello key). The core issue lies in an incorrect assumption within the `acquire_token_by_hello_for_business_key` function: it was expected to return a `TPMFail` error for an invalid Hello key when offline, but instead, a preceding nonce request resulted in a `RequestFailed` error, leading the system to erroneously transition to an offline success state without validating the Hello key unlock. This impacts systems using Himmelblau for authentication when operating in an offline state with Hello PIN authentication enabled. Rocky Linux 8 (and variants) are not affected by this vulnerability. The problem is resolved in Himmelblau version 0.9.17. A workaround is available for users who cannot immediately upgrade. Disabling Hello PIN authentication by setting `enable_hello = false` in `/etc/himmelblau/himmelblau.conf` will mitigate the vulnerability. | |||||
| CVE-2025-48746 | 1 Netwrix | 1 Directory Manager | 2025-06-24 | N/A | 6.5 MEDIUM |
| Netwrix Directory Manager (formerly Imanami GroupID) v.11.0.0.0 and before, as well as after v.11.1.25134.03 lacks Authentication for a Critical Function. | |||||
| CVE-2025-3627 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 4.3 MEDIUM |
| A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentication (2FA). | |||||
| CVE-2025-3634 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 4.3 MEDIUM |
| A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes. | |||||
| CVE-2025-32875 | 2025-06-23 | N/A | 5.7 MEDIUM | ||
| An issue was discovered in the COROS application through 3.8.12 for Android. Bluetooth pairing and bonding is neither initiated nor enforced by the application itself. Also, the watch does not enforce pairing and bonding. As a result, any data transmitted via BLE remains unencrypted, allowing attackers within Bluetooth range to eavesdrop on the communication. Furthermore, even if a user manually initiates pairing and bonding in the Android settings, the application continues to transmit data without requiring the watch to be bonded. This fallback behavior enables attackers to exploit the communication, for example, by conducting an active machine-in-the-middle attack. | |||||
| CVE-2024-45347 | 2025-06-23 | N/A | 9.6 CRITICAL | ||
| An unauthorized access vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to Unauthorized access to the victim’s device. | |||||
| CVE-2025-27086 | 1 Hpe | 1 Performance Cluster Manager | 2025-06-23 | N/A | 8.1 HIGH |
| A vulnerability in the HPE Performance Cluster Manager (HPCM) GUI could allow an attacker to bypass authentication. | |||||
| CVE-2023-50275 | 1 Hp | 1 Oneview | 2025-06-20 | N/A | 7.5 HIGH |
| HPE OneView may allow clusterService Authentication Bypass resulting in denial of service. | |||||
| CVE-2023-42935 | 1 Apple | 1 Macos | 2025-06-20 | N/A | 5.5 MEDIUM |
| An authentication issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.6.4. A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen. | |||||
| CVE-2023-50127 | 1 Hozard | 1 Alarm System | 2025-06-20 | N/A | 5.9 MEDIUM |
| Hozard alarm system (Alarmsysteem) v1.0 is vulnerable to Improper Authentication. Commands sent via the SMS functionality are accepted from random phone numbers, which allows an attacker to bring the alarm system to a disarmed state from any given phone number. | |||||
| CVE-2024-3701 | 1 Tecno | 1 Hios | 2025-06-17 | N/A | 9.8 CRITICAL |
| The system application (com.transsion.kolun.aiservice) component does not perform an authentication check, which allows attackers to perform malicious exploitations and affect system services. | |||||
| CVE-2023-48865 | 1 Reportico | 1 Reportico | 2025-06-17 | N/A | 6.5 MEDIUM |
| An issue discovered in Reportico Till 8.1.0 allows attackers to obtain sensitive information via execute_mode parameter of the URL. | |||||
| CVE-2024-29757 | 1 Google | 1 Android | 2025-06-17 | N/A | 7.3 HIGH |
| there is a possible permission bypass due to Debug certs being allowlisted. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-5985 | 1 Fabian | 1 School Fees Payment System | 2025-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in code-projects School Fees Payment System 1.0 and classified as critical. Affected by this issue is some unknown functionality. The manipulation leads to improper authentication. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-11917 | 2025-06-17 | N/A | 8.1 HIGH | ||
| The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.9.2. This is due to improper configurations in the 'jobsearch_xing_response_data_callback', 'set_access_tokes', and 'google_callback' functions. This makes it possible for unauthenticated attackers to log in as the first connected Xing user, or any connected Xing user if the Xing id is known. It is also possible for unauthenticated attackers to log in as the first connected Google user if the user has logged in, without subsequently logging out, in thirty days. The vulnerability was partially patched in version 2.8.4. | |||||
| CVE-2024-24279 | 1 Secdiskapp | 1 Secdiskapp | 2025-06-17 | N/A | 8.8 HIGH |
| An issue in secdiskapp 1.5.1 (management program for NewQ Fingerprint Encryption Super Speed Flash Disk) allows attackers to gain escalated privileges via vsVerifyPassword and vsSetFingerPrintPower functions. | |||||
| CVE-2023-47256 | 1 Connectwise | 2 Automate, Screenconnect | 2025-06-17 | N/A | 5.5 MEDIUM |
| ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy settings | |||||