Vulnerabilities (CVE)

Filtered by CWE-287
Total 4205 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-27482 1 Home-assistant 2 Home-assistant, Supervisor 2026-06-17 N/A 10.0 CRITICAL
homeassistant is an open source home automation tool. A remotely exploitable vulnerability bypassing authentication for accessing the Supervisor API through Home Assistant has been discovered. This impacts all Home Assistant installation types that use the Supervisor 2023.01.1 or older. Installation types, like Home Assistant Container (for example Docker), or Home Assistant Core manually in a Python environment, are not affected. The issue has been mitigated and closed in Supervisor version 2023.03.1, which has been rolled out to all affected installations via the auto-update feature of the Supervisor. This rollout has been completed at the time of publication of this advisory. Home Assistant Core 2023.3.0 included mitigation for this vulnerability. Upgrading to at least that version is thus advised. In case one is not able to upgrade the Home Assistant Supervisor or the Home Assistant Core application at this time, it is advised to not expose your Home Assistant instance to the internet.
CVE-2023-27388 2 Especmic, Tandd 20 Rs-12n, Rs-12n Firmware, Rt-12n and 17 more 2026-06-17 N/A 9.8 CRITICAL
Improper authentication vulnerability in T&D Corporation and ESPEC MIC CORP. data logger products allows a remote unauthenticated attacker to login to the product as a registered user. Affected products and versions are as follows: T&D Corporation data logger products (TR-71W/72W all firmware versions, RTR-5W all firmware versions, WDR-7 all firmware versions, WDR-3 all firmware versions, and WS-2 all firmware versions), and ESPEC MIC CORP. data logger products (RT-12N/RS-12N all firmware versions, RT-22BN all firmware versions, and TEU-12N all firmware versions).
CVE-2023-27377 1 Idattend 1 Idweb 2026-06-17 N/A 7.5 HIGH
Missing authentication in the StudentPopupDetails_EmergencyContactDetails method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction of sensitive student data by unauthenticated attackers.
CVE-2023-27351 1 Papercut 2 Papercut Mf, Papercut Ng 2026-06-17 N/A 7.5 HIGH
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.
CVE-2023-27091 1 Teacms Project 1 Teacms 2026-06-17 N/A 7.2 HIGH
An unauthorized access issue found in XiaoBingby TeaCMS 2.3.3 allows attackers to escalate privileges via the id and keywords parameter(s).
CVE-2023-26455 1 Open-xchange 1 Open-xchange Appsuite 2026-06-17 N/A 5.6 MEDIUM
RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items using RMI. RMI access is restricted to localhost by default. The interface has been updated to require authenticated requests. No publicly available exploits are known.
CVE-2023-26150 1 Freeopcua 1 Opcua-asyncio 2026-06-17 N/A 6.5 MEDIUM
Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication. **Note:** This issue is a result of missing checks for services that require an active session.
CVE-2023-25957 1 Mendix 1 Saml 2026-06-17 N/A 9.1 CRITICAL
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions >= V3.1.9 < V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application. For compatibility reasons, fix versions still contain this issue, but only when the recommended, default configuration option `'Use Encryption'` is disabled.
CVE-2023-25946 1 Qrio 2 Q-sl2, Q-sl2 Firmware 2026-06-17 N/A 8.8 HIGH
Authentication bypass vulnerability in Qrio Lock (Q-SL2) firmware version 2.0.9 and earlier allows a network-adjacent attacker to analyze the product's communication data and conduct an arbitrary operation under certain conditions.
CVE-2023-25931 1 Medtronic 2 Interstim X Clinician, Micro Clinician 2026-06-17 N/A 6.4 MEDIUM
Medtronic identified that the Pelvic Health clinician apps, which are installed on the Smart Programmer mobile device, have a password vulnerability that requires a security update to fix. Not updating could potentially result in unauthorized control of the clinician therapy application, which has greater control over therapy parameters than the patient app. Changes still cannot be made outside of the established therapy parameters of the programmer. For unauthorized access to occur, an individual would need physical access to the Smart Programmer.
CVE-2023-25913 1 Danfoss 2 Ak-sm 800a, Ak-sm 800a Firmware 2026-06-17 N/A 7.5 HIGH
Because of an authentication flaw an attacker would be capable of generating a web report that discloses sensitive information such as internal IP addresses, usernames, store names and other sensitive information.
CVE-2023-25790 2026-06-17 N/A 5.3 MEDIUM
Improper Authentication, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xtemos WoodMart allows Cross-Site Scripting (XSS).This issue affects WoodMart: from n/a through 7.0.4.
CVE-2023-25601 1 Apache 1 Dolphinscheduler 2026-06-17 N/A 4.3 MEDIUM
On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you can turn off the python-gateway function by changing the value `python-gateway.enabled=false` in configuration file `application.yaml`. If you are using the python gateway, please upgrade to version 3.1.2 or above.
CVE-2023-25597 1 Mitel 1 Micollab 2026-06-17 N/A 5.9 MEDIUM
A vulnerability in the web conferencing component of Mitel MiCollab through 9.6.2.9 could allow an unauthenticated attacker to download a shared file via a crafted request - including the exact path and filename - due to improper authentication control. A successful exploit could allow access to sensitive information.
CVE-2023-25556 1 Schneider-electric 14 Merten Instabus Tastermodul 1fach System M, Merten Instabus Tastermodul 1fach System M Firmware, Merten Instabus Tastermodul 2fach System M and 11 more 2026-06-17 N/A 8.3 HIGH
A CWE-287: Improper Authentication vulnerability exists that could allow a device to be compromised when a key of less than seven digits is entered and the attacker has access to the KNX installation.
CVE-2023-25264 1 Docmosis 1 Tornado 2026-06-17 N/A 7.5 HIGH
An issue was discovered in Docmosis Tornado prior to version 2.9.5. An unauthenticated attacker can bypass the authentication check filter completely by introducing a specially crafted request with relative path segments.
CVE-2023-25131 1 Cyberpower 1 Powerpanel 2026-06-17 N/A 9.4 CRITICAL
Use of default password vulnerability in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to log in to the server directly to perform administrative functions. Upon installation or upon first login, the application does not ask the user to change the 'admin' password.
CVE-2023-24831 1 Apache 1 Iotdb 2026-06-17 N/A 9.8 CRITICAL
Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3. Attackers could login without authorization. This is fixed in 0.13.4.
CVE-2023-24830 1 Apache 1 Iotdb 2026-06-17 N/A 7.5 HIGH
Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects iotdb-web-workbench component: from 0.13.0 before 0.13.3.
CVE-2023-24479 1 Yifanwireless 2 Yf325, Yf325 Firmware 2026-06-17 N/A 9.8 CRITICAL
An authentication bypass vulnerability exists in the httpd nvram.cgi functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.