Vulnerabilities (CVE)

Filtered by CWE-287
Total 4201 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-46316 1 Huawei 1 Harmonyos 2026-06-17 N/A 9.8 CRITICAL
A thread security vulnerability exists in the authentication process. Successful exploitation of this vulnerability may affect data integrity, confidentiality, and availability.
CVE-2022-46313 1 Huawei 1 Harmonyos 2026-06-17 N/A 5.3 MEDIUM
The sensor privacy module has an authentication vulnerability. Successful exploitation of this vulnerability may cause unavailability of the smartphone's camera and microphone.
CVE-2022-46172 1 Goauthentik 1 Authentik 2026-06-17 N/A 6.4 MEDIUM
authentik is an open-source Identity provider focused on flexibility and versatility. In versions prior to 2022.10.4, and 2022.11.4, any authenticated user can create an arbitrary number of accounts through the default flows. This would circumvent any policy in a situation where it is undesirable for users to create new accounts by themselves. This may also affect other applications as these new basic accounts would exist throughout the SSO infrastructure. By default the newly created accounts cannot be logged into as no password reset exists by default. However password resets are likely to be enabled by most installations. This vulnerability pertains to the user context used in the default-user-settings-flow, /api/v3/flows/instances/default-user-settings-flow/execute/. This issue has been fixed in versions 2022.10.4 and 2022.11.4.
CVE-2022-46170 1 Codeigniter 1 Codeigniter 2026-06-17 N/A 8.6 HIGH
CodeIgniter is a PHP full-stack web framework. When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to `DatabaseHandler`, `MemcachedHandler`, or `RedisHandler`, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for admin pages). This issue has been patched, please upgrade to version 4.2.11 or later. As a workaround, use only one session cookie.
CVE-2022-46146 1 Prometheus 1 Exporter Toolkit 2026-06-17 N/A 6.2 MEDIUM
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.
CVE-2022-45922 1 Opentext 1 Opentext Extended Ecm 2026-06-17 N/A 8.8 HIGH
An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The request handler for ll.KeepAliveSession sets a valid AdminPwd cookie even when the Web Admin password was not entered. This allows access to endpoints, which require a valid AdminPwd cookie, without knowing the password.
CVE-2022-45860 1 Fortinet 2 Fortinac, Fortinac-f 2026-06-17 N/A 5.3 MEDIUM
A weak authentication vulnerability [CWE-1390] in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions in device registration page may allow an unauthenticated attacker to perform password spraying attacks with an increased chance of success.
CVE-2022-45174 1 Liveboxcloud 1 Vdesk 2026-06-17 N/A 9.8 CRITICAL
An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication for SAML Users can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/challenge endpoint. The correctness of the TOTP is not checked properly, and can be bypassed by passing any string as the backup code.
CVE-2022-45173 1 Liveboxcloud 1 Vdesk 2026-06-17 N/A 9.8 CRITICAL
An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /api/v1/vdeskintegration/challenge endpoint. Because only the client-side verifies whether a check was successful, an attacker can modify the response, and fool the application into concluding that the TOTP was correct.
CVE-2022-45168 1 Liveboxcloud 1 Vdesk 2026-06-17 N/A 6.5 MEDIUM
An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/createbackupcodes endpoint, because the application allows a user to generate or regenerate the backup codes before checking the TOTP.
CVE-2022-45124 1 Wellintech 1 Kinghistorian 2026-06-17 N/A 7.5 HIGH
An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this vulnerability.
CVE-2022-44620 1 Unimo 6 Udr-ja1604, Udr-ja1604 Firmware, Udr-ja1608 and 3 more 2026-06-17 N/A 8.8 HIGH
Improper authentication vulnerability in UDR-JA1604/UDR-JA1608/UDR-JA1616 firmware versions 71x10.1.107112.43A and earlier allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter the device settings.
CVE-2022-44610 1 Intel 1 Data Center Manager 2026-06-17 N/A 5.4 MEDIUM
Improper authentication in the Intel(R) DCM software before version 5.1 may allow an authenticated user to potentially enable escalation of privilege via network access.
CVE-2022-44595 1 Melapress 1 Wp 2fa 2026-06-17 N/A 5.3 MEDIUM
Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.This issue affects WP 2FA: from n/a through 2.2.0.
CVE-2022-44574 1 Ivanti 1 Avalanche 2026-06-17 N/A 7.5 HIGH
An improper authentication vulnerability exists in Avalanche version 6.3.x and below allows unauthenticated attacker to modify properties on specific port.
CVE-2022-44569 1 Ivanti 1 Automation 2026-06-17 N/A 7.8 HIGH
A locally authenticated attacker with low privileges can bypass authentication due to insecure inter-process communication.
CVE-2022-44244 1 Lin-cms Project 1 Lin-cms 2026-06-17 N/A 6.6 MEDIUM
An authentication bypass in Lin-CMS v0.2.1 allows attackers to escalate privileges to Super Administrator.
CVE-2022-43900 1 Ibm 1 Websphere Automation For Ibm Cloud Pak For Watson Aiops 2026-06-17 N/A 5.3 MEDIUM
IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps 1.4.2 could provide a weaker than expected security. A local attacker can create an outbound network connection to another system. IBM X-Force ID: 240827.
CVE-2022-43690 1 Concretecms 1 Concrete Cms 2026-06-17 N/A 6.3 MEDIUM
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
CVE-2022-43620 1 Dlink 2 Dir-1935, Dir-1935 Firmware 2026-06-17 N/A 8.8 HIGH
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-1935 1.03 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue results from the lack of proper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-16142.