Total
202 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-8012 | 1 Ivanti | 1 Workspace Control | 2025-06-12 | N/A | 7.8 HIGH |
| An authentication bypass weakness in the message broker service of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges. | |||||
| CVE-2025-31019 | 2025-06-12 | N/A | 8.8 HIGH | ||
| Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Password Policy Manager password-policy-manager allows Authentication Abuse.This issue affects Password Policy Manager: from n/a through 2.0.4. | |||||
| CVE-2025-31022 | 2025-06-12 | N/A | 9.8 CRITICAL | ||
| Authentication Bypass Using an Alternate Path or Channel vulnerability in PayU India PayU India allows Authentication Abuse. This issue affects PayU India: from n/a through 3.8.5. | |||||
| CVE-2025-30184 | 2025-06-12 | N/A | 9.8 CRITICAL | ||
| CyberData 011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path. | |||||
| CVE-2025-4973 | 2025-06-12 | N/A | 9.8 CRITICAL | ||
| The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to authentication bypass in all versions up to, and including, 3.3.1. This is due to the plugin not properly verifying a user's identity prior to logging them in when verifying an account with an email address. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they know user's email address. This is only exploitable fi the user's confirmation_key has not already been set by the plugin. | |||||
| CVE-2025-47707 | 1 Miniorange | 1 Miniorange 2fa | 2025-06-10 | N/A | 7.5 HIGH |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0. | |||||
| CVE-2025-47710 | 1 Miniorange | 1 Miniorange 2fa | 2025-06-10 | N/A | 7.4 HIGH |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0. | |||||
| CVE-2025-48011 | 1 One Time Password Project | 1 One Time Password | 2025-06-10 | N/A | 4.8 MEDIUM |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal One Time Password allows Functionality Bypass.This issue affects One Time Password: from 0.0.0 before 1.3.0. | |||||
| CVE-2025-48010 | 1 One Time Password Project | 1 One Time Password | 2025-06-10 | N/A | 4.8 MEDIUM |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal One Time Password allows Functionality Bypass.This issue affects One Time Password: from 0.0.0 before 1.3.0. | |||||
| CVE-2025-48904 | 2025-06-06 | N/A | 4.4 MEDIUM | ||
| Vulnerability that cards can call unauthorized APIs in the FRS process Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2025-3932 | 1 Mozilla | 1 Thunderbird | 2025-06-05 | N/A | 6.5 MEDIUM |
| It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1. | |||||
| CVE-2025-40581 | 1 Siemens | 2 Scalance Lpe9403, Scalance Lpe9403 Firmware | 2025-06-04 | N/A | 7.1 HIGH |
| A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions with SINEMA Remote Connect Edge Client installed). Affected devices are vulnerable to an authentication bypass. This could allow a non-privileged local attacker to bypass the authentication of the SINEMA Remote Connect Edge Client, and to read and modify the configuration parameters. | |||||
| CVE-2025-4797 | 2025-06-04 | N/A | 9.8 CRITICAL | ||
| The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the plugin not properly validating a user's identity prior to setting an authorization cookie. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they know the user's email address. | |||||
| CVE-2025-5190 | 2025-05-30 | N/A | 8.8 HIGH | ||
| The Browse As plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2. This is due to incorrect authentication checking in the 'IS_BA_Browse_As::notice' function with the 'is_ba_original_user_COOKIEHASH' cookie value. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator, if they have access to the user id. | |||||
| CVE-2024-36042 | 1 Silverpeas | 1 Silverpeas | 2025-05-29 | N/A | 9.8 CRITICAL |
| Silverpeas before 6.3.5 allows authentication bypass by omitting the Password field to AuthenticationServlet, often providing an unauthenticated user with superadmin access. | |||||
| CVE-2025-48926 | 2025-05-29 | N/A | 4.3 MEDIUM | ||
| The admin panel in the TeleMessage service through 2025-05-05 allows attackers to discover usernames, e-mail addresses, passwords, and telephone numbers, as exploited in the wild in May 2025. | |||||
| CVE-2025-4687 | 2025-05-29 | N/A | N/A | ||
| In Teltonika Networks Remote Management System (RMS), it is possible to perform account pre-hijacking by misusing the invite functionality. If a victim has a pending invite and registers to the platform directly, they are added to the attackers company without their knowledge. The victims account and their company can then be managed by the attacker.This issue affects RMS: before 5.7. | |||||
| CVE-2025-1909 | 1 Buddyboss | 1 Buddyboss Platform | 2025-05-28 | N/A | 9.8 CRITICAL |
| The BuddyBoss Platform Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.01. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. | |||||
| CVE-2022-31022 | 1 Couchbase | 1 Bleve | 2025-05-27 | 2.1 LOW | 6.2 MEDIUM |
| Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (bleve/http) handlers for exposing the access to the indexes. For instance, the CreateIndexHandler (`http/index_create.go`) and DeleteIndexHandler (`http/index_delete.go`) enable an attacker to create a bleve index (directory structure) anywhere where the user running the server has the write permissions and to delete recursively any directory owned by the same user account. Users who have used the bleve/http package for exposing access to bleve index without the explicit handling for the Role Based Access Controls(RBAC) of the index assets would be impacted by this issue. Version 2.5.0 relocated the `http/` dir used _only_ by bleve-explorer to `blevesearch/bleve-explorer`, thereby addressing the issue. However, the http package is purely intended to be used for demonstration purposes. Bleve was never designed handle the RBACs, nor it was ever advertised to be used in that way. The collaborators of this project have decided to stay away from adding any authentication or authorization to bleve project at the moment. The bleve/http package is mainly for demonstration purposes and it lacks exhaustive validation of the user inputs as well as any authentication and authorization measures. It is recommended to not use bleve/http in production use cases. | |||||
| CVE-2024-13553 | 1 Cozyvision | 1 Sms Alert Order Notifications | 2025-05-27 | N/A | 9.8 CRITICAL |
| The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if the plugin is in a playground environment. This makes it possible for unauthenticated attackers to spoof the Host header to make the OTP code "1234" and authenticate as any user, including administrators. | |||||