Total
428 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-21491 | 1 Svix | 1 Svix-webhooks | 2025-05-09 | N/A | 5.9 MEDIUM |
| Versions of the package svix before 1.17.0 are vulnerable to Authentication Bypass due to an issue in the verify function where signatures of different lengths are incorrectly compared. An attacker can bypass signature verification by providing a shorter signature that matches the beginning of the actual signature. **Note:** The attacker would need to know a victim uses the Rust library for verification,no easy way to automatically check that; and uses webhooks by a service that uses Svix, and then figure out a way to craft a malicious payload that will actually include all of the correct identifiers needed to trick the receivers to cause actual issues. | |||||
| CVE-2023-50272 | 1 Hpe | 4 Integrated Lights-out 5, Integrated Lights-out 5 Firmware, Integrated Lights-out 6 and 1 more | 2025-05-07 | N/A | 7.5 HIGH |
| A potential security vulnerability has been identified in HPE Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 6 (iLO 6). The vulnerability could be remotely exploited to allow authentication bypass. | |||||
| CVE-2024-26566 | 1 Iscute | 1 Cute Http File Server | 2025-04-30 | N/A | 8.2 HIGH |
| An issue in Cute Http File Server v.3.1 allows a remote attacker to escalate privileges via the password verification component. | |||||
| CVE-2025-32357 | 1 Zammad | 1 Zammad | 2025-04-15 | N/A | 4.3 MEDIUM |
| In Zammad 6.4.x before 6.4.2, an authenticated agent with knowledge base permissions was able to use the Zammad API to fetch knowledge base content that they have no permission for. | |||||
| CVE-2025-1283 | 1 Dingtian-tech | 8 Dt-r002, Dt-r002 Firmware, Dt-r008 and 5 more | 2025-04-10 | N/A | 9.8 CRITICAL |
| The Dingtian DT-R0 Series is vulnerable to an exploit that allows attackers to bypass login requirements by directly navigating to the main page. | |||||
| CVE-2022-3614 | 1 Octopus | 1 Octopus Server | 2025-04-10 | N/A | 6.1 MEDIUM |
| In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation. | |||||
| CVE-2024-13446 | 1 Amentotech | 1 Workreap | 2025-04-02 | N/A | 9.8 CRITICAL |
| The Workreap plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.2.5. This is due to the plugin not properly validating a user's identity prior to (1) performing a social auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account. NOTE: This vulnerability was partially fixed in version 3.2.5. | |||||
| CVE-2025-27658 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-04-01 | N/A | 9.8 CRITICAL |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Authentication Bypass OVE-20230524-0001. | |||||
| CVE-2024-31814 | 1 Totolink | 2 Ex200, Ex200 Firmware | 2025-03-18 | N/A | 8.8 HIGH |
| TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to bypass login through the Form_Login function. | |||||
| CVE-2025-1315 | 1 Sfwebservice | 1 Injob | 2025-03-13 | N/A | 9.8 CRITICAL |
| The InWave Jobs plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 3.5.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | |||||
| CVE-2024-9658 | 1 Dasinfomedia | 1 School Management System | 2025-03-13 | N/A | 8.8 HIGH |
| The School Management System for Wordpress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 93.0.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email and password through the mj_smgt_update_user() and mj_smgt_add_admission() functions, along with a local file inclusion vulnerability. This makes it possible for authenticated attackers, with student-level access and above, to change arbitrary user's email addresses and passwords, including administrators, and leverage that to gain access to their account. This was escalated four months ago after no response to our initial outreach, yet it still vulnerable. | |||||
| CVE-2023-23503 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-03-12 | N/A | 5.5 MEDIUM |
| A logic issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.2, iOS 16.3 and iPadOS 16.3, iOS 15.7.3 and iPadOS 15.7.3, tvOS 16.3, watchOS 9.3. An app may be able to bypass Privacy preferences. | |||||
| CVE-2024-8943 | 1 Latepoint | 1 Latepoint | 2025-02-20 | N/A | 9.8 CRITICAL |
| The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13. | |||||
| CVE-2024-6635 | 1 Wpwebelite | 1 Woocommerce Social Login | 2025-02-11 | N/A | 7.3 HIGH |
| The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.3. This is due to insufficient controls in the 'woo_slg_login_email' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, excluding an administrator, if they know the email of user. | |||||
| CVE-2024-36470 | 1 Jetbrains | 1 Teamcity | 2025-02-07 | N/A | 8.1 HIGH |
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific edge cases | |||||
| CVE-2024-7503 | 1 Wpwebelite | 1 Woocommerce Social Login | 2025-02-07 | N/A | 9.8 CRITICAL |
| The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.5. This is due to the use of loose comparison of the activation code in the 'woo_slg_confirm_email_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the userID. This requires the email module to be enabled. | |||||
| CVE-2023-21098 | 1 Google | 1 Android | 2025-02-05 | N/A | 7.8 HIGH |
| In multiple functions of AccountManagerService.java, there is a possible loading of arbitrary code into the System Settings app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-260567867 | |||||
| CVE-2025-24456 | 1 Jetbrains | 1 Hub | 2025-01-30 | N/A | 6.7 MEDIUM |
| In JetBrains Hub before 2024.3.55417 privilege escalation was possible via LDAP authentication mapping | |||||
| CVE-2024-9861 | 1 Miniorange | 1 Otp Verification With Firebase | 2025-01-28 | N/A | 8.1 HIGH |
| The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.6.0. This is due to missing validation on the token being supplied during the otp login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the phone number associated with that user. | |||||
| CVE-2024-12857 | 1 Scriptsbundle | 1 Adforest | 2025-01-24 | N/A | 9.8 CRITICAL |
| The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the plugin not properly verifying a user's identity prior to logging them in as that user. This makes it possible for unauthenticated attackers to authenticate as any user as long as they have configured OTP login by phone number. | |||||