Total
202 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-32357 | 1 Zammad | 1 Zammad | 2025-04-15 | N/A | 4.3 MEDIUM |
| In Zammad 6.4.x before 6.4.2, an authenticated agent with knowledge base permissions was able to use the Zammad API to fetch knowledge base content that they have no permission for. | |||||
| CVE-2025-1283 | 1 Dingtian-tech | 8 Dt-r002, Dt-r002 Firmware, Dt-r008 and 5 more | 2025-04-10 | N/A | 9.8 CRITICAL |
| The Dingtian DT-R0 Series is vulnerable to an exploit that allows attackers to bypass login requirements by directly navigating to the main page. | |||||
| CVE-2022-3614 | 1 Octopus | 1 Octopus Server | 2025-04-10 | N/A | 6.1 MEDIUM |
| In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation. | |||||
| CVE-2024-46887 | 2025-04-08 | N/A | 5.3 MEDIUM | ||
| The web server of affected devices do not properly authenticate user request to the '/ClientArea/RuntimeInfoData.mwsl' endpoint. This could allow an unauthenticated remote attacker to gain knowledge about current actual and configured maximum cycle times as well as about configured maximum communication load. | |||||
| CVE-2025-24095 | 1 Apple | 3 Ipados, Iphone Os, Visionos | 2025-04-07 | N/A | 7.6 HIGH |
| This issue was addressed with additional entitlement checks. This issue is fixed in visionOS 2.4, iOS 18.4 and iPadOS 18.4. An app may be able to bypass Privacy preferences. | |||||
| CVE-2024-13446 | 1 Amentotech | 1 Workreap | 2025-04-02 | N/A | 9.8 CRITICAL |
| The Workreap plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.2.5. This is due to the plugin not properly validating a user's identity prior to (1) performing a social auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account. NOTE: This vulnerability was partially fixed in version 3.2.5. | |||||
| CVE-2025-27658 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-04-01 | N/A | 9.8 CRITICAL |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Authentication Bypass OVE-20230524-0001. | |||||
| CVE-2025-31095 | 2025-04-01 | N/A | 9.8 CRITICAL | ||
| Authentication Bypass Using an Alternate Path or Channel vulnerability in ho3einie Material Dashboard allows Authentication Bypass. This issue affects Material Dashboard: from n/a through 1.4.5. | |||||
| CVE-2025-22277 | 2025-04-01 | N/A | 8.8 HIGH | ||
| Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos allows Authentication Abuse. This issue affects Vitepos: from n/a through 3.1.4. | |||||
| CVE-2023-50915 | 2025-03-28 | N/A | 6.5 MEDIUM | ||
| An issue exists in GalaxyClientService.exe in GOG Galaxy (Beta) 2.0.67.2 through 2.0.71.2 that could allow authenticated users to overwrite and corrupt critical system files via a combination of an NTFS Junction and an RPC Object Manager symbolic link and could result in a denial of service. | |||||
| CVE-2024-13772 | 1 Uxper | 1 Civi | 2025-03-28 | N/A | 5.6 MEDIUM |
| The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of randomization of a password created during Single Sign-On via Google or Facebook. This makes it possible for unauthenticated attackers to change the password of arbitrary Candidate-level users if the attacker knows the username assigned to the victim during account creation. | |||||
| CVE-2024-13771 | 1 Uxper | 1 Civi | 2025-03-28 | N/A | 9.8 CRITICAL |
| The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim. | |||||
| CVE-2025-30112 | 2025-03-27 | N/A | 7.1 HIGH | ||
| On 70mai Dash Cam 1S devices, by connecting directly to the dashcam's network and accessing the API on port 80 and RTSP on port 554, an attacker can bypass the device authorization mechanism from the official mobile app that requires a user to physically press on the power button during a connection. | |||||
| CVE-2025-22230 | 2025-03-27 | N/A | 7.8 HIGH | ||
| VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control. A malicious actor with non-administrative privileges on a guest VM may gain ability to perform certain high privilege operations within that VM. | |||||
| CVE-2025-24472 | 1 Fortinet | 2 Fortios, Fortiproxy | 2025-03-19 | N/A | 8.1 HIGH |
| An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests. | |||||
| CVE-2024-13442 | 2025-03-19 | N/A | 9.8 CRITICAL | ||
| The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.0. This is due to the plugin not properly validating a user's identity prior to (1) performing a post-booking auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account. | |||||
| CVE-2024-31814 | 1 Totolink | 2 Ex200, Ex200 Firmware | 2025-03-18 | N/A | 8.8 HIGH |
| TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to bypass login through the Form_Login function. | |||||
| CVE-2020-10148 | 1 Solarwinds | 1 Orion Platform | 2025-03-17 | 7.5 HIGH | 9.8 CRITICAL |
| The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected. | |||||
| CVE-2023-37057 | 2025-03-14 | N/A | 9.8 CRITICAL | ||
| An issue in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to execute arbitrary code via the router's authentication mechanism. | |||||
| CVE-2024-11286 | 2025-03-14 | N/A | 9.8 CRITICAL | ||
| The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the cs_parse_request() function. This makes it possible for unauthenticated attackers to to log in to any user's account, including administrators. | |||||