Total
107 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3757 | 1 Openpubkey | 1 Openpubkey | 2025-05-23 | N/A | 9.8 CRITICAL |
| Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. | |||||
| CVE-2025-4658 | 1 Openpubkey | 2 Openpubkey, Opkssh | 2025-05-22 | N/A | 9.8 CRITICAL |
| Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication. | |||||
| CVE-2022-3100 | 2 Openstack, Redhat | 5 Barbican, Enterprise Linux Eus, Openstack and 2 more | 2025-04-03 | N/A | 5.9 MEDIUM |
| A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API. | |||||
| CVE-2025-1880 | 2025-03-03 | 1.2 LOW | 2.0 LOW | ||
| A vulnerability was found in i-Drive i11 and i12 up to 20250227. It has been classified as problematic. Affected is an unknown function of the component Device Pairing. The manipulation leads to authentication bypass by primary weakness. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitability is told to be difficult. It was not possible to identify the current maintainer of the product. It must be assumed that the product is end-of-life. | |||||
| CVE-2023-28727 | 1 Panasonic | 2 Aiseg2, Aiseg2 Firmware | 2025-02-12 | N/A | 9.6 CRITICAL |
| Panasonic AiSEG2 versions 2.00J through 2.93A allows adjacent attackers bypass authentication due to mishandling of X-Forwarded-For headers. | |||||
| CVE-2024-1403 | 1 Progress | 1 Openedge | 2025-02-11 | N/A | 10.0 CRITICAL |
| In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The vulnerability is a bypass to authentication based on a failure to properly handle username and password. Certain unexpected content passed into the credentials can lead to unauthorized access without proper authentication. | |||||
| CVE-2024-6637 | 1 Wpwebelite | 1 Woocommerce Social Login | 2025-02-11 | N/A | 7.3 HIGH |
| The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthenticated privilege escalation in all versions up to, and including, 2.7.3. This is due to a lack of brute force controls on a weak one-time password. This makes it possible for unauthenticated attackers to brute force the one-time password for any user, except an Administrator, if they know the email of user. | |||||
| CVE-2021-26102 | 1 Fortinet | 1 Fortiwan | 2025-01-21 | N/A | 9.8 CRITICAL |
| A relative path traversal vulnerability (CWE-23) in FortiWAN version 4.5.7 and below, 4.4 all versions may allow a remote non-authenticated attacker to delete files on the system by sending a crafted POST request. In particular, deleting specific configuration files will reset the Admin password to its default value. | |||||
| CVE-2024-34077 | 1 Mantisbt | 1 Mantisbt | 2025-01-16 | N/A | 7.3 HIGH |
| MantisBT (Mantis Bug Tracker) is an open source issue tracker. Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and takeover their account, if the victim has an incomplete request pending. The exploit is only possible while the verification token is valid, i.e for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password. A brute-force attack calling account_update.php with increasing user IDs is possible. A successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to. Version 2.26.2 contains a patch for the issue. As a workaround, one may mitigate the risk by reducing the verification token's validity (change the value of the `TOKEN_EXPIRY_AUTHENTICATED` constant in `constants_inc.php`). | |||||
| CVE-2024-3847 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2024-12-19 | N/A | 6.1 MEDIUM |
| Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) | |||||
| CVE-2024-9683 | 1 Redhat | 1 Quay | 2024-12-03 | N/A | 4.8 MEDIUM |
| A vulnerability was found in Quay, which allows successful authentication even when a truncated password version is provided. This flaw affects the authentication mechanism, reducing the overall security of password enforcement. While the risk is relatively low due to the typical length of the passwords used (73 characters), this vulnerability can still be exploited to reduce the complexity of brute-force or password-guessing attacks. The truncation of passwords weakens the overall authentication process, thereby reducing the effectiveness of password policies and potentially increasing the risk of unauthorized access in the future. | |||||
| CVE-2024-38433 | 1 Nuvoton | 8 Npcm705r, Npcm705r Firmware, Npcm710r and 5 more | 2024-11-21 | N/A | 6.7 MEDIUM |
| Nuvoton - CWE-305: Authentication Bypass by Primary Weakness An attacker with write access to the SPI-Flash on an NPCM7xx BMC subsystem that uses the Nuvoton BootBlock reference code can modify the u-boot image header on flash parsed by the BootBlock which could lead to arbitrary code execution. | |||||
| CVE-2024-36388 | 2024-11-21 | N/A | 10.0 CRITICAL | ||
| MileSight DeviceHub - CWE-305 Missing Authentication for Critical Function | |||||
| CVE-2024-20674 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2024-11-21 | N/A | 8.8 HIGH |
| Windows Kerberos Security Feature Bypass Vulnerability | |||||
| CVE-2024-20015 | 2 Google, Mediatek | 40 Android, Mt6739, Mt6753 and 37 more | 2024-11-21 | N/A | 7.8 HIGH |
| In telephony, there is a possible escalation of privilege due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08441419; Issue ID: ALPS08441419. | |||||
| CVE-2023-6998 | 1 Coolkit | 1 Ewelink | 2024-11-21 | N/A | 7.7 HIGH |
| Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0. | |||||
| CVE-2023-36497 | 1 Doverfuelingsolutions | 2 Maglink Lx 3, Maglink Lx Web Console Configuration | 2024-11-21 | N/A | 8.8 HIGH |
| Dover Fueling Solutions MAGLINK LX Web Console Configuration versions 2.5.1, 2.5.2, 2.5.3, 2.6.1, 2.11, 3.0, 3.2, and 3.3 could allow a guest user to elevate to admin privileges. | |||||
| CVE-2023-1307 | 1 Froxlor | 1 Froxlor | 2024-11-21 | N/A | 9.8 CRITICAL |
| Authentication Bypass by Primary Weakness in GitHub repository froxlor/froxlor prior to 2.0.13. | |||||
| CVE-2023-0777 | 1 Modoboa | 1 Modoboa | 2024-11-21 | N/A | 9.8 CRITICAL |
| Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4. | |||||
| CVE-2022-2651 | 1 Joinbookwyrm | 1 Bookwyrm | 2024-11-21 | N/A | 9.8 CRITICAL |
| Authentication Bypass by Primary Weakness in GitHub repository bookwyrm-social/bookwyrm prior to 0.4.5. | |||||