Total
1398 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-3777 | 1 Ai3 | 1 Qbibot | 2025-04-08 | N/A | 9.8 CRITICAL |
| The password reset feature of Ai3 QbiBot lacks proper access control, allowing unauthenticated remote attackers to reset any user's password. | |||||
| CVE-2022-46463 | 1 Linuxfoundation | 1 Harbor | 2025-04-08 | N/A | 7.5 HIGH |
| An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication. NOTE: the vendor's position is that this "is clearly described in the documentation as a feature." | |||||
| CVE-2022-43976 | 1 Ge | 2 Ms 3000, Ms 3000 Firmware | 2025-04-07 | N/A | 9.8 CRITICAL |
| An issue was discovered in FC46-WebBridge on GE Grid Solutions MS3000 devices before 3.7.6.25p0_3.2.2.17p0_4.7p0. Direct access to the API is possible on TCP port 8888 via programs located in the cgi-bin folder without any authentication. | |||||
| CVE-2023-37265 | 1 Icewhale | 2 Casaos, Casaos-gateway | 2025-04-07 | N/A | 9.8 CRITICAL |
| CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification an unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly. | |||||
| CVE-2022-26501 | 1 Veeam | 1 Veeam Backup \& Replication | 2025-04-04 | 10.0 HIGH | 9.8 CRITICAL |
| Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2). | |||||
| CVE-2024-51567 | 1 Cyberpanel | 1 Cyberpanel | 2025-04-03 | N/A | 10.0 CRITICAL |
| upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected. | |||||
| CVE-2021-37415 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2025-04-03 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. | |||||
| CVE-2022-24990 | 1 Terra-master | 30 F2-210, F2-221, F2-223 and 27 more | 2025-04-03 | N/A | 7.5 HIGH |
| TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response. | |||||
| CVE-2020-23256 | 1 Electerm Project | 1 Electerm | 2025-04-03 | N/A | 9.8 CRITICAL |
| An issue was discovered in Electerm 1.3.22, allows attackers to execute arbitrary code via unverified request to electerms service. | |||||
| CVE-2020-22661 | 1 Ruckuswireless | 28 R310, R310 Firmware, R500 and 25 more | 2025-04-03 | N/A | 6.5 MEDIUM |
| In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to erase the backup secondary official image and write secondary backup unauthorized image. | |||||
| CVE-2022-41505 | 1 Tp-link | 2 Tapo C200 V1, Tapo C200 V1 Firmware | 2025-04-03 | N/A | 6.4 MEDIUM |
| An access control issue on TP-LInk Tapo C200 V1 devices allows physically proximate attackers to obtain root access by connecting to the UART pins, interrupting the boot process, and setting an init=/bin/sh value. | |||||
| CVE-2004-0213 | 1 Microsoft | 1 Windows 2000 | 2025-04-03 | 7.2 HIGH | 7.8 HIGH |
| Utility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908. | |||||
| CVE-2002-1810 | 1 Dlink | 2 Dwl-900ap\+, Dwl-900ap\+ Firmware | 2025-04-03 | 7.5 HIGH | 7.5 HIGH |
| D-Link DWL-900AP+ Access Point 2.1 and 2.2 allows remote attackers to access the TFTP server without authentication and read the config.img file, which contains sensitive information such as the administrative password, the WEP encryption keys, and network configuration information. | |||||
| CVE-2023-46747 | 1 F5 | 20 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 17 more | 2025-04-02 | N/A | 9.8 CRITICAL |
| Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2021-33658 | 2 Huawei, Openatom | 2 Atune, Openeuler | 2025-04-02 | 4.6 MEDIUM | 7.8 HIGH |
| atune before 0.3-0.8 log in as a local user and run the curl command to access the local atune url interface to escalate the local privilege or modify any file. Authentication is not forcibly enabled in the default configuration. | |||||
| CVE-2022-1388 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2025-04-02 | 7.5 HIGH | 9.8 CRITICAL |
| On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2021-43447 | 1 Onlyoffice | 1 Server | 2025-04-02 | N/A | 7.5 HIGH |
| ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An authentication bypass in the document editor allows attackers to edit documents without authentication. | |||||
| CVE-2025-25060 | 2025-04-02 | N/A | 8.2 HIGH | ||
| Missing authentication for critical function vulnerability exists in AssetView and AssetView CLOUD. If exploited, the files on the server where the product is running may be obtained and/or deleted by a remote unauthenticated attacker. | |||||
| CVE-2023-0463 | 1 Devolutions | 1 Remote Desktop Manager | 2025-04-02 | N/A | 3.3 LOW |
| The force offline MFA prompt setting is not respected when switching to offline mode in Devolutions Remote Desktop Manager 2022.3.29 to 2022.3.30 allows a user to save sensitive data on disk. | |||||
| CVE-2023-48426 | 2025-03-28 | N/A | 10.0 CRITICAL | ||
| u-boot bug that allows for u-boot shell and interrupt over UART | |||||