Total
3616 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-31478 | 2025-04-17 | N/A | 8.2 HIGH | ||
| Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being able to authenticate with a single-sign on authentication backend, meaning the organization places no restrictions on email address domains or invitations being required to join, but has disabled the EmailAuthBackend that is used for email/password authentication. A bug in the Zulip server means that it is possible to create an account in such organizations, without having an account with the configured SSO authentication backend. This issue is patched in version 10.2. A workaround includes requiring invitations to join the organization prevents the vulnerability from being accessed. | |||||
| CVE-2022-47209 | 1 Netgear | 2 Rax30, Rax30 Firmware | 2025-04-17 | N/A | 8.8 HIGH |
| A support user exists on the device and appears to be a backdoor for Technical Support staff. The default password for this account is “support” and cannot be changed by a user via any normally accessible means. | |||||
| CVE-2020-14504 | 1 Rockwellautomation | 4 1734-aentr Point I\/o Dual Port Network Adaptor Series B, 1734-aentr Point I\/o Dual Port Network Adaptor Series B Firmware, 1734-aentr Point I\/o Dual Port Network Adaptor Series C and 1 more | 2025-04-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings. | |||||
| CVE-2025-30215 | 2025-04-17 | N/A | 9.6 CRITICAL | ||
| NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets. Some of the JS API requests were missing access controls, allowing any user with JS management permissions in any account to perform certain administrative actions on any JS asset in any other account. At least one of the unprotected APIs allows for data destruction. None of the affected APIs allow disclosing stream contents. This vulnerability is fixed in v2.11.1 or v2.10.27. | |||||
| CVE-2022-46400 | 1 Microchip | 18 Bm70, Bm70 Firmware, Bm71 and 15 more | 2025-04-17 | N/A | 5.4 MEDIUM |
| The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) allows attackers to bypass passkey entry in legacy pairing. | |||||
| CVE-2022-42453 | 1 Hcltech | 1 Bigfix Platform | 2025-04-17 | N/A | 6.9 MEDIUM |
| There are insufficient warnings when a Fixlet is imported by a user. The warning message currently assumes the owner of the script is the logged in user, with insufficient warnings when attempting to run the script. | |||||
| CVE-2022-40494 | 1 Ehang-io | 1 Nps | 2025-04-17 | N/A | 9.8 CRITICAL |
| NPS before v0.26.10 was discovered to contain an authentication bypass vulnerability via constantly generating and sending the Auth key and Timestamp parameters. | |||||
| CVE-2022-46316 | 1 Huawei | 1 Harmonyos | 2025-04-17 | N/A | 9.8 CRITICAL |
| A thread security vulnerability exists in the authentication process. Successful exploitation of this vulnerability may affect data integrity, confidentiality, and availability. | |||||
| CVE-2022-46313 | 1 Huawei | 1 Harmonyos | 2025-04-17 | N/A | 5.3 MEDIUM |
| The sensor privacy module has an authentication vulnerability. Successful exploitation of this vulnerability may cause unavailability of the smartphone's camera and microphone. | |||||
| CVE-2022-41590 | 1 Huawei | 1 Harmonyos | 2025-04-16 | N/A | 5.5 MEDIUM |
| Some smartphones have authentication-related (including session management) vulnerabilities as the setup wizard is bypassed. Successful exploitation of this vulnerability affects the smartphone availability. | |||||
| CVE-2023-44039 | 1 Veridiumid | 1 Veridiumad | 2025-04-16 | N/A | 9.1 CRITICAL |
| In VeridiumID before 3.5.0, the WebAuthn API allows an internal unauthenticated attacker (who can pass enrollment verifications and is allowed to enroll a FIDO key) to register their FIDO authenticator to a victim’s account and consequently take over the account. | |||||
| CVE-2025-27641 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-04-15 | N/A | 9.8 CRITICAL |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.951 Application 20.0.2368 allows Unauthenticated APIs for Single-Sign On V-2024-009. | |||||
| CVE-2025-2572 | 2025-04-15 | N/A | 5.6 MEDIUM | ||
| In WhatsUp Gold versions released before 2024.0.3, a database manipulation vulnerability allows an unauthenticated attacker to modify the contents of WhatsUp.dbo.WrlsMacAddressGroup. | |||||
| CVE-2022-46875 | 2 Apple, Mozilla | 4 Macos, Firefox, Firefox Esr and 1 more | 2025-04-15 | N/A | 6.5 MEDIUM |
| The executable file warning was not presented when downloading .atloc and .ftploc files, which can run commands on a user's computer. <br>*Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6. | |||||
| CVE-2022-47633 | 1 Kyverno | 1 Kyverno | 2025-04-15 | N/A | 8.1 HIGH |
| An image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4 allows a malicious image registry (or a man-in-the-middle attacker) to inject unsigned arbitrary container images into a protected Kubernetes cluster. This is fixed in 1.8.5. This has been fixed in 1.8.5 and mitigations are available for impacted releases. | |||||
| CVE-2020-11101 | 1 Sierrawireless | 1 Airlink Mobility Manager | 2025-04-14 | N/A | 9.8 CRITICAL |
| Sierra Wireless AirLink Mobility Manager (AMM) before 2.17 mishandles sessions and thus an unauthenticated attacker can obtain a login session with administrator privileges. | |||||
| CVE-2014-1984 | 1 Cybozu | 1 Remote Service Manager | 2025-04-12 | 6.8 MEDIUM | N/A |
| Session fixation vulnerability in the management screen in Cybozu Remote Service Manager through 2.3.0 and 3.x before 3.1.1 allows remote attackers to hijack web sessions via unspecified vectors. | |||||
| CVE-2016-5686 | 1 Animas | 2 Onetouch Ping, Onetouch Ping Firmware | 2025-04-12 | 9.3 HIGH | 9.8 CRITICAL |
| Johnson & Johnson Animas OneTouch Ping devices mishandle acknowledgements, which makes it easier for remote attackers to bypass authentication via a custom communication protocol. | |||||
| CVE-2014-4619 | 1 Emc | 1 Rsa Identity Management And Governance | 2025-04-12 | 9.3 HIGH | N/A |
| EMC RSA Identity Management and Governance (IMG) 6.5.x before 6.5.1 P11, 6.5.2 before P02HF01, and 6.8.x before 6.8.1 P07, when Novell Identity Manager (aka NovellIM) is used, allows remote attackers to bypass authentication via an arbitrary valid username. | |||||
| CVE-2014-3623 | 1 Apache | 2 Cxf, Wss4j | 2025-04-12 | 5.0 MEDIUM | N/A |
| Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors. | |||||