Total
3643 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-32875 | 2025-06-23 | N/A | 5.7 MEDIUM | ||
| An issue was discovered in the COROS application through 3.8.12 for Android. Bluetooth pairing and bonding is neither initiated nor enforced by the application itself. Also, the watch does not enforce pairing and bonding. As a result, any data transmitted via BLE remains unencrypted, allowing attackers within Bluetooth range to eavesdrop on the communication. Furthermore, even if a user manually initiates pairing and bonding in the Android settings, the application continues to transmit data without requiring the watch to be bonded. This fallback behavior enables attackers to exploit the communication, for example, by conducting an active machine-in-the-middle attack. | |||||
| CVE-2024-45347 | 2025-06-23 | N/A | 9.6 CRITICAL | ||
| An unauthorized access vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to Unauthorized access to the victim’s device. | |||||
| CVE-2025-27086 | 1 Hpe | 1 Performance Cluster Manager | 2025-06-23 | N/A | 8.1 HIGH |
| A vulnerability in the HPE Performance Cluster Manager (HPCM) GUI could allow an attacker to bypass authentication. | |||||
| CVE-2023-50275 | 1 Hp | 1 Oneview | 2025-06-20 | N/A | 7.5 HIGH |
| HPE OneView may allow clusterService Authentication Bypass resulting in denial of service. | |||||
| CVE-2023-42935 | 1 Apple | 1 Macos | 2025-06-20 | N/A | 5.5 MEDIUM |
| An authentication issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.6.4. A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen. | |||||
| CVE-2023-50127 | 1 Hozard | 1 Alarm System | 2025-06-20 | N/A | 5.9 MEDIUM |
| Hozard alarm system (Alarmsysteem) v1.0 is vulnerable to Improper Authentication. Commands sent via the SMS functionality are accepted from random phone numbers, which allows an attacker to bring the alarm system to a disarmed state from any given phone number. | |||||
| CVE-2024-3701 | 1 Tecno | 1 Hios | 2025-06-17 | N/A | 9.8 CRITICAL |
| The system application (com.transsion.kolun.aiservice) component does not perform an authentication check, which allows attackers to perform malicious exploitations and affect system services. | |||||
| CVE-2023-48865 | 1 Reportico | 1 Reportico | 2025-06-17 | N/A | 6.5 MEDIUM |
| An issue discovered in Reportico Till 8.1.0 allows attackers to obtain sensitive information via execute_mode parameter of the URL. | |||||
| CVE-2024-29757 | 1 Google | 1 Android | 2025-06-17 | N/A | 7.3 HIGH |
| there is a possible permission bypass due to Debug certs being allowlisted. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-5985 | 1 Fabian | 1 School Fees Payment System | 2025-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in code-projects School Fees Payment System 1.0 and classified as critical. Affected by this issue is some unknown functionality. The manipulation leads to improper authentication. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-11917 | 2025-06-17 | N/A | 8.1 HIGH | ||
| The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.9.2. This is due to improper configurations in the 'jobsearch_xing_response_data_callback', 'set_access_tokes', and 'google_callback' functions. This makes it possible for unauthenticated attackers to log in as the first connected Xing user, or any connected Xing user if the Xing id is known. It is also possible for unauthenticated attackers to log in as the first connected Google user if the user has logged in, without subsequently logging out, in thirty days. The vulnerability was partially patched in version 2.8.4. | |||||
| CVE-2024-24279 | 1 Secdiskapp | 1 Secdiskapp | 2025-06-17 | N/A | 8.8 HIGH |
| An issue in secdiskapp 1.5.1 (management program for NewQ Fingerprint Encryption Super Speed Flash Disk) allows attackers to gain escalated privileges via vsVerifyPassword and vsSetFingerPrintPower functions. | |||||
| CVE-2023-47256 | 1 Connectwise | 2 Automate, Screenconnect | 2025-06-17 | N/A | 5.5 MEDIUM |
| ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy settings | |||||
| CVE-2025-25504 | 1 Niceforyou | 2 Gefen Gf-avip-mc Firmware, Gefen Webfwc | 2025-06-17 | N/A | 6.5 MEDIUM |
| An issue in the /usr/local/bin/jncs.sh script of Gefen WebFWC (In AV over IP products) v1.85h, v1.86v, and v1.70 allows attackers with network access to connect to the device over TCP port 4444 without authentication and execute arbitrary commands with root privileges. | |||||
| CVE-2024-28735 | 1 Unit4 | 1 Financials By Coda | 2025-06-17 | N/A | 8.1 HIGH |
| Unit4 Financials by Coda versions prior to 2023Q4 suffer from an incorrect access control authorization bypass vulnerability which allows an authenticated user to modify the password of any user of the application via a crafted request. | |||||
| CVE-2023-51717 | 1 Dataiku | 1 Data Science Studio | 2025-06-16 | N/A | 9.8 CRITICAL |
| Dataiku DSS before 11.4.5 and 12.4.1 has Incorrect Access Control that could lead to a full authentication bypass. | |||||
| CVE-2024-38822 | 2025-06-16 | N/A | 2.7 LOW | ||
| Multiple methods in the salt master skip minion token validation. Therefore a misbehaving minion can impersonate another minion. | |||||
| CVE-2025-6172 | 2025-06-16 | N/A | 9.8 CRITICAL | ||
| Permission vulnerability in the mobile application (com.afmobi.boomplayer) may lead to the risk of unauthorized operation. | |||||
| CVE-2025-6083 | 2025-06-16 | N/A | N/A | ||
| In ExtremeCloud Universal ZTNA, a syntax error in the 'searchKeyword' condition caused queries to bypass the owner_id filter. This issue may allow users to search data across the entire table instead of being restricted to their specific owner_id. | |||||
| CVE-2024-38825 | 2025-06-16 | N/A | 6.4 MEDIUM | ||
| The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted. | |||||