Total
3632 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2025-20083 | 2025-05-16 | N/A | 7.5 HIGH | ||
Improper authentication in the firmware for the Intel(R) Slim Bootloader may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
CVE-2025-47790 | 2025-05-16 | N/A | 6.4 MEDIUM | ||
Nextcloud Server is a self hosted personal cloud system. Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3 have a bug with session handling. The bug caused skipping the second factor confirmation after a successful login with the username and password when the server was configured with `remember_login_cookie_lifetime` set to `0`, once the session expired on the page to select the second factor and the page is reloaded. Nextcloud Server 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server is upgraded to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9 and 31.0.3 contain a patch. As a workaround, set the `remember_login_cookie_lifetime` in config.php to a value other than `0`, e.g. `900`. Beware that this is only a workaround for new sessions created after the configuration change. System administration can delete affected sessions. | |||||
CVE-2025-47275 | 2025-05-16 | N/A | 9.1 CRITICAL | ||
Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected. | |||||
CVE-2024-42172 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | N/A | 5.3 MEDIUM |
HCL MyXalytics is affected by broken authentication. It allows attackers to compromise keys, passwords, and session tokens, potentially leading to identity theft and system control. This vulnerability arises from poor configuration, logic errors, or software bugs and can affect any application with access control, including databases, network infrastructure, and web applications. | |||||
CVE-2021-36369 | 2 Debian, Dropbear Ssh Project | 2 Debian Linux, Dropbear Ssh | 2025-05-15 | N/A | 7.5 HIGH |
An issue was discovered in Dropbear through 2020.81. Due to a non-RFC-compliant check of the available authentication methods in the client-side SSH code, it is possible for an SSH server to change the login process in its favor. This attack can bypass additional security measures such as FIDO2 tokens or SSH-Askpass. Thus, it allows an attacker to abuse a forwarded agent for logging on to another server unnoticed. | |||||
CVE-2022-35135 | 1 Boodskap | 1 Iot Platform | 2025-05-15 | N/A | 8.8 HIGH |
Boodskap IoT Platform v4.4.9-02 allows attackers to escalate privileges via a crafted request sent to /api/user/upsert/<uuid>. | |||||
CVE-2022-40664 | 1 Apache | 1 Shiro | 2025-05-15 | N/A | 9.8 CRITICAL |
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher. | |||||
CVE-2022-38982 | 1 Huawei | 1 Harmonyos | 2025-05-15 | N/A | 9.8 CRITICAL |
The fingerprint module has service logic errors.Successful exploitation of this vulnerability will cause the phone lock to be cracked. | |||||
CVE-2022-41436 | 1 Oxhoo | 2 Tp50, Tp50 Firmware | 2025-05-14 | N/A | 9.1 CRITICAL |
An issue in OXHOO TP50 OXH1.50 allows unauthenticated attackers to access the administrative panel via browsing to the URL http://device_ip/index1.html. | |||||
CVE-2024-6235 | 1 Citrix | 1 Netscaler Console | 2025-05-14 | N/A | 8.8 HIGH |
Sensitive information disclosure in NetScaler Console | |||||
CVE-2025-41450 | 2025-05-14 | N/A | 8.2 HIGH | ||
Improper Authentication vulnerability in Danfoss AKSM8xxA Series.This issue affects Danfoss AK-SM 8xxA Series prior to version 4.2 | |||||
CVE-2025-22477 | 1 Dell | 1 Storage Manager | 2025-05-13 | N/A | 8.3 HIGH |
Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges. | |||||
CVE-2022-2533 | 1 Gitlab | 1 Gitlab | 2025-05-13 | N/A | 6.5 MEDIUM |
An issue has been discovered in GitLab affecting all versions starting from 12.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location. | |||||
CVE-2025-3659 | 2025-05-13 | N/A | N/A | ||
Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families: * Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022 * Digi One SP/Digi One SP IA/Digi One IA - prior to and including 82000774_Z, build date 10/19/2020 * Digi One IAP – prior to and including 82000770 Z, build date 10/19/2020 A specially crafted POST request to the device’s web interface may allow an unauthenticated attacker to modify configuration settings. | |||||
CVE-2025-4144 | 1 Cloudflare | 1 Workers-oauth-provider | 2025-05-12 | N/A | 9.8 CRITICAL |
PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . However, it was found that an attacker could cause the check to be skipped. Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/27 https://github.com/cloudflare/workers-oauth-provider/pull/27 Impact: PKCE is a defense-in-depth mechanism against certain kinds of attacks and was an optional extension in OAuth 2.0 which became required in the OAuth 2.1 draft. (Note that the MCP specification requires OAuth 2.1.). This bug completely bypasses PKCE protection. | |||||
CVE-2024-11186 | 2025-05-12 | N/A | 10.0 CRITICAL | ||
On affected versions of the CloudVision Portal, improper access controls could enable a malicious authenticated user to take broader actions on managed EOS devices than intended. This advisory impacts the Arista CloudVision Portal products when run on-premise. It does not impact CloudVision as-a-Service. | |||||
CVE-2025-4494 | 2025-05-12 | 7.5 HIGH | 7.3 HIGH | ||
A vulnerability, which was classified as critical, was found in JAdmin-JAVA JAdmin 1.0. Affected is the function toLogin of the file NoNeedLoginController.java of the component Admin Backend. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2025-46590 | 1 Huawei | 1 Harmonyos | 2025-05-09 | N/A | 6.3 MEDIUM |
Bypass vulnerability in the network search instruction authentication module Impact: Successful exploitation of this vulnerability can bypass authentication and enable access to some network search functions. | |||||
CVE-2025-46348 | 1 Yeswiki | 1 Yeswiki | 2025-05-09 | N/A | 10.0 CRITICAL |
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create and download an archive without being authenticated. This could result in a malicious attacker making numerous requests to create archives and fill up the file system, or by downloading the archive which contains sensitive site information. This issue has been patched in version 4.5.4. | |||||
CVE-2024-24830 | 1 Openobserve | 1 Openobserve | 2025-05-08 | N/A | 9.9 CRITICAL |
OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/{org_id}/users" endpoint. This vulnerability allows any authenticated regular user ('member') to add new users with elevated privileges, including the 'root' role, to an organization. This issue circumvents the intended security controls for role assignments. The vulnerability resides in the user creation process, where the payload does not validate the user roles. A regular user can manipulate the payload to assign root-level privileges. This vulnerability leads to Unauthorized Privilege Escalation and significantly compromises the application's role-based access control system. It allows unauthorized control over application resources and poses a risk to data security. All users, particularly those in administrative roles, are impacted. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. |