Total
3613 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-2572 | 1 Octopus | 1 Octopus Server | 2025-05-06 | N/A | 9.8 CRITICAL |
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked. | |||||
CVE-2025-0217 | 2025-05-05 | N/A | N/A | ||
BeyondTrust Privileged Remote Access (PRA) versions prior to 25.1 are vulnerable to a local authentication bypass. A local authenticated attacker can view the connection details of a ShellJump session that was initiated with external tools, allowing unauthorized access to connected sessions. | |||||
CVE-2025-25504 | 2025-05-05 | N/A | 6.5 MEDIUM | ||
An issue in the /usr/local/bin/jncs.sh script of Gefen WebFWC (In AV over IP products) v1.85h, v1.86v, and v1.70 allows attackers with network access to connect to the device over TCP port 4444 without authentication and execute arbitrary commands with root privileges. | |||||
CVE-2022-22935 | 1 Saltstack | 1 Salt | 2025-05-05 | 4.3 MEDIUM | 3.7 LOW |
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. A minion authentication denial of service can cause a MiTM attacker to force a minion process to stop by impersonating a master. | |||||
CVE-2022-22730 | 1 Intel | 1 Edge Insights For Industrial | 2025-05-05 | N/A | 9.8 CRITICAL |
Improper authentication in the Intel(R) Edge Insights for Industrial software before version 2.6.1 may allow an unauthenticated user to potentially enable escalation of privilege via network access. | |||||
CVE-2021-0193 | 1 Ibm | 1 In-band Manageability | 2025-05-05 | 6.5 MEDIUM | 7.2 HIGH |
Improper authentication in the Intel(R) In-Band Manageability software before version 2.13.0 may allow a privileged user to potentially enable escalation of privilege via network access. | |||||
CVE-2023-52160 | 6 Debian, Fedoraproject, Google and 3 more | 7 Debian Linux, Fedora, Android and 4 more | 2025-05-05 | N/A | 6.5 MEDIUM |
The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks. | |||||
CVE-2025-3910 | 2025-05-02 | N/A | 5.4 MEDIUM | ||
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. | |||||
CVE-2025-29906 | 2025-05-02 | N/A | 8.6 HIGH | ||
Finit is a fast init for Linux systems. Versions starting from 3.0-rc1 and prior to version 4.11 bundle an implementation of getty for the `tty` configuration directive that can bypass `/bin/login`, i.e., a user can log in as any user without authentication. This issue has been patched in version 4.11. | |||||
CVE-2024-40713 | 1 Veeam | 1 Veeam Backup \& Replication | 2025-05-01 | N/A | 7.8 HIGH |
A vulnerability that allows a user who has been assigned a low-privileged role within Veeam Backup & Replication to alter Multi-Factor Authentication (MFA) settings and bypass MFA. | |||||
CVE-2022-44244 | 1 Lin-cms Project | 1 Lin-cms | 2025-05-01 | N/A | 6.6 MEDIUM |
An authentication bypass in Lin-CMS v0.2.1 allows attackers to escalate privileges to Super Administrator. | |||||
CVE-2022-31686 | 1 Vmware | 1 Workspace One Assist | 2025-05-01 | N/A | 9.8 CRITICAL |
VMware Workspace ONE Assist prior to 22.10 contains a Broken Authentication Method vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application. | |||||
CVE-2022-31685 | 1 Vmware | 1 Workspace One Assist | 2025-05-01 | N/A | 9.8 CRITICAL |
VMware Workspace ONE Assist prior to 22.10 contains an Authentication Bypass vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application. | |||||
CVE-2022-3477 | 3 Newsmag Project, Newspaper Project, Tagdiv Composer Project | 3 Newsmag, Newspaper, Tagdiv Composer | 2025-04-30 | N/A | 9.8 CRITICAL |
The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address | |||||
CVE-2022-43690 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | N/A | 6.3 MEDIUM |
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | |||||
CVE-2025-2771 | 2025-04-29 | N/A | 5.3 MEDIUM | ||
BEC Technologies Multiple Routers Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of BEC Technologies routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25894. | |||||
CVE-2025-3634 | 2025-04-29 | N/A | 4.3 MEDIUM | ||
A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes. | |||||
CVE-2024-11917 | 2025-04-29 | N/A | 8.1 HIGH | ||
The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.8.8. This is due to improper configurations in the 'jobsearch_xing_response_data_callback', 'set_access_tokes', and 'google_callback' functions. This makes it possible for unauthenticated attackers to log in as the first connected Xing user, or any connected Xing user if the Xing id is known. It is also possible for unauthenticated attackers to log in as the first connected Google user if the user has logged in, without subsequently logging out, in thirty days. The vulnerability was partially patched in version 2.8.4. | |||||
CVE-2025-3627 | 2025-04-29 | N/A | 4.3 MEDIUM | ||
A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentication (2FA). | |||||
CVE-2025-4019 | 2025-04-29 | 7.5 HIGH | 7.3 HIGH | ||
A vulnerability, which was classified as critical, was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. Affected is the function genCode of the file novel-admin/src/main/java/com/java2nb/common/controller/GeneratorController.java. The manipulation leads to missing authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |