Vulnerabilities (CVE)

Filtered by CWE-287
Total 3613 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-2572 1 Octopus 1 Octopus Server 2025-05-06 N/A 9.8 CRITICAL
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.
CVE-2025-0217 2025-05-05 N/A N/A
BeyondTrust Privileged Remote Access (PRA) versions prior to 25.1 are vulnerable to a local authentication bypass. A local authenticated attacker can view the connection details of a ShellJump session that was initiated with external tools, allowing unauthorized access to connected sessions.
CVE-2025-25504 2025-05-05 N/A 6.5 MEDIUM
An issue in the /usr/local/bin/jncs.sh script of Gefen WebFWC (In AV over IP products) v1.85h, v1.86v, and v1.70 allows attackers with network access to connect to the device over TCP port 4444 without authentication and execute arbitrary commands with root privileges.
CVE-2022-22935 1 Saltstack 1 Salt 2025-05-05 4.3 MEDIUM 3.7 LOW
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. A minion authentication denial of service can cause a MiTM attacker to force a minion process to stop by impersonating a master.
CVE-2022-22730 1 Intel 1 Edge Insights For Industrial 2025-05-05 N/A 9.8 CRITICAL
Improper authentication in the Intel(R) Edge Insights for Industrial software before version 2.6.1 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
CVE-2021-0193 1 Ibm 1 In-band Manageability 2025-05-05 6.5 MEDIUM 7.2 HIGH
Improper authentication in the Intel(R) In-Band Manageability software before version 2.13.0 may allow a privileged user to potentially enable escalation of privilege via network access.
CVE-2023-52160 6 Debian, Fedoraproject, Google and 3 more 7 Debian Linux, Fedora, Android and 4 more 2025-05-05 N/A 6.5 MEDIUM
The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.
CVE-2025-3910 2025-05-02 N/A 5.4 MEDIUM
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.
CVE-2025-29906 2025-05-02 N/A 8.6 HIGH
Finit is a fast init for Linux systems. Versions starting from 3.0-rc1 and prior to version 4.11 bundle an implementation of getty for the `tty` configuration directive that can bypass `/bin/login`, i.e., a user can log in as any user without authentication. This issue has been patched in version 4.11.
CVE-2024-40713 1 Veeam 1 Veeam Backup \& Replication 2025-05-01 N/A 7.8 HIGH
A vulnerability that allows a user who has been assigned a low-privileged role within Veeam Backup & Replication to alter Multi-Factor Authentication (MFA) settings and bypass MFA.
CVE-2022-44244 1 Lin-cms Project 1 Lin-cms 2025-05-01 N/A 6.6 MEDIUM
An authentication bypass in Lin-CMS v0.2.1 allows attackers to escalate privileges to Super Administrator.
CVE-2022-31686 1 Vmware 1 Workspace One Assist 2025-05-01 N/A 9.8 CRITICAL
VMware Workspace ONE Assist prior to 22.10 contains a Broken Authentication Method vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application.
CVE-2022-31685 1 Vmware 1 Workspace One Assist 2025-05-01 N/A 9.8 CRITICAL
VMware Workspace ONE Assist prior to 22.10 contains an Authentication Bypass vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application.
CVE-2022-3477 3 Newsmag Project, Newspaper Project, Tagdiv Composer Project 3 Newsmag, Newspaper, Tagdiv Composer 2025-04-30 N/A 9.8 CRITICAL
The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address
CVE-2022-43690 1 Concretecms 1 Concrete Cms 2025-04-30 N/A 6.3 MEDIUM
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
CVE-2025-2771 2025-04-29 N/A 5.3 MEDIUM
BEC Technologies Multiple Routers Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of BEC Technologies routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25894.
CVE-2025-3634 2025-04-29 N/A 4.3 MEDIUM
A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes.
CVE-2024-11917 2025-04-29 N/A 8.1 HIGH
The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.8.8. This is due to improper configurations in the 'jobsearch_xing_response_data_callback', 'set_access_tokes', and 'google_callback' functions. This makes it possible for unauthenticated attackers to log in as the first connected Xing user, or any connected Xing user if the Xing id is known. It is also possible for unauthenticated attackers to log in as the first connected Google user if the user has logged in, without subsequently logging out, in thirty days. The vulnerability was partially patched in version 2.8.4.
CVE-2025-3627 2025-04-29 N/A 4.3 MEDIUM
A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentication (2FA).
CVE-2025-4019 2025-04-29 7.5 HIGH 7.3 HIGH
A vulnerability, which was classified as critical, was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. Affected is the function genCode of the file novel-admin/src/main/java/com/java2nb/common/controller/GeneratorController.java. The manipulation leads to missing authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.