Total
1457 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-22069 | 1 Oracle | 1 Weblogic Server | 2025-03-06 | N/A | 9.8 CRITICAL |
| Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2024-31525 | 2025-03-06 | N/A | 7.2 HIGH | ||
| Peppermint Ticket Management 0.4.6 is vulnerable to Incorrect Access Control. A regular registered user is able to elevate his privileges to admin and gain complete access to the system as the authorization mechanism is not validated on the server side and only on the client side. This can result, for example, in creating a new admin user in the system which enables persistent access for the attacker as an administrator. | |||||
| CVE-2020-26942 | 1 Axigen | 1 Axigen Mail Server | 2025-03-05 | N/A | 9.1 CRITICAL |
| An issue discovered in Axigen Mail Server 10.3.x before 10.3.1.27 and 10.3.2.x before 10.3.3.1 allows unauthenticated attackers to submit a setAdminPassword operation request, subsequently setting a new arbitrary password for the admin account. | |||||
| CVE-2025-24924 | 2025-03-05 | N/A | 9.8 CRITICAL | ||
| Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username | |||||
| CVE-2025-24865 | 1 Myscada | 1 Mypro | 2025-03-04 | N/A | 10.0 CRITICAL |
| The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sensitive information and upload files without the associated password. | |||||
| CVE-2022-25770 | 1 Acquia | 1 Mautic | 2025-02-27 | N/A | 7.8 HIGH |
| Mautic allows you to update the application via an upgrade script. The upgrade logic isn't shielded off correctly, which may lead to vulnerable situation. This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable. | |||||
| CVE-2023-25589 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2025-02-27 | N/A | 9.8 CRITICAL |
| A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to create arbitrary users on the platform. A successful exploit allows an attacker to achieve total cluster compromise. | |||||
| CVE-2023-27060 | 1 Lightcms Project | 1 Lightcms | 2025-02-26 | N/A | 9.8 CRITICAL |
| LightCMS v1.3.7 was discovered to contain a remote code execution (RCE) vulnerability via the image:make function. | |||||
| CVE-2023-28470 | 1 Couchbase | 1 Couchbase Server | 2025-02-24 | N/A | 5.3 MEDIUM |
| In Couchbase Server 5 through 7 before 7.1.4, the nsstats endpoint is accessible without authentication. | |||||
| CVE-2022-26925 | 1 Microsoft | 17 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 14 more | 2025-02-24 | 4.3 MEDIUM | 8.1 HIGH |
| Windows LSA Spoofing Vulnerability | |||||
| CVE-2024-28179 | 1 Jupyter | 1 Jupyter Server Proxy | 2025-02-21 | N/A | 9.0 CRITICAL |
| Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue. | |||||
| CVE-2024-8943 | 1 Latepoint | 1 Latepoint | 2025-02-20 | N/A | 9.8 CRITICAL |
| The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13. | |||||
| CVE-2025-21355 | 2025-02-19 | N/A | 8.6 HIGH | ||
| Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network | |||||
| CVE-2024-57055 | 2025-02-19 | N/A | 5.0 MEDIUM | ||
| Server-Side Access Control Bypass vulnerability in WombatDialer before 25.02 could allow unauthorized users to potentially call certain services without the necessary access level. This issue is limited to services used by the client (not the general-use JSON services) and requires reverse engineering of the proprietary serialization protocol, making it difficult to exploit. | |||||
| CVE-2025-26345 | 2025-02-18 | N/A | 9.8 CRITICAL | ||
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests. | |||||
| CVE-2025-26344 | 2025-02-18 | N/A | 9.8 CRITICAL | ||
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable passwordless guest mode via crafted HTTP requests. | |||||
| CVE-2020-14140 | 1 Mi | 1 Xiaomi Router Firmware | 2025-02-18 | N/A | 7.5 HIGH |
| When Xiaomi router firmware is updated in 2020, there is an unauthenticated API that can reveal WIFI password vulnerability. This vulnerability is caused by the lack of access control policies on some API interfaces. Attackers can exploit this vulnerability to enter the background and execute background command injection. | |||||
| CVE-2024-57725 | 2025-02-18 | N/A | 6.5 MEDIUM | ||
| An issue in the Arcadyan Livebox Fibra PRV3399B_B_LT allows a remote or local attacker to modify the GPON link value without authentication, causing an internet service disruption via the /firstconnection.cgi endpoint. | |||||
| CVE-2025-25224 | 2025-02-18 | N/A | 5.3 MEDIUM | ||
| The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained. | |||||
| CVE-2024-8584 | 1 Learningdigital | 1 Orca Hcm | 2025-02-17 | N/A | 9.8 CRITICAL |
| Orca HCM from LEARNING DIGITAL has an Missing Authentication vulnerability, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in. | |||||