Total
3797 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-62398 | 1 Moodle | 1 Moodle | 2025-11-14 | N/A | 5.4 MEDIUM |
| A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially compromising user accounts. | |||||
| CVE-2024-21635 | 2025-11-14 | N/A | N/A | ||
| Memos is a privacy-first, lightweight note-taking service that uses Access Tokens to authenticate application access. When a user changes their password, the existing list of Access Tokens stay valid instead of expiring. If a user finds that their account has been compromised, they can update their password. In versions up to and including 0.18.1, though, the bad actor will still have access to their account because the bad actor's Access Token stays on the list as a valid token. The user will have to manually delete the bad actor's Access Token to secure their account. The list of Access Tokens has a generic Description which makes it hard to pinpoint a bad actor in a list of Access Tokens. A known patched version of Memos isn't available. To improve Memos security, all Access Tokens will need to be revoked when a user changes their password. This removes the session for all the user's devices and prompts the user to log in again. One can treat the old Access Tokens as "invalid" because those Access Tokens were created with the older password. | |||||
| CVE-2025-64517 | 2025-11-14 | N/A | 4.4 MEDIUM | ||
| sudo-rs is a memory safe implementation of sudo and su written in Rust. With `Defaults targetpw` (or `Defaults rootpw`) enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs starting in version 0.2.5 and prior to version 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user's UID in the authentication timestamp. Any later `sudo` invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it. A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts. A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of `sudo`), effectively negating the intended behaviour of the `targetpw` or `rootpw` options. Version 0.2.10 contains a patch for the issue. Versions prior to 0.2.5 are not affected, since they do not offer `Defaults targetpw` or `Defaults rootpw`. | |||||
| CVE-2025-64717 | 2025-11-14 | N/A | N/A | ||
| ZITADEL is an open source identity management platform. Starting in version 2.50.0 and prior to versions 2.71.19, 3.4.4, and 4.6.6, a vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or if the organization did not allow federated authentication. This vulnerability stems from the platform's failure to correctly check or enforce an organization's specific security settings during the authentication flow. An Organization Administrator can explicitly disable an IdP or disallow federation, but this setting was not being honored during the auto-linking process. This allowed an unauthenticated attacker to initiate a login using an IdP that should have been disabled for that organization. The platform would incorrectly validate the login and, based on a matching criteria, link the attacker's external identity to an existing internal user account. This may result in a full Account Takeover, bypassing the organization's mandated security controls. Note that accounts with MFA enabled can not be taken over by this attack. Also note that only IdPs create on an instance level would allow this to work. IdPs registered on another organization would always be denied in the (auto-)linking process. Versions 4.6.6, 3.4.4, and 2.71.19 resolve the issue by correctly validating the organization's login policy before auto-linking an external user. No known workarounds are available aside from upgrading. | |||||
| CVE-2025-6528 | 1 70mai | 2 M300, M300 Firmware | 2025-11-14 | 3.3 LOW | 4.3 MEDIUM |
| A vulnerability has been found in 70mai M300 up to 20250611 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /livestream/12 of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper authentication. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-7114 | 1 Sim | 1 Sim | 2025-11-14 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in SimStudioAI sim up to 37786d371e17d35e0764e1b5cd519d873d90d97b. It has been declared as critical. Affected by this vulnerability is the function POST of the file apps/sim/app/api/files/upload/route.ts of the component Session Handler. The manipulation of the argument Request leads to missing authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-3222 | 2025-11-12 | N/A | N/A | ||
| Improper Authentication vulnerability in GE Vernova Smallworld on Windows, Linux allows Authentication Abuse.This issue affects Smallworld: 5.3.3 and prior versions for Linux, and 5.3.4. and prior versions for Windows. | |||||
| CVE-2025-64432 | 2025-11-12 | N/A | 4.7 MEDIUM | ||
| KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1. | |||||
| CVE-2025-64434 | 2025-11-12 | N/A | 4.7 MEDIUM | ||
| KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1. | |||||
| CVE-2025-64513 | 2025-11-12 | N/A | N/A | ||
| Milvus is an open-source vector database built for generative AI applications. An unauthenticated attacker can exploit a vulnerability in versions prior to 2.4.24, 2.5.21, and 2.6.5 to bypass all authentication mechanisms in the Milvus Proxy component, gaining full administrative access to the Milvus cluster. This grants the attacker the ability to read, modify, or delete data, and to perform privileged administrative operations such as database or collection management. This issue has been fixed in Milvus 2.4.24, 2.5.21, and 2.6.5. If immediate upgrade is not possible, a temporary mitigation can be applied by removing the sourceID header from all incoming requests at the gateway, API gateway, or load balancer level before they reach the Milvus Proxy. This prevents attackers from exploiting the authentication bypass behavior. | |||||
| CVE-2025-12998 | 2025-11-12 | N/A | N/A | ||
| Improper Authentication vulnerability in TYPO3 Extension "Modules" codingms/modules.This issue affects Extension "Modules": before 4.3.11, from 5.0.0 before 5.7.4, from 6.0.0 before 6.4.2, from 7.0.0 before 7.5.5. | |||||
| CVE-2025-23419 | 2 Debian, F5 | 3 Debian Linux, Nginx, Nginx Plus | 2025-11-12 | N/A | 4.3 MEDIUM |
| When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2022-30229 | 1 Siemens | 1 Sicam Gridedge Essential | 2025-11-12 | 5.0 MEDIUM | 7.2 HIGH |
| A vulnerability has been identified in SICAM GridEdge (Classic) (All versions < V2.6.6). The affected application does not require authenticated access for privileged functions. This could allow an unauthenticated attacker to change data of a user, such as credentials, in case that user's id is known. | |||||
| CVE-2021-33044 | 1 Dahuasecurity | 38 Ipc-hum7xxx, Ipc-hum7xxx Firmware, Ipc-hx3xxx and 35 more | 2025-11-10 | 10.0 HIGH | 9.8 CRITICAL |
| The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. | |||||
| CVE-2021-33045 | 1 Dahuasecurity | 36 Ipc-hum7xxx, Ipc-hum7xxx Firmware, Ipc-hx3xxx and 33 more | 2025-11-10 | 10.0 HIGH | 9.8 CRITICAL |
| The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. | |||||
| CVE-2021-32030 | 1 Asus | 4 Gt-ac2900, Gt-ac2900 Firmware, Lyra Mini and 1 more | 2025-11-10 | 7.5 HIGH | 9.8 CRITICAL |
| The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 and Lyra Mini before 3.0.0.4_384_46630 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations. Note: All versions of Lyra Mini and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability, Consumers can mitigate this vulnerability by disabling the remote access features from WAN. | |||||
| CVE-2023-22893 | 1 Strapi | 1 Strapi | 2025-11-07 | N/A | 7.5 HIGH |
| Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that use AWS Cognito for authentication. | |||||
| CVE-2025-60424 | 1 Nagios | 1 Fusion | 2025-11-05 | N/A | 7.6 HIGH |
| A lack of rate limiting in the OTP verification component of Nagios Fusion v2024R1.2 and v2024R2 allows attackers to bypass authentication via a bruteforce attack. | |||||
| CVE-2018-10561 | 1 Dasannetworks | 2 Gpon Router, Gpon Router Firmware | 2025-11-05 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device. | |||||
| CVE-2025-20730 | 5 Google, Linuxfoundation, Mediatek and 2 more | 36 Android, Yocto, Mt2737 and 33 more | 2025-11-05 | N/A | 6.7 MEDIUM |
| In preloader, there is a possible escalation of privilege due to an insecure default value. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10068463; Issue ID: MSV-4141. | |||||