Total
3303 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-8956 | 1 Ptzoptics | 4 Pt30x-ndi-xx-g2, Pt30x-ndi-xx-g2 Firmware, Pt30x-sdi and 1 more | 2024-11-05 | N/A | 9.1 CRITICAL |
| PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file. | |||||
| CVE-2024-10620 | 2024-11-01 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was found in knightliao Disconf 2.6.36. It has been classified as critical. This affects an unknown part of the file /api/config/list of the component Configuration Center. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-50478 | 1 Swoopnow | 1 1-click Login\ | 2024-10-31 | N/A | 9.8 CRITICAL |
| Authentication Bypass by Primary Weakness vulnerability in Swoop 1-Click Login: Passwordless Authentication allows Authentication Bypass.This issue affects 1-Click Login: Passwordless Authentication: 1.4.5. | |||||
| CVE-2024-31800 | 1 Gncchome | 2 Gncc C2, Gncc C2 Firmware | 2024-10-30 | N/A | 6.8 MEDIUM |
| Authentication Bypass in GNCC's GC2 Indoor Security Camera 1080P allows an attacker with physical access to gain a privileged command shell via the UART Debugging Port. | |||||
| CVE-2024-0568 | 1 Se | 4 Renf22r2mmw, Renf22r2mmw Firmware, Rmnf22tb30 and 1 more | 2024-10-30 | N/A | 8.8 HIGH |
| CWE-287: Improper Authentication vulnerability exists that could cause unauthorized tampering of device configuration over NFC communication. | |||||
| CVE-2024-7763 | 1 Progress | 1 Whatsup Gold | 2024-10-30 | N/A | 7.5 HIGH |
| In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials. | |||||
| CVE-2024-49755 | 2024-10-29 | N/A | 3.1 LOW | ||
| Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only impacts custom endpoints within an IdentityServer implementation that have explicitly used the LocalApiAuthenticationHandler for authentication. This vulnerability is patched in IdentityServer 7.0.8. Version 6.3 and below are unaffected, as they do not support DPoP in Local APIs. | |||||
| CVE-2024-49757 | 2024-10-28 | N/A | 7.5 HIGH | ||
| The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available. | |||||
| CVE-2023-39981 | 1 Moxa | 1 Mxsecurity | 2024-10-28 | N/A | 7.5 HIGH |
| A vulnerability that allows for unauthorized access has been discovered in MXsecurity versions prior to v1.0.1. This vulnerability arises from inadequate authentication measures, potentially leading to the disclosure of device information by a remote attacker. | |||||
| CVE-2023-33237 | 1 Moxa | 2 Tn-5900, Tn-5900 Firmware | 2024-10-28 | N/A | 8.8 HIGH |
| TN-5900 Series firmware version v3.3 and prior is vulnerable to improper-authentication vulnerability. This vulnerability arises from inadequate authentication measures implemented in the web API handler, allowing low-privileged APIs to execute restricted actions that only high-privileged APIs are allowed This presents a potential risk of unauthorized exploitation by malicious actors. | |||||
| CVE-2024-9947 | 1 Properfraction | 1 Profilepress | 2024-10-25 | N/A | 9.8 CRITICAL |
| The ProfilePress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.11.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token. | |||||
| CVE-2024-9927 | 1 Wpovernight | 1 Woocommerce Order Proposal | 2024-10-25 | N/A | 7.2 HIGH |
| The WooCommerce Order Proposal plugin for WordPress is vulnerable to privilege escalation via order proposal in all versions up to and including 2.0.5. This is due to the improper implementation of allow_payment_without_login function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to log in to WordPress as an arbitrary user account, including administrators. | |||||
| CVE-2024-10327 | 2024-10-25 | N/A | 8.1 HIGH | ||
| A vulnerability in Okta Verify for iOS versions 9.25.1 (beta) and 9.27.0 (including beta) allows push notification responses through the iOS ContextExtension feature allowing the authentication to proceed regardless of the user’s selection. When a user long-presses the notification banner and selects an option, both options allow the authentication to succeed. The ContextExtension feature is one of several push mechanisms available when using Okta Verify Push on iOS devices. The vulnerable flows include: * When a user is presented with a notification on a locked screen, the user presses on the notification directly and selects their reply without unlocking the device; * When a user is presented with a notification on the home screen and drags the notification down and selects their reply; * When an Apple Watch is used to reply directly to a notification. A pre-condition for this vulnerability is that the user must have enrolled in Okta Verify while the Okta customer was using Okta Classic. This applies irrespective of whether the organization has since upgraded to Okta Identity Engine. | |||||
| CVE-2024-36130 | 1 Ivanti | 1 Endpoint Manager Mobile | 2024-10-24 | N/A | 9.8 CRITICAL |
| An insufficient authorization vulnerability in web component of EPMM prior to 12.1.0.1 allows an unauthorized attacker within the network to execute arbitrary commands on the underlying operating system of the appliance. | |||||
| CVE-2022-0540 | 1 Atlassian | 3 Jira Data Center, Jira Server, Jira Service Management | 2024-10-24 | 6.8 MEDIUM | 9.8 CRITICAL |
| A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0. | |||||
| CVE-2024-21654 | 1 Rubygems | 1 Rubygems.org | 2024-10-24 | N/A | 9.8 CRITICAL |
| Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and takeover the account. This vulnerability has been patched in commit 0b3272a. | |||||
| CVE-2023-52160 | 6 Debian, Fedoraproject, Google and 3 more | 7 Debian Linux, Fedora, Android and 4 more | 2024-10-23 | N/A | 6.5 MEDIUM |
| The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks. | |||||
| CVE-2024-10173 | 1 Didiglobal | 1 Ddmq | 2024-10-22 | 7.5 HIGH | 7.5 HIGH |
| A vulnerability has been found in didi DDMQ 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Console Module. The manipulation with the input /;login leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-38124 | 1 Microsoft | 6 Windows Server 2008, Windows Server 2012, Windows Server 2016 and 3 more | 2024-10-22 | N/A | 9.0 CRITICAL |
| Windows Netlogon Elevation of Privilege Vulnerability | |||||
| CVE-2023-24831 | 1 Apache | 1 Iotdb | 2024-10-21 | N/A | 9.8 CRITICAL |
| Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3. Attackers could login without authorization. This is fixed in 0.13.4. | |||||