Total
3539 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-47003 | 1 Murasoftware | 1 Mura Cms | 2025-03-27 | N/A | 9.8 CRITICAL |
| A vulnerability in the Remember Me function of Mura CMS before v10.0.580 allows attackers to bypass authentication via a crafted web request. | |||||
| CVE-2024-45346 | 2025-03-27 | N/A | 8.8 HIGH | ||
| The Xiaomi Security Center expresses heartfelt thanks to Ken Gannon and Ilyes Beghdadi of NCC Group working with Trend Micro Zero Day Initiative! At the same time, we also welcome more outstanding and professional security experts and security teams to join the Mi Security Center (MiSRC) to jointly ensure the safe access of millions of Xiaomi users worldwide Life. | |||||
| CVE-2022-42951 | 1 Couchbase | 1 Couchbase Server | 2025-03-26 | N/A | 8.1 HIGH |
| An issue was discovered in Couchbase Server 6.5.x and 6.6.x before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2. During the start-up of a Couchbase Server node, there is a small window of time (before the cluster management authentication has started) where an attacker can connect to the cluster manager using default credentials. | |||||
| CVE-2023-42818 | 1 Fit2cloud | 1 Jumpserver | 2025-03-25 | N/A | 5.4 MEDIUM |
| JumpServer is an open source bastion host. When users enable MFA and use a public key for authentication, the Koko SSH server does not verify the corresponding SSH private key. An attacker could exploit a vulnerability by utilizing a disclosed public key to attempt brute-force authentication against the SSH service This issue has been patched in versions 3.6.5 and 3.5.6. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2025-30116 | 2025-03-25 | N/A | 7.5 HIGH | ||
| An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Remotely Dumping of Video Footage and the Live Video Stream can occur. It allows remote attackers to access and download recorded video footage from the SD card via port 9091. Additionally, attackers can connect to port 9092 to stream the live video feed by bypassing the challenge-response authentication mechanism. This exposes sensitive location and personal data. | |||||
| CVE-2024-46434 | 1 Tenda | 2 W18e, W18e Firmware | 2025-03-25 | N/A | 8.8 HIGH |
| Tenda W18E V16.01.0.8(1625) suffers from authentication bypass in the web management portal allowing an unauthorized remote attacker to gain administrative access by sending a specially crafted HTTP request. | |||||
| CVE-2023-41956 | 1 Simple-membership-plugin | 1 Simple Membership | 2025-03-25 | N/A | 8.8 HIGH |
| Improper Authentication vulnerability in smp7, wp.Insider Simple Membership.This issue affects Simple Membership: from n/a through 4.3.4. | |||||
| CVE-2024-22441 | 1 Hpe | 1 Cray Parallel Application Launch Service | 2025-03-25 | N/A | 9.8 CRITICAL |
| HPE Cray Parallel Application Launch Service (PALS) is subject to an authentication bypass. | |||||
| CVE-2022-48294 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-24 | N/A | 7.5 HIGH |
| The IHwAttestationService interface has a defect in authentication. Successful exploitation of this vulnerability may affect data confidentiality. | |||||
| CVE-2024-57490 | 2025-03-24 | N/A | 7.7 HIGH | ||
| Guangzhou Hongfan Technology Co., LTD. iOffice20 has any user login vulnerability. An attacker can log in to any system account including the system administrator through a logical flaw. | |||||
| CVE-2022-45724 | 1 Comfast | 2 Cf-wr610n, Cf-wr610n Firmware | 2025-03-24 | N/A | 5.4 MEDIUM |
| Incorrect Access Control in Comfast router CF-WR6110N V2.3.1 allows a remote attacker on the same network to perform any HTTP request to an unauthenticated page to force the server to generate a SESSION_ID, and using this SESSION_ID an attacker can then perform authenticated requests. | |||||
| CVE-2024-20301 | 1 Cisco | 1 Duo Authentication For Windows Logon And Rdp | 2025-03-24 | N/A | 6.2 MEDIUM |
| A vulnerability in Cisco Duo Authentication for Windows Logon and RDP could allow an authenticated, physical attacker to bypass secondary authentication and access an affected Windows device. This vulnerability is due to a failure to invalidate locally created trusted sessions after a reboot of the affected device. An attacker with primary user credentials could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to access the affected device without valid permissions. | |||||
| CVE-2025-30114 | 2025-03-21 | N/A | 9.1 CRITICAL | ||
| An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Bypassing of Device Pairing can occur. The pairing mechanism relies solely on the connecting device's MAC address. By obtaining the MAC address through network scanning and spoofing it, an attacker can bypass the authentication process and gain full access to the dashcam's features without proper authorization. | |||||
| CVE-2025-27138 | 1 Dataease | 1 Dataease | 2025-03-21 | N/A | 9.8 CRITICAL |
| DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, there is a flaw in the authentication in the io.dataease.auth.filter.TokenFilter class, which may cause the risk of unauthorized access. The vulnerability has been fixed in v2.10.6. No known workarounds are available. | |||||
| CVE-2025-30168 | 2025-03-21 | N/A | 6.9 MEDIUM | ||
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. Note that this only affects Parse Server apps that specifically use an affected 3rd party authentication provider for user authentication, for example by setting the Parse Server option auth to configure a Parse Server authentication adapter. The fix of this vulnerability requires to upgrade Parse Server to a version that includes the bug fix, as well as upgrade the client app to send a secure payload, which is different from the previous insecure payload. This vulnerability is fixed in 7.5.2 and 8.0.2. | |||||
| CVE-2019-16261 | 1 Tripplite | 2 Pdumh15at, Pdumh15at Firmware | 2025-03-21 | 8.5 HIGH | 9.1 CRITICAL |
| Tripp Lite PDUMH15AT 12.04.0053 and SU750XL 12.04.0052 devices allow unauthenticated POST requests to the /Forms/ directory, as demonstrated by changing the manager or admin password, or shutting off power to an outlet. NOTE: the vendor's position is that a newer firmware version, fixing this vulnerability, had already been released before this vulnerability report about 12.04.0053. | |||||
| CVE-2022-45168 | 1 Liveboxcloud | 1 Vdesk | 2025-03-20 | N/A | 6.5 MEDIUM |
| An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/createbackupcodes endpoint, because the application allows a user to generate or regenerate the backup codes before checking the TOTP. | |||||
| CVE-2024-36264 | 1 Apache | 1 Submarine | 2025-03-20 | N/A | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils. If the user doesn't explicitly set `submarine.auth.default.secret`, a default value will be used. This issue affects Apache Submarine Commons Utils: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-22228 | 2025-03-20 | N/A | 7.4 HIGH | ||
| BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same. | |||||
| CVE-2024-12869 | 2025-03-20 | N/A | 4.3 MEDIUM | ||
| In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view another user's invite list. This can lead to a privacy breach where users' personal or private information, such as email addresses or usernames in the invite list, could be exposed without their consent. This data leakage can facilitate further attacks, such as phishing or spam, and result in loss of trust and potential regulatory issues. | |||||