Total
3539 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41265 | 1 Dpgaspar | 1 Flask-appbuilder | 2025-03-07 | 6.5 MEDIUM | 8.1 HIGH |
| Flask-AppBuilder is a development framework built on top of Flask. Verions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. This only affects non database authentication types and new REST API endpoints. Users should upgrade to Flask-AppBuilder 3.3.4 to receive a patch. | |||||
| CVE-2025-1475 | 2025-03-07 | N/A | 9.8 CRITICAL | ||
| The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled. | |||||
| CVE-2022-48364 | 1 Joinmastodon | 1 Mastodon | 2025-03-06 | N/A | 4.3 MEDIUM |
| The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive. | |||||
| CVE-2023-42554 | 1 Samsung | 1 Pass | 2025-03-06 | N/A | 5.4 MEDIUM |
| Improper Authentication vulnerabiity in Samsung Pass prior to version 4.3.00.17 allows physical attackers to bypass authentication. | |||||
| CVE-2024-38426 | 1 Qualcomm | 328 205, 205 Firmware, 215 and 325 more | 2025-03-06 | N/A | 5.4 MEDIUM |
| While processing the authentication message in UE, improper authentication may lead to information disclosure. | |||||
| CVE-2025-27672 | 2025-03-05 | N/A | 9.8 CRITICAL | ||
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows OAUTH Security Bypass OVE-20230524-0016. | |||||
| CVE-2024-5044 | 1 Emlog | 1 Emlog | 2025-03-05 | 2.6 LOW | 3.7 LOW |
| A vulnerability was found in Emlog Pro 2.3.4. It has been classified as problematic. This affects an unknown part of the component Cookie Handler. The manipulation of the argument AuthCookie leads to improper authentication. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-264741 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-27641 | 2025-03-05 | N/A | 9.8 CRITICAL | ||
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.951 Application 20.0.2368 allows Unauthenticated APIs for Single-Sign On V-2024-009. | |||||
| CVE-2025-23116 | 2025-03-04 | N/A | 9.6 CRITICAL | ||
| An Authentication Bypass vulnerability on UniFi Protect Application with Auto-Adopt Bridge Devices enabled could allow a malicious actor with access to UniFi Protect Cameras adjacent network to take control of UniFi Protect Cameras. | |||||
| CVE-2025-27425 | 2025-03-04 | N/A | 4.3 MEDIUM | ||
| Scanning certain QR codes that included text with a website URL could allow the URL to be opened without presenting the user with a confirmation alert first This vulnerability affects Firefox for iOS < 136. | |||||
| CVE-2025-1880 | 2025-03-03 | 1.2 LOW | 2.0 LOW | ||
| A vulnerability was found in i-Drive i11 and i12 up to 20250227. It has been classified as problematic. Affected is an unknown function of the component Device Pairing. The manipulation leads to authentication bypass by primary weakness. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitability is told to be difficult. It was not possible to identify the current maintainer of the product. It must be assumed that the product is end-of-life. | |||||
| CVE-2025-27422 | 2025-03-03 | N/A | 7.5 HIGH | ||
| FACTION is a PenTesting Report Generation and Collaboration Framework. Authentication is bypassed when an attacker registers a new user with admin privileges. This is possible at any time without any authorization. The request must follow the validation rules (no missing information, secure password, etc) but there are no other controls stopping them. This vulnerability is fixed in 1.4.3. | |||||
| CVE-2025-1723 | 2025-03-03 | N/A | 8.1 HIGH | ||
| Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Valid account holders in the setup only have the potential to exploit this bug. | |||||
| CVE-2025-27416 | 2025-03-01 | N/A | N/A | ||
| Scratch-Coding-Hut.github.io is the website for Coding Hut. The website as of 28 February 2025 contained a sign in with scratch username and password form. Any user who used the sign in page would be susceptible to any other user signing into their account. As of time of publication, a fix is not available but work on a fix is underway. As a workaround, users should avoid signing in. | |||||
| CVE-2024-38810 | 1 Vmware | 1 Spring Security | 2025-02-28 | N/A | 6.5 MEDIUM |
| Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective. | |||||
| CVE-2025-27414 | 2025-02-28 | N/A | N/A | ||
| MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the `sshPublicKey` attribute set in their LDAP server. The server trusts the client's key only when the public key is the same as the `sshPublicKey` attribute. Due to the bug, when the user has no `sshPublicKey` property in LDAP, the server ends up trusting the key allowing the client to perform any FTP operations allowed by the MinIO access policies associated with the LDAP user (or any of their groups). Three requirements must be met in order to exploit the vulnerability. First, the MinIO server must be configured to allow SFTP access and use LDAP as an external identity provider. Second, the attacker must have knowledge of an LDAP username that does not have the `sshPublicKey` property set. Third, such an LDAP username or one of their groups must also have some MinIO access policy configured. When this bug is successfully exploited, the attacker can perform any FTP operations (i.e. reading, writing, deleting and listing objects) allowed by the access policy associated with the LDAP user account (and their groups). Version 1.2.0 fixes the issue. | |||||
| CVE-2025-21349 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2025-02-28 | N/A | 6.8 MEDIUM |
| Windows Remote Desktop Configuration Service Tampering Vulnerability | |||||
| CVE-2025-27112 | 1 Navidrome | 1 Navidrome | 2025-02-27 | N/A | 6.5 MEDIUM |
| Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a "permission denied" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue. | |||||
| CVE-2022-25768 | 1 Acquia | 1 Mautic | 2025-02-27 | N/A | 7.0 HIGH |
| The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required. | |||||
| CVE-2023-4612 | 1 Apereo | 1 Central Authentication Service | 2025-02-26 | N/A | 9.8 CRITICAL |
| Improper Authentication vulnerability in Apereo CAS in jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass.This issue affects CAS: through 7.0.0-RC7. It is unknown whether in new versions the issue will be fixed. For the date of publication there is no patch, and the vendor does not treat it as a vulnerability. | |||||