Total
1325 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-26942 | 1 Axigen | 1 Axigen Mail Server | 2025-03-05 | N/A | 9.1 CRITICAL |
An issue discovered in Axigen Mail Server 10.3.x before 10.3.1.27 and 10.3.2.x before 10.3.3.1 allows unauthenticated attackers to submit a setAdminPassword operation request, subsequently setting a new arbitrary password for the admin account. | |||||
CVE-2025-24924 | 2025-03-05 | N/A | 9.8 CRITICAL | ||
Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username | |||||
CVE-2025-24865 | 1 Myscada | 1 Mypro | 2025-03-04 | N/A | 10.0 CRITICAL |
The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sensitive information and upload files without the associated password. | |||||
CVE-2022-25770 | 1 Acquia | 1 Mautic | 2025-02-27 | N/A | 7.8 HIGH |
Mautic allows you to update the application via an upgrade script. The upgrade logic isn't shielded off correctly, which may lead to vulnerable situation. This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable. | |||||
CVE-2023-25589 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2025-02-27 | N/A | 9.8 CRITICAL |
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to create arbitrary users on the platform. A successful exploit allows an attacker to achieve total cluster compromise. | |||||
CVE-2023-27060 | 1 Lightcms Project | 1 Lightcms | 2025-02-26 | N/A | 9.8 CRITICAL |
LightCMS v1.3.7 was discovered to contain a remote code execution (RCE) vulnerability via the image:make function. | |||||
CVE-2023-28470 | 1 Couchbase | 1 Couchbase Server | 2025-02-24 | N/A | 5.3 MEDIUM |
In Couchbase Server 5 through 7 before 7.1.4, the nsstats endpoint is accessible without authentication. | |||||
CVE-2022-26925 | 1 Microsoft | 17 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 14 more | 2025-02-24 | 4.3 MEDIUM | 8.1 HIGH |
Windows LSA Spoofing Vulnerability | |||||
CVE-2024-28179 | 1 Jupyter | 1 Jupyter Server Proxy | 2025-02-21 | N/A | 9.0 CRITICAL |
Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue. | |||||
CVE-2024-8943 | 1 Latepoint | 1 Latepoint | 2025-02-20 | N/A | 9.8 CRITICAL |
The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13. | |||||
CVE-2025-21355 | 2025-02-19 | N/A | 8.6 HIGH | ||
Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network | |||||
CVE-2024-57055 | 2025-02-19 | N/A | 5.0 MEDIUM | ||
Server-Side Access Control Bypass vulnerability in WombatDialer before 25.02 could allow unauthorized users to potentially call certain services without the necessary access level. This issue is limited to services used by the client (not the general-use JSON services) and requires reverse engineering of the proprietary serialization protocol, making it difficult to exploit. | |||||
CVE-2025-26345 | 2025-02-18 | N/A | 9.8 CRITICAL | ||
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests. | |||||
CVE-2025-26344 | 2025-02-18 | N/A | 9.8 CRITICAL | ||
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable passwordless guest mode via crafted HTTP requests. | |||||
CVE-2024-57725 | 2025-02-18 | N/A | 6.5 MEDIUM | ||
An issue in the Arcadyan Livebox Fibra PRV3399B_B_LT allows a remote or local attacker to modify the GPON link value without authentication, causing an internet service disruption via the /firstconnection.cgi endpoint. | |||||
CVE-2025-25224 | 2025-02-18 | N/A | 5.3 MEDIUM | ||
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained. | |||||
CVE-2024-8584 | 1 Learningdigital | 1 Orca Hcm | 2025-02-17 | N/A | 9.8 CRITICAL |
Orca HCM from LEARNING DIGITAL has an Missing Authentication vulnerability, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in. | |||||
CVE-2025-0896 | 2025-02-13 | N/A | 9.8 CRITICAL | ||
Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker. | |||||
CVE-2025-26366 | 2025-02-12 | N/A | 7.5 HIGH | ||
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests. | |||||
CVE-2025-26365 | 2025-02-12 | N/A | 7.5 HIGH | ||
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests. |