Total
3925 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-53786 | 2025-08-06 | N/A | 8.0 HIGH | ||
| On April 18th 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and accompanying non-security Hot Fix. Microsoft made these changes in the general interest of improving the security of hybrid Exchange deployments. Following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement. Microsoft is issuing CVE-2025-53786 to document a vulnerability that is addressed by taking the steps documented with the April 18th announcement. Microsoft strongly recommends reading the information, installing the April 2025 (or later) Hot Fix and implementing the changes in your Exchange Server and hybrid environment. | |||||
| CVE-2025-0217 | 1 Beyondtrust | 1 Privileged Remote Access | 2025-08-01 | N/A | 7.8 HIGH |
| BeyondTrust Privileged Remote Access (PRA) versions prior to 25.1 are vulnerable to a local authentication bypass. A local authenticated attacker can view the connection details of a ShellJump session that was initiated with external tools, allowing unauthorized access to connected sessions. | |||||
| CVE-2024-6576 | 1 Progress | 1 Moveit Transfer | 2025-08-01 | N/A | 7.3 HIGH |
| Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3. | |||||
| CVE-2025-30214 | 1 Frappe | 1 Frappe | 2025-08-01 | N/A | 7.5 HIGH |
| Frappe is a full-stack web application framework. Prior to versions 14.89.0 and 15.51.0, making crafted requests could lead to information disclosure that could further lead to account takeover. Versions 14.89.0 and 15.51.0 fix the issue. There's no workaround to fix this without upgrading. | |||||
| CVE-2024-10114 | 1 Wpwebelite | 1 Woocommerce Social Login | 2025-08-01 | N/A | 8.1 HIGH |
| The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.7.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token. | |||||
| CVE-2017-12337 | 1 Cisco | 11 Emergency Responder, Finesse, Hosted Collaboration Solution and 8 more | 2025-07-31 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device. The vulnerability occurs when a refresh upgrade (RU) or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password. If the vulnerable device is subsequently upgraded using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product, this vulnerability is remediated by that action. Note: Engineering Special Releases that are installed as COP files, as opposed to the standard upgrade method, do not remediate this vulnerability. An attacker who can access an affected device over SFTP while it is in a vulnerable state could gain root access to the device. This access could allow the attacker to compromise the affected system completely. Cisco Bug IDs: CSCvg22923, CSCvg55112, CSCvg55128, CSCvg55145, CSCvg58619, CSCvg64453, CSCvg64456, CSCvg64464, CSCvg64475, CSCvg68797. | |||||
| CVE-2024-30939 | 1 Yealink | 1 Vp59 Firmware | 2025-07-30 | N/A | 6.8 MEDIUM |
| An issue discovered in Yealink VP59 Teams Editions with firmware version 91.15.0.118 allows a physically proximate attacker to gain control of an account via a flaw in the factory reset procedure. | |||||
| CVE-2025-31267 | 1 Apple | 1 App Store Connect | 2025-07-29 | N/A | 4.6 MEDIUM |
| An authentication issue was addressed with improved state management. This issue is fixed in App Store Connect 3.0. An attacker with physical access to an unlocked device may be able to view sensitive user information. | |||||
| CVE-2025-49812 | 1 Apache | 1 Http Server | 2025-07-29 | N/A | 7.4 HIGH |
| In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade. | |||||
| CVE-2025-54419 | 2025-07-29 | N/A | 10.0 CRITICAL | ||
| A SAML library not dependent on any frameworks that runs in Node. In version 5.0.1, Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username. To conduct the attack an attacker would need a validly signed document from the identity provider (IdP). This is fixed in version 5.1.0. | |||||
| CVE-2025-54452 | 1 Samsung | 1 Magicinfo 9 Server | 2025-07-28 | N/A | 7.3 HIGH |
| Improper Authentication vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass.This issue affects MagicINFO 9 Server: less than 21.1080.0. | |||||
| CVE-2024-51767 | 1 Hpe | 1 Autopass License Server | 2025-07-25 | N/A | 7.3 HIGH |
| An authentication bypass vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.17. | |||||
| CVE-2024-12310 | 2025-07-25 | N/A | N/A | ||
| A vulnerability in Imprivata Enterprise Access Management (formerly Imprivata OneSign) allows bypassing the login screen of the shared kiosk workstation and allows unauthorized access to the underlying Windows system through the already logged-in autologon account due to insufficient handling of keyboard shortcuts. This issue affects Imprivata Enterprise Access Management versions 5.3 through 24.2. | |||||
| CVE-2025-37107 | 1 Hpe | 1 Autopass License Server | 2025-07-25 | N/A | 7.3 HIGH |
| An authentication bypass vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.18. | |||||
| CVE-2025-37106 | 1 Hpe | 1 Autopass License Server | 2025-07-25 | N/A | 7.3 HIGH |
| An authentication bypass and disclosure of information vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.18. | |||||
| CVE-2025-7862 | 1 Totolink | 2 T6, T6 Firmware | 2025-07-23 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in TOTOLINK T6 4.1.5cu.748_B20211015 and classified as critical. Affected by this vulnerability is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipulation of the argument telnet_enabled with the input 1 leads to missing authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2020-3411 | 1 Cisco | 1 Catalyst Center | 2025-07-23 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in Cisco DNA Center software could allow an unauthenticated remote attacker access to sensitive information on an affected system. The vulnerability is due to improper handling of authentication tokens by the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker access to sensitive device information, which includes configuration files. | |||||
| CVE-2024-7401 | 1 Netskope | 1 Netskope | 2025-07-23 | N/A | 7.5 HIGH |
| Netskope was notified about a security gap in Netskope Client enrollment process where NSClient is using a static token “Orgkey” as authentication parameter. Since this is a static token, if leaked, cannot be rotated or revoked. A malicious actor can use this token to enroll NSClient from a customer’s tenant and impersonate a user. | |||||
| CVE-2025-7897 | 2025-07-22 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was found in harry0703 MoneyPrinterTurbo up to 1.2.6 and classified as critical. Affected by this issue is the function verify_token of the file app/controllers/base.py of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. | |||||
| CVE-2025-41459 | 2025-07-22 | N/A | 7.8 HIGH | ||
| Insufficient protection against brute-force and runtime manipulation in the local authentication component in Two App Studio Journey 5.5.6 on iOS allows local attackers to bypass biometric and PIN-based access control via repeated PIN attempts or dynamic code injection. | |||||