Total: 3920 CVEs

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2025-9063 |  |  | 2025-10-14 | N/A | N/A | An authentication bypass security issue exists within the FactoryTalk View Machine Edition Web Browser ActiveX control. Exploitation of this vulnerability allows unauthorized access to the PanelView Plus 7 Series B, including access to the file system, retrieval of diagnostic information, event logs, and more. |
CVE-2025-9265 |  |  | 2025-10-14 | N/A | N/A | A broken authorization vulnerability in Kiloview NDI N30 allows a remote unauthenticated attacker to deactivate user verification, giving them access to state-changing actions that should only be initiated by administrators. This issue affects Kiloview NDI N30 and was fixed in firmware versions later than 2.02.0246. |
CVE-2025-55340 |  |  | 2025-10-14 | N/A | 7.0 HIGH | Improper authentication in Windows Remote Desktop Protocol allows an authorized attacker to bypass a security feature locally. |
CVE-2024-25128 | 1 Dpgaspar | 1 Flask-appbuilder | 2025-10-14 | N/A | 9.1 CRITICAL | Flask-AppBuilder is an application development framework built on top of Flask. When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, it allows an attacker to forge an HTTP request that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privileged access if a custom OpenID service is deployed by the attacker and reachable by the backend. This vulnerability is only exploitable when the application is using the OpenID 2.0 protocol. Upgrade to Flask-AppBuilder 4.3.11 to fix the vulnerability. |
CVE-2024-34399 | 1 Bmc | 1 Remedy Mid-tier | 2025-10-14 | N/A | 9.8 CRITICAL | **UNSUPPORTED WHEN ASSIGNED** An issue was discovered in BMC Remedy Mid Tier 7.6.04. An unauthenticated remote attacker is able to access any user account without using any password. NOTE: This vulnerability only affects products that are no longer supported by the maintainer; the impacted version is 7.6.04 only. |
CVE-2024-0799 | 1 Arcserve | 1 Udp | 2025-10-14 | N/A | 9.8 CRITICAL | An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin. |
CVE-2025-24949 | 1 Joturl | 1 Joturl | 2025-10-14 | N/A | 6.5 MEDIUM | In JotUrl 2.0, it is possible to bypass security requirements during the password change process. |
CVE-2020-24029 | 1 Forlogic | 1 Qualiex | 2025-10-14 | 7.5 HIGH | 9.8 CRITICAL | Because of unauthenticated password changes in ForLogic Qualiex v1 and v3, customer and admin permissions and data can be accessed via a simple request. NOTE: as of 2025-10-14, the supplier's position is that this is "corrected in all maintained versions. Password reset requests are validated against registered user emails and require a valid, short-lived token." |
CVE-2014-2373 | 1 Accuenergy | 2 Acuvim Ii, Axm-net | 2025-10-13 | 7.5 HIGH | N/A | The AXM-NET Ethernet module accessory 3.04 for the Accuenergy Acuvim II allows remote attackers to discover passwords and modify settings via vectors involving JavaScript. |
CVE-2022-41648 | 1 Heidenhain | 3 Heros, Tnc 640, Tnc 640 Programming Station | 2025-10-13 | N/A | 9.8 CRITICAL | The HEIDENHAIN Controller TNC 640 NC software Version 340590 07 SP5 is vulnerable to improper authentication in its DNC communication for CNC machines. Authentication is not enabled by default for DNC communication. This vulnerability may allow an attacker to deny service on the production line, steal sensitive data from the production line, and alter any products created by the production line. Note: CNC machines running the TNC 640 controller require DNC to be enabled for DNC communication to be present. |
CVE-2025-45777 | 1 Abeltechsoft | 1 Chavara Matrimony | 2025-10-10 | N/A | 9.8 CRITICAL | An issue in the OTP mechanism of Chavara Family Welfare Centre Chavara Matrimony Site v2.0 allows attackers to bypass authentication by supplying a crafted request. |
CVE-2025-4018 | 1 Xxyopen | 1 Novel-plus | 2025-10-10 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability classified as critical has been found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This issue affects the function addCrawlSource of the file novel-crawl/src/main/java/com/java2nb/novel/controller/CrawlController.java. The manipulation leads to missing authentication. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
CVE-2025-4019 | 1 Xxyopen | 1 Novel-plus | 2025-10-10 | 7.5 HIGH | 7.3 HIGH | A vulnerability classified as critical was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. Affected is the function genCode of the file novel-admin/src/main/java/com/java2nb/common/controller/GeneratorController.java. The manipulation leads to missing authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
CVE-2025-4494 | 1 Jadmin-java | 1 Jadmin | 2025-10-10 | 7.5 HIGH | 7.3 HIGH | A vulnerability classified as critical was found in JAdmin-JAVA JAdmin 1.0. Affected is the function toLogin of the file NoNeedLoginController.java of the component Admin Backend. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
CVE-2025-57278 | 1 Lb-link | 2 Bl-cpe300m, Bl-cpe300m Firmware | 2025-10-10 | N/A | 8.8 HIGH | The LB-Link BL-CPE300M AX300 4G LTE Router firmware version BL-R8800_B10_ALK_SL_V01.01.02P42U14_06 does not implement proper session handling. After a user authenticates from a specific IP address, the router grants access to any other client using that same IP, without requiring credentials or verifying client identity. There are no session tokens, cookies, or unique identifiers in place. This flaw allows an attacker to obtain full administrative access simply by configuring their device to use the same IP address as a previously authenticated user. This results in a complete authentication bypass. |
CVE-2025-2859 | 1 Arteche | 2 Satech Bcu, Satech Bcu Firmware | 2025-10-10 | N/A | 9.8 CRITICAL | An attacker with network access could capture traffic and obtain user cookies, allowing the attacker to steal the active user session and make changes to the device via the web interface, depending on the privileges of the user. |
CVE-2024-25652 | 1 Delinea | 1 Secret Server | 2025-10-10 | N/A | 7.6 HIGH | In Delinea PAM Secret Server 11.4, it is possible for a user assigned the "Administer Reports" permission and/or with access to Report functionality via UNLIMITED ADMIN MODE to gain unauthorized access to remote sessions created by legitimate users through information obtained from the Custom Legacy Report functionality. |
CVE-2025-0249 | 1 Hcltech | 1 Intelliops Event Management | 2025-10-09 | N/A | 3.3 LOW | HCL IEM is affected by an improper invalidation of access or JWT token vulnerability. A token was not invalidated, which may allow attackers to access sensitive data without authorization. |
CVE-2025-11287 | 1 Mcphubx | 1 Mcphub | 2025-10-09 | 7.5 HIGH | 7.3 HIGH | A vulnerability was identified in samanhappy MCPHub up to 0.9.10. This vulnerability affects the function handleSseConnection of the file src/services/sseService.ts. Such manipulation leads to improper authentication. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. |
CVE-2025-11529 |  |  | 2025-10-09 | 7.5 HIGH | 7.3 HIGH | A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit has been released to the public and may be exploited. The patch is identified as 3a1cffd2aea63d884025949cfbcfd274d06216a4. A patch should be applied to remediate this issue. |
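Two of the entries above describe the same class of session-handling mistake from opposite ends: the LB-Link router (CVE-2025-57278) ties "logged in" to the client's source IP rather than to a secret the client holds, and HCL IEM (CVE-2025-0249) issues a token but never invalidates it. The Python below is an added illustration written for this listing, not code from either vendor or from any product in the table; the user table, request dicts, class and function names and the 900-second idle timeout are all constructed for the example. It puts the IP-keyed design beside a token-based one that uses a random bearer token, records it server-side, expires it, and revokes it on logout.

```python
# Added illustration for this listing; not code from LB-Link, HCL, or any vendor above.
# Names, the user table, the idle timeout and the request dicts are constructed.
import hmac
import secrets
import time

USERS = {"admin": "correct horse battery staple"}  # constructed credential store


def valid_credentials(user, password):
    """Constant-time password check; unknown users never match."""
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


class IpKeyedSessions:
    """The broken pattern: 'logged in' is a property of the source IP."""

    def __init__(self):
        self.authenticated_ips = set()

    def login(self, request):
        if valid_credentials(request["user"], request["password"]):
            self.authenticated_ips.add(request["remote_ip"])
            return True
        return False

    def is_admin(self, request):
        # Anyone sharing the IP (NAT, shared Wi-Fi, or a spoofed address on
        # the same LAN) inherits the session: no token, cookie or identity.
        return request["remote_ip"] in self.authenticated_ips


class TokenSessions:
    """Random bearer token, recorded server-side, expiring and revocable."""

    TTL = 900  # seconds of idle life; hypothetical value

    def __init__(self):
        self.sessions = {}  # token -> {"user": ..., "expires": ...}

    def login(self, request, now=None):
        now = time.time() if now is None else now
        if not valid_credentials(request["user"], request["password"]):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[token] = {"user": request["user"], "expires": now + self.TTL}
        return token

    def user_for(self, request, now=None):
        now = time.time() if now is None else now
        record = self.sessions.get(request.get("cookie"))
        if record is None:
            return None  # no cookie, unknown token, or already revoked
        if now >= record["expires"]:
            del self.sessions[request["cookie"]]
            return None  # expired: drop it so it cannot come back
        return record["user"]

    def logout(self, request):
        # Server-side invalidation: the token stops working even if the
        # client (or an attacker who copied it) still presents it.
        self.sessions.pop(request.get("cookie"), None)


def demo():
    """Run both designs against an owner login and an attacker on the same IP."""
    owner_login = {"remote_ip": "192.0.2.10", "user": "admin", "password": USERS["admin"]}
    attacker = {"remote_ip": "192.0.2.10", "user": "", "password": ""}  # same IP, no creds
    results = {}

    ip_sessions = IpKeyedSessions()
    ip_sessions.login(owner_login)
    results["ip_keyed_attacker_is_admin"] = ip_sessions.is_admin(attacker)

    tok = TokenSessions()
    cookie = tok.login(owner_login, now=1000.0)
    results["token_owner"] = tok.user_for({"cookie": cookie}, now=1001.0)
    results["token_attacker_no_cookie"] = tok.user_for(attacker, now=1001.0)
    results["token_guess"] = tok.user_for({"cookie": "A" * len(cookie)}, now=1001.0)
    tok.logout({"cookie": cookie})
    results["token_after_logout"] = tok.user_for({"cookie": cookie}, now=1002.0)
    cookie2 = tok.login(owner_login, now=2000.0)
    results["token_after_expiry"] = tok.user_for({"cookie": cookie2}, now=2000.0 + TokenSessions.TTL)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the IP-keyed design the attacker dict carries no credentials at all and is still treated as the administrator, which is exactly the bypass the LB-Link entry describes. In the token design the same attacker gets nothing without the cookie, a guessed 43-character token does not match, and the owner's own cookie stops working after logout or after the idle timeout, because the server keeps the record and deletes it rather than trusting the bearer indefinitely. A production store would keep a hash of the token rather than the token itself, and would set the cookie with Secure and HttpOnly so that the traffic-capture scenario in the Arteche entry (CVE-2025-2859) does not hand the token to a passive observer.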