Total
1450 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-24924 | 2025-03-05 | N/A | 9.8 CRITICAL | ||
| Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username | |||||
| CVE-2025-24865 | 1 Myscada | 1 Mypro | 2025-03-04 | N/A | 10.0 CRITICAL |
| The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sensitive information and upload files without the associated password. | |||||
| CVE-2022-25770 | 1 Acquia | 1 Mautic | 2025-02-27 | N/A | 7.8 HIGH |
| Mautic allows you to update the application via an upgrade script. The upgrade logic isn't shielded off correctly, which may lead to vulnerable situation. This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable. | |||||
| CVE-2023-25589 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2025-02-27 | N/A | 9.8 CRITICAL |
| A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to create arbitrary users on the platform. A successful exploit allows an attacker to achieve total cluster compromise. | |||||
| CVE-2023-27060 | 1 Lightcms Project | 1 Lightcms | 2025-02-26 | N/A | 9.8 CRITICAL |
| LightCMS v1.3.7 was discovered to contain a remote code execution (RCE) vulnerability via the image:make function. | |||||
| CVE-2023-28470 | 1 Couchbase | 1 Couchbase Server | 2025-02-24 | N/A | 5.3 MEDIUM |
| In Couchbase Server 5 through 7 before 7.1.4, the nsstats endpoint is accessible without authentication. | |||||
| CVE-2022-26925 | 1 Microsoft | 17 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 14 more | 2025-02-24 | 4.3 MEDIUM | 8.1 HIGH |
| Windows LSA Spoofing Vulnerability | |||||
| CVE-2024-28179 | 1 Jupyter | 1 Jupyter Server Proxy | 2025-02-21 | N/A | 9.0 CRITICAL |
| Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue. | |||||
| CVE-2024-8943 | 1 Latepoint | 1 Latepoint | 2025-02-20 | N/A | 9.8 CRITICAL |
| The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13. | |||||
| CVE-2025-21355 | 2025-02-19 | N/A | 8.6 HIGH | ||
| Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network | |||||
| CVE-2024-57055 | 2025-02-19 | N/A | 5.0 MEDIUM | ||
| Server-Side Access Control Bypass vulnerability in WombatDialer before 25.02 could allow unauthorized users to potentially call certain services without the necessary access level. This issue is limited to services used by the client (not the general-use JSON services) and requires reverse engineering of the proprietary serialization protocol, making it difficult to exploit. | |||||
| CVE-2025-26345 | 2025-02-18 | N/A | 9.8 CRITICAL | ||
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests. | |||||
| CVE-2025-26344 | 2025-02-18 | N/A | 9.8 CRITICAL | ||
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable passwordless guest mode via crafted HTTP requests. | |||||
| CVE-2020-14140 | 1 Mi | 1 Xiaomi Router Firmware | 2025-02-18 | N/A | 7.5 HIGH |
| When Xiaomi router firmware is updated in 2020, there is an unauthenticated API that can reveal WIFI password vulnerability. This vulnerability is caused by the lack of access control policies on some API interfaces. Attackers can exploit this vulnerability to enter the background and execute background command injection. | |||||
| CVE-2024-57725 | 2025-02-18 | N/A | 6.5 MEDIUM | ||
| An issue in the Arcadyan Livebox Fibra PRV3399B_B_LT allows a remote or local attacker to modify the GPON link value without authentication, causing an internet service disruption via the /firstconnection.cgi endpoint. | |||||
| CVE-2021-39144 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2025-02-18 | 6.0 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
| CVE-2025-25224 | 2025-02-18 | N/A | 5.3 MEDIUM | ||
| The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained. | |||||
| CVE-2024-8584 | 1 Learningdigital | 1 Orca Hcm | 2025-02-17 | N/A | 9.8 CRITICAL |
| Orca HCM from LEARNING DIGITAL has an Missing Authentication vulnerability, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in. | |||||
| CVE-2023-34329 | 1 Ami | 1 Megarac Sp-x | 2025-02-13 | N/A | 9.1 CRITICAL |
| AMI MegaRAC SPx12 contains a vulnerability in BMC where a User may cause an authentication bypass by spoofing the HTTP header. A successful exploit of this vulnerability may lead to loss of confidentiality, integrity, and availability. | |||||
| CVE-2023-6942 | 1 Mitsubishielectric | 10 Ezsocket, Fr Configurator2, Got1000 and 7 more | 2025-02-13 | N/A | 7.5 HIGH |
| Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation EZSocket versions 3.0 to 5.92, GT Designer3 Version1(GOT1000) versions 1.325P and prior, GT Designer3 Version1(GOT2000) versions 1.320J and prior, GX Works2 versions 1.11M and later, GX Works3 versions 1.106L and prior, MELSOFT Navigator versions 1.04E to 2.102G, MT Works2 versions 1.190Y and prior, MX Component versions 4.00A to 5.007H and MX OPC Server DA/UA all versions allows a remote unauthenticated attacker to bypass authentication by sending specially crafted packets and connect to the products illegally. | |||||