Total
4274 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-10474 | 1 Mozilla | 2 Firefox Focus, Focus For Ios | 2025-03-13 | 9.1 Critical |
| Focus was incorrectly allowing internal links to utilize the app scheme used for deeplinking, which could result in links potentially circumventing some URL safety checks This vulnerability affects Focus for iOS < 132. | ||||
| CVE-2023-24093 | 1 H3c | 2 A210-g, A210-g Firmware | 2025-03-12 | 9.8 Critical |
| An access control issue in H3C A210-G A210-GV100R005 allows attackers to authenticate without a password. | ||||
| CVE-2023-51405 | 1 Reputeinfosystems | 1 Bookingpress | 2025-03-12 | 5.3 Medium |
| Improper Authentication vulnerability in Repute Infosystems BookingPress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects BookingPress: from n/a through 1.0.74. | ||||
| CVE-2022-48305 | 1 Huawei | 2 Simba-al00, Simba-al00 Firmware | 2025-03-11 | 5.5 Medium |
| There is an identity authentication bypass vulnerability in Huawei Children Smart Watch (Simba-AL00) 1.1.1.274. Successful exploitation of this vulnerability may cause the access control function of specific applications to fail. | ||||
| CVE-2022-48254 | 1 Huawei | 2 Leia-b29, Leia-b29 Firmware | 2025-03-11 | 4.6 Medium |
| There is a data processing error vulnerability in Leia-B29 2.0.0.49(M03). Successful exploitation could bypass lock screen authentication. | ||||
| CVE-2023-46172 | 1 Ibm | 2 Ds8900f, Ds8900f Firmware | 2025-03-11 | 5.6 Medium |
| IBM DS8900F HMC 89.21.19.0, 89.21.31.0, 89.30.68.0, 89.32.40.0, and 89.33.48.0 could allow a remote attacker to bypass authentication restrictions for authorized user. IBM X-Force ID: 269409. | ||||
| CVE-2023-42662 | 1 Jfrog | 1 Artifactory | 2025-03-11 | 9.3 Critical |
| JFrog Artifactory versions 7.59 and above, but below 7.59.18, 7.63.18, 7.68.19, 7.71.8 are vulnerable to an issue whereby user interaction with specially crafted URLs could lead to exposure of user access tokens due to improper handling of the CLI / IDE browser based SSO integration. | ||||
| CVE-2023-23493 | 1 Apple | 1 Macos | 2025-03-11 | 3.3 Low |
| A logic issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.2, macOS Monterey 12.6.3. An encrypted volume may be unmounted and remounted by a different user without prompting for the password. | ||||
| CVE-2023-22497 | 1 Netdata | 1 Netdata | 2025-03-10 | 6.5 Medium |
| Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Each Netdata Agent has an automatically generated MACHINE GUID. It is generated when the agent first starts and it is saved to disk, so that it will persist across restarts and reboots. Anyone who has access to a Netdata Agent has access to its MACHINE_GUID. Streaming is a feature that allows a Netdata Agent to act as parent for other Netdata Agents (children), offloading children from various functions (increased data retention, ML, health monitoring, etc) that can now be handled by the parent Agent. Configuration is done via `stream.conf`. On the parent side, users configure in `stream.conf` an API key (any random UUID can do) to provide common configuration for all children using this API key and per MACHINE GUID configuration to customize the configuration for each child. The way this was implemented, allowed an attacker to use a valid MACHINE_GUID as an API key. This affects all users who expose their Netdata Agents (children) to non-trusted users and they also expose to the same users Netdata Agent parents that aggregate data from all these children. The problem has been fixed in: Netdata agent v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a workaround, do not enable streaming by default. If you have previously enabled this, it can be disabled. Limiting access to the port on the recipient Agent to trusted child connections may mitigate the impact of this vulnerability. | ||||
| CVE-2023-23612 | 1 Amazon | 1 Opensearch | 2025-03-10 | 4.7 Medium |
| OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs where the leading and trailing whitespace is trimmed, allowing users to potentially claim roles they are not assigned to if any role matches the whitespace-stripped version of the roles they are a member of. This issue is only present for authenticated users, and it requires either the existence of roles that match, not considering leading/trailing whitespace, or the ability for users to create said matching roles. In addition, the Identity Provider must allow leading and trailing spaces in role names. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. There are no known workarounds for this issue. | ||||
| CVE-2024-27767 | 1 Unitronics | 1 Unilogic | 2025-03-10 | 10 Critical |
| CWE-287: Improper Authentication may allow Authentication Bypass | ||||
| CVE-2023-25931 | 1 Medtronic | 2 Interstim X Clinician, Micro Clinician | 2025-03-07 | 6.4 Medium |
| Medtronic identified that the Pelvic Health clinician apps, which are installed on the Smart Programmer mobile device, have a password vulnerability that requires a security update to fix. Not updating could potentially result in unauthorized control of the clinician therapy application, which has greater control over therapy parameters than the patient app. Changes still cannot be made outside of the established therapy parameters of the programmer. For unauthorized access to occur, an individual would need physical access to the Smart Programmer. | ||||
| CVE-2023-1065 | 1 Snyk | 1 Kubernetes Monitor | 2025-03-07 | 6.5 Medium |
| This vulnerability in the Snyk Kubernetes Monitor can result in irrelevant data being posted to a Snyk Organization, which could in turn obfuscate other, relevant, security issues. It does not expose the user of the integration to any direct security risk and no user data can be leaked. To exploit the vulnerability the attacker does not need to be authenticated to Snyk but does need to know the target's Integration ID (which may or may not be the same as the Organization ID, although this is an unpredictable UUID in either case). | ||||
| CVE-2021-41265 | 1 Dpgaspar | 1 Flask-appbuilder | 2025-03-07 | 8.1 High |
| Flask-AppBuilder is a development framework built on top of Flask. Verions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. This only affects non database authentication types and new REST API endpoints. Users should upgrade to Flask-AppBuilder 3.3.4 to receive a patch. | ||||
| CVE-2022-48364 | 1 Joinmastodon | 1 Mastodon | 2025-03-06 | 4.3 Medium |
| The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive. | ||||
| CVE-2023-42554 | 1 Samsung | 1 Pass | 2025-03-06 | 5.4 Medium |
| Improper Authentication vulnerabiity in Samsung Pass prior to version 4.3.00.17 allows physical attackers to bypass authentication. | ||||
| CVE-2023-0228 | 1 Abb | 1 Symphony Plus S\+ Operations | 2025-03-05 | 8.8 High |
| Improper Authentication vulnerability in ABB Symphony Plus S+ Operations.This issue affects Symphony Plus S+ Operations: from 2.X through 2.1 SP2, 2.2, from 3.X through 3.3 SP1, 3.3 SP2. | ||||
| CVE-2022-35401 | 1 Asus | 2 Rt-ax82u, Rt-ax82u Firmware | 2025-03-05 | 8.1 High |
| An authentication bypass vulnerability exists in the get_IFTTTTtoken.cgi functionality of Asus RT-AX82U 3.0.0.4.386_49674-ge182230. A specially-crafted HTTP request can lead to full administrative access to the device. An attacker would need to send a series of HTTP requests to exploit this vulnerability. | ||||
| CVE-2023-1477 | 1 Hypr | 1 Keycloak Authenticator | 2025-03-05 | 7.2 High |
| Improper Authentication vulnerability in HYPR Keycloak Authenticator Extension allows Authentication Abuse.This issue affects HYPR Keycloak Authenticator Extension: before 7.10.2, before 8.0.3. | ||||
| CVE-2024-5044 | 1 Emlog | 1 Emlog | 2025-03-05 | 3.7 Low |
| A vulnerability was found in Emlog Pro 2.3.4. It has been classified as problematic. This affects an unknown part of the component Cookie Handler. The manipulation of the argument AuthCookie leads to improper authentication. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-264741 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||