Total
4273 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-47761 | 1 Glpi-project | 1 Glpi | 2025-01-23 | 7.2 High |
| GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue. | ||||
| CVE-2023-23450 | 1 Sick | 14 Ftmg-esd15axx, Ftmg-esd15axx Firmware, Ftmg-esd20axx and 11 more | 2025-01-23 | 6.2 Medium |
| Use of Password Hash Instead of Password for Authentication in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to use a password hash instead of an actual password to login to a valid user account via the REST interface. | ||||
| CVE-2024-52518 | 1 Nextcloud | 1 Nextcloud Server | 2025-01-23 | 4.4 Medium |
| Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2. | ||||
| CVE-2024-12919 | 1 Cozmoslabs | 1 Membership \& Content Restriction - Paid Member Subscriptions | 2025-01-22 | 9.8 Critical |
| The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7. This is due to the pms_pb_payment_redirect_link function using the user-controlled value supplied via the 'pms_payment_id' parameter to authenticate users without any further identity validation. This makes it possible for unauthenticated attackers with knowledge of a valid payment ID to log in as any user who has made a purchase on the targeted site. | ||||
| CVE-2023-0863 | 1 Abb | 16 Terra Ac Wallbox 80a, Terra Ac Wallbox 80a Firmware, Terra Ac Wallbox Ce Juno and 13 more | 2025-01-22 | 8.8 High |
| Improper Authentication vulnerability in ABB Terra AC wallbox (UL40/80A), ABB Terra AC wallbox (UL32A), ABB Terra AC wallbox (CE) (Terra AC MID), ABB Terra AC wallbox (CE) Terra AC Juno CE, ABB Terra AC wallbox (CE) Terra AC PTB, ABB Terra AC wallbox (CE) Symbiosis, ABB Terra AC wallbox (JP).This issue affects Terra AC wallbox (UL40/80A): from 1.0;0 through 1.5.5; Terra AC wallbox (UL32A) : from 1.0;0 through 1.6.5; Terra AC wallbox (CE) (Terra AC MID): from 1.0;0 through 1.6.5; Terra AC wallbox (CE) Terra AC Juno CE: from 1.0;0 through 1.6.5; Terra AC wallbox (CE) Terra AC PTB : from 1.0;0 through 1.5.25; Terra AC wallbox (CE) Symbiosis: from 1.0;0 through 1.2.7; Terra AC wallbox (JP): from 1.0;0 through 1.6.5. | ||||
| CVE-2024-3487 | 1 Microfocus | 1 Imanager | 2025-01-21 | 3.5 Low |
| Broken Authentication vulnerability discovered in OpenText™ iManager 3.2.6.0200. This vulnerability allows an attacker to manipulate certain parameters to bypass authentication. | ||||
| CVE-2023-28398 | 1 Propumpservice | 2 Osprey Pump Controller, Osprey Pump Controller Firmware | 2025-01-16 | 9.8 Critical |
| Osprey Pump Controller version 1.01 could allow an unauthenticated user to create an account and bypass authentication, thereby gaining unauthorized access to the system. A threat actor could exploit this vulnerability to create a user account without providing valid credentials. A threat actor who successfully exploits this vulnerability could gain access to the pump controller and cause disruption in operation, modify data, or shut down the controller. | ||||
| CVE-2023-1752 | 1 Getnexx | 8 Nxal-100, Nxal-100 Firmware, Nxg-100b and 5 more | 2025-01-16 | 8.1 High |
| The listed versions of Nexx Smart Home devices could allow any user to register an already registered alarm or associated device with only the device’s MAC address. | ||||
| CVE-2023-32347 | 1 Teltonika | 1 Remote Management System | 2025-01-16 | 8.1 High |
| Teltonika’s Remote Management System versions prior to 4.10.0 use device serial numbers and MAC addresses to identify devices from the user perspective for device claiming and from the device perspective for authentication. If an attacker obtained the serial number and MAC address of a device, they could authenticate as that device and steal communication credentials of the device. This could allow an attacker to enable arbitrary command execution as root by utilizing management options within the newly registered devices. | ||||
| CVE-2023-2586 | 1 Teltonika | 1 Remote Management System | 2025-01-16 | 9 Critical |
| Teltonika’s Remote Management System versions 4.14.0 is vulnerable to an unauthorized attacker registering previously unregistered devices through the RMS platform. If the user has not disabled the "RMS management feature" enabled by default, then an attacker could register that device to themselves. This could enable the attacker to perform different operations on the user's devices, including remote code execution with 'root' privileges (using the 'Task Manager' feature on RMS). | ||||
| CVE-2023-3638 | 1 Geovision | 2 Gv-adr2701, Gv-adr2701 Firmware | 2025-01-16 | 9.8 Critical |
| In GeoVision GV-ADR2701 cameras, an attacker could edit the login response to access the web application. | ||||
| CVE-2024-5806 | 1 Progress | 1 Moveit Transfer | 2025-01-16 | 9.1 Critical |
| Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2. | ||||
| CVE-2023-0117 | 1 Huawei | 1 Emui | 2025-01-15 | 5.3 Medium |
| The online authentication provided by the hwKitAssistant lacks strict identity verification of applications. Successful exploitation of this vulnerability may affect availability of features,such as MeeTime. | ||||
| CVE-2024-56445 | 1 Huawei | 1 Harmonyos | 2025-01-13 | 4.3 Medium |
| Instruction authentication bypass vulnerability in the Findnetwork module Impact: Successful exploitation of this vulnerability may cause features to perform abnormally. | ||||
| CVE-2023-52955 | 1 Huawei | 2 Emui, Harmonyos | 2025-01-13 | 6.5 Medium |
| Vulnerability of improper authentication in the ANS system service module Impact: Successful exploitation of this vulnerability may cause features to perform abnormally. | ||||
| CVE-2024-50339 | 1 Glpi-project | 1 Glpi | 2025-01-10 | 5.3 Medium |
| GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue. | ||||
| CVE-2023-3028 | 1 Hopechart | 2 Hqt401, Hqt401 Firmware | 2025-01-10 | 8.6 High |
| Insufficient authentication in the MQTT backend (broker) allows an attacker to access and even manipulate the telemetry data of the entire fleet of vehicles using the HopeChart HQT-401 telematics unit. Other models are possibly affected too. Multiple vulnerabilities were identified: - The MQTT backend does not require authentication, allowing unauthorized connections from an attacker. - The vehicles publish their telemetry data (e.g. GPS Location, speed, odometer, fuel, etc) as messages in public topics. The backend also sends commands to the vehicles as MQTT posts in public topics. As a result, an attacker can access the confidential data of the entire fleet that is managed by the backend. - The MQTT messages sent by the vehicles or the backend are not encrypted or authenticated. An attacker can create and post messages to impersonate a vehicle or the backend. The attacker could then, for example, send incorrect information to the backend about the vehicle's location. - The backend can inject data into a vehicle´s CAN bus by sending a specific MQTT message on a public topic. Because these messages are not authenticated or encrypted, an attacker could impersonate the backend, create a fake message and inject CAN data in any vehicle managed by the backend. The confirmed version is 201808021036, however further versions have been also identified as potentially impacted. | ||||
| CVE-2016-10394 | 1 Qualcomm | 10 Mdm9206, Mdm9206 Firmware, Mdm9607 and 7 more | 2025-01-09 | 9.8 Critical |
| Initial xbl_sec revision does not have all the debug policy features and critical checks. | ||||
| CVE-2018-11952 | 1 Qualcomm | 46 Mdm9206, Mdm9206 Firmware, Mdm9607 and 43 more | 2025-01-09 | 7.8 High |
| An image with a version lower than the fuse version may potentially be booted lead to improper authentication. | ||||
| CVE-2023-6451 | 1 Alayacare | 1 Procura | 2025-01-09 | 8.6 High |
| Publicly known cryptographic machine key in AlayaCare's Procura Portal before 9.0.1.2 allows attackers to forge their own authentication cookies and bypass the application's authentication mechanisms. | ||||