CVE Daily
← All tags

Tag: Unauthenticated/Unauthorized Access

All CVEs associated with "Unauthenticated/Unauthorized Access". Page 41/128 • 15326 CVEs.

Subscribe CVEs: RSS for “Unauthenticated/Unauthorized Access”  ·  RSS (High+Critical only)

About “Unauthenticated/Unauthorized Access”

A curated feed of “Unauthenticated/Unauthorized Access”-related CVEs appears below. We currently track 15326 CVEs for this tag (all time). In the last 365 days, 3832 were published. Average CVSS is 7.4 (all time; 7.4 over 365d), and 61% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-862 - Missing Authorization, CWE-306 - Missing Authentication for Critical Function, CWE-639 - Authorization Bypass Through User-Controlled Key.

In our taxonomy this topic maps to a HIGH impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2025-01-07
High

CVE-2024-40702

IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validat…

CVSS: 8.2 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2024-12711

The RSVP and Event Management plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX functions like bulk_delete_attendees() and bulk_delete_questi…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-12316

The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_popup_action() function in all versions up to, and including, 4.8.…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-12033

The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the sync_libraries() function in all versions up to, and including, 4.8.5. This makes…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-12719

The WordPress File Upload plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wfu_ajax_action_read_subfolders' function in all versions up to,…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-10866

The Export Import Menus plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the dsp_export_import_menus() function in all versions up to, and includ…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2024-12535

The Host PHP Info plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 1.0.4…

CVSS: 8.6 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-10536

The FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-12176

The WordLift – AI powered SEO – Schema plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'wl_config_plugin' AJAX action in all versions up to, and inc…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
Low

CVE-2024-10527

The Spacer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the motech_spacer_callback() function in all versions up to, and including, 3.0.7. Th…

CVSS: 3.1 CWE: CWE-862 - Missing Authorization View on NVD
2025-01-06
High

CVE-2024-54767

An access control issue in the component /juis_boxinfo.xml of AVM FRITZ!Box 7530 AX v7.59 allows attackers to obtain sensitive information without authentication. NOTE: this is disputed by the Suppli…

CVSS: 7.5 CWE: CWE-203 - Observable Discrepancy View on NVD
Medium

CVE-2024-54764

An access control issue in the component /login/hostinfo2.cgi of ipTIME A2004 v12.17.0 allows attackers to obtain sensitive information without authentication.

CVSS: 6.5 CWE: N/A View on NVD
Medium

CVE-2024-54763

An access control issue in the component /login/hostinfo.cgi of ipTIME A2004 v12.17.0 allows attackers to obtain sensitive information without authentication.

CVSS: 6.5 CWE: N/A View on NVD
2025-01-02
High

CVE-2024-9950

A vulnerability in Forescout SecureConnector v11.3.07.0109 on Windows allows unauthenticated user to modify compliance scripts due to insecure temporary directory.

CVSS: 7.8 CWE: CWE-379 - Creation of Temporary File in Directory with Insecure Permissions View on NVD
High

CVE-2024-39623

Cross-Site Request Forgery (CSRF) vulnerability in CridioStudio ListingPro listingpro allows Authentication Bypass.This issue affects ListingPro: from n/a through <= 2.9.4.

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2023-46611

Authentication Bypass by Primary Weakness vulnerability in yourownprogrammer YOP Poll allows Authentication Bypass.This issue affects YOP Poll: from n/a through 6.5.28.

CVSS: 5.3 CWE: CWE-305 - Authentication Bypass by Primary Weakness View on NVD
2024-12-31
High

CVE-2024-56206

Cross-Site Request Forgery (CSRF) vulnerability in krishankakkar gap-hub-user-role gap-hub-user-role allows Authentication Bypass.This issue affects gap-hub-user-role: from n/a through <= 3.4.1.

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Critical

CVE-2024-56044

Authentication Bypass Using an Alternate Path or Channel vulnerability in VibeThemes WPLMS wplms_plugin allows Authentication Bypass.This issue affects WPLMS: from n/a through <= 1.9.9.

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Critical

CVE-2024-13061

The Electronic Official Document Management System from 2100 Technology has an Authentication Bypass vulnerability. Although the product enforces an IP whitelist for the API used to query user tokens…

CVSS: 9.8 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Critical

CVE-2024-12106

In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings.

CVSS: 9.4 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2024-13040

The QOCA aim from Quanta Computer has an Authorization Bypass Through User-Controlled Key vulnerability. By controlling the user ID parameter, remote attackers with regular privileges could access ce…

CVSS: 8.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2024-12839

The login mechanism via device authentication of CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability. If a user visits a forged website, the agent program deployed…

CVSS: 8.8 CWE: CWE-294 - Authentication Bypass by Capture-replay View on NVD
High

CVE-2024-12838

The passwordless login mechanism in CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability, allowing remote attackers with regular privileges to send a crafted request…

CVSS: 8.8 CWE: CWE-302 - Authentication Bypass by Assumed-Immutable Data View on NVD
2024-12-30
Medium

CVE-2024-56733

Password Pusher is an open source application to communicate sensitive information over the web. A vulnerability has been reported in versions 1.50.3 and prior where an attacker can copy the session…

CVSS: 5.7 CWE: CWE-384 - Session Fixation View on NVD
2024-12-28
Medium

CVE-2022-48470

Huawei HiLink AI Life product has an identity authentication bypass vulnerability. Successful exploitation of this vulnerability may allow attackers to access restricted functions.(Vulnerability ID:H…

CVSS: 4.0 CWE: CWE-305 - Authentication Bypass by Primary Weakness View on NVD
2024-12-27
High

CVE-2024-56509

changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Improper input validation in the application can allow attackers to perf…

CVSS: 8.6 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2024-3393

A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewal…

CVSS: 7.5 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
Medium

CVE-2020-9086

There is a buffer error vulnerability in some Huawei product. An unauthenticated attacker may send special UPNP message to the affected products. Due to insufficient input validation of some value, s…

CVSS: 4.3 CWE: CWE-124 - Buffer Underwrite ('Buffer Underflow') View on NVD
2024-12-26
High

CVE-2024-53850

The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network.. Starting with 3.0.0 and before 3.0.3, a poor security check allows an unauthe…

CVSS: 8.2 CWE: CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') View on NVD
2024-12-25
Medium

CVE-2024-52534

Dell ECS, version(s) prior to ECS 3.8.1.3, contain(s) an Authentication Bypass by Capture-replay vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerabili…

CVSS: 5.4 CWE: CWE-294 - Authentication Bypass by Capture-replay View on NVD
High

CVE-2024-53291

Dell NativeEdge, version(s) 2.1.0.0, contain(s) an Exposure of Sensitive Information Through Metadata vulnerability. An unauthenticated attacker with remote access could potentially exploit this vuln…

CVSS: 7.5 CWE: CWE-1230 - Exposure of Sensitive Information Through Metadata View on NVD
Low

CVE-2023-5117

An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be a…

CVSS: 3.7 CWE: CWE-213 - Exposure of Sensitive Information Due to Incompatible Policies View on NVD
Medium

CVE-2024-12413

The MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions like 'marketking…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-12190

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to unauthorized access of data due to a…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
2024-12-24
High

CVE-2019-2483

Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: Shopping Cart). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.…

CVSS: 8.2 CWE: N/A View on NVD
Critical

CVE-2024-43441

Authentication Bypass by Assumed-Immutable Data vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.5.0. Users are recommended to upgrade to ve…

CVSS: 9.8 CWE: CWE-302 - Authentication Bypass by Assumed-Immutable Data View on NVD
Medium

CVE-2024-12617

The WC Price History for Omnibus plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 2.1.3. This…

CVSS: 5.4 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-12266

The ELEX WooCommerce Dynamic Pricing and Discounts plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the elex_dp_export_rules() and elex_dp_import…

CVSS: 6.5 CWE: CWE-862 - Missing Authorization View on NVD
2024-12-23
Medium

CVE-2024-52321

Multiple SHARP routers contain an improper authentication vulnerability in the configuration backup function. The product's backup files containing sensitive information may be retrieved by a remote…

CVSS: 5.9 CWE: CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere View on NVD
Medium

CVE-2024-47864

home 5G HR02, Wi-Fi STATION SH-52B, and Wi-Fi STATION SH-54C contain a buffer overflow vulnerability in the hidden debug function. A remote unauthenticated attacker may get the web console of the pro…

CVSS: 5.3 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
Critical

CVE-2024-46873

Multiple SHARP routers leave the hidden debug function enabled. An arbitrary OS command may be executed with the root privilege by a remote unauthenticated attacker.

CVSS: 9.8 CWE: CWE-489 - Active Debug Code View on NVD
2024-12-22
Medium

CVE-2024-11852

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capabi…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
2024-12-21
Medium

CVE-2024-12558

The WP BASE Booking of Appointments, Services and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_db function in all versions…

CVSS: 6.5 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-11722

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.25.1 due to insufficient escaping on the user…

CVSS: 5.9 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2024-11349

The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.6. This is due to the plugin not properly verifying a user's identity prior to authen…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
High

CVE-2023-31279

The AirVantage platform is vulnerable to an unauthorized attacker registering previously unregistered devices on the AirVantage platform when the owner has not disabled the AirVantage Management Se…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
2024-12-20
Critical

CVE-2024-56333

Onyxia is a web app that aims at being the glue between multiple open source backend technologies to provide a state of art working environment for data scientists. This critical vulnerability allows…

CVSS: 9.4 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Low

CVE-2024-12014

Path Traversal vulnerability in the eSignaViewer component in eSigna product versions 1.0 to 1.5 on all platforms allow an unauthenticated attacker to access arbitrary files in the document system vi…

CVSS: 2.0 CWE: CWE-20 - Improper Input Validation View on NVD
2024-12-19
Medium

CVE-2024-54009

Remote authentication bypass vulnerability in HPE Alletra Storage MP B10000 in versions prior to version 10.4.5 could be remotely exploited to allow disclosure of information.

CVSS: 4.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2024-54984

An issue in Quectel BG96 BG96MAR02A08M1G allows attackers to bypass authentication via a crafted NAS message. NOTE: this is disputed by the supplier.

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2024-54983

An issue in Quectel BC95-CNV V100R001C00SPC051 allows attackers to bypass authentication via a crafted NAS message.

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Unknown

CVE-2024-54982

An issue in Quectel BC25 with firmware version BC25PAR01A06 allows attackers to bypass authentication via a crafted NAS message. NOTE: Quectel disputes this because the issue is in the chipset supply…

CVSS: N/A CWE: N/A View on NVD
High

CVE-2024-12111

In a specific scenario a LDAP user can abuse the authentication process using injection attack in OpenText Privileged Access Manager that allows authentication bypass. This issue affects Privileged A…

CVSS: 8.0 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Medium

CVE-2024-56159

Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such a…

CVSS: 5.3 CWE: CWE-219 - Storage of File with Sensitive Data Under Web Root View on NVD
Critical

CVE-2024-54150

cjwt is a C JSON Web Token (JWT) Implementation. Algorithm confusion occurs when a system improperly verifies the type of signature used, allowing attackers to exploit the lack of distinction between…

CVSS: 9.1 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
Medium

CVE-2023-21586

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a NULL Pointer Dereference vulnerability. An unauthenticated attack…

CVSS: 5.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2024-12-18
Critical

CVE-2024-12287

The Biagiotti Membership plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly verifying a user's identity pr…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2024-4464

Authorization bypass through user-controlled key vulnerability in streaming service in Synology Media Server before 1.4-2680, 2.0.5-3152 and 2.2.0-3325 allows remote attackers to read specific files…

CVSS: 7.5 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2024-12-17
Medium

CVE-2024-55057

Phpgurukul Online Birth Certificate System 1.0 suffers from insufficient password requirements which can lead to unauthorized access to user accounts.

CVSS: 5.4 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
Critical

CVE-2024-55516

A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 v3.90. The component affected by this issue is /upload_sysconfig.php on the web interface. By crafting a suitable form na…

CVSS: 9.1 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2024-55514

A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 3.90. The component affected by this issue is /upload_sfmig.php on the web interface. By crafting a suitable form name, a…

CVSS: 6.3 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2024-55513

A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 3.90. The component affected by this issue is /upload_netaction.php on the web interface. By crafting a suitable form nam…

CVSS: 9.1 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2024-36832

A NULL pointer dereference in D-Link DAP-1513 REVA_FIRMWARE_1.01 allows attackers to cause a Denial of Service (DoS) via a crafted web request without authentication. The vulnerability occurs in the…

CVSS: 7.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
Medium

CVE-2024-36831

A NULL pointer dereference in the plugins_call_handle_uri_clean function of D-Link DAP-1520 REVA_FIRMWARE_1.10B04_BETA02_HOTFIX allows attackers to cause a Denial of Service (DoS) via a crafted HTTP…

CVSS: 5.3 CWE: CWE-476 - NULL Pointer Dereference View on NVD
Medium

CVE-2024-9819

Authorization Bypass Through User-Controlled Key vulnerability in NextGeography NG Analyser allows Functionality Misuse. This issue affects NG Analyser: before 2.2.711.

CVSS: 6.5 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2024-8475

Authentication Bypass by Assumed-Immutable Data vulnerability in Digital Operation Services WiFiBurada allows Manipulating User-Controlled Variables. This issue affects WiFiBurada: before 1.0.5.

CVSS: 6.5 CWE: CWE-302 - Authentication Bypass by Assumed-Immutable Data View on NVD
Critical

CVE-2024-12356

A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site u…

CVSS: 9.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Critical

CVE-2024-10205

Authentication Bypass vulnerability in Hitachi Ops Center Analyzer on Linux, 64 bit (Hitachi Ops Center Analyzer detail view component), Hitachi Infrastructure Analytics Advisor on Linux, 64 bit (Hit…

CVSS: 9.4 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2024-12-16
Critical

CVE-2024-43234

Authentication Bypass Using an Alternate Path or Channel vulnerability in WofficeIO Woffice woffice allows Authentication Bypass.This issue affects Woffice: from n/a through <= 5.4.14.

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
High

CVE-2024-56013

Authentication Bypass Using an Alternate Path or Channel vulnerability in wovax Wovax IDX wovax-idx allows Authentication Bypass.This issue affects Wovax IDX: from n/a through <= 1.2.2.

CVSS: 8.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Medium

CVE-2024-8116

An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions a…

CVSS: 5.3 CWE: CWE-863 - Incorrect Authorization View on NVD
2024-12-14
Medium

CVE-2024-11715

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the assignUserRole()…

CVSS: 4.8 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-11712

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getResume…

CVSS: 5.3 CWE: CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor View on NVD
2024-12-13
Critical

CVE-2024-55956

In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leve…

CVSS: 9.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
High

CVE-2024-54336

Authentication Bypass Using an Alternate Path or Channel vulnerability in Projectopia Projectopia projectopia-core allows Authentication Bypass.This issue affects Projectopia: from n/a through <= 5.1…

CVSS: 8.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Critical

CVE-2024-54297

Authentication Bypass Using an Alternate Path or Channel vulnerability in extremeidea vBSSO-lite vbsso-lite allows Authentication Bypass.This issue affects vBSSO-lite: from n/a through <= 1.4.3.

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Critical

CVE-2024-54296

Authentication Bypass Using an Alternate Path or Channel vulnerability in Codexpert, Inc CoSchool LMS coschool allows Authentication Bypass.This issue affects CoSchool LMS: from n/a through <= 1.4.3.

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Critical

CVE-2024-54295

Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder ListApp Mobile Manager listapp-mobile-manager allows Authentication Bypass.This issue affects ListApp Mobile Mana…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Critical

CVE-2024-54294

Authentication Bypass Using an Alternate Path or Channel vulnerability in Appgenix Infotech Firebase OTP Authentication authentication-via-otp-using-firebase allows Authentication Bypass.This issue a…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Medium

CVE-2024-28980

Dell RecoverPoint for VMs, version(s) 6.0.x contain(s) a Use of a Broken or Risky Cryptographic Algorithm vulnerability in the SSH. An unauthenticated attacker with remote access could potentially ex…

CVSS: 6.5 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
Medium

CVE-2023-41133

Authentication Bypass by Spoofing vulnerability in Michal Novák Secure Admin IP allows Functionality Bypass.This issue affects Secure Admin IP: from n/a through 2.0.

CVSS: 5.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2024-48007

Dell RecoverPoint for Virtual Machines 6.0.x contains use of hard-coded credentials vulnerability. A Remote unauthenticated attacker could potentially exploit this vulnerability by gaining access to…

CVSS: 5.3 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Critical

CVE-2024-11986

Improper input handling in the 'Host Header' allows an unauthenticated attacker to store a payload in web application logs. When an Administrator views the logs using the application's standard funct…

CVSS: 9.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2024-21543

Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, gr…

CVSS: 7.1 CWE: CWE-287 - Improper Authentication View on NVD
2024-12-12
Critical

CVE-2024-49147

Deserialization of untrusted data in Microsoft Update Catalog allows an unauthorized attacker to elevate privileges on the website’s webserver.

CVSS: 9.3 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
Medium

CVE-2024-28145

An unauthenticated attacker can perform an SQL injection by accessing the /class/dbconnect.php file and supplying malicious GET parameters. The HTTP GET parameters search, table, field, and value are…

CVSS: 5.9 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2024-12329

The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several pages/post types in all versions up to, and including, 5.1.6.…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2024-12201

The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check when creating form styles in all versions up to, and including, 1.…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-12265

The Web3 Crypto Payments by DePay for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/depay/wc/debug REST API endpoint…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2024-12172

The WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the…

CVSS: 7.5 CWE: CWE-862 - Missing Authorization View on NVD
Critical

CVE-2024-11015

The Sign In With Google plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.8.0. This is due to the 'authenticate_user' user function not implementing…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2024-10111

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.26.3. This is due to insufficient verification on the…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2024-50339

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any va…

CVSS: 5.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2024-49128

Sensitive data storage in improperly locked memory in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network.

CVSS: 8.1 CWE: CWE-416 - Use After Free View on NVD
Critical

CVE-2024-45337

Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerCo…

CVSS: 9.1 CWE: N/A View on NVD
High

CVE-2024-37401

An out-of-bounds read in IPsec of Ivanti Connect Secure before version 22.7R2.1 allows a remote unauthenticated attacker to cause a denial of service.

CVSS: 7.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2024-37377

A heap-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.

CVSS: 7.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
Low

CVE-2024-12483

A vulnerability classified as problematic has been found in Dromara UJCMS up to 9.6.3. This affects an unknown part of the file /users/id of the component User ID Handler. The manipulation leads to a…

CVSS: 3.7 CWE: CWE-285 - Improper Authorization View on NVD
2024-12-11
High

CVE-2024-11840

The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the uucss_data, updat…

CVSS: 7.1 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2024-53290

Dell ThinOS version 2408 contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. An unauthenticated attacker with local access could potentially…

CVSS: 8.4 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2024-12-10
Medium

CVE-2024-54048

Adobe Connect versions 12.6, 11.4.7 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL refere…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-54047

Adobe Connect versions 12.6, 11.4.7 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL refere…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-54046

Adobe Connect versions 12.6, 11.4.7 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL refere…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-54045

Adobe Connect versions 12.6, 11.4.7 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL refere…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-54044

Adobe Connect versions 12.6, 11.4.7 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL refere…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-54043

Adobe Connect versions 12.6, 11.4.7 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL refere…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-54042

Adobe Connect versions 12.6, 11.4.7 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL refere…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2024-46442

An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a bruteforce attack.

CVSS: 9.8 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
Critical

CVE-2024-11639

An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access

CVSS: 10.0 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
High

CVE-2024-47484

Dell Avamar, versions prior to 19.12 with patch 338905, excluding 19.10 and 19.10SP1 with patch 338869, contains an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'…

CVSS: 8.2 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2024-28138

An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msg_events.php" script as the www-data user. The HTTP GET parameter "dat…

CVSS: 7.3 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2024-37144

Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.1.0 (for RCM 3.8.x train) and prior to RCM 3.7.6.0 (for RCM 3.7.x train), Dell…

CVSS: 8.2 CWE: CWE-922 - Insecure Storage of Sensitive Information View on NVD
Critical

CVE-2024-37143

Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.1.0 (for RCM 3.8.x train) and prior to RCM 3.7.6.0 (for RCM 3.7.x train), Dell…

CVSS: 10.0 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
Medium

CVE-2024-47582

Due to missing validation of XML input, an unauthenticated attacker could send malicious input to an endpoint which leads to XML Entity Expansion attack. This causes limited impact on availability of…

CVSS: 5.3 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2024-12-09
High

CVE-2024-50626

An issue was discovered in Digi ConnectPort LTS before 1.4.12. A Directory Traversal vulnerability exists in WebFS. This allows an attacker on the local area network to manipulate URLs to include tra…

CVSS: 8.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2024-54151

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUT…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Low

CVE-2024-12057

User credentials (login & password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end. By exploi…

CVSS: 1.8 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
High

CVE-2024-53450

RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents.

CVSS: 7.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
Medium

CVE-2024-12306

Multiple access control vulnerabilities in Unifiedtransform version 2.0 and potentially earlier versions allow unauthorized access to personal information of students and teachers. The vulnerabilitie…

CVSS: 4.3 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-12305

An object-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows unauthorized access to student grades. A malicious student user can view grades of…

CVSS: 4.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD