CVE Daily
← All tags

Tag: Unauthenticated/Unauthorized Access

All CVEs associated with "Unauthenticated/Unauthorized Access". Page 48/128 • 15328 CVEs.

Subscribe CVEs: RSS for “Unauthenticated/Unauthorized Access”  ·  RSS (High+Critical only)

About “Unauthenticated/Unauthorized Access”

A curated feed of “Unauthenticated/Unauthorized Access”-related CVEs appears below. We currently track 15328 CVEs for this tag (all time). In the last 365 days, 3832 were published. Average CVSS is 7.4 (all time; 7.4 over 365d), and 61% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-862 - Missing Authorization, CWE-306 - Missing Authentication for Critical Function, CWE-639 - Authorization Bypass Through User-Controlled Key.

In our taxonomy this topic maps to a HIGH impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2024-07-16
Low

CVE-2024-21131

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE…

CVSS: 3.7 CWE: N/A View on NVD
Medium

CVE-2024-21126

Vulnerability in the Oracle Database Portable Clusterware component of Oracle Database Server. Supported versions that are affected are 19.3-19.23 and 21.3-21.14. Easily exploitable vulnerability a…

CVSS: 5.8 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2024-6395

An exposure of sensitive information vulnerability in GitHub Enterprise Server would allow an attacker to enumerate the names of private repositories that utilize deploy keys. This vulnerability did…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2020-25836

Exposure of Sensitive Information to an Unauthorized Access vulnerability in OpenText NetIQ Directory and Resource Administrator. This issue affects NetIQ Directory and Resource Administrator version…

CVSS: 6.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2024-22442

The vulnerability could be remotely exploited to bypass authentication.

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
2024-07-15
Medium

CVE-2024-40627

Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP `OPTIONS` requests are always allowed by `OpaMiddleware`, even when they lack authentication, and are passed through dir…

CVSS: 5.8 CWE: CWE-204 - Observable Response Discrepancy View on NVD
Medium

CVE-2024-37016

Mengshen Wireless Door Alarm M70 2024-05-24 allows Authentication Bypass via a Capture-Replay approach.

CVSS: 6.8 CWE: CWE-294 - Authentication Bypass by Capture-replay View on NVD
Critical

CVE-2024-38492

This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file.

CVSS: 9.4 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
High

CVE-2024-38491

The vulnerability allows an unauthenticated attacker to read arbitrary information from the database.

CVSS: 8.4 CWE: N/A View on NVD
Critical

CVE-2024-36456

This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file.

CVSS: 9.4 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2024-36455

An improper input validation allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by sending a specially crafted HTTP request.

CVSS: 9.4 CWE: CWE-665 - Improper Initialization View on NVD
2024-07-13
Critical

CVE-2024-5450

The Bug Library WordPress plugin before 2.1.1 does not check the file type on user-submitted bug reports, allowing an unauthenticated user to upload PHP files

CVSS: 9.1 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-07-12
Critical

CVE-2024-6328

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient ve…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2024-07-11
Critical

CVE-2024-36435

An issue was discovered on Supermicro BMC firmware in select X11, X12, H12, B12, X13, H13, and B13 motherboards (and CMM6 modules). An unauthenticated user can post crafted data to the interface that…

CVSS: 9.8 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
High

CVE-2024-39552

An Improper Handling of Exceptional Conditions vulnerability in the routing protocol daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved allows a network based, unauthenticated attacker to…

CVSS: 7.5 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
High

CVE-2024-39531

An Improper Handling of Values vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on ACX 7000 Series allows a network-based, unauthenticated attacker to cause a…

CVSS: 7.5 CWE: CWE-229 - Improper Handling of Values View on NVD
Medium

CVE-2024-38433

Nuvoton - CWE-305: Authentication Bypass by Primary Weakness An attacker with write access to the SPI-Flash on an NPCM7xx BMC subsystem that uses the Nuvoton BootBlock reference code can modify the…

CVSS: 6.7 CWE: CWE-305 - Authentication Bypass by Primary Weakness View on NVD
Critical

CVE-2024-6397

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verificati…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2024-07-10
Medium

CVE-2024-39559

An Improper Check for Unusual or Exceptional Conditions vulnerability in packet processing of Juniper Networks Junos OS Evolved may allow a network-based unauthenticated attacker to crash the device…

CVSS: 5.9 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
Medium

CVE-2024-39558

An Unchecked Return Value vulnerability in the Routing Protocol Daemon (rpd) on Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows a logically adjacent, unauthenticated attacker s…

CVSS: 6.5 CWE: CWE-252 - Unchecked Return Value View on NVD
Medium

CVE-2024-38353

CodiMD allows realtime collaborative markdown notes on all platforms. CodiMD before 2.5.4 is missing authentication and access control vulnerability allowing an unauthenticated attacker to gain unaut…

CVSS: 5.3 CWE: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) View on NVD
Critical

CVE-2024-25077

An issue was discovered on Renesas SmartBond DA14691, DA14695, DA14697, and DA14699 devices. The Nonce used for on-the-fly decryption of flash images is stored in an unsigned header, allowing its val…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2024-5492

Open redirect vulnerability allows a remote unauthenticated attacker to redirect users to arbitrary websites in NetScaler ADC and NetScaler Gateway

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
Critical

CVE-2024-5217

ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated u…

CVSS: 9.8 CWE: CWE-184 - Incomplete List of Disallowed Inputs View on NVD
Medium

CVE-2024-5178

ServiceNow has addressed a sensitive file read vulnerability that was identified in the Washington DC, Vancouver, and Utah Now Platform releases. This vulnerability could allow an administrative user…

CVSS: 4.9 CWE: CWE-184 - Incomplete List of Disallowed Inputs View on NVD
Critical

CVE-2024-4879

ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotel…

CVSS: 9.8 CWE: CWE-1287 - Improper Validation of Specified Type of Input View on NVD
High

CVE-2024-36451

Improper handling of insufficient permissions or privileges vulnerability exists in ajaxterm module of Webmin prior to 2.003. If this vulnerability is exploited, a console session may be hijacked by…

CVSS: 8.8 CWE: CWE-280 - Improper Handling of Insufficient Permissions or Privileges View on NVD
2024-07-09
High

CVE-2024-34722

In smp_proc_rand of smp_act.cc, there is a possible authentication bypass during legacy BLE pairing due to incorrect implementation of a protocol. This could lead to remote escalation of privilege wi…

CVSS: 8.8 CWE: CWE-303 - Incorrect Implementation of Authentication Algorithm View on NVD
Medium

CVE-2024-39899

PrivateBin is an online pastebin where the server has zero knowledge of pasted data. In v1.5, PrivateBin introduced the YOURLS server-side proxy. The idea was to allow using the YOURLs URL shortener…

CVSS: 5.3 CWE: CWE-305 - Authentication Bypass by Primary Weakness View on NVD
Medium

CVE-2024-6237

A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of serv…

CVSS: 6.5 CWE: CWE-230 - Improper Handling of Missing Values View on NVD
Medium

CVE-2024-33509

An improper certificate validation vulnerability [CWE-295] in FortiWeb 7.2.0 through 7.2.1, 7.0 all versions, 6.4 all versions and 6.3 all versions may allow a remote and unauthenticated attacker in…

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
Low

CVE-2024-26015

An incorrect parsing of numbers with different radices vulnerability [CWE-1389] in FortiProxy version 7.4.3 and below, version 7.2.10 and below, version 7.0.17 and below and FortiOS version 7.4.3 and…

CVSS: 3.4 CWE: CWE-1389 - Incorrect Parsing of Numbers with Different Radices View on NVD
Medium

CVE-2024-21759

An authorization bypass through user-controlled key in Fortinet FortiPortal version 7.2.0, and versions 7.0.0 through 7.0.6 allows attacker to view unauthorized resources via HTTP or HTTPS requests.

CVSS: 4.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2023-50179

An improper certificate validation vulnerability [CWE-295] in FortiADC 7.4.0, 7.2 all versions, 7.1 all versions, 7.0 all versions may allow a remote and unauthenticated attacker to perform a Man-in-…

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2023-50178

An improper certificate validation vulnerability [CWE-295] in FortiADC 7.4.0, 7.2.0 through 7.2.3, 7.1 all versions, 7.0 all versions, 6.2 all versions, 6.1 all versions and 6.0 all versions may allo…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
Critical

CVE-2024-6527

SQL Injection vulnerability in parameter "w" in file "druk.php" in MegaBIP software allows unauthorized attacker to disclose the contents of the database and obtain administrator's token to modify th…

CVSS: 9.3 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2024-39868

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected devices do not properly validate the authentication when performing certain actions in the web…

CVSS: 7.6 CWE: CWE-425 - Direct Request ('Forced Browsing') View on NVD
High

CVE-2024-39867

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected devices do not properly validate the authentication when performing certain actions in the web…

CVSS: 7.6 CWE: CWE-425 - Direct Request ('Forced Browsing') View on NVD
Medium

CVE-2024-38867

A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V9.64), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions < V9.64), SIPROTEC 5 6MD86 (CP2…

CVSS: 5.9 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
Medium

CVE-2024-37430

Authentication Bypass by Spoofing vulnerability in patreon Patreon WordPress patreon-connect.This issue affects Patreon WordPress: from n/a through <= 1.9.0.

CVSS: 5.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Critical

CVE-2023-38055

A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low privileged user to fetch, modify or delete the services of any user (including admin). This results in unauthorized access…

CVSS: 9.6 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Critical

CVE-2023-38054

A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This results in unauthorized access and unau…

CVSS: 9.9 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Critical

CVE-2023-38053

A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including admin). This results in unauthorized acces…

CVSS: 9.9 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Critical

CVE-2023-38052

A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user (admin). This results in unauthorized access and unauthorized…

CVSS: 9.9 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Critical

CVE-2023-38051

A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results in unauthorized access and…

CVSS: 9.9 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Critical

CVE-2023-38050

A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} allows a low privileged user to fetch, modify or delete a webhook of any user (including admin). This results in unauthorized access and…

CVSS: 9.1 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Critical

CVE-2023-38049

A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (including admin). This results in unauthoriz…

CVSS: 9.9 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Critical

CVE-2023-38048

A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This results in unauthorized access and unauthor…

CVSS: 9.9 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2023-38047

A BOLA vulnerability in GET, PUT, DELETE /categories/{categoryId} allows a low privileged user to fetch, modify or delete the category of any user (including admin). This results in unauthorized acce…

CVSS: 8.5 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2024-6167

The Just Custom Fields plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several AJAX functions in all versions up to, and including, 3.3…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-5810

The WP2Speed Faster – Optimize PageSpeed Insights Score 90-100 plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.1. This is due to the use of hardcod…

CVSS: 5.3 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Medium

CVE-2024-4102

The Pricing Table plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 2.0.1. This makes it…

CVSS: 5.4 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-37173

Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script wi…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-07-08
Medium

CVE-2024-23562

A security vulnerability in HCL Domino could allow disclosure of sensitive configuration information. A remote unauthenticated attacker could exploit this vulnerability to obtain information to laun…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2024-4341

Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in ExtremePacs Extreme XDS allows Collect Data as Provided by Users. This issue affects Extreme XDS: before 3928.

CVSS: 6.5 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2024-39742

IBM MQ Operator 3.2.2 and IBM MQ Operator 2.0.24 could allow a user to bypass authentication under certain configurations due to a partial string comparison vulnerability. IBM X-Force ID: 297169.

CVSS: 8.1 CWE: CWE-187 - Partial String Comparison View on NVD
Medium

CVE-2024-6163

Certain http endpoints of Checkmk in Checkmk < 2.3.0p10 < 2.2.0p31, < 2.1.0p46, <= 2.0.0p39 allows remote attacker to bypass authentication and access data

CVSS: 5.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2024-07-06
Medium

CVE-2024-6095

A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s…

CVSS: 5.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2024-07-05
Medium

CVE-2024-32498

An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2…

CVSS: 6.5 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
2024-07-04
Medium

CVE-2024-1573

Missing Authentication for Critical Function vulnerability in the mobile monitoring feature of Mitsubishi Electric GENESIS64 versions 10.97.2 and prior, Mitsubishi Electric ICONICS Suite versions 10.…

CVSS: 5.9 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2024-07-03
Medium

CVE-2024-5821

The vulnerability allows an attacker to access sensitive files on the server by confusing the agent with incorrect file names. When a user requests the content of a file with a misspelled name, the a…

CVSS: 6.2 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2024-31223

Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fide…

CVSS: 5.3 CWE: CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere View on NVD
Critical

CVE-2024-39223

An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback function to ssh.InsecureIgnoreHostKey

CVSS: 9.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2024-07-02
Medium

CVE-2024-6088

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the 'register' function in all versions up to, and incl…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-20894

Improper handling of exceptional conditions in Secure Folder prior to SMR Jul-2024 Release 1 allows physical attackers to bypass authentication under certain condition. User interaction is required f…

CVSS: 4.3 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
High

CVE-2024-4836

Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthenticated user. The issue…

CVSS: 7.5 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
Critical

CVE-2023-41919

Hardcoded credentials are discovered within the application's source code, creating a potential security risk for unauthorized access.

CVSS: 9.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Critical

CVE-2023-41918

A vulnerability allows unauthorized access to functionality inadequately constrained by ACLs. Attackers may exploit this to unauthenticated execute commands potentially leading to unauthorized data m…

CVSS: 10.0 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2024-07-01
Critical

CVE-2024-5322

The N-central server is vulnerable to session rebinding of already authenticated users when using Entra SSO, which can lead to authentication bypass. This vulnerability is present in all Entra-supp…

CVSS: 9.1 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Critical

CVE-2024-28200

The N-central server is vulnerable to an authentication bypass of the user interface. This vulnerability is present in all deployments of N-central prior to 2024.2. This vulnerability was discovered…

CVSS: 9.1 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Medium

CVE-2024-39303

Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on…

CVSS: 4.4 CWE: CWE-73 - External Control of File Name or Path View on NVD
Critical

CVE-2024-38513

Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows u…

CVSS: 10.0 CWE: CWE-384 - Session Fixation View on NVD
Critical

CVE-2024-6424

External server-side request vulnerability in MESbook 20221021.03 version, which could allow a remote, unauthenticated attacker to exploit the endpoint "/api/Proxy/Post?userName=&password=&uri=<FILE|…

CVSS: 9.3 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2024-06-29
Critical

CVE-2024-39848

Internet2 Grouper before 5.6 allows authentication bypass when LDAP authentication is used in certain ways. This is related to internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication and…

CVSS: 9.1 CWE: CWE-1390 - Weak Authentication View on NVD
Low

CVE-2024-39846

NewPass before 1.2.0 stores passwords (rather than password hashes) directly, which makes it easier to obtain unauthorized access to sensitive information. NOTE: in each case, data at rest is encrypt…

CVSS: 3.5 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2024-06-28
High

CVE-2024-5735

Full Path Disclosure vulnerability in AdmirorFrames Joomla! extension in afHelper.php script allows an unauthorised attacker to retrieve location of web root folder. This issue affects AdmirorFrames:…

CVSS: 7.5 CWE: CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere View on NVD
High

CVE-2024-39350

A vulnerability regarding authentication bypass by spoofing is found in the RTSP functionality. This allows man-in-the-middle attackers to obtain privileges without consent via unspecified vectors. T…

CVSS: 7.5 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Low

CVE-2024-30111

HCL DRYiCE AEX product is impacted by Missing Root Detection vulnerability in the mobile application. The mobile app can be installed in the rooted device due to which malicious users can gain unaut…

CVSS: 3.3 CWE: CWE-1326 - Missing Immutable Root of Trust in Hardware View on NVD
2024-06-27
Critical

CVE-2024-2973

An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or conductor running with a redundant peer allows a network based attacker to bypass…

CVSS: 10.0 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Critical

CVE-2024-6127

BC Security Empire before 5.9.3 is vulnerable to a path traversal issue that can lead to remote code execution. A remote, unauthenticated attacker can exploit this vulnerability over HTTP by acting a…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2024-5548

A directory traversal vulnerability exists in the stitionai/devika repository, specifically within the /api/download-project endpoint. Attackers can exploit this vulnerability by manipulating the 'pr…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2024-5334

A local file read vulnerability exists in the stitionai/devika repository, affecting the latest version. The vulnerability is due to improper handling of the 'snapshot_path' parameter in the '/api/ge…

CVSS: 7.5 CWE: CWE-73 - External Control of File Name or Path View on NVD
Critical

CVE-2024-39376

TELSAT marKoni FM Transmitters are vulnerable to users gaining unauthorized access to sensitive information or performing actions beyond their designated permissions.

CVSS: 9.8 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2024-39373

TELSAT marKoni FM Transmitters are vulnerable to a command injection vulnerability through the manipulation of settings and could allow an attacker to gain unauthorized access to the system with admi…

CVSS: 7.2 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Medium

CVE-2024-31883

IBM Security Verify Access 10.0.0.0 through 10.0.7.1, under certain configurations, could allow an unauthenticated attacker to cause a denial of service due to asymmetric resource consumption. IBM…

CVSS: 5.3 CWE: CWE-703 - Improper Check or Handling of Exceptional Conditions View on NVD
Critical

CVE-2024-1107

Authorization Bypass Through User-Controlled Key vulnerability in Talya Informatics Travel APPS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel APP…

CVSS: 9.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Critical

CVE-2024-0949

Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass. This issue affe…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2024-06-26
High

CVE-2024-33329

A hardcoded privileged ID within Lumisxp v15.0.x to v16.1.x allows attackers to bypass authentication and access internal pages and other sensitive information.

CVSS: 7.5 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Low

CVE-2024-29177

Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contain a disclosure of temporary sensitive information vulnerability. A remote high privileged attacker could p…

CVSS: 2.7 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
Medium

CVE-2024-29175

Dell PowerProtect Data Domain, versions prior to 7.13.0.0, LTS 7.7.5.40, LTS 7.10.1.30 contain an weak cryptographic algorithm vulnerability. A remote unauthenticated attacker could potentially explo…

CVSS: 5.9 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
Medium

CVE-2024-29174

Dell Data Domain, versions prior to 7.13.0.0, LTS 7.7.5.30, LTS 7.10.1.20 contain an SQL Injection vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading…

CVSS: 4.4 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-06-25
High

CVE-2024-5013

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Denial of Service vulnerability was identified. An unauthenticated attacker can put the application into the SetAdminPassword i…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Critical

CVE-2024-4883

In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve the RCE as a service…

CVSS: 9.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
High

CVE-2024-6238

pgAdmin <= 8.8 has an installation Directory permission issue. Because of this issue, attackers can gain unauthorised access to the installation directory on the Debian or RHEL 8 platforms.

CVSS: 7.4 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Critical

CVE-2024-5806

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 bef…

CVSS: 9.1 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2024-5805

Improper Authentication vulnerability in Progress MOVEit Gateway (SFTP modules) allows Authentication Bypass.This issue affects MOVEit Gateway: 2024.0.0.

CVSS: 9.1 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2024-37085

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured t…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD
Low

CVE-2023-37541

HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios.

CVSS: 3.5 CWE: N/A View on NVD
Medium

CVE-2024-4846

Authentication bypass in the 2FA feature in Devolutions Server 2024.1.14.0 and earlier allows an authenticated attacker to authenticate to another user without being asked for the 2FA via another bro…

CVSS: 6.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Critical

CVE-2023-6198

Use of Hard-coded Credentials vulnerability in Baicells Snap Router BaiCE_BMI on EP3011 (User Passwords modules) allows unauthorized access to the device.

CVSS: 9.3 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2024-06-24
Critical

CVE-2024-33898

Axiros AXESS Auto Configuration Server (ACS) 4.x and 5.0.0 is affected by an Incorrect Access Control vulnerability. An authorization bypass allows remote attackers to achieve unauthenticated remote…

CVSS: 9.8 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2024-39337

Click Studios Passwordstate Core before 9.8 build 9858 allows Authentication Bypass.

CVSS: 6.5 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2024-06-22
High

CVE-2024-21514

This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9.…

CVSS: 7.4 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-06-21
Medium

CVE-2024-1639

The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in a…

CVSS: 6.5 CWE: CWE-862 - Missing Authorization View on NVD
2024-06-20
High

CVE-2023-25646

There is an unauthorized access vulnerability in ZTE H388X. If H388X is caused by brute-force serial port cracking,attackers with common user permissions can use this vulnerability to obtain elevated…

CVSS: 7.1 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
Critical

CVE-2024-5432

The Lifeline Donation plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.6. This is due to insufficient verification on the user being supplied during t…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2024-06-19
Medium

CVE-2024-4450

The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in…

CVSS: 6.3 CWE: CWE-862 - Missing Authorization View on NVD
2024-06-18
Medium

CVE-2024-21685

This High severity Information Disclosure vulnerability was introduced in versions 9.4.0, 9.12.0, and 9.15.0 of Jira Core Data Center. This Information Disclosure vulnerability, with a CVSS Sco…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2024-06-17
Critical

CVE-2024-34833

Sourcecodester Payroll Management System v1.0 is vulnerable to File Upload. Users can upload images via the "save_settings" page. An unauthenticated attacker can leverage this functionality to upload…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-37896

Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.6.5 has SQL injection vulnerability. The SQL injection vulnerabilities occur when a web application allows use…

CVSS: 8.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-06-16
High

CVE-2024-38467

Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized user information retrieval via the queryUser API.

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2024-06-15
High

CVE-2023-6696

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several…

CVSS: 8.1 CWE: CWE-862 - Missing Authorization View on NVD
2024-06-14
Critical

CVE-2024-33374

Incorrect access control in the UART/Serial interface on the LB-LINK BL-W1210M v2.0 router allows attackers to access the root terminal without authentication.

CVSS: 9.8 CWE: CWE-269 - Improper Privilege Management View on NVD
Critical

CVE-2024-2472

The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function i…

CVSS: 9.1 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2024-27169

Toshiba printers provides API without authentication for internal access. A local attacker can bypass authentication in applications, providing administrative access. As for the affected products/mod…

CVSS: 8.4 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2024-27168

It appears that some hardcoded keys are used for authentication to internal API. Knowing these private keys may allow attackers to bypass authentication and reach administrative interfaces. As for th…

CVSS: 7.1 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Critical

CVE-2024-3080

Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device.

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2024-27144

The Toshiba printers provide several ways to upload files using the web interface without authentication. An attacker can overwrite any insecure files. And the Toshiba printers are vulnerable to a Lo…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2024-27141

Toshiba printers use XML communication for the API endpoint provided by the printer. For the endpoint, XML parsing library is used and it is vulnerable to a time-based blind XML External Entity (XXE)…

CVSS: 5.9 CWE: CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') View on NVD
2024-06-13
Medium

CVE-2024-5952

Deep Sea Electronics DSE855 Restart Missing Authentication Denial-of-Service Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of…

CVSS: 6.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD