CVE Daily
← All tags

Tag: Unauthenticated/Unauthorized Access

All CVEs associated with "Unauthenticated/Unauthorized Access". Page 56/128 • 15328 CVEs.

Subscribe CVEs: RSS for “Unauthenticated/Unauthorized Access”  ·  RSS (High+Critical only)

About “Unauthenticated/Unauthorized Access”

A curated feed of “Unauthenticated/Unauthorized Access”-related CVEs appears below. We currently track 15328 CVEs for this tag (all time). In the last 365 days, 3832 were published. Average CVSS is 7.4 (all time; 7.4 over 365d), and 61% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-862 - Missing Authorization, CWE-306 - Missing Authentication for Critical Function, CWE-639 - Authorization Bypass Through User-Controlled Key.

In our taxonomy this topic maps to a HIGH impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2024-01-10
Medium

CVE-2023-48260

The vulnerability allows a remote unauthenticated attacker to read arbitrary content of the results database via a crafted HTTP request.

CVSS: 5.3 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2023-48259

The vulnerability allows a remote unauthenticated attacker to read arbitrary content of the results database via a crafted HTTP request.

CVSS: 5.3 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2020-26629

A JQuery Unrestricted Arbitrary File Upload vulnerability was discovered in Hospital Management System V4.0 which allows an unauthenticated attacker to upload any file to the server.

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-01-09
Medium

CVE-2023-5770

Proofpoint Enterprise Protection contains a vulnerability in the email delivery agent that allows an unauthenticated attacker to inject improperly encoded HTML into the email body of a message throug…

CVSS: 5.3 CWE: CWE-838 - Inappropriate Encoding for Output Context View on NVD
Critical

CVE-2023-51438

A vulnerability has been identified in SIMATIC IPC1047E (All versions with maxView Storage Manager < V4.14.00.26068 on Windows), SIMATIC IPC647E (All versions with maxView Storage Manager < V4.14.00.…

CVSS: 10.0 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2023-49252

A vulnerability has been identified in SIMATIC CN 4100 (All versions < V2.7). The affected application allows IP configuration change without authentication to the device. This could allow an attacke…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2023-51717

Dataiku DSS before 11.4.5 and 12.4.1 has Incorrect Access Control that could lead to a full authentication bypass.

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
2024-01-08
High

CVE-2023-6383

The Debug Log Manager WordPress plugin before 2.3.0 contains a Directory listing vulnerability was discovered, which allows you to download the debug log without authorization and gain access to sens…

CVSS: 7.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2023-6042

Any unauthenticated user may send e-mail from the site with any title or content to the admin

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2024-21644

pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This…

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2023-29048

A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands wi…

CVSS: 8.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Critical

CVE-2024-22216

In default installations of Microchip maxView Storage Manager (for Adaptec Smart Storage Controllers) where Redfish server is configured for remote system management, unauthorized access can occur, w…

CVSS: 10.0 CWE: CWE-284 - Improper Access Control View on NVD
2024-01-07
High

CVE-2024-0264

A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /LoginRegistration.php. The manipulation o…

CVSS: 7.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2024-01-05
High

CVE-2023-51502

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Stripe Payment Gateway.This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.1.

CVSS: 7.5 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2024-01-04
Medium

CVE-2024-22049

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data upl…

CVSS: 5.3 CWE: CWE-472 - External Control of Assumed-Immutable Web Parameter View on NVD
High

CVE-2024-0241

encoded_id-rails versions before 1.0.0.beta2 are affected by an uncontrolled resource consumption vulnerability. A remote and unauthenticated attacker might cause a denial of service condition by sen…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2024-01-03
High

CVE-2023-5881

Unauthenticated access permitted to web interface page The Genie Company Aladdin Connect (Retrofit-Kit Model ALDCM) "Garage Door Control Module Setup" and modify the Garage door's SSID settings.

CVSS: 8.2 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2024-21910

TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the executio…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2023-7068

The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on theprint_packing…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-50344

HCL DRYiCE MyXalytics is impacted by improper access control (Unauthenticated File Download) vulnerability. An unauthenticated user can download certain files.

CVSS: 5.4 CWE: CWE-284 - Improper Access Control View on NVD
2023-12-31
Medium

CVE-2023-51503

Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo.This issue affects WooPayments – Fully Integrated Solut…

CVSS: 5.9 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2023-12-30
High

CVE-2023-50110

TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used.

CVSS: 7.5 CWE: N/A View on NVD
2023-12-29
Medium

CVE-2023-31292

An issue was discovered in Sesami Cash Point & Transport Optimizer (CPTO) 6.3.8.6 (#718), allows local attackers to obtain sensitive information and bypass authentication via "Back Button Refresh" at…

CVSS: 5.5 CWE: CWE-287 - Improper Authentication View on NVD
2023-12-26
Medium

CVE-2023-6155

The Quiz Maker WordPress plugin before 6.4.9.5 does not adequately authorize the `ays_quiz_author_user_search` AJAX action, allowing an unauthenticated attacker to perform a search for users of the s…

CVSS: 5.3 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2023-51363

VR-S1000 firmware Ver. 2.37 and earlier allows a network-adjacent unauthenticated attacker who can access the product's web management page to obtain sensitive information.

CVSS: 6.5 CWE: N/A View on NVD
Medium

CVE-2023-50297

Open redirect vulnerability in PowerCMS (6 Series, 5 Series, and 4 Series) allows a remote unauthenticated attacker to redirect users to arbitrary web sites via a specially crafted URL. Note that all…

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2023-12-25
Critical

CVE-2022-34268

An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host.

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
Medium

CVE-2023-40236

In Pexip VMR self-service portal before 3, the same SSH host key is used across different customers' installations, which allows authentication bypass.

CVSS: 5.3 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2023-12-24
High

CVE-2023-51767

OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resi…

CVSS: 7.0 CWE: N/A View on NVD
2023-12-22
High

CVE-2023-51650

Hertzbeat is an open source, real-time monitoring system. Prior to version 1.4.1, Spring Boot permission configuration issues caused unauthorized access vulnerabilities to three interfaces. This coul…

CVSS: 7.5 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-50712

Iris is a web collaborative platform aiming to help incident responders sharing technical details during investigations. A stored Cross-Site Scripting (XSS) vulnerability has been identified in iris-…

CVSS: 4.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2023-42465

Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling…

CVSS: 7.0 CWE: N/A View on NVD
High

CVE-2022-39337

Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vu…

CVSS: 7.5 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2023-51708

Bentley eB System Management Console applications within Assetwise Integrity Information Server allow an unauthenticated user to view configuration options via a crafted request, leading to informati…

CVSS: 8.6 CWE: CWE-287 - Improper Authentication View on NVD
2023-12-21
Medium

CVE-2023-48298

ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real-time. This vulnerability is an integer underflow resulting in crash due…

CVSS: 5.9 CWE: CWE-191 - Integer Underflow (Wrap or Wraparound) View on NVD
Medium

CVE-2023-27319

ONTAP Mediator versions prior to 1.7 are susceptible to a vulnerability that can allow an unauthenticated attacker to enumerate URLs via REST API.

CVSS: 5.3 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD
Medium

CVE-2023-51379

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unautho…

CVSS: 4.9 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2023-46646

Improper access control in all versions of GitHub Enterprise Server allows unauthorized users to view private repository names via the "Get a check run" API endpoint. This vulnerability did not allow…

CVSS: 5.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2023-49765

Authorization Bypass Through User-Controlled Key vulnerability in Blaz K. Rate my Post – WP Rating System.This issue affects Rate my Post – WP Rating System: from n/a through 3.4.1.

CVSS: 4.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2023-47191

Authorization Bypass Through User-Controlled Key vulnerability in KaineLabs Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress.This issue affects Youzify –…

CVSS: 6.5 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2023-32799

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Shipping Multiple Addresses.This issue affects Shipping Multiple Addresses: from n/a through 3.8.3.

CVSS: 6.5 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2023-32747

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Bookings.This issue affects WooCommerce Bookings: from n/a through 1.15.78.

CVSS: 5.4 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2023-51442

Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exp…

CVSS: 8.6 CWE: CWE-287 - Improper Authentication View on NVD
Low

CVE-2023-2585

Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an a…

CVSS: 3.5 CWE: CWE-358 - Improperly Implemented Security Check for Standard View on NVD
2023-12-20
High

CVE-2023-35916

Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo.This issue affects WooPayments – Fully Integrated Solut…

CVSS: 7.5 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2023-35914

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Woo Subscriptions.This issue affects Woo Subscriptions: from n/a through 5.1.2.

CVSS: 7.5 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2023-36520

Authorization Bypass Through User-Controlled Key vulnerability in MarketingFire Editorial Calendar.This issue affects Editorial Calendar: from n/a through 3.7.12.

CVSS: 5.4 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2023-35876

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Square.This issue affects WooCommerce Square: from n/a through 3.8.1.

CVSS: 8.1 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Low

CVE-2023-46311

Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz.This issue affects Comments – wpDiscuz: from n/a through 7.6.3.

CVSS: 2.7 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2023-41796

Authorization Bypass Through User-Controlled Key vulnerability in WP Sunshine Sunshine Photo Cart: Free Client Galleries for Photographers.This issue affects Sunshine Photo Cart: Free Client Gallerie…

CVSS: 5.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2023-38513

Authorization Bypass Through User-Controlled Key vulnerability in Jordy Meow Photo Engine (Media Organizer & Lightroom).This issue affects Photo Engine (Media Organizer & Lightroom): from n/a through…

CVSS: 5.4 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2023-37871

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6.

CVSS: 8.2 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Critical

CVE-2023-6768

Authentication bypass vulnerability in Amazing Little Poll affecting versions 1.3 and 1.4. This vulnerability could allow an unauthenticated user to access the admin panel without providing any crede…

CVSS: 9.4 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2023-37544

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Prox…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2023-50703

An attacker with network access could perform a man-in-the-middle (MitM) attack and capture sensitive information to gain unauthorized access to the application.

CVSS: 6.3 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2023-12-19
Critical

CVE-2023-6930

EuroTel ETL3100 versions v01c01 and v01x37 suffer from an unauthenticated configuration and log download vulnerability. This enables the attacker to disclose sensitive information and assist in authe…

CVSS: 9.4 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2022-43450

Authorization Bypass Through User-Controlled Key vulnerability in XWP Stream.This issue affects Stream: from n/a through 3.9.2.

CVSS: 4.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2023-49812

Authorization Bypass Through User-Controlled Key vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a through 8.5.02.005.

CVSS: 5.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2023-50272

A potential security vulnerability has been identified in HPE Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 6 (iLO 6). The vulnerability could be remotely exploited to allow authenticatio…

CVSS: 7.5 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2023-12-18
Medium

CVE-2023-35867

An improper handling of a malformed API answer packets to API clients in Bosch BT software products can allow an unauthenticated attacker to cause a Denial of Service (DoS) situation. To exploit this…

CVSS: 5.9 CWE: CWE-703 - Improper Check or Handling of Exceptional Conditions View on NVD
High

CVE-2023-32230

An improper handling of a malformed API request to an API server in Bosch BT software products can allow an unauthenticated attacker to cause a Denial of Service (DoS) situation.

CVSS: 7.5 CWE: CWE-703 - Improper Check or Handling of Exceptional Conditions View on NVD
Medium

CVE-2022-41677

An information disclosure vulnerability was discovered in Bosch IP camera devices allowing an unauthenticated attacker to retrieve information (like capabilities) about the device itself and network…

CVSS: 5.3 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2023-28053

Dell NetWorker Virtual Edition versions 19.8 and below contain the use of deprecated cryptographic algorithms in the SSH component. A remote unauthenticated attacker could potentially exploit this vu…

CVSS: 5.3 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
High

CVE-2023-41314

The api /api/snapshot and /api/get_log_file would allow unauthenticated access. It could allow a DoS attack or get arbitrary files from FE node. Please upgrade to 2.0.3 to fix these issues.

CVSS: 8.2 CWE: CWE-863 - Incorrect Authorization View on NVD
2023-12-16
High

CVE-2021-42797

Path traversal vulnerability in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior allows an unauthenticated user to steal the Windows access token of the user account configured for…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2023-12-15
High

CVE-2023-48389

Multisuns EasyLog web+ has a path traversal vulnerability within its parameter in a specific URL. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and downlo…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2023-48378

Softnext Mail SQR Expert has a path traversal vulnerability within its parameter in a specific URL. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and down…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2023-48373

ITPison OMICARD EDM has a path traversal vulnerability within its parameter “FileName” in a specific function. An unauthenticated remote attacker can exploit this vulnerability to bypass authenticati…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2023-12-14
High

CVE-2023-6595

In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate ancillary credential…

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2023-6368

In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related t…

CVSS: 5.9 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2023-44286

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a DOM-based Cross-Site Scripting vulnerability. A remote unauthenticated attacker could potentially…

CVSS: 8.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2023-46141

Incorrect Permission Assignment for Critical Resource vulnerability in multiple products of the PHOENIX CONTACT classic line allow an remote unauthenticated attacker to gain full access of the affect…

CVSS: 9.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2023-12-13
Medium

CVE-2023-50443

Encrypted disks created by PRIMX CRYHOD for Windows before Q.2020.4 (ANSSI qualification submission) or CRYHOD for Windows before 2023.5 can be modified by an unauthenticated attacker to include a UN…

CVSS: 4.6 CWE: N/A View on NVD
Medium

CVE-2023-50440

ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission); ZED! for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before Q…

CVSS: 5.5 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2023-50439

ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission), ZED! for Windows before Q.2021.2 (ANSSI qualification submission), ZONECENTRAL for Windows before Q…

CVSS: 5.3 CWE: N/A View on NVD
High

CVE-2023-50444

By default, .ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission); ZED! for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Win…

CVSS: 7.5 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
Medium

CVE-2023-50441

Encrypted folders created by PRIMX ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission) or ZONECENTRAL for Windows before 2023.5 can be modified by an unauthenticated attacker to…

CVSS: 5.5 CWE: N/A View on NVD
Medium

CVE-2023-47076

Adobe InDesign versions 19.0 (and earlier) and 17.4.2 (and earlier) are affected by a NULL Pointer Dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve…

CVSS: 5.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
Critical

CVE-2023-6718

An authentication bypass vulnerability has been found in Repox, which allows a remote user to send a specially crafted POST request, due to the lack of any authentication method, resulting in the alt…

CVSS: 9.4 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Low

CVE-2023-47536

An improper access control vulnerability [CWE-284] in FortiOS version 7.2.0, version 7.0.13 and below, version 6.4.14 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, versio…

CVSS: 3.1 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2022-27488

A cross-site request forgery (CSRF) in Fortinet FortiVoiceEnterprise version 6.4.x, 6.0.x, FortiSwitch version 7.0.0 through 7.0.4, 6.4.0 through 6.4.10, 6.2.0 through 6.2.7, 6.0.x, FortiMail version…

CVSS: 8.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2023-12-12
Low

CVE-2023-50263

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 1.x and 2.0.x prior…

CVSS: 3.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2023-49713

Denial-of-service (DoS) vulnerability exists in NetBIOS service of HMI GC-A2 series. If a remote unauthenticated attacker sends a specially crafted packets to specific ports, a denial-of-service (DoS…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
High

CVE-2023-49143

Denial-of-service (DoS) vulnerability exists in rfe service of HMI GC-A2 series. If a remote unauthenticated attacker sends a specially crafted packets to specific ports, a denial-of-service (DoS) co…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
High

CVE-2023-49140

Denial-of-service (DoS) vulnerability exists in commplex-link service of HMI GC-A2 series. If a remote unauthenticated attacker sends a specially crafted packets to specific ports, a denial-of-servic…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
High

CVE-2023-41963

Denial-of-service (DoS) vulnerability exists in FTP service of HMI GC-A2 series. If a remote unauthenticated attacker sends a specially crafted packets to specific ports, a denial-of-service (DoS) co…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Critical

CVE-2023-50424

SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions < 0.17.0, allow under certain conditions an escalation of privileges. On successful exploit…

CVSS: 9.1 CWE: CWE-749 - Exposed Dangerous Method or Function View on NVD
Critical

CVE-2023-50423

SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attac…

CVSS: 9.1 CWE: CWE-749 - Exposed Dangerous Method or Function View on NVD
Critical

CVE-2023-50422

SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an e…

CVSS: 9.1 CWE: CWE-749 - Exposed Dangerous Method or Function View on NVD
Critical

CVE-2023-49583

SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated atta…

CVSS: 9.1 CWE: CWE-749 - Exposed Dangerous Method or Function View on NVD
Medium

CVE-2023-49581

SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unaut…

CVSS: 4.1 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2023-49580

SAP GUI for Windows and SAP GUI for Java - versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, allow an unauthenticated attacker to access information which would otherwise be restri…

CVSS: 7.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Medium

CVE-2023-42923

This issue was addressed through improved state management. This issue is fixed in iOS 17.2 and iPadOS 17.2. Private Browsing tabs may be accessed without authentication.

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2023-42479

An unauthenticated attacker can embed a hidden access to a Biller Direct URL in a frame which, when loaded by the user, will submit a cross-site scripting request to the Biller Direct system. This ca…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2023-36649

Insertion of sensitive information in the centralized (Grafana) logging system in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate other users in web management and the REST API by…

CVSS: 9.1 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2023-12-11
Medium

CVE-2023-49804

Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, when a user changes their login password in Uptime Kuma, a previously logged-in user retains access without being l…

CVSS: 6.7 CWE: CWE-384 - Session Fixation View on NVD
Critical

CVE-2023-48417

Missing Permission checks resulting in unauthorized access and Manipulation in KeyChainActivity Application

CVSS: 9.8 CWE: CWE-862 - Missing Authorization View on NVD
2023-12-09
High

CVE-2023-6394

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authenti…

CVSS: 7.4 CWE: CWE-862 - Missing Authorization View on NVD
2023-12-08
Critical

CVE-2023-43742

An authentication bypass in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an unauthenticated attacker to o…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
2023-12-07
Critical

CVE-2023-39172

The affected devices transmit sensitive information unencrypted allowing a remote unauthenticated attacker to capture and modify network traffic.

CVSS: 9.1 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Critical

CVE-2023-48823

A Blind SQL injection issue in ajax.php in GaatiTrack Courier Management System 1.0 allows an unauthenticated attacker to inject a payload via the email parameter during login.

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2023-5714

The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_db_specs() function hooked via an AJAX action in all versions up to,…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-5713

The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_option_value() function hooked via an AJAX action in all versions up…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-5712

The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_global_value() function hooked via an AJAX action in all versions up…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-5711

The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_php_info() function hooked via an AJAX action in all versions up to,…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-5710

The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_constants() function hooked via an AJAX action in all versions up to…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
2023-12-06
High

CVE-2023-49096

Jellyfin is a Free Software Media System for managing and streaming media. In affected versions there is an argument injection in the VideosController, specifically the `/Videos/<itemId>/stream` and…

CVSS: 7.7 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
High

CVE-2023-6514

The Bluetooth module of some Huawei Smart Screen products has an identity authentication bypass vulnerability. Successful exploitation of this vulnerability may allow attackers to access restricted f…

CVSS: 8.8 CWE: CWE-840 View on NVD
High

CVE-2023-49246

Unauthorized access vulnerability in the card management module. Successful exploitation of this vulnerability may affect service confidentiality.

CVSS: 7.5 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2023-49245

Unauthorized access vulnerability in the Huawei Share module. Successful exploitation of this vulnerability may affect service confidentiality.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2023-49243

Vulnerability of unauthorized access to email attachments in the email module. Successful exploitation of this vulnerability may affect service confidentiality.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2023-49240

Unauthorized access vulnerability in the launcher module. Successful exploitation of this vulnerability may affect service confidentiality.

CVSS: 7.5 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
High

CVE-2023-49239

Unauthorized access vulnerability in the card management module. Successful exploitation of this vulnerability may affect service confidentiality.

CVSS: 7.5 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2023-46688

Open redirect vulnerability in Pleasanter 1.3.47.0 and earlier allows a remote unauthenticated attacker to redirect users to arbitrary web sites via a specially crafted URL.

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2023-12-05
Critical

CVE-2023-6448

Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative con…

CVSS: 9.8 CWE: CWE-1188 - Initialization of a Resource with an Insecure Default View on NVD
Critical

CVE-2023-6269

An argument injection vulnerability has been identified in the administrative web interface of the Atos Unify OpenScape products "Session Border Controller" (SBC) and "Branch", before version V10 R3…

CVSS: 10.0 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
High

CVE-2023-5188

The MMS Interpreter of WagoAppRTU in versions below 1.4.6.0 which is used by the WAGO Telecontrol Configurator is vulnerable to malformed packets. An remote unauthenticated attacker could send specif…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2023-39248

Dell OS10 Networking Switches running 10.5.2.x and above contain an Uncontrolled Resource Consumption (Denial of Service) vulnerability, when switches are configured with VLT and VRRP. A remote unaut…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2023-42576

Improper Authentication vulnerability in Samsung Pass prior to version 4.3.00.17 allows physical attackers to bypass authentication due to invalid exception handler.

CVSS: 5.4 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2023-42575

Improper Authentication vulnerability in Samsung Pass prior to version 4.3.00.17 allows physical attackers to bypass authentication due to invalid flag setting.

CVSS: 5.4 CWE: CWE-863 - Incorrect Authorization View on NVD