Vulnerabilities (CVE)

Filtered by CWE-304
Total 9 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3

CVE-2025-55138 | Updated: 2025-08-07 | CVSS v2: N/A | CVSS v3: N/A
  LinkJoin through 882f196 mishandles token ownership in password reset.

CVE-2024-9216 | Vendors: 1 (Gaizhenbiao) | Products: 1 (Chuanhuchatgpt) | Updated: 2025-08-01 | CVSS v2: N/A | CVSS v3: N/A
  An authentication bypass vulnerability exists in gaizhenbiao/ChuanhuChatGPT, as of commit 3856d4f, allowing any user to read and delete other users' chat history. The vulnerability arises because the username is provided via an HTTP request from the client side, rather than being read from a secure source like a cookie. This allows an attacker to pass another user's username to the get_model function, thereby gaining unauthorized access to that user's chat history.

CVE-2024-52965 | Vendors: 1 (Fortinet) | Products: 2 (Fortios, Fortiproxy) | Updated: 2025-07-22 | CVSS v2: N/A | CVSS v3: N/A
  A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and before 7.0.16 & FortiProxy version 7.6.0 through 7.6.1, 7.4.0 through 7.4.8, 7.2.0 through 7.2.13 and before 7.0.20 allows an API user using api-key + PKI user certificate authentication to log in even if the certificate is invalid.

CVE-2024-8954 | Vendors: 1 (Composio) | Products: 1 (Composio) | Updated: 2025-07-15 | CVSS v2: N/A | CVSS v3: N/A
  In composiohq/composio version 0.5.10, the API does not validate the `x-api-key` header's value during the authentication step. This vulnerability allows an attacker to bypass authentication by providing any random value in the `x-api-key` header, thereby gaining unauthorized access to the server.

CVE-2024-9919 | Vendors: 1 (Lollms) | Products: 1 (Lollms Web Ui) | Updated: 2025-07-09 | CVSS v2: N/A | CVSS v3: N/A
  A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, enabling attackers to delete directories without proper authentication.

CVE-2025-43014 | Vendors: 1 (Jetbrains) | Products: 1 (Toolbox) | Updated: 2025-04-23 | CVSS v2: N/A | CVSS v3: 6.5 MEDIUM
  In JetBrains Toolbox App before 2.6, the SSH plugin established connections without sufficient user confirmation.

CVE-2024-11302 | Updated: 2025-03-20 | CVSS v2: N/A | CVSS v3: N/A
  A missing check_access() function in the lollms_binding_infos module of the parisneo/lollms repository, version V14, allows attackers to add, modify, and remove bindings arbitrarily. This vulnerability affects the /install_binding and /reinstall_binding endpoints, among others, enabling unauthorized access and manipulation of binding settings without requiring the client_id value.

CVE-2022-2821 | Vendors: 1 (Namelessmc) | Products: 1 (Nameless) | Updated: 2022-08-16 | CVSS v2: N/A | CVSS v3: 7.5 HIGH
  Missing Critical Step in Authentication in GitHub repository namelessmc/nameless prior to v2.0.2.

CVE-2021-41179 | Vendors: 1 (Nextcloud) | Products: 1 (Server) | Updated: 2021-10-29 | CVSS v2: 4.0 MEDIUM | CVSS v3: 6.5 MEDIUM
  Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, Two-Factor Authentication wasn't enforced for pages marked as public. Any page marked as `@PublicPage` could thus be accessed with a valid user session that isn't authenticated. This particularly affects the Nextcloud Talk application, as this could be leveraged to gain access to any private chat channel without going through the Two-Factor flow. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.