Total
1252 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-37265 | 1 Icewhale | 2 Casaos, Casaos-gateway | 2025-04-07 | N/A | 9.8 CRITICAL |
| CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification an unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly. | |||||
| CVE-2022-26501 | 1 Veeam | 1 Veeam Backup \& Replication | 2025-04-04 | 10.0 HIGH | 9.8 CRITICAL |
| Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2). | |||||
| CVE-2024-51567 | 1 Cyberpanel | 1 Cyberpanel | 2025-04-03 | N/A | 9.8 CRITICAL |
| upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected. | |||||
| CVE-2021-37415 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2025-04-03 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. | |||||
| CVE-2023-46747 | 1 F5 | 20 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 17 more | 2025-04-02 | N/A | 9.8 CRITICAL |
| Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2021-33658 | 2 Huawei, Openatom | 2 Atune, Openeuler | 2025-04-02 | 4.6 MEDIUM | 7.8 HIGH |
| atune before 0.3-0.8 log in as a local user and run the curl command to access the local atune url interface to escalate the local privilege or modify any file. Authentication is not forcibly enabled in the default configuration. | |||||
| CVE-2022-1388 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2025-04-02 | 7.5 HIGH | N/A |
| On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2021-43447 | 1 Onlyoffice | 1 Server | 2025-04-02 | N/A | 7.5 HIGH |
| ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An authentication bypass in the document editor allows attackers to edit documents without authentication. | |||||
| CVE-2025-25060 | 2025-04-02 | N/A | N/A | ||
| Missing authentication for critical function vulnerability exists in AssetView and AssetView CLOUD. If exploited, the files on the server where the product is running may be obtained and/or deleted by a remote unauthenticated attacker. | |||||
| CVE-2024-13771 | 1 Uxper | 1 Civi | 2025-03-28 | N/A | 5.9 MEDIUM |
| The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim. | |||||
| CVE-2025-25068 | 1 Mattermost | 1 Mattermost Server | 2025-03-27 | N/A | 8.8 HIGH |
| Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes. | |||||
| CVE-2024-8053 | 1 Openwebui | 1 Open Webui | 2025-03-27 | N/A | 8.2 HIGH |
| In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. This vulnerability can be exploited by sending a POST request with an excessively large payload, potentially leading to server resource exhaustion and denial of service (DoS). Additionally, unauthorized users can misuse the endpoint to generate PDFs without verification, resulting in service misuse and potential operational and financial impacts. | |||||
| CVE-2023-25014 | 1 In2code | 1 Femanager | 2025-03-26 | N/A | 7.5 HIGH |
| An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users. | |||||
| CVE-2023-25013 | 1 In2code | 1 Femanager | 2025-03-26 | N/A | 7.5 HIGH |
| An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to set the password of all frontend users. | |||||
| CVE-2021-37234 | 1 Modern Honey Network Project | 1 Modern Honey Network | 2025-03-26 | N/A | 6.5 MEDIUM |
| Incorrect Access Control vulnerability in Modern Honey Network commit 0abf0db9cd893c6d5c727d036e1f817c02de4c7b allows remote attackers to view sensitive information via crafted PUT request to Web API. | |||||
| CVE-2024-23783 | 1 Sharp | 4 Jh-rv11, Jh-rv11 Firmware, Jh-rvb1 and 1 more | 2025-03-25 | N/A | 8.8 HIGH |
| Improper authentication vulnerability in Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a network-adjacent unauthenticated attacker to access the affected product without authentication. | |||||
| CVE-2022-45190 | 1 Microchip | 2 Rn4870, Rn4870 Firmware | 2025-03-25 | N/A | 5.3 MEDIUM |
| An issue was discovered on Microchip RN4870 1.43 devices. An attacker within BLE radio range can bypass passkey entry in the legacy pairing of the device. | |||||
| CVE-2022-48299 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-25 | N/A | 7.5 HIGH |
| The WMS module lacks the authentication mechanism in some APIs. Successful exploitation of this vulnerability may affect data confidentiality. | |||||
| CVE-2024-45483 | 2025-03-25 | N/A | N/A | ||
| A Missing Authentication for Critical Function vulnerability in the GRUB configuration used B&R APROL <4.4-01 may allow an unauthenticated physical attacker to alter the boot configuration of the operating system. | |||||
| CVE-2022-48288 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-24 | N/A | 7.5 HIGH |
| The bundle management module lacks authentication and control mechanisms in some APIs. Successful exploitation of this vulnerability may affect data confidentiality. | |||||