Total: 1252 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-6207 | 1 Sap | 1 Solution Manager | 2025-03-13 | 10.0 HIGH | 9.8 CRITICAL | SAP Solution Manager (User Experience Monitoring), version 7.2, due to a Missing Authentication Check, does not perform any authentication for a service, resulting in complete compromise of all SMDAgents connected to the Solution Manager.
CVE-2020-6287 | 1 Sap | 1 Netweaver Application Server Java | 2025-03-13 | 10.0 HIGH | 10.0 CRITICAL | SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40, 7.50, does not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system, including the ability to create an administrative user, thereby compromising Confidentiality, Integrity and Availability of the system (Missing Authentication Check).
CVE-2020-3952 | 1 Vmware | 1 Vcenter Server | 2025-03-13 | 6.8 MEDIUM | 9.8 CRITICAL | Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.
CVE-2022-23227 | 1 Nuuo | 2 Nvrmini2, Nvrmini2 Firmware | 2025-03-13 | 10.0 HIGH | 9.8 CRITICAL | NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because handle_import_user.php lacks authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.
CVE-2025-1315 | 1 Sfwebservice | 1 Injob | 2025-03-13 | N/A | 9.8 CRITICAL | The InWave Jobs plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 3.5.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
CVE-2024-9658 | 1 Dasinfomedia | 1 School Management System | 2025-03-13 | N/A | 8.8 HIGH | The School Management System for Wordpress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 93.0.0. This is due to the plugin not properly validating a user's identity prior to updating their details, such as email and password, through the mj_smgt_update_user() and mj_smgt_add_admission() functions, along with a local file inclusion vulnerability. This makes it possible for authenticated attackers, with student-level access and above, to change arbitrary users' email addresses and passwords, including administrators', and leverage that to gain access to their accounts. This was escalated four months ago after no response to our initial outreach, yet it is still vulnerable.
CVE-2022-21587 | 1 Oracle | 1 E-business Suite | 2025-03-12 | N/A | 9.8 CRITICAL | Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVE-2023-41187 | 1 Dlink | 2 Dap-1325, Dap-1325 Firmware | 2025-03-12 | N/A | 8.8 HIGH | D-Link DAP-1325 HNAP Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1325 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the HNAP interface. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-18807.
CVE-2023-41186 | 1 Dlink | 2 Dap-1325, Dap-1325 Firmware | 2025-03-12 | N/A | 6.5 MEDIUM | D-Link DAP-1325 CGI Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to access various functionality on affected installations of D-Link DAP-1325 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the CGI interface. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-18804.
CVE-2025-1717 | 1 Pluginly | 1 Login Me Now | 2025-03-11 | N/A | 8.1 HIGH | The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This makes it possible for unauthenticated attackers to log in as an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from other software, so the plugin is not inherently vulnerable on its own.
CVE-2024-52285 | | | 2025-03-11 | N/A | 5.3 MEDIUM | A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.8), SiPass integrated ACC-AP (All versions < V6.4.8). Affected devices expose several MQTT URLs without authentication. This could allow an unauthenticated remote attacker to access sensitive data.
CVE-2025-23194 | | | 2025-03-11 | N/A | 5.3 MEDIUM | SAP NetWeaver Enterprise Portal OBN does not perform a proper authentication check for a particular configuration setting. As a result, a non-authenticated user can set it to an undesired value, causing low impact on integrity. There is no impact on confidentiality or availability of the application.
CVE-2023-50199 | 1 Dlink | 2 G416, G416 Firmware | 2025-03-10 | N/A | 8.8 HIGH | D-Link G416 httpd Missing Authentication for Critical Function Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link G416 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HTTP service listening on TCP port 80. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to gain access to critical functions on the device. Was ZDI-CAN-21287.
CVE-2023-20857 | 1 Vmware | 1 Workspace One Content | 2025-03-10 | N/A | 6.8 MEDIUM | VMware Workspace ONE Content contains a passcode bypass vulnerability. A malicious actor, with access to a user's rooted device, may be able to bypass the VMware Workspace ONE Content passcode.
CVE-2023-42793 | 1 Jetbrains | 1 Teamcity | 2025-03-07 | N/A | 9.8 CRITICAL | In JetBrains TeamCity before 2023.05.4, an authentication bypass leading to RCE on TeamCity Server was possible.
CVE-2020-13927 | 1 Apache | 1 Airflow | 2025-03-06 | 7.5 HIGH | 9.8 CRITICAL | The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs, but existing users need to change their config to the default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default
CVE-2025-21355 | 1 Microsoft | 1 Bing | 2025-03-05 | N/A | 9.8 CRITICAL | Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network.
CVE-2025-24924 | | | 2025-03-05 | N/A | N/A | Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username.
CVE-2025-24865 | 1 Myscada | 1 Mypro | 2025-03-04 | N/A | 9.8 CRITICAL | The administrative web interface of mySCADA myPRO Manager can be accessed without authentication, which could allow an unauthorized attacker to retrieve sensitive information and upload files without the associated password.
CVE-2022-25770 | 1 Acquia | 1 Mautic | 2025-02-27 | N/A | 7.5 HIGH | Mautic allows you to update the application via an upgrade script. The upgrade logic isn't shielded off correctly, which may lead to a vulnerable situation. This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable.