Total
3849 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-26685 | 2025-05-17 | 6.5 Medium | ||
| Improper authentication in Microsoft Defender for Identity allows an unauthorized attacker to perform spoofing over an adjacent network. | ||||
| CVE-2024-45404 | 1 Citeum | 1 Opencti | 2025-05-17 | 8.1 High |
| OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the account. This is because the otpLogin mutation does not implement One Time Password rate limiting. As of time of publication, it is unknown whether a patch is available. | ||||
| CVE-2025-4755 | 2025-05-16 | 7.3 High | ||
| A vulnerability was found in D-Link DI-7003GV2 24.04.18D1 R(68125). It has been classified as critical. This affects the function sub_497DE4 of the file /H5/netconfig.asp. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-47790 | 2025-05-16 | 6.4 Medium | ||
| Nextcloud Server is a self hosted personal cloud system. Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3 have a bug with session handling. The bug caused skipping the second factor confirmation after a successful login with the username and password when the server was configured with `remember_login_cookie_lifetime` set to `0`, once the session expired on the page to select the second factor and the page is reloaded. Nextcloud Server 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server is upgraded to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9 and 31.0.3 contain a patch. As a workaround, set the `remember_login_cookie_lifetime` in config.php to a value other than `0`, e.g. `900`. Beware that this is only a workaround for new sessions created after the configuration change. System administration can delete affected sessions. | ||||
| CVE-2025-20083 | 2025-05-16 | 7.5 High | ||
| Improper authentication in the firmware for the Intel(R) Slim Bootloader may allow a privileged user to potentially enable escalation of privilege via local access. | ||||
| CVE-2025-47275 | 2025-05-16 | 9.1 Critical | ||
| Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected. | ||||
| CVE-2024-42172 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | 5.3 Medium |
| HCL MyXalytics is affected by broken authentication. It allows attackers to compromise keys, passwords, and session tokens, potentially leading to identity theft and system control. This vulnerability arises from poor configuration, logic errors, or software bugs and can affect any application with access control, including databases, network infrastructure, and web applications. | ||||
| CVE-2024-35248 | 1 Microsoft | 1 Dynamics 365 Business Central | 2025-05-16 | 7.3 High |
| Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | ||||
| CVE-2021-36369 | 2 Debian, Dropbear Ssh Project | 2 Debian Linux, Dropbear Ssh | 2025-05-15 | 7.5 High |
| An issue was discovered in Dropbear through 2020.81. Due to a non-RFC-compliant check of the available authentication methods in the client-side SSH code, it is possible for an SSH server to change the login process in its favor. This attack can bypass additional security measures such as FIDO2 tokens or SSH-Askpass. Thus, it allows an attacker to abuse a forwarded agent for logging on to another server unnoticed. | ||||
| CVE-2022-35135 | 1 Boodskap | 1 Iot Platform | 2025-05-15 | 8.8 High |
| Boodskap IoT Platform v4.4.9-02 allows attackers to escalate privileges via a crafted request sent to /api/user/upsert/<uuid>. | ||||
| CVE-2022-40664 | 1 Apache | 1 Shiro | 2025-05-15 | 9.8 Critical |
| Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher. | ||||
| CVE-2022-38982 | 1 Huawei | 1 Harmonyos | 2025-05-15 | 9.8 Critical |
| The fingerprint module has service logic errors.Successful exploitation of this vulnerability will cause the phone lock to be cracked. | ||||
| CVE-2022-41436 | 1 Oxhoo | 2 Tp50, Tp50 Firmware | 2025-05-14 | 9.1 Critical |
| An issue in OXHOO TP50 OXH1.50 allows unauthenticated attackers to access the administrative panel via browsing to the URL http://device_ip/index1.html. | ||||
| CVE-2022-42488 | 1 Openharmony | 1 Openharmony | 2025-05-14 | 8.4 High |
| OpenHarmony-v3.1.2 and prior versions have a Missing permission validation vulnerability in param service of startup subsystem. An malicious application installed on the device could elevate its privileges to the root user, disable security features, or cause DoS by disabling particular services. | ||||
| CVE-2024-6235 | 1 Citrix | 1 Netscaler Console | 2025-05-14 | 8.8 High |
| Sensitive information disclosure in NetScaler Console | ||||
| CVE-2022-42463 | 1 Openharmony | 1 Openharmony | 2025-05-14 | 8.3 High |
| OpenHarmony-v3.1.2 and prior versions have an authenication bypass vulnerability in a callback handler function of Softbus_server in communication subsystem. Attackers can launch attacks on distributed networks by sending Bluetooth rfcomm packets to any remote device and executing arbitrary commands. | ||||
| CVE-2025-41450 | 2025-05-14 | 8.2 High | ||
| Improper Authentication vulnerability in Danfoss AKSM8xxA Series.This issue affects Danfoss AK-SM 8xxA Series prior to version 4.2 | ||||
| CVE-2025-22477 | 1 Dell | 1 Storage Manager | 2025-05-13 | 8.3 High |
| Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges. | ||||
| CVE-2025-31228 | 2025-05-13 | 6.8 Medium | ||
| The issue was addressed with improved authentication. This issue is fixed in iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5. An attacker with physical access to a device may be able to access notes from the lock screen. | ||||
| CVE-2022-2533 | 1 Gitlab | 1 Gitlab | 2025-05-13 | 6.5 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 12.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location. | ||||