Total
1628 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-35342 | 2025-02-13 | 4.6 Medium | ||
Certain Anpviz products allow unauthenticated users to modify or disable camera related settings such as microphone volume, speaker volume, LED lighting, NTP, motion detection, etc. This affects IPC-D250, IPC-D260, IPC-B850, IPC-D850, IPC-D350, IPC-D3150, IPC-D4250, IPC-D380, IPC-D880, IPC-D280, IPC-D3180, MC800N, YM500L, YM800N_N2, YMF50B, YM800SV2, YM500L8, and YM200E10 firmware v3.2.2.2 and lower and possibly more vendors/models of IP camera. | ||||
CVE-2024-31684 | 2025-02-13 | 3.5 Low | ||
Incorrect access control in the fingerprint authentication mechanism of Bitdefender Mobile Security v4.11.3-gms allows attackers to bypass fingerprint authentication due to the use of a deprecated API. | ||||
CVE-2022-32503 | 1 Nuki | 2 Fob, Keypad | 2025-02-13 | 7.6 High |
An issue was discovered on certain Nuki Home Solutions devices. An attacker with physical access to this JTAG port may be able to connect to the device and bypass both hardware and software security protections. This affects Nuki Keypad before 1.9.2 and Nuki Fob before 1.8.1. | ||||
CVE-2024-12857 | 1 Scriptsbundle | 1 Adforest | 2025-02-12 | 9.8 Critical |
The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the plugin not properly verifying a user's identity prior to logging them in as that user. This makes it possible for unauthenticated attackers to authenticate as any user as long as they have configured OTP login by phone number. | ||||
CVE-2023-30604 | 1 Hitrontech | 2 Coda-5310, Coda-5310 Firmware | 2025-02-12 | 9.8 Critical |
It is identified a vulnerability of insufficient authentication in the system configuration interface of Hitron Technologies CODA-5310. An unauthorized remote attacker can exploit this vulnerability to access system configuration interface, resulting in performing arbitrary system operation or disrupt service. | ||||
CVE-2023-32680 | 1 Metabase | 1 Metabase | 2025-02-12 | 5.8 Medium |
Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database–but affected versions of Metabase didn't enforce that requirement. This lack of enforcement meant that: Anyone–including people in sandboxed groups–could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandboxed groups could edit a SQL snippet used in a query that creates their sandbox. If the snippet contained logic that restricted which data that person could see, they could potentially edit that snippet and change their level of data access. The permissions model for SQL snippets has been fixed in Metabase versions 0.46.3, 0.45.4, 0.44.7, 1.46.3, 1.45.4, and 1.44.7. Users are advised to upgrade. Users unable to upgrade should ensure that SQL queries used to create sandboxes exclude SQL snippets. | ||||
CVE-2024-6635 | 1 Wpwebelite | 1 Woocommerce Social Login | 2025-02-11 | 7.3 High |
The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.3. This is due to insufficient controls in the 'woo_slg_login_email' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, excluding an administrator, if they know the email of user. | ||||
CVE-2024-10649 | 2025-02-11 | N/A | ||
wandb/openui latest commit c945bb859979659add5f490a874140ad17c56a5d contains a vulnerability where unauthenticated endpoints allow file uploads and downloads from an AWS S3 bucket. This can lead to multiple security issues including denial of service, stored XSS, and information disclosure. The affected endpoints are '/v1/share/{id:str}' for uploading and '/v1/share/{id:str}' for downloading JSON files. The lack of authentication allows any user to upload and overwrite files, potentially causing the S3 bucket to run out of space, injecting malicious scripts, and accessing sensitive information. | ||||
CVE-2024-36555 | 2025-02-10 | 9.8 Critical | ||
Built-in SMS-configuration command in Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b allows malicious users to change the device IMEI-number which allows for forging the identity of the device. | ||||
CVE-2024-36470 | 1 Jetbrains | 1 Teamcity | 2025-02-07 | 8.1 High |
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific edge cases | ||||
CVE-2023-24527 | 1 Sap | 1 Netweaver As Java For Deploy Service | 2025-02-07 | 5.3 Medium |
SAP NetWeaver AS Java for Deploy Service - version 7.5, does not perform any access control checks for functionalities that require user identity enabling an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify server settings and data with no effect on availability and integrity. | ||||
CVE-2023-27267 | 1 Sap | 1 Diagnostics Agent | 2025-02-07 | 9 Critical |
Due to missing authentication and insufficient input validation, the OSCommand Bridge of SAP Diagnostics Agent - version 720, allows an attacker with deep knowledge of the system to execute scripts on all connected Diagnostics Agents. On successful exploitation, the attacker can completely compromise confidentiality, integrity and availability of the system. | ||||
CVE-2023-27497 | 2 Microsoft, Sap | 2 Windows, Diagnostics Agent | 2025-02-07 | 10 Critical |
Due to missing authentication and input sanitization of code the EventLogServiceCollector of SAP Diagnostics Agent - version 720, allows an attacker to execute malicious scripts on all connected Diagnostics Agents running on Windows. On successful exploitation, the attacker can completely compromise confidentiality, integrity and availability of the system. | ||||
CVE-2023-27747 | 1 Blackvue | 4 Dr750-2ch Ir Lte, Dr750-2ch Ir Lte Firmware, Dr750-2ch Lte and 1 more | 2025-02-07 | 7.5 High |
BlackVue DR750-2CH LTE v.1.012_2022.10.26 does not employ authentication in its web server. This vulnerability allows attackers to access sensitive information such as configurations and recordings. | ||||
CVE-2023-28761 | 1 Sap | 1 Netweaver Enterprise Portal | 2025-02-07 | 6.5 Medium |
In SAP NetWeaver Enterprise Portal - version 7.50, an unauthenticated attacker can attach to an open interface and make use of an open API to access a service which will enable them to access or modify server settings and data, leading to limited impact on confidentiality and integrity. | ||||
CVE-2024-7503 | 2 Wpweb, Wpwebelite | 2 Woocommerce Social Login, Woocommerce Social Login | 2025-02-07 | 9.8 Critical |
The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.5. This is due to the use of loose comparison of the activation code in the 'woo_slg_confirm_email_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the userID. This requires the email module to be enabled. | ||||
CVE-2024-27942 | 1 Siemens | 1 Ruggedcom Crossbow | 2025-02-06 | 7.5 High |
A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow any unauthenticated client to disconnect any active user from the server. An attacker could use this vulnerability to prevent any user to perform actions in the system, causing a denial of service situation. | ||||
CVE-2024-2860 | 1 Broadcom | 1 Brocade Sannav | 2025-02-06 | 7.8 High |
The PostgreSQL implementation in Brocade SANnav versions before 2.3.0a is vulnerable to an incorrect local authentication flaw. An attacker accessing the VM where the Brocade SANnav is installed can gain access to sensitive data inside the PostgreSQL database. | ||||
CVE-2023-29411 | 2 Microsoft, Schneider-electric | 7 Windows 10, Windows 11, Windows Server 2016 and 4 more | 2025-02-05 | 9.8 Critical |
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface. | ||||
CVE-2023-29413 | 2 Microsoft, Schneider-electric | 7 Windows 10, Windows 11, Windows Server 2016 and 4 more | 2025-02-05 | 7.5 High |
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor service. |