Total
3923 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-23637 | 1 Octoprint | 1 Octoprint | 2025-06-17 | 4.2 Medium |
| OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0. | ||||
| CVE-2024-23647 | 1 Goauthentik | 1 Authentik | 2025-06-17 | 6.5 Medium |
| Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue. | ||||
| CVE-2024-0879 | 1 Mintplexlabs | 1 Vector Admin | 2025-06-17 | 6.5 Medium |
| Authentication bypass in vector-admin allows a user to register to a vector-admin server while “domain restriction” is active, even when not owning an authorized email address. | ||||
| CVE-2023-48257 | 1 Bosch | 21 Nexo-os, Nexo Cordless Nutrunner Nxa011s-36v-b \(0608842012\), Nexo Cordless Nutrunner Nxa011s-36v \(0608842011\) and 18 more | 2025-06-17 | 7.8 High |
| The vulnerability allows a remote attacker to access sensitive data inside exported packages or obtain up to Remote Code Execution (RCE) with root privileges on the device. The vulnerability can be exploited directly by authenticated users, via crafted HTTP requests, or indirectly by unauthenticated users, by accessing already-exported backup packages, or crafting an import package and inducing an authenticated victim into sending the HTTP upload request. | ||||
| CVE-2024-3701 | 1 Tecno | 1 Hios | 2025-06-17 | 9.8 Critical |
| The system application (com.transsion.kolun.aiservice) component does not perform an authentication check, which allows attackers to perform malicious exploitations and affect system services. | ||||
| CVE-2023-48865 | 1 Reportico | 1 Reportico | 2025-06-17 | 6.5 Medium |
| An issue discovered in Reportico Till 8.1.0 allows attackers to obtain sensitive information via execute_mode parameter of the URL. | ||||
| CVE-2024-29757 | 1 Google | 1 Android | 2025-06-17 | 7.3 High |
| there is a possible permission bypass due to Debug certs being allowlisted. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-5985 | 1 Fabian | 1 School Fees Payment System | 2025-06-17 | 7.3 High |
| A vulnerability was found in code-projects School Fees Payment System 1.0 and classified as critical. Affected by this issue is some unknown functionality. The manipulation leads to improper authentication. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-21632 | 1 Recognizeapp | 1 Omniauth\ | 2025-06-17 | 8.6 High |
| omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the `email` attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the `email` is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue. | ||||
| CVE-2024-11917 | 2025-06-17 | 8.1 High | ||
| The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.9.2. This is due to improper configurations in the 'jobsearch_xing_response_data_callback', 'set_access_tokes', and 'google_callback' functions. This makes it possible for unauthenticated attackers to log in as the first connected Xing user, or any connected Xing user if the Xing id is known. It is also possible for unauthenticated attackers to log in as the first connected Google user if the user has logged in, without subsequently logging out, in thirty days. The vulnerability was partially patched in version 2.8.4. | ||||
| CVE-2024-24279 | 1 Secdiskapp | 1 Secdiskapp | 2025-06-17 | 8.8 High |
| An issue in secdiskapp 1.5.1 (management program for NewQ Fingerprint Encryption Super Speed Flash Disk) allows attackers to gain escalated privileges via vsVerifyPassword and vsSetFingerPrintPower functions. | ||||
| CVE-2025-6083 | 2025-06-17 | N/A | ||
| In ExtremeCloud Universal ZTNA, a syntax error in the 'searchKeyword' condition caused queries to bypass the owner_id filter. This issue may allow users to search data across the entire table instead of being restricted to their specific owner_id. | ||||
| CVE-2023-47256 | 1 Connectwise | 2 Automate, Screenconnect | 2025-06-17 | 5.5 Medium |
| ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy settings | ||||
| CVE-2021-3784 | 1 Garudalinux | 1 Garuda Linux | 2025-06-17 | 5.3 Medium |
| Garuda Linux performs an insecure user creation and authentication that allows any user to impersonate the created account. By creating users from the 'Garuda settings manager', an insecure procedure is performed that keeps the created user without an assigned password during some seconds. This could allow a potential attacker to exploit this vulnerability in order to authenticate without knowing the password. | ||||
| CVE-2025-25504 | 1 Niceforyou | 2 Gefen Gf-avip-mc Firmware, Gefen Webfwc | 2025-06-17 | 6.5 Medium |
| An issue in the /usr/local/bin/jncs.sh script of Gefen WebFWC (In AV over IP products) v1.85h, v1.86v, and v1.70 allows attackers with network access to connect to the device over TCP port 4444 without authentication and execute arbitrary commands with root privileges. | ||||
| CVE-2024-28735 | 2 Coda, Unit4 | 2 Unit 4 Financials, Financials By Coda | 2025-06-17 | 8.1 High |
| Unit4 Financials by Coda versions prior to 2023Q4 suffer from an incorrect access control authorization bypass vulnerability which allows an authenticated user to modify the password of any user of the application via a crafted request. | ||||
| CVE-2023-51717 | 1 Dataiku | 1 Data Science Studio | 2025-06-16 | 9.8 Critical |
| Dataiku DSS before 11.4.5 and 12.4.1 has Incorrect Access Control that could lead to a full authentication bypass. | ||||
| CVE-2024-38822 | 2025-06-16 | 2.7 Low | ||
| Multiple methods in the salt master skip minion token validation. Therefore a misbehaving minion can impersonate another minion. | ||||
| CVE-2025-6172 | 2025-06-16 | 9.8 Critical | ||
| Permission vulnerability in the mobile application (com.afmobi.boomplayer) may lead to the risk of unauthorized operation. | ||||
| CVE-2024-38825 | 2025-06-16 | 6.4 Medium | ||
| The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted. | ||||