ReportizFlow
Filtered by vendor
Subscriptions
Total
4327 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-46773 | 1 Ibm | 3 Robotic Process Automation, Robotic Process Automation As A Service, Robotic Process Automation For Cloud Pak | 2025-02-26 | 4.3 Medium |
| IBM Robotic Process Automation 21.0.0 - 21.0.7 and 23.0.0 is vulnerable to client-side validation bypass for credential pools. Invalid credential pools may be created as a result. IBM X-Force ID: 242951. | ||||
| CVE-2025-1024 | 1 Churchcrm | 1 Churchcrm | 2025-02-26 | 4.8 Medium |
| A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw allows an attacker to steal session cookies, perform actions on behalf of an authenticated user, and gain unauthorized access to the application. | ||||
| CVE-2023-21027 | 1 Google | 1 Android | 2025-02-25 | 7.5 High |
| In multiple functions of PasspointXmlUtils.java, there is a possible authentication misconfiguration due to a logic error in the code. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-216854451 | ||||
| CVE-2023-27482 | 1 Home-assistant | 2 Home-assistant, Supervisor | 2025-02-25 | 10 Critical |
| homeassistant is an open source home automation tool. A remotely exploitable vulnerability bypassing authentication for accessing the Supervisor API through Home Assistant has been discovered. This impacts all Home Assistant installation types that use the Supervisor 2023.01.1 or older. Installation types, like Home Assistant Container (for example Docker), or Home Assistant Core manually in a Python environment, are not affected. The issue has been mitigated and closed in Supervisor version 2023.03.1, which has been rolled out to all affected installations via the auto-update feature of the Supervisor. This rollout has been completed at the time of publication of this advisory. Home Assistant Core 2023.3.0 included mitigation for this vulnerability. Upgrading to at least that version is thus advised. In case one is not able to upgrade the Home Assistant Supervisor or the Home Assistant Core application at this time, it is advised to not expose your Home Assistant instance to the internet. | ||||
| CVE-2023-27582 | 1 Maddy Project | 1 Maddy | 2025-02-25 | 9.1 Critical |
| maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified username, it is accepted as is after checking the credentials for the authentication username. maddy 0.6.3 includes the fix for the bug. There are no known workarounds. | ||||
| CVE-2025-0981 | 1 Churchcrm | 1 Churchcrm | 2025-02-21 | 6.1 Medium |
| A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field, which captures the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking. It can also lead to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorised access to sensitive information. | ||||
| CVE-2022-28666 | 1 Yikesinc | 1 Custom Product Tabs For Woocommerce | 2025-02-20 | 5.3 Medium |
| Broken Access Control vulnerability in YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 at WordPress leading to &yikes-the-content-toggle option update. | ||||
| CVE-2022-36296 | 1 Jumpdemand | 1 Activedemand | 2025-02-20 | 6.5 Medium |
| Broken Authentication vulnerability in JumpDEMAND Inc. ActiveDEMAND plugin <= 0.2.27 at WordPress allows unauthenticated post update/create/delete. | ||||
| CVE-2022-34149 | 1 Miniorange | 1 Wp Oauth Server | 2025-02-20 | 9.8 Critical |
| Authentication Bypass vulnerability in miniOrange WP OAuth Server plugin <= 3.0.4 at WordPress. | ||||
| CVE-2022-4126 | 4 Abb, Apple, Linux and 1 more | 4 Rccmd, Macos, Linux Kernel and 1 more | 2025-02-19 | 9.6 Critical |
| Use of Default Password vulnerability in ABB RCCMD on Windows, Linux, MacOS allows Try Common or Default Usernames and Passwords.This issue affects RCCMD: before 4.40 230207. | ||||
| CVE-2025-1044 | 1 Logsign | 1 Unified Secops Platform | 2025-02-19 | 9.8 Critical |
| Logsign Unified SecOps Platform Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Logsign Unified SecOps Platform. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web service, which listens on TCP port 443 by default. The issue results from the lack of proper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25336. | ||||
| CVE-2023-27091 | 1 Teacms Project | 1 Teacms | 2025-02-18 | 7.2 High |
| An unauthorized access issue found in XiaoBingby TeaCMS 2.3.3 allows attackers to escalate privileges via the id and keywords parameter(s). | ||||
| CVE-2021-28235 | 2 Etcd, Redhat | 2 Etcd, Openstack | 2025-02-18 | 9.8 Critical |
| Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function. | ||||
| CVE-2023-28503 | 2 Linux, Rocketsoftware | 3 Linux Kernel, Unidata, Universe | 2025-02-18 | 9.8 Critical |
| Rocket Software UniData versions prior to 8.2.4 build 3003 and UniVerse versions prior to 11.3.5 build 1001 or 12.2.1 build 2002 suffer from an authentication bypass vulnerability, where a special username with a deterministic password can be leveraged to bypass authentication checks and execute OS commands as the root user. | ||||
| CVE-2023-28862 | 1 Lemonldap-ng | 1 Lemonldap\ | 2025-02-14 | 9.8 Critical |
| An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session. | ||||
| CVE-2021-4073 | 1 Metagauss | 1 Registrationmagic | 2025-02-14 | 9.8 Critical |
| The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site due to missing identity validation in the social login function social_login_using_email() of the plugin. This affects versions equal to, and less than, 5.0.1.7. | ||||
| CVE-2022-43620 | 1 Dlink | 2 Dir-1935, Dir-1935 Firmware | 2025-02-14 | 8.8 High |
| This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-1935 1.03 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue results from the lack of proper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-16142. | ||||
| CVE-2023-27536 | 6 Debian, Fedoraproject, Haxx and 3 more | 16 Debian Linux, Fedora, Libcurl and 13 more | 2025-02-14 | 5.9 Medium |
| An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed. | ||||
| CVE-2023-38372 | 1 Ibm | 1 Watson Iot Platform | 2025-02-14 | 5.9 Medium |
| An unauthorized attacker who has obtained an IBM Watson IoT Platform 1.0 security authentication token can use it to impersonate an authorized platform user. IBM X-Force ID: 261201. | ||||
| CVE-2023-39196 | 1 Apache | 1 Ozone | 2025-02-13 | 5.3 Medium |
| Improper Authentication vulnerability in Apache Ozone. The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability. The accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone. This issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0. Users are recommended to upgrade to version 1.4.0, which fixes the issue. | ||||