Filtered by CWE-287 (Improper Authentication)
No vendor filter applied
Total 3675 CVE
CVE  Vendors (count, name)  Products (count, name)  Updated  CVSS v3.1 (score, severity)
CVE-2023-37226 1 Loftware 1 Spectrum 2024-09-10 9.8 Critical
Loftware Spectrum before 4.6 HF14 has Missing Authentication for a Critical Function.
CVE-2024-40713 1 Veeam 1 Backup & Replication 2024-09-09 N/A
A vulnerability that allows a user who has been assigned a low-privileged role within Veeam Backup & Replication to alter Multi-Factor Authentication (MFA) settings and bypass MFA.
CVE-2024-5956 1 Trellix 1 Intrusion Prevention System Manager 2024-09-06 6.5 Medium
This vulnerability allows unauthenticated remote attackers to bypass authentication and gain partial data access to the vulnerable Trellix IPS Manager; the responses returned consist mostly of garbage data.
CVE-2024-5957 1 Trellix 1 Intrusion Prevention System Manager 2024-09-06 6.3 Medium
This vulnerability allows unauthenticated remote attackers to bypass authentication and gain access to the Manager's APIs.
CVE-2024-8181 1 Flowiseai 1 Flowise 2024-09-06 9.8 Critical
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API endpoints as an administrator and allow them to access restricted functionality.
CVE-2024-7401 1 Netskope 1 Netskope 2024-09-05 7.5 High
Netskope was notified about a security gap in the Netskope Client enrollment process, where NSClient uses a static token (“Orgkey”) as the authentication parameter. Because the token is static, it cannot be rotated or revoked if leaked. A malicious actor can use this token to enroll NSClient in a customer’s tenant and impersonate a user.
CVE-2024-7346 1 Progress 1 Openedge 2024-09-05 7.2 High
Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection. This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security. The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.
CVE-2024-44821 1 Zzcms 1 Zzcms 2024-09-05 5.3 Medium
ZZCMS 2023 contains a vulnerability in the captcha reuse logic located in /inc/function.php. The checkyzm function does not properly refresh the captcha value after a failed validation attempt. As a result, an attacker can exploit this flaw by repeatedly submitting the same incorrect captcha response, allowing them to capture the correct captcha value through error messages.
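The replay described above, as an added example that is not ZZCMS's own code: a captcha verifier that keeps the same challenge value after a failed check can be brute-forced with unlimited submissions against one rendered image, whereas a verifier that consumes the challenge on every submission limits the attacker to one guess per image. The challenge space (4 decimal digits) and the session classes are constructed for the demonstration; the example models the non-refresh logic only, not the error-message handling.

```python
import itertools
import secrets
import string

# Constructed demo parameters: 4 decimal digits gives a 10,000-value challenge
# space, small enough to enumerate quickly here; real captchas use more.
ALPHABET = string.digits
LENGTH = 4


def new_captcha():
    """Generate a fresh challenge value (the text a captcha image would show)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


class VulnerableCaptchaSession:
    """Models the flaw described for checkyzm: the stored value survives a failed
    check, so one rendered challenge can be attacked with unlimited guesses."""

    def __init__(self, value=None):
        self.captcha = value or new_captcha()
        self.attempts = 0

    def check(self, answer):
        self.attempts += 1
        return answer == self.captcha  # value is NOT rotated on failure


class HardenedCaptchaSession:
    """Every submission consumes the challenge, pass or fail; the client must
    request a new image before it can try again."""

    def __init__(self, value=None):
        self.captcha = value or new_captcha()
        self.attempts = 0

    def check(self, answer):
        self.attempts += 1
        expected, self.captcha = self.captcha, None  # consume before comparing
        if expected is None:
            return False
        return secrets.compare_digest(answer, expected)

    def refresh(self):
        """Issue a new challenge (what the image endpoint would do)."""
        self.captcha = new_captcha()
        return self.captcha


def brute_force(session):
    """Attacker: replay submissions against the same challenge, enumerating the
    whole space. Returns (solved, attempts_used)."""
    for guess in itertools.product(ALPHABET, repeat=LENGTH):
        if session.check("".join(guess)):
            return True, session.attempts
    return False, session.attempts


if __name__ == "__main__":
    print("vulnerable:", brute_force(VulnerableCaptchaSession()))
    print("hardened:  ", brute_force(HardenedCaptchaSession()))
```

Against the vulnerable session the loop always ends with `solved == True`; against the hardened one only the first guess is ever compared, every later call returns False until `refresh()` is called, which also means a rate limit on the image endpoint becomes an effective rate limit on guesses.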
CVE-2024-7745 1 Progress 1 Ws Ftp Server 2024-09-04 6.5 Medium
In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.
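A "missing critical step" of this kind, as an added example that is not WS_FTP's code: the flawed flow marks the session authenticated as soon as the password checks out and merely redirects to the second-factor page, so a client that never visits that page can call protected handlers directly. The hardened flow keeps a separate pending state that grants nothing until the second factor is verified. The user store, the delivered-code table and the handler names are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed user store (not the product's): plaintext stand-in for a password
# hash, used only so the demo is self-contained.
USERS = {"alice": {"password": "correct horse battery staple"}}

# "Delivered" second-factor codes keyed by user, standing in for SMS/push/TOTP.
DELIVERED_CODES = {}


def password_ok(user, password):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)


def send_second_factor(user):
    code = "%06d" % secrets.randbelow(1_000_000)
    DELIVERED_CODES[user] = code  # in reality this reaches the user's device
    return code


class VulnerableWebTransfer:
    """Missing critical step: /login marks the session authenticated before the
    second factor is verified, and protected pages never check that it was."""

    def login(self, session, user, password):
        if not password_ok(user, password):
            return 401
        session["user"] = user          # authenticated too early
        session["mfa_pending"] = True
        send_second_factor(user)
        return 302                      # redirect to /mfa, which the client may skip

    def mfa(self, session, code):
        user = session.get("user")
        if user and hmac.compare_digest(DELIVERED_CODES.get(user, ""), code):
            session.pop("mfa_pending", None)
            return 200
        return 401

    def files(self, session):
        return 200 if "user" in session else 401   # ignores mfa_pending


class HardenedWebTransfer:
    """The session only gains 'user' when the second factor succeeds; until then
    it holds a separate 'pending_user' that no protected handler accepts."""

    def login(self, session, user, password):
        if not password_ok(user, password):
            return 401
        session["pending_user"] = user
        send_second_factor(user)
        return 302

    def mfa(self, session, code):
        user = session.get("pending_user")
        expected = DELIVERED_CODES.get(user, "") if user else ""
        if user and hmac.compare_digest(expected, code):
            DELIVERED_CODES.pop(user, None)   # single use
            session.clear()                   # rotate state on privilege change
            session["user"] = user
            return 200
        return 401

    def files(self, session):
        return 200 if "user" in session else 401
```

The check that matters is structural: `files()` is identical in both classes, so the fix is that in the hardened flow no code path writes `session["user"]` except a successful `mfa()`.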
CVE-2024-43409 1 Ghost 1 Ghost 2024-09-03 6.5 Medium
Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a fix for this issue.
CVE-2024-42164 1 Fiware 1 Keyrock 2024-08-29 4.3 Medium
Insufficiently random values used to generate password reset tokens in FIWARE Keyrock <= 8.4 allow attackers to disable two-factor authentication for any user by predicting the token in the disable_2fa link.
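The prediction attack above, as an added example that is not Keyrock's code: a link token derived from a non-cryptographic PRNG seeded with the request time can be regenerated by anyone who knows roughly when the link was issued, because the attacker only has to enumerate a window of seeds. The service class, the weak generator and the `disable_2fa` purpose string are constructed for the demonstration; the hardened variant uses `secrets.token_urlsafe`, stores only a hash of the token, expires it, and consumes it on first use.

```python
import hashlib
import random
import secrets


def weak_token(now):
    """Constructed weak generator (not Keyrock's code): seeds a non-cryptographic
    PRNG with the request time in whole seconds, so the token is a pure function
    of a value the attacker can estimate."""
    rng = random.Random(int(now))
    return "%016x" % rng.getrandbits(64)


def strong_token(now):
    """CSPRNG token; `now` is ignored, the value carries nothing to predict."""
    return secrets.token_urlsafe(32)


def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()


class LinkService:
    """Issues one-time, expiring links such as reset_password or disable_2fa.
    Only a hash of the token is kept server side, so reading the table does
    not yield usable links."""

    TTL = 900  # seconds

    def __init__(self, token_fn):
        self.token_fn = token_fn
        self._pending = {}  # sha256(token) -> (user, purpose, expires_at)

    def issue(self, user, purpose, now):
        token = self.token_fn(now)
        self._pending[_h(token)] = (user, purpose, now + self.TTL)
        return token

    def redeem(self, token, purpose, now):
        """Return the user the link belongs to, or None. The entry is removed on
        first presentation regardless of outcome, so a link cannot be replayed."""
        rec = self._pending.pop(_h(token), None)
        if rec is None:
            return None
        user, issued_for, expires_at = rec
        if issued_for != purpose or now > expires_at:
            return None
        return user


def predict_from_clock(service, user, purpose, observed_time, now, window=60):
    """Attacker: knows the victim's link was issued within `window` seconds of
    `observed_time` (e.g. from the notification mail's Date header, or by
    triggering the request). Enumerates every seed and tries each candidate."""
    for t in range(int(observed_time) - window, int(observed_time) + window + 1):
        candidate = weak_token(t)
        if service.redeem(candidate, purpose, now) == user:
            return candidate
    return None
```

Binding the stored record to a purpose also stops a token issued for a password reset from being presented to the `disable_2fa` handler, a separate confusion that hashing and randomness alone do not address.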
CVE-2024-4784 1 Gitlab 1 Gitlab 2024-08-29 4.2 Medium
An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy.
CVE-2024-25157 1 Fortra 1 Goanywhere Managed File Transfer 2024-08-29 6.5 Medium
An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. This could lead to unauthorized information disclosure or modification.
CVE-2024-42462 1 Upkeeper 1 Upkeeper Manager 2024-08-28 9.8 Critical
Improper Authentication vulnerability in upKeeper Solutions product upKeeper Manager allows Authentication Bypass. This issue affects upKeeper Manager: through 5.1.9.
CVE-2024-45036 2024-08-27 N/A
Tophat is a mobile applications testing harness. An Improper Access Control vulnerability can expose the `TOPHAT_APP_TOKEN` token stored in `~/.tophatrc` through use of a malicious Tophat URL controlled by the attacker. The vulnerability allows Tophat to send this token to the attacker's server without any checks to ensure that the server is trusted. This token can then be used to access internal build artifacts, for mobile applications, not intended to be public. The issue has been patched as of version 1.10.0. The ability to request artifacts using a Tophat API has been deprecated as this flow was inherently insecure. Systems that have implemented this kind of endpoint should cease use and invalidate the token immediately. There are no workarounds and all users should update as soon as possible.
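The token leak described above, as an added example that is not Tophat's code: a URL handler that attaches a stored bearer token to whatever host the incoming URL names will hand it to an attacker's server, while a handler that compares the parsed hostname against an allowlist and insists on HTTPS will not. The `tophat://` query layout, the `url` parameter name and the trusted host are assumptions made for the demonstration.

```python
from urllib.parse import parse_qs, urlparse

# Assumption for the demo: the artifact host the organisation actually operates.
TRUSTED_ARTIFACT_HOSTS = {"artifacts.example.com"}


def _target_from(tophat_url):
    """Pull the artifact URL out of the custom-scheme link's query string."""
    return parse_qs(urlparse(tophat_url).query).get("url", [None])[0]


def vulnerable_artifact_request(tophat_url, token):
    """The flaw described: the token goes to whatever host the link names."""
    target = _target_from(tophat_url)
    if not target:
        return None
    return target, {"Authorization": f"Bearer {token}"}


def hardened_artifact_request(tophat_url, token):
    """Sends the token only over HTTPS to an allowlisted host. Compares the
    parsed hostname, so userinfo tricks like https://trusted@evil/ are rejected
    because urlparse reports 'evil' as the host."""
    target = _target_from(tophat_url)
    if not target:
        return None
    p = urlparse(target)
    if p.scheme != "https" or p.hostname is None:
        return None
    if p.hostname.lower() not in TRUSTED_ARTIFACT_HOSTS:
        return None
    return target, {"Authorization": f"Bearer {token}"}
```

The allowlist is the minimum; the advisory's own conclusion, that a link-triggered flow which carries a long-lived token is inherently unsafe, argues for removing the token from the URL flow altogether.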
CVE-2024-42336 1 Servision 1 Ivg Webmax 2024-08-27 8.2 High
Servision - CWE-287: Improper Authentication
CVE-2024-7746 1 Traccar 2 Server, Traccar 2024-08-22 9.8 Critical
Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Authentication Abuse. This issue affects the privileged transactions implemented by the Traccar solution that should otherwise be protected by the authentication mechanism. These transactions could have an impact on any sensitive aspect of the platform, including Confidentiality, Integrity and Availability.
CVE-2024-37028 1 F5 1 Big-ip Next Central Manager 2024-08-20 5.3 Medium
BIG-IP Next Central Manager may allow an attacker to lock out an account that has never been logged in. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2024-38810 2024-08-20 6.5 Medium
Missing Authorization when using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective.
CVE-2024-6078 1 Rockwellautomation 1 Datamosaix 2024-08-19 N/A
Impact: An improper authentication vulnerability exists in the affected product, which could allow a malicious user to generate cookies for any user ID without the use of a username or password. If exploited, a malicious user could take over the account of a legitimate user and view and modify data stored in the cloud.
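Cookie minting without credentials, as an added example that is not the product's code: if the session cookie is an unsigned encoding of the user ID, anyone can build one for any account, and an endpoint that turns a bare user ID into a cookie makes it official. The hardened version checks a password hash before minting and authenticates the cookie with an HMAC under a server-side key, so neither the mint endpoint nor the cookie format can be abused. The user store, salt and key handling are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed credential store (not the product's): PBKDF2 hash of the password.
# A real system uses a random salt per user.
_SALT = b"demo-salt"
USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 100_000),
}

# Server-side HMAC key for cookies, generated at start-up for this demo.
COOKIE_KEY = secrets.token_bytes(32)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def vulnerable_issue_cookie(user_id):
    """The flawed pattern: a cookie endpoint that takes a user id and nothing
    else. Because the cookie is unsigned, the client does not even need it."""
    return _b64(json.dumps({"uid": user_id}).encode())


def vulnerable_parse_cookie(cookie):
    return json.loads(_unb64(cookie))["uid"]


def sign_cookie(user_id, key=COOKIE_KEY):
    payload = _b64(json.dumps({"uid": user_id}).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def parse_signed_cookie(cookie, key=COOKIE_KEY):
    """Return the user id only if the tag verifies under the server key."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(_unb64(payload))["uid"]


def hardened_login(username, password):
    """Cookies are minted only after a credential check; the HMAC then stops
    clients from minting or altering them offline."""
    stored = USERS.get(username)
    if stored is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(candidate, stored):
        return None
    return sign_cookie(username)
```

Two independent controls are at work: the credential check stops the server from minting on request, and the HMAC stops the client from minting without the server. Dropping either one reproduces the described takeover.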