Total
4302 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-23612 | 1 Amazon | 1 Opensearch | 2025-03-10 | 4.7 Medium |
| OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs where the leading and trailing whitespace is trimmed, allowing users to potentially claim roles they are not assigned to if any role matches the whitespace-stripped version of the roles they are a member of. This issue is only present for authenticated users, and it requires either the existence of roles that match, not considering leading/trailing whitespace, or the ability for users to create said matching roles. In addition, the Identity Provider must allow leading and trailing spaces in role names. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. There are no known workarounds for this issue. | ||||
| CVE-2024-27767 | 1 Unitronics | 1 Unilogic | 2025-03-10 | 10 Critical |
| CWE-287: Improper Authentication may allow Authentication Bypass | ||||
| CVE-2023-25931 | 1 Medtronic | 2 Interstim X Clinician, Micro Clinician | 2025-03-07 | 6.4 Medium |
| Medtronic identified that the Pelvic Health clinician apps, which are installed on the Smart Programmer mobile device, have a password vulnerability that requires a security update to fix. Not updating could potentially result in unauthorized control of the clinician therapy application, which has greater control over therapy parameters than the patient app. Changes still cannot be made outside of the established therapy parameters of the programmer. For unauthorized access to occur, an individual would need physical access to the Smart Programmer. | ||||
| CVE-2023-1065 | 1 Snyk | 1 Kubernetes Monitor | 2025-03-07 | 6.5 Medium |
| This vulnerability in the Snyk Kubernetes Monitor can result in irrelevant data being posted to a Snyk Organization, which could in turn obfuscate other, relevant, security issues. It does not expose the user of the integration to any direct security risk and no user data can be leaked. To exploit the vulnerability the attacker does not need to be authenticated to Snyk but does need to know the target's Integration ID (which may or may not be the same as the Organization ID, although this is an unpredictable UUID in either case). | ||||
| CVE-2021-41265 | 1 Dpgaspar | 1 Flask-appbuilder | 2025-03-07 | 8.1 High |
| Flask-AppBuilder is a development framework built on top of Flask. Versions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. This only affects non-database authentication types and new REST API endpoints. Users should upgrade to Flask-AppBuilder 3.3.4 to receive a patch. | ||||
| CVE-2022-48364 | 1 Joinmastodon | 1 Mastodon | 2025-03-06 | 4.3 Medium |
| The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive. | ||||
| CVE-2023-42554 | 1 Samsung | 1 Pass | 2025-03-06 | 5.4 Medium |
| Improper Authentication vulnerability in Samsung Pass prior to version 4.3.00.17 allows physical attackers to bypass authentication. | ||||
| CVE-2023-0228 | 1 Abb | 1 Symphony Plus S+ Operations | 2025-03-05 | 8.8 High |
| Improper Authentication vulnerability in ABB Symphony Plus S+ Operations. This issue affects Symphony Plus S+ Operations: from 2.X through 2.1 SP2, 2.2, from 3.X through 3.3 SP1, 3.3 SP2. | ||||
| CVE-2022-35401 | 1 Asus | 2 Rt-ax82u, Rt-ax82u Firmware | 2025-03-05 | 8.1 High |
| An authentication bypass vulnerability exists in the get_IFTTTTtoken.cgi functionality of Asus RT-AX82U 3.0.0.4.386_49674-ge182230. A specially-crafted HTTP request can lead to full administrative access to the device. An attacker would need to send a series of HTTP requests to exploit this vulnerability. | ||||
| CVE-2023-1477 | 1 Hypr | 1 Keycloak Authenticator | 2025-03-05 | 7.2 High |
| Improper Authentication vulnerability in HYPR Keycloak Authenticator Extension allows Authentication Abuse. This issue affects HYPR Keycloak Authenticator Extension: before 7.10.2, before 8.0.3. | ||||
| CVE-2024-5044 | 1 Emlog | 1 Emlog | 2025-03-05 | 3.7 Low |
| A vulnerability was found in Emlog Pro 2.3.4. It has been classified as problematic. This affects an unknown part of the component Cookie Handler. The manipulation of the argument AuthCookie leads to improper authentication. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-264741 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-38810 | 1 Vmware | 1 Spring Security | 2025-02-28 | 6.5 Medium |
| Missing Authorization when using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective. | ||||
| CVE-2022-44574 | 1 Ivanti | 1 Avalanche | 2025-02-28 | 7.5 High |
| An improper authentication vulnerability exists in Avalanche version 6.3.x and below that allows an unauthenticated attacker to modify properties on a specific port. | ||||
| CVE-2023-29463 | 1 Rockwellautomation | 1 Pavilion8 | 2025-02-27 | 8.8 High |
| The JMX Console within the Rockwell Automation Pavilion8 is exposed to application users and does not require authentication. If exploited, a malicious user could potentially retrieve other application users’ session data and or log users out of their session. | ||||
| CVE-2023-28540 | 1 Qualcomm | 304 315 5g Iot Modem, 315 5g Iot Modem Firmware, Apq5053-aa and 301 more | 2025-02-27 | 9.1 Critical |
| Cryptographic issue in Data Modem due to improper authentication during TLS handshake. | ||||
| CVE-2023-4562 | 1 Mitsubishielectric | 380 Fx3g-14 Mr/ds, Fx3g-14 Mr/ds Firmware, Fx3g-14 Mr/es and 377 more | 2025-02-27 | 9.1 Critical |
| Improper Authentication vulnerability in Mitsubishi Electric Corporation MELSEC-F Series main modules allows a remote unauthenticated attacker to obtain sequence programs from the product or write malicious sequence programs or improper data in the product without authentication by sending illegitimate messages. | ||||
| CVE-2023-46290 | 1 Rockwellautomation | 1 Factorytalk Services Platform | 2025-02-27 | 8.1 High |
| Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk® Services Platform web service and then use the token to log in to FactoryTalk® Services Platform. This vulnerability can only be exploited if the authorized user did not previously log in to the FactoryTalk® Services Platform web service. | ||||
| CVE-2025-27112 | 1 Navidrome | 1 Navidrome | 2025-02-27 | 6.5 Medium |
| Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a "permission denied" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue. | ||||
| CVE-2022-25768 | 1 Acquia | 1 Mautic | 2025-02-27 | 7 High |
| The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required. | ||||
| CVE-2023-23857 | 1 Sap | 1 Netweaver Application Server For Java | 2025-02-27 | 9.9 Critical |
| Due to a missing authentication check, SAP NetWeaver AS for Java, version 7.50, allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems. On successful exploitation, the attacker can read and modify some sensitive information, and can also lock up any element or operation of the system, making it unresponsive or unavailable. | ||||