Total
3369 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-2437 | 1 Userproplugin | 1 Userpro | 2024-02-28 | N/A | 8.1 HIGH |
| The UserPro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.1. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. An attacker can leverage CVE-2023-2448 and CVE-2023-2446 to get the user's email address to successfully exploit this vulnerability. | |||||
| CVE-2023-40038 | 1 Arris | 4 Dg1670a, Dg1670a Firmware, Dg860a and 1 more | 2024-02-28 | N/A | 8.8 HIGH |
| Arris DG860A and DG1670A devices have predictable default WPA2 PSKs that could lead to unauthorized remote access. (They use the first 6 characters of the SSID and the last 6 characters of the BSSID, decrementing the last digit.) | |||||
| CVE-2023-6354 | 1 Tylertech | 1 Court Case Management Plus | 2024-02-28 | N/A | 9.4 CRITICAL |
| Tyler Technologies Magistrate Court Case Management Plus allows an unauthenticated, remote attacker to upload, delete, and view files by manipulating the PDFViewer.aspx 'filename' parameter. | |||||
| CVE-2023-50275 | 1 Hp | 1 Oneview | 2024-02-28 | N/A | 7.5 HIGH |
| HPE OneView may allow clusterService Authentication Bypass resulting in denial of service. | |||||
| CVE-2024-24592 | 1 Clear | 1 Clearml | 2024-02-28 | N/A | 9.8 CRITICAL |
| Lack of authentication in all versions of the fileserver component of Allegro AI’s ClearML platform allows a remote attacker to arbitrarily access, create, modify and delete files. | |||||
| CVE-2023-48121 | 1 Ezviz | 8 Cs-c3n-a0-3h2wfrl, Cs-c3n-a0-3h2wfrl Firmware, Cs-c6cn-a0-3h2wfr and 5 more | 2024-02-28 | N/A | 5.3 MEDIUM |
| An authentication bypass vulnerability in the Direct Connection Module in Ezviz CS-C6N-xxx prior to v5.3.x build 20230401, Ezviz CS-CV310-xxx prior to v5.3.x build 20230401, Ezviz CS-C6CN-xxx prior to v5.3.x build 20230401, Ezviz CS-C3N-xxx prior to v5.3.x build 20230401 allows remote attackers to obtain sensitive information by sending crafted messages to the affected devices. | |||||
| CVE-2023-32453 | 1 Dell | 222 Alienware M15 R7, Alienware M15 R7 Firmware, Alienware M16 and 219 more | 2024-02-28 | N/A | 3.9 LOW |
| Dell BIOS contains an improper authentication vulnerability. A malicious user with physical access to the system may potentially exploit this vulnerability in order to modify a security-critical UEFI variable without knowledge of the BIOS administrator. | |||||
| CVE-2023-44397 | 1 Fit2cloud | 1 Cloudexplorer Lite | 2024-02-28 | N/A | 9.8 CRITICAL |
| CloudExplorer Lite is an open source, lightweight cloud management platform. Prior to version 1.4.1, the gateway filter of CloudExplorer Lite uses a controller with path starting with `matching/API/`, which can cause a permission bypass. Version 1.4.1 contains a patch for this issue. | |||||
| CVE-2023-41751 | 2 Acronis, Microsoft | 2 Agent, Windows | 2024-02-28 | N/A | 5.5 MEDIUM |
| Sensitive information disclosure due to improper token expiration validation. The following products are affected: Acronis Agent (Windows) before build 32047. | |||||
| CVE-2023-41900 | 2 Debian, Eclipse | 2 Debian Linux, Jetty | 2024-02-28 | N/A | 4.3 MEDIUM |
| Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue. | |||||
| CVE-2023-38735 | 1 Ibm | 1 Cognos Dashboards On Cloud Pak For Data | 2024-02-28 | N/A | 6.5 MEDIUM |
| IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a victim to a phishing site. IBM X-Force ID: 262482. | |||||
| CVE-2023-43809 | 1 Charm | 1 Soft Serve | 2024-02-28 | N/A | 7.5 HIGH |
| Soft Serve is a self-hostable Git server for the command line. Prior to version 0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active, through the `allow-keyless` setting, and the public key requires additional client-side verification for example using FIDO2 or GPG. This is due to insufficient validation procedures of the public key step during SSH request handshake, granting unauthorized access if the keyboard-interaction mode is utilized. An attacker could exploit this vulnerability by presenting manipulated SSH requests using keyboard-interactive authentication mode. This could potentially result in unauthorized access to the Soft Serve. Users should upgrade to the latest Soft Serve version `v0.6.2` to receive the patch for this issue. To workaround this vulnerability without upgrading, users can temporarily disable Keyboard-Interactive SSH Authentication using the `allow-keyless` setting. | |||||
| CVE-2023-40376 | 1 Ibm | 1 Urbancode Deploy | 2024-02-28 | N/A | 6.5 MEDIUM |
| IBM UrbanCode Deploy (UCD) 7.1 - 7.1.2.12, 7.2 through 7.2.3.5, and 7.3 through 7.3.2.0 under certain configurations could allow an authenticated user to make changes to environment variables due to improper authentication controls. IBM X-Force ID: 263581. | |||||
| CVE-2023-43805 | 1 Nexryai | 1 Nexkey | 2024-02-28 | N/A | 7.5 HIGH |
| Nexkey is a fork of Misskey, an open source, decentralized social media platform. Prior to version 12.121.9, incomplete URL validation can allow users to bypass authentication for access to the job queue dashboard. Version 12.121.9 contains a fix for this issue. As a workaround, it may be possible to avoid this by blocking access using tools such as Cloudflare's WAF. | |||||
| CVE-2023-43793 | 1 Misskey | 1 Misskey | 2024-02-28 | N/A | 7.5 HIGH |
| Misskey is an open source, decentralized social media platform. Prior to version 2023.9.0, by editing the URL, a user can bypass the authentication of the Bull dashboard, which is the job queue management UI, and access it. Version 2023.9.0 contains a fix. There are no known workarounds. | |||||
| CVE-2023-26150 | 1 Freeopcua | 1 Opcua-asyncio | 2024-02-28 | N/A | 7.5 HIGH |
| Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication. **Note:** This issue is a result of missing checks for services that require an active session. | |||||
| CVE-2023-37284 | 1 Tp-link | 2 Archer C20, Archer C20 Firmware | 2024-02-28 | N/A | 8.8 HIGH |
| Improper authentication vulnerability in Archer C20 firmware versions prior to 'Archer C20(JP)_V1_230616' allows a network-adjacent unauthenticated attacker to execute an arbitrary OS command via a crafted request to bypass authentication. | |||||
| CVE-2023-34998 | 1 Openautomationsoftware | 1 Oas Platform | 2024-02-28 | N/A | 8.1 HIGH |
| An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to arbitrary authentication. An attacker can sniff network traffic to trigger this vulnerability. | |||||
| CVE-2023-21307 | 1 Google | 1 Android | 2024-02-28 | N/A | 5.0 MEDIUM |
| In Bluetooth, there is a possible way for a paired Bluetooth device to access a long term identifier for an Android device due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2023-40260 | 1 Empowerid | 1 Empowerid | 2024-02-28 | N/A | 9.1 CRITICAL |
| EmpowerID before 7.205.0.1 allows an attacker to bypass an MFA (multi factor authentication) requirement if the first factor (username and password) is known, because the first factor is sufficient to change an account's email address, and the product would then send MFA codes to the new email address (which may be attacker-controlled). NOTE: this is different from CVE-2023-4177, which claims to be about "some unknown processing of the component Multi-Factor Authentication Code Handler" and thus cannot be correlated with other vulnerability information. | |||||