Total: 3327 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-6155 | 1 Ays-pro | 1 Quiz Maker | 2024-09-12 | N/A | 5.3 MEDIUM | The Quiz Maker WordPress plugin before 6.4.9.5 does not adequately authorize the `ays_quiz_author_user_search` AJAX action, allowing an unauthenticated attacker to search the site's users and thereby leak user email addresses.
CVE-2024-23470 | 1 Solarwinds | 1 Access Rights Manager | 2024-09-11 | N/A | 9.8 CRITICAL | SolarWinds Access Rights Manager is susceptible to a pre-authentication remote code execution vulnerability. If exploited, it allows an unauthenticated user to run commands and executables.
CVE-2024-23465 | 1 Solarwinds | 1 Access Rights Manager | 2024-09-10 | N/A | 9.8 CRITICAL | An authentication bypass vulnerability in SolarWinds Access Rights Manager allows an unauthenticated user to gain domain admin access within the Active Directory environment.
CVE-2024-23471 | 1 Solarwinds | 1 Access Rights Manager | 2024-09-10 | N/A | 9.8 CRITICAL | A remote code execution vulnerability in SolarWinds Access Rights Manager allows an authenticated user to abuse a SolarWinds service, resulting in remote code execution.
CVE-2023-37226 | | | 2024-09-10 | N/A | 9.8 CRITICAL | Loftware Spectrum before 4.6 HF14 has Missing Authentication for a Critical Function.
CVE-2023-45246 | 4 Acronis, Apple, Linux and 1 more | 4 Agent, Macos, Linux Kernel and 1 more | 2024-09-10 | N/A | 7.1 HIGH | Sensitive information disclosure and manipulation due to missing authorization. Affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 36343.
CVE-2023-44152 | 4 Acronis, Apple, Linux and 1 more | 4 Cyber Protect, Macos, Linux Kernel and 1 more | 2024-09-10 | N/A | 9.1 CRITICAL | Sensitive information disclosure and manipulation due to improper authentication. Affected: Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979.
CVE-2024-40713 | | | 2024-09-09 | N/A | 7.8 HIGH | A user assigned a low-privileged role within Veeam Backup & Replication can alter Multi-Factor Authentication (MFA) settings and bypass MFA.
CVE-2023-45038 | | | 2024-09-09 | N/A | 4.3 MEDIUM | An improper authentication vulnerability has been reported to affect Music Station. If exploited, it could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Music Station 5.4.0 and later.
CVE-2024-30939 | | | 2024-09-06 | N/A | 6.8 MEDIUM | Yealink VP59 Teams Edition devices with firmware version 91.15.0.118 allow a physically proximate attacker to gain control of an account via a flaw in the factory reset procedure.
CVE-2024-7593 | 1 Ivanti | 1 Virtual Traffic Management | 2024-09-06 | N/A | 9.8 CRITICAL | Incorrect implementation of an authentication algorithm in Ivanti vTM, in versions other than 22.2R1 and 22.7R2, allows a remote unauthenticated attacker to bypass authentication of the admin panel.
CVE-2024-37408 | | | 2024-09-06 | N/A | 7.3 HIGH | fprintd through 1.94.3 lacks a security attention mechanism, so unexpected actions might be authorized by "auth sufficient pam_fprintd.so" for sudo. NOTE: the supplier disputes this, holding that the fix is to restrict pam_fprintd.so in the PAM configuration to front-ends that implement a proper attention mechanism, not to modify pam_fprintd.so or fprintd.
CVE-2024-5956 | 1 Trellix | 1 Intrusion Prevention System Manager | 2024-09-06 | N/A | 5.3 MEDIUM | Unauthenticated remote attackers can bypass authentication and gain partial data access to the Trellix IPS Manager; the responses consist mostly of garbage data.
CVE-2024-5957 | 1 Trellix | 1 Intrusion Prevention System Manager | 2024-09-06 | N/A | 7.5 HIGH | Unauthenticated remote attackers can bypass authentication and gain access to the Manager's APIs.
CVE-2024-8181 | 1 Flowiseai | 1 Flowise | 2024-09-06 | N/A | 8.1 HIGH | An authentication bypass vulnerability exists in Flowise version 1.8.2. It could allow a remote, unauthenticated attacker to access API endpoints as an administrator and reach restricted functionality.
CVE-2024-7012 | 1 Redhat | 1 Satellite | 2024-09-05 | N/A | 9.8 CRITICAL | An authentication bypass vulnerability has been identified in Foreman when deployed with External Authentication, due to the puppet-foreman configuration. Apache's mod_proxy does not properly unset headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. The flaw affects all active Satellite deployments (6.13, 6.14 and 6.15) and could enable unauthorized users to gain administrative access.
CVE-2024-7923 | 1 Redhat | 1 Satellite | 2024-09-05 | N/A | 9.8 CRITICAL | An authentication bypass vulnerability has been identified in Pulpcore when deployed with Gunicorn versions prior to 22.0, due to the puppet-pulpcore configuration. Apache's mod_proxy does not properly unset headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. The flaw affects all active Satellite deployments (6.13, 6.14 and 6.15) using Pulpcore 3.0+ and could enable unauthorized users to gain administrative access.
CVE-2022-44569 | 1 Ivanti | 1 Automation | 2024-09-05 | N/A | 7.8 HIGH | A locally authenticated attacker with low privileges can bypass authentication due to insecure inter-process communication.
CVE-2024-7401 | 1 Netskope | 1 Netskope | 2024-09-05 | N/A | 7.5 HIGH | Netskope was notified of a security gap in the Netskope Client enrollment process: NSClient uses a static token, "Orgkey", as its authentication parameter. Because the token is static, it cannot be rotated or revoked if leaked. A malicious actor can use it to enroll an NSClient in a customer's tenant and impersonate a user.
CVE-2024-22441 | 1 Hpe | 1 Cray Parallel Application Launch Service | 2024-09-05 | N/A | 9.8 CRITICAL | HPE Cray Parallel Application Launch Service (PALS) is subject to an authentication bypass.
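The fprintd entry above turns on how pam_fprintd.so is wired into PAM stacks rather than on a flaw in a binary. The check below is an added example (not fprintd, PAM or any distribution's code; the service files are constructed sample input and the set of "unattended" services is an assumption) that lists services where a fingerprint alone satisfies the `auth` phase, so an administrator can decide whether each front end has a proper attention mechanism before leaving that line in place.

```python
"""Audit /etc/pam.d-style service files for fingerprint-only authentication.
Added check, not fprintd, PAM or any distribution's code; the configuration
text below is constructed sample input and the service list is a hypothesis
about which front ends lack a security attention mechanism."""

import os
import re
from typing import Dict, List, Tuple

# Services whose prompt can be answered without the user looking at it, e.g.
# a sudo waiting in a background shell.  Hypothetical list; adjust per host.
UNATTENDED_SERVICES = {"sudo", "sudo-i", "su", "su-l", "polkit-1", "sshd"}

# type  control  module  [args]; the control field may be a bracketed [...] expression.
AUTH_LINE = re.compile(
    r"^\s*-?auth\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)


def parse_auth_stack(text: str) -> List[Tuple[str, str]]:
    """Return the auth stack of one service file as (control, module) pairs,
    skipping comments, blank lines and non-auth module types."""
    stack: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = AUTH_LINE.match(line) if line else None
        if m:
            stack.append((m.group("control"), m.group("module")))
    return stack


def fingerprint_is_sufficient(stack: List[Tuple[str, str]]) -> bool:
    """A matching finger alone completes the auth phase when pam_fprintd.so is
    marked `sufficient` and no earlier required module has failed."""
    return any(control == "sufficient" and module.endswith("pam_fprintd.so")
               for control, module in stack)


def audit(services: Dict[str, str]) -> List[str]:
    """Names of unattended services whose auth stack is satisfied by a fingerprint alone."""
    return sorted(
        name for name, text in services.items()
        if name in UNATTENDED_SERVICES
        and fingerprint_is_sufficient(parse_auth_stack(text))
    )


def load_pam_dir(path: str = "/etc/pam.d") -> Dict[str, str]:
    """Read every service file under a PAM directory (for use on a live host)."""
    services: Dict[str, str] = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                services[name] = fh.read()
    return services


# Constructed sample: sudo lets a fingerprint stand in for the password, the
# graphical login screen does the same (acceptable: the user is at the prompt),
# and login uses the password stack only.
SAMPLE = {
    "sudo": "#%PAM-1.0\nauth       sufficient   pam_fprintd.so\n"
            "auth       include      system-auth\naccount    include      system-auth\n",
    "gdm-fingerprint": "auth  required    pam_env.so\nauth  sufficient  pam_fprintd.so\n"
                       "auth  required    pam_deny.so\n",
    "login": "auth  [success=1 default=ignore]  pam_unix.so nullok\n"
             "auth  requisite  pam_deny.so\nauth  include  system-auth\n",
}

if __name__ == "__main__":
    print("fingerprint-only on unattended services:", audit(SAMPLE))
    # On a real host: print(audit(load_pam_dir()))
```

The check only flags an explicit `sufficient` control and does not follow `include`/`substack` lines or `[success=N default=ignore]` jump controls, which is how some distributions enable pam_fprintd.so from a shared common-auth file; on such hosts the included file must be inspected as well.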
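The two Satellite entries describe a header-handling mismatch: the proxy removes one spelling of the identity header it is supposed to own, while the backend's CGI-style normalisation folds several spellings onto the same variable, so a differently punctuated header from an anonymous client arrives as if the proxy had set it. The following added example is not Foreman, Pulpcore, Apache or Red Hat code; the header name `REMOTE-USER`, the `Remote_User` spelling and the sample requests are constructed to model the gap and the fix of filtering on the normalised name rather than the literal one.

```python
"""Header-normalisation gap of the kind described for CVE-2024-7012 /
CVE-2024-7923: illustrative model, not Foreman, Pulpcore, Apache or
Red Hat code.  Header names and requests below are constructed."""

from typing import Callable, Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]

# Header the front-end proxy sets after external (e.g. Kerberos) auth and
# that the backend trusts as the identity.  Hypothetical choice of name.
AUTH_HEADER = "REMOTE-USER"


def to_cgi_name(header_name: str) -> str:
    """CGI/WSGI normalisation used by most app servers: upper-case, '-' to
    '_', prefix HTTP_.  'Remote-User' and 'Remote_User' both become
    HTTP_REMOTE_USER, which is the root of the collision."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def naive_unset(headers: Headers, name: str) -> Headers:
    """Proxy rule that removes only the exact (case-insensitive) spelling,
    like an `unset` on the literal name; an underscore spelling passes."""
    return [(k, v) for k, v in headers if k.lower() != name.lower()]


def hardened_unset(headers: Headers, name: str) -> Headers:
    """Remove every spelling the backend would fold onto the same variable."""
    target = to_cgi_name(name)
    return [(k, v) for k, v in headers if to_cgi_name(k) != target]


def proxy_forward(client_headers: Headers,
                  unset: Callable[[Headers, str], Headers],
                  sso_user: Optional[str] = None) -> Headers:
    """Strip client-supplied identity headers, then add the proxy's own
    assertion only when the front end really authenticated someone."""
    forwarded = unset(client_headers, AUTH_HEADER)
    if sso_user is not None:
        forwarded.append((AUTH_HEADER, sso_user))
    return forwarded


def backend_user(forwarded: Headers) -> Optional[str]:
    """Backend builds a CGI-style environ (last spelling wins) and reads
    the identity from HTTP_REMOTE_USER."""
    environ: Dict[str, str] = {}
    for k, v in forwarded:
        environ[to_cgi_name(k)] = v
    return environ.get(to_cgi_name(AUTH_HEADER))


# Constructed requests: an anonymous attacker smuggling the identity header
# in each spelling, and a legitimate request the proxy authenticated via SSO.
ATTACK_DASH = [("Host", "satellite.example"), ("Remote-User", "admin")]
ATTACK_UNDERSCORE = [("Host", "satellite.example"), ("Remote_User", "admin")]
LEGIT = [("Host", "satellite.example")]


def outcome(unset: Callable[[Headers, str], Headers]) -> Dict[str, Optional[str]]:
    """Identity the backend ends up trusting for each request under a given unset rule."""
    return {
        "attack_dash": backend_user(proxy_forward(ATTACK_DASH, unset)),
        "attack_underscore": backend_user(proxy_forward(ATTACK_UNDERSCORE, unset)),
        "legit": backend_user(proxy_forward(LEGIT, unset, sso_user="alice")),
    }


if __name__ == "__main__":
    print("naive   :", outcome(naive_unset))     # attack_underscore becomes "admin"
    print("hardened:", outcome(hardened_unset))  # only the SSO user is trusted
```

Whatever the exact directives in the affected configurations were, the fix has to operate on the name the backend will see after normalisation, not on the literal spelling the operator expects. Servers that drop underscored header names outright (nginx's `underscores_in_headers off` default, and Gunicorn from the 22.0 release the CVE text points to) close the same gap at a different layer, which is why the Pulpcore entry is scoped to older Gunicorn versions.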