Vulnerabilities (CVE)

Filtered by CWE-288
Total 103 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-2055 2024-11-21 N/A 9.8 CRITICAL
The "Rich Filemanager" feature of Artica Proxy provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user.
CVE-2024-2013 1 Hitachienergy 2 Foxman-un, Unem 2024-11-21 N/A 10.0 CRITICAL
An authentication bypass vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway component that if exploited allows attackers without any access to interact with the services and the post-authentication attack surface.
CVE-2024-2012 1 Hitachienergy 2 Foxman-un, Unem 2024-11-21 N/A 9.1 CRITICAL
vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway that if exploited an attacker could use to allow unintended commands or code to be executed on the UNEM server allowing sensitive data to be read or modified or could cause other unintended behavior
CVE-2024-29853 2024-11-21 N/A 7.8 HIGH
An authentication bypass vulnerability in Veeam Agent for Microsoft Windows allows for local privilege escalation.
CVE-2024-28200 1 N-able 1 N-central 2024-11-21 N/A 9.1 CRITICAL
The N-central server is vulnerable to an authentication bypass of the user interface. This vulnerability is present in all deployments of N-central prior to 2024.2. This vulnerability was discovered through internal N-central source code review and N-able has not observed any exploitation in the wild.
CVE-2024-27198 1 Jetbrains 1 Teamcity 2024-11-21 N/A 9.8 CRITICAL
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
CVE-2024-26566 2024-11-21 N/A 8.2 HIGH
An issue in Cute Http File Server v.3.1 allows a remote attacker to escalate privileges via the password verification component.
CVE-2024-21491 1 Svix 1 Svix 2024-11-21 N/A 5.9 MEDIUM
Versions of the package svix before 1.17.0 are vulnerable to Authentication Bypass due to an issue in the verify function where signatures of different lengths are incorrectly compared. An attacker can bypass signature verification by providing a shorter signature that matches the beginning of the actual signature. **Note:** The attacker would need to know a victim uses the Rust library for verification,no easy way to automatically check that; and uses webhooks by a service that uses Svix, and then figure out a way to craft a malicious payload that will actually include all of the correct identifiers needed to trick the receivers to cause actual issues.
CVE-2024-1646 2024-11-21 N/A 8.2 HIGH
parisneo/lollms-webui is vulnerable to authentication bypass due to insufficient protection over sensitive endpoints. The application checks if the host parameter is not '0.0.0.0' to restrict access, which is inadequate when the application is bound to a specific interface, allowing unauthorized access to endpoints such as '/restart_program', '/update_software', '/check_update', '/start_recording', and '/stop_recording'. This vulnerability can lead to denial of service, unauthorized disabling or overriding of recordings, and potentially other impacts if certain features are enabled in the configuration.
CVE-2024-1525 1 Gitlab 1 Gitlab 2024-11-21 N/A 5.3 MEDIUM
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Under some specialized conditions, an LDAP user may be able to reset their password using their verified secondary email address and sign-in using direct authentication with the reset password, bypassing LDAP.
CVE-2023-4957 1 Zebra 2 Zt410, Zt410 Firmware 2024-11-21 N/A 5.4 MEDIUM
A vulnerability of authentication bypass has been found on a Zebra Technologies ZTC ZT410-203dpi ZPL printer. This vulnerability allows an attacker that is in the same network as the printer, to change the username and password for the Web Page by sending a specially crafted POST request to the setvarsResults.cgi file. For this vulnerability to be exploitable, the printers protected mode must be disabled.
CVE-2023-4702 1 Yepas 1 Digital Yepas 2024-11-21 N/A 9.8 CRITICAL
Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas allows Authentication Bypass.This issue affects Digital Yepas: before 1.0.1.
CVE-2023-46319 1 Wallix 1 Bastion 2024-11-21 N/A 7.5 HIGH
WALLIX Bastion 9.x before 9.0.9 and 10.x before 10.0.5 allows unauthenticated access to sensitive information by bypassing access control on a network access administration web interface.
CVE-2023-42793 1 Jetbrains 1 Teamcity 2024-11-21 N/A 9.8 CRITICAL
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
CVE-2023-42771 1 Furunosystems 4 Acera 1310, Acera 1310 Firmware, Acera 1320 and 1 more 2024-11-21 N/A 8.8 HIGH
Authentication bypass vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent unauthenticated attacker who can access the affected product to download configuration files and/or log files, and upload configuration files and/or firmware. They are affected when running in ST(Standalone) mode.
CVE-2023-41256 1 Doverfuelingsolutions 2 Maglink Lx 3, Maglink Lx Web Console Configuration 2024-11-21 N/A 9.1 CRITICAL
Dover Fueling Solutions MAGLINK LX Web Console Configuration versions 2.5.1, 2.5.2, 2.5.3, 2.6.1, 2.11, 3.0, 3.2, and 3.3 are vulnerable to authentication bypass that could allow an unauthorized attacker to obtain user access.
CVE-2023-32002 1 Nodejs 1 Node.js 2024-11-21 N/A 9.8 CRITICAL
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
CVE-2022-47578 1 Zohocorp 1 Manageengine Device Control Plus 2024-11-21 N/A 7.1 HIGH
An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by booting into Safe Mode. This allows a file to be exchanged outside the laptop/system. Safe Mode can be launched by any user (even without admin rights). Data exfiltration can occur, and also malware might be introduced onto the system. NOTE: the vendor's position is "it's not a vulnerability in our product."
CVE-2022-35869 1 Inductiveautomation 1 Ignition 2024-11-21 N/A 9.8 CRITICAL
This vulnerability allows remote attackers to bypass authentication on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Authentication is not required to exploit this vulnerability. The specific flaw exists within com.inductiveautomation.ignition.gateway.web.pages. The issue results from the lack of proper authentication prior to access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-17211.
CVE-2022-31022 1 Couchbase 1 Bleve 2024-11-21 2.1 LOW 6.2 MEDIUM
Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (bleve/http) handlers for exposing the access to the indexes. For instance, the CreateIndexHandler (`http/index_create.go`) and DeleteIndexHandler (`http/index_delete.go`) enable an attacker to create a bleve index (directory structure) anywhere where the user running the server has the write permissions and to delete recursively any directory owned by the same user account. Users who have used the bleve/http package for exposing access to bleve index without the explicit handling for the Role Based Access Controls(RBAC) of the index assets would be impacted by this issue. There is no patch for this issue because the http package is purely intended to be used for demonstration purposes. Bleve was never designed handle the RBACs, nor it was ever advertised to be used in that way. The collaborators of this project have decided to stay away from adding any authentication or authorization to bleve project at the moment. The bleve/http package is mainly for demonstration purposes and it lacks exhaustive validation of the user inputs as well as any authentication and authorization measures. It is recommended to not use bleve/http in production use cases.