Total
118 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3757 | 1 Openpubkey | 1 Openpubkey | 2025-05-23 | N/A | 9.8 CRITICAL |
| Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. | |||||
| CVE-2025-4658 | 1 Openpubkey | 2 Openpubkey, Opkssh | 2025-05-22 | N/A | 9.8 CRITICAL |
| Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication. | |||||
| CVE-2025-46750 | 2025-05-12 | N/A | 4.4 MEDIUM | ||
| SEL BIOS packages prior to 1.3.49152.117 or 2.6.49152.98 allow a local attacker to bypass password authentication and change password-protected BIOS settings by importing a BIOS settings file with no password set. | |||||
| CVE-2025-24522 | 2025-05-02 | N/A | 10.0 CRITICAL | ||
| KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This can give an unauthenticated remote attacker full access to the Node-RED server where they can run arbitrary commands on the underlying operating system. | |||||
| CVE-2025-32011 | 2025-05-02 | N/A | 9.8 CRITICAL | ||
| KUNBUS PiCtory versions 2.5.0 through 2.11.1 have an authentication bypass vulnerability where a remote attacker can bypass authentication to get access due to a path traversal. | |||||
| CVE-2025-27371 | 2025-04-25 | N/A | 6.9 MEDIUM | ||
| In certain IETF OAuth 2.0-related specifications, when the JSON Web Token Profile for OAuth 2.0 Client Authentication mechanism is used, there are ambiguities in the audience values of JWTs sent to authorization servers. The affected RFCs may include RFC 7523, and also RFC 7521, RFC 7522, RFC 9101 (JAR), and RFC 9126 (PAR). | |||||
| CVE-2025-27370 | 2025-04-25 | N/A | 6.9 MEDIUM | ||
| OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issuer identifiers of other Authorization Servers. The malicious Authorization Server could then use these private key JWTs to impersonate the Client. | |||||
| CVE-2023-34124 | 1 Sonicwall | 2 Analytics, Global Management System | 2025-04-08 | N/A | 9.8 CRITICAL |
| The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions. | |||||
| CVE-2022-3100 | 2 Openstack, Redhat | 5 Barbican, Enterprise Linux Eus, Openstack and 2 more | 2025-04-03 | N/A | 5.9 MEDIUM |
| A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API. | |||||
| CVE-2025-1880 | 1 I-drive | 4 I11, I11 Firmware, I12 and 1 more | 2025-03-05 | 1.2 LOW | 2.0 LOW |
| A vulnerability was found in i-Drive i11 and i12 up to 20250227. It has been classified as problematic. Affected is an unknown function of the component Device Pairing. The manipulation leads to authentication bypass by primary weakness. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitability is told to be difficult. It was not possible to identify the current maintainer of the product. It must be assumed that the product is end-of-life. | |||||
| CVE-2024-36388 | 2 Canonical, Milesight | 2 Ubuntu Linux, Devicehub | 2025-03-04 | N/A | 10.0 CRITICAL |
| MileSight DeviceHub - CWE-305 Missing Authentication for Critical Function | |||||
| CVE-2023-7103 | 1 Zksoftware | 1 Uface 5 | 2025-03-04 | N/A | 9.8 CRITICAL |
| Authentication Bypass by Primary Weakness vulnerability in ZKSoftware Biometric Security Solutions UFace 5 allows Authentication Bypass.This issue affects UFace 5: through 12022024. | |||||
| CVE-2025-23017 | 2025-02-24 | N/A | 6.0 MEDIUM | ||
| WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass (by enrolling a new authentication factor) when the attacker knows the user's password. No exploitation occurred. | |||||
| CVE-2023-27536 | 5 Debian, Fedoraproject, Haxx and 2 more | 14 Debian Linux, Fedora, Libcurl and 11 more | 2025-02-14 | N/A | 5.9 MEDIUM |
| An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed. | |||||
| CVE-2024-12054 | 2025-02-13 | N/A | 5.4 MEDIUM | ||
| ZF Roll Stability Support Plus (RSSPlus) is vulnerable to an authentication bypass vulnerability targeting deterministic RSSPlus SecurityAccess service seeds, which may allow an attacker to remotely (proximal/adjacent with RF equipment or via pivot from J2497 telematics devices) call diagnostic functions intended for workshop or repair scenarios. This can impact system availability, potentially degrading performance or erasing software, however the vehicle remains in a safe vehicle state. | |||||
| CVE-2024-12582 | 2025-02-13 | N/A | 7.1 HIGH | ||
| A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack. | |||||
| CVE-2023-28727 | 1 Panasonic | 2 Aiseg2, Aiseg2 Firmware | 2025-02-12 | N/A | 9.6 CRITICAL |
| Panasonic AiSEG2 versions 2.00J through 2.93A allows adjacent attackers bypass authentication due to mishandling of X-Forwarded-For headers. | |||||
| CVE-2024-1403 | 1 Progress | 1 Openedge | 2025-02-11 | N/A | 10.0 CRITICAL |
| In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The vulnerability is a bypass to authentication based on a failure to properly handle username and password. Certain unexpected content passed into the credentials can lead to unauthorized access without proper authentication. | |||||
| CVE-2024-6637 | 1 Wpwebelite | 1 Woocommerce Social Login | 2025-02-11 | N/A | 7.3 HIGH |
| The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthenticated privilege escalation in all versions up to, and including, 2.7.3. This is due to a lack of brute force controls on a weak one-time password. This makes it possible for unauthenticated attackers to brute force the one-time password for any user, except an Administrator, if they know the email of user. | |||||
| CVE-2023-28126 | 1 Ivanti | 1 Avalanche | 2025-01-29 | N/A | 5.9 MEDIUM |
| An authentication bypass vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to gain access by exploiting the SetUser method or can exploit the Race Condition in the authentication message. | |||||