Total
3419 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-5805 | 2024-06-28 | 9.1 Critical | ||
| Improper Authentication vulnerability in Progress MOVEit Gateway (SFTP modules) allows Authentication Bypass.This issue affects MOVEit Gateway: 2024.0.0. | ||||
| CVE-2024-3080 | 2024-06-28 | 9.8 Critical | ||
| Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device. | ||||
| CVE-2024-38523 | 2024-06-27 | 7.5 High | ||
| Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The TOTP authentication flow has multiple issues that weakens its one-time nature. Specifically, the lack of 2FA for changing security settings allows attacker with CSRF or XSS primitives to change such settings without user interaction and credentials are required. This vulnerability has been patched in version 0.10. | ||||
| CVE-2024-37233 | 2024-06-27 | 4.3 Medium | ||
| Improper Authentication vulnerability in Play.Ht allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Play.Ht: from n/a through 3.6.4. | ||||
| CVE-2023-20867 | 3 Debian, Fedoraproject, Vmware | 3 Debian Linux, Fedora, Tools | 2024-06-27 | 3.9 Low |
| A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. | ||||
| CVE-2023-35078 | 1 Ivanti | 1 Endpoint Manager Mobile | 2024-06-27 | 9.8 Critical |
| An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication. | ||||
| CVE-2024-35248 | 1 Microsoft | 1 Dynamics 365 Business Central | 2024-06-27 | 7.3 High |
| Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | ||||
| CVE-2023-50804 | 1 Samsung | 26 Exynos 1080, Exynos 1080 Firmware, Exynos 1280 and 23 more | 2024-06-27 | 5.3 Medium |
| An issue was discovered in Samsung Mobile Processor, and Modem Exynos 9820, Exynos 9825, Exynos 980, Exynos 990, Exynos 850, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos Modem 5123, Exynos Modem 5300. The baseband software does not properly check format types specified by the NAS (Non-Access-Stratum) module. This can lead to bypass of authentication. | ||||
| CVE-2024-5806 | 2024-06-27 | 9.1 Critical | ||
| Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2. | ||||
| CVE-2024-5012 | 2024-06-26 | 8.6 High | ||
| In WhatsUp Gold versions released before 2023.1.3, there is a missing authentication vulnerability in WUGDataAccess.Credentials. This vulnerability allows unauthenticated attackers to disclose Windows Credentials stored in the product Credential Library. | ||||
| CVE-2018-18014 | 1 Citrix | 1 Xenmobile Server | 2024-06-26 | N/A |
| * Lack of authentication in Citrix Xen Mobile through 10.8 allows low-privileged local users to execute system commands as root by making requests to private services listening on ports 8000, 30000 and 30001. NOTE: the vendor disputes that this is a vulnerability, stating it is "already mitigated by the internal firewall that limits access to configuration services to localhost. | ||||
| CVE-2023-47256 | 1 Connectwise | 2 Automate, Screenconnect | 2024-06-25 | 5.5 Medium |
| ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy settings | ||||
| CVE-2024-24554 | 2024-06-24 | N/A | ||
| Bludit uses predictable methods in combination with the MD5 hashing algorithm to generate sensitive tokens such as the API token and the user token. This allows attackers to authenticate against the Bludit API. | ||||
| CVE-2022-23541 | 1 Auth0 | 1 Jsonwebtoken | 2024-06-21 | 6.3 Medium |
| jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0. | ||||
| CVE-2022-23540 | 1 Auth0 | 1 Jsonwebtoken | 2024-06-21 | 7.6 High |
| In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options. | ||||
| CVE-2024-37897 | 2024-06-21 | 5.4 Medium | ||
| SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Users are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the password reset feature disabled or set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability. | ||||
| CVE-2024-27767 | 2024-06-20 | 10.0 Critical | ||
| CWE-287: Improper Authentication may allow Authentication Bypass | ||||
| CVE-2024-4024 | 2024-06-20 | 7.3 High | ||
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials may be able to take over a GitLab account linked to another user's Bitbucket account, if Bitbucket is used as an OAuth 2.0 provider on GitLab. | ||||
| CVE-2024-1347 | 2024-06-20 | 4.3 Medium | ||
| An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker through a crafted email address may be able to bypass domain based restrictions on an instance or a group. | ||||
| CVE-2024-37893 | 2024-06-20 | 5.9 Medium | ||
| Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try sign an OAuth application up to a users profile quite easily if they have created one. The attacker would also need to know the victims username and password. This problem has been patched in Firefly III v6.1.17 and up. Users are advised to upgrade. Users unable to upgrade should Use a unique password for their Firefly III instance and store their password securely, i.e. in a password manager. | ||||