| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Rasa Pro is a framework for building scalable, dynamic conversational AI assistants that integrate large language models (LLMs). A vulnerability has been identified in Rasa Pro where voice connectors in Rasa Pro do not properly implement authentication even when a token is configured in the credentials.yml file. This could allow an attacker to submit voice data to the Rasa Pro assistant from an unauthenticated source. This issue has been patched for audiocodes, audiocodes_stream, and genesys connectors in versions 3.9.20, 3.10.19, 3.11.7 and 3.12.6. |
| Sensitive data disclosure and manipulation due to missing authentication. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 39870, Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 41800. |
| The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication. |
| Missing Authentication - User & System Configuration |
| Incorrect access control in the component l_0_0.xml of TP-Link ARCHER-C7 v5 allows attackers to access sensitive information. |
| microCLAUDIA in v3.2.0 and prior has an improper access control vulnerability.
This flaw allows an authenticated user to perform unauthorized actions on other organizations' systems by sending direct API requests. To do so, the attacker can use organization identifiers obtained through a compromised endpoint or deduced manually.
This vulnerability allows access between tenants, enabling an attacker to list and manage remote assets, uninstall agents, and even delete vaccines configurations. |
| SAP NetWeaver Enterprise Portal OBN does not perform proper authentication check for a particular configuration setting. As result, a non-authenticated user can set it to an undesired value causing low impact on integrity. There is no impact on confidentiality or availability of the application. |
| The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code. |
| A security issue exists within the 5032 16pt Digital Configurable module’s web server. Intercepted session credentials can be used within a 3-minute timeout window, allowing unauthorized users to perform privileged actions. |
| NUP Portal developed by NewType Infortech has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly upload files. If the attacker manages to bypass the file extension restrictions, they could upload a webshell and execute it on the server side. |
| The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage. |
| A vulnerability was found in Excitel Broadband Private my Excitel App 3.13.0 on Android. It has been classified as problematic. Affected is an unknown function of the component One-Time Password Handler. The manipulation leads to improper restriction of excessive authentication attempts. The vendor was contacted early about this disclosure but did not respond in any way. |
| A unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via CAN. |
| An unauthenticated remote attacker can gain full access on the affected devices as they are shipped without a password by default and setting one is not enforced. |
| The Archify application contains a local privilege escalation vulnerability due to insufficient client validation in its privileged helper tool, com.oct4pie.archifyhelper, which is exposed via XPC. Archify follows the "factored applications" model, delegating privileged operations—such as arbitrary file deletion and file permission changes—to this helper running as root. However, the helper does not verify the code signature, entitlements, or signing flags of the connecting client. Although macOS provides secure validation mechanisms like auditToken, these are not implemented. As a result, any local process can establish a connection to the helper and invoke privileged functionality, leading to unauthorized execution of actions with root-level privileges. |
| A vulnerability was found in Apeman ID71 218.53.203.117. The impacted element is an unknown function of the file /onvif/device_service of the component ONVIF Service. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| SiRcom SMART Alert (SiSA) allows unauthorized access to backend APIs. This allows an unauthenticated attacker to bypass the login screen using browser developer tools, gaining access to restricted parts of the application. |
| A potential vulnerability was reported in the BIOS update tool driver for some Desktop, Smart Edge, Smart Office, and ThinkStation products that could allow a local user with elevated privileges to execute arbitrary code. |
| A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. |
| EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality. |