Search Results (4508 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-32879 1 Yftech 2 Coros Pace 3, Coros Pace 3 Firmware 2025-07-08 8.8 High
An issue was discovered on COROS PACE 3 devices through 3.0808.0. It starts advertising if no device is connected via Bluetooth. This allows an attacker to connect with the device via BLE if no other device is connected. While connected, none of the BLE services and characteristics of the device require any authentication or security level. Therefore, any characteristic, depending on their mode of operation (read/write/notify), can be used by the connected attacker. This allows, for example, configuring the device, sending notifications, resetting the device to factory settings, or installing software.
CVE-2024-57046 1 Netgear 2 Dgn2200, Dgn2200 Firmware 2025-07-07 8.8 High
A vulnerability in the Netgear DGN2200 router with firmware version v1.0.0.46 and earlier permits unauthorized individuals to bypass the authentication. When adding "?x=1.gif" to the the requested url, it will be recognized as passing the authentication.
CVE-2025-6916 1 Totolink 2 T6, T6 Firmware 2025-07-07 8.8 High
A vulnerability, which was classified as critical, was found in TOTOLINK T6 4.1.5cu.748_B20211015. This affects the function Form_Login of the file /formLoginAuth.htm. The manipulation of the argument authCode/goURL leads to missing authentication. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used.
CVE-2024-29849 1 Veeam 2 Backup Enterprise Manager, Veeam Backup \& Replication 2025-07-03 N/A
Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface.
CVE-2025-25205 1 Audiobookshelf 1 Audiobookshelf 2025-07-03 8.2 High
Audiobookshelf is a self-hosted audiobook and podcast server. Starting in version 2.17.0 and prior to version 2.19.1, a flaw in the authentication bypass logic allows unauthenticated requests to match certain unanchored regex patterns in the URL. Attackers can craft URLs containing substrings like "/api/items/1/cover" in a query parameter (?r=/api/items/1/cover) to partially bypass authentication or trigger server crashes under certain routes. This could lead to information disclosure of otherwise protected data and, in some cases, a complete denial of service (server crash) if downstream code expects an authenticated user object. Version 2.19.1 contains a patch for the issue.
CVE-2014-0769 3 3s-software, Festo, Softmotion3d 4 Codesys Runtime System, Cecx-x-c1 Modular Master Controller, Cecx-x-m1 Modular Controller and 1 more 2025-07-02 N/A
The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion do not require authentication for connections to certain TCP ports, which allows remote attackers to (1) modify the configuration via a request to the debug service on port 4000 or (2) delete log entries via a request to the log service on port 4001.
CVE-2014-0760 3 3s-software, Festo, Softmotion3d 4 Codesys Runtime System, Cecx-x-c1 Modular Master Controller, Cecx-x-m1 Modular Controller and 1 more 2025-07-02 N/A
The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion provide an undocumented access method involving the FTP protocol, which could allow a remote attacker to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.
CVE-2025-49851 1 Assaabloy 1 Control Id Idsecure 2025-07-02 9.8 Critical
ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an improper authentication vulnerability which could allow an attacker to bypass authentication and gain permissions in the product.
CVE-2025-46548 2 Akka, Apache 2 Akka Management, Pekko Management 2025-07-02 6.5 Medium
If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.
CVE-2024-45106 1 Apache 1 Ozone 2025-07-01 8.1 High
Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: * ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is false. * The user configured in ozone.s3g.kerberos.principal is also configured in ozone.s3.administrators or ozone.administrators. Users are recommended to upgrade to Apache Ozone version 1.4.1 which disables the affected endpoint.
CVE-2024-45216 1 Apache 1 Solr 2025-07-01 9.8 Critical
Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing. This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0. Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.
CVE-2023-40282 1 Rakuten 2 Wifi Pocket, Wifi Pocket Firmware 2025-07-01 5.4 Medium
Improper authentication vulnerability in Rakuten WiFi Pocket all versions allows a network-adjacent attacker to log in to the product's Management Screen. As a result, sensitive information may be obtained and/or the settings may be changed.
CVE-2025-48746 1 Netwrix 1 Directory Manager 2025-06-24 6.5 Medium
Netwrix Directory Manager (formerly Imanami GroupID) v.11.0.0.0 and before, as well as after v.11.1.25134.03 lacks Authentication for a Critical Function.
CVE-2025-3627 1 Moodle 1 Moodle 2025-06-24 4.3 Medium
A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentication (2FA).
CVE-2025-3634 1 Moodle 1 Moodle 2025-06-24 4.3 Medium
A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes.
CVE-2025-27086 1 Hpe 1 Performance Cluster Manager 2025-06-23 8.1 High
A vulnerability in the HPE Performance Cluster Manager (HPCM) GUI could allow an attacker to bypass authentication.
CVE-2023-50275 1 Hp 1 Oneview 2025-06-20 7.5 High
HPE OneView may allow clusterService Authentication Bypass resulting in denial of service.
CVE-2023-50127 1 Hozard 1 Alarm System 2025-06-20 5.9 Medium
Hozard alarm system (Alarmsysteem) v1.0 is vulnerable to Improper Authentication. Commands sent via the SMS functionality are accepted from random phone numbers, which allows an attacker to bring the alarm system to a disarmed state from any given phone number.
CVE-2024-23637 1 Octoprint 1 Octoprint 2025-06-17 4.2 Medium
OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0.
CVE-2024-23647 1 Goauthentik 1 Authentik 2025-06-17 6.5 Medium
Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue.