Total
281 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-52475 | 1 Automation Web Platform | 1 Wawp | 2024-11-29 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Automation Web Platform Wawp allows Authentication Bypass.This issue affects Wawp: from n/a before 3.0.18. | ||||
| CVE-2024-11925 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-11-29 | 9.8 Critical |
| The JobSearch WP Job Board plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.6.7. This is due to the plugin not properly verifying a users identity when verifying an email address through the user_account_activation function. This makes it possible for unauthenticated attackers to log in as any user, including site administrators if the users email is known. | ||||
| CVE-2024-11981 | 1 Billion Electric | 4 M100, M120n, M150 and 1 more | 2024-11-29 | 7.5 High |
| Certain models of routers from Billion Electric has an Authentication Bypass vulnerability, allowing unautheticated attackers to retrive contents of arbitrary web pages. | ||||
| CVE-2024-7027 | 2024-11-21 | 7.3 High | ||
| The WooCommerce - PDF Vouchers plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.9.3. This is due to insufficient verification on the user being supplied during a QR code login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing Voucher Vendor user on the site, if they have access to the user id. | ||||
| CVE-2024-7007 | 1 Positron | 2 Tra7005, Tra7005 Firmware | 2024-11-21 | 9.8 Critical |
| Positron Broadcast Signal Processor TRA7005 v1.20 is vulnerable to an authentication bypass exploit that could allow an attacker to have unauthorized access to protected areas of the application. | ||||
| CVE-2024-5620 | 2024-11-21 | 6.5 Medium | ||
| Authentication Bypass Using an Alternate Path or Channel vulnerability in PruvaSoft Informatics Apinizer Management Console allows Authentication Bypass.This issue affects Apinizer Management Console: before 2024.05.1. | ||||
| CVE-2024-5322 | 2024-11-21 | 9.1 Critical | ||
| The N-central server is vulnerable to session rebinding of already authenticated users when using Entra SSO, which can lead to authentication bypass. This vulnerability is present in all Entra-supported deployments of N-central prior to 2024.3. | ||||
| CVE-2024-3496 | 2024-11-21 | 8.8 High | ||
| Attackers can bypass the web login authentication process to gain access to the printer's system information and upload malicious drivers to the printer. As for the affected products/models/versions, see the reference URL. | ||||
| CVE-2024-39309 | 1 Parse Community | 1 Parse Server | 2024-11-21 | 9.8 Critical |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available. | ||||
| CVE-2024-38437 | 1 Dlink | 2 Dsl-225, Dsl-225 Firmware | 2024-11-21 | 9.8 Critical |
| D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel | ||||
| CVE-2024-38394 | 2024-11-21 | 4.3 Medium | ||
| Mismatches in interpreting USB authorization policy between GNOME Settings Daemon (GSD) through 46.0 and the Linux kernel's underlying device matching logic allow a physically proximate attacker to access some unintended Linux kernel USB functionality, such as USB device-specific kernel modules and filesystem implementations. NOTE: the GSD supplier indicates that consideration of a mitigation for this within GSD would be in the context of "a new feature, not a CVE." | ||||
| CVE-2024-38279 | 2 Motorola, Motorolasolutions | 3 Vigilant Fixed Lpr Coms Box, Vigilant Fixed Lpr Coms Box Firmware, Vigilant Fixed Lpr Coms Box Bcav1f2 C600 | 2024-11-21 | 4.6 Medium |
| The affected product is vulnerable to an attacker modifying the bootloader by using custom arguments to bypass authentication and gain access to the file system and obtain password hashes. | ||||
| CVE-2024-37893 | 2024-11-21 | 5.9 Medium | ||
| Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try sign an OAuth application up to a users profile quite easily if they have created one. The attacker would also need to know the victims username and password. This problem has been patched in Firefly III v6.1.17 and up. Users are advised to upgrade. Users unable to upgrade should Use a unique password for their Firefly III instance and store their password securely, i.e. in a password manager. | ||||
| CVE-2024-35214 | 1 Blackberry | 1 Cylanceoptics | 2024-11-21 | N/A |
| A tampering vulnerability in the CylanceOPTICS Windows Installer Package of CylanceOPTICS for Windows version 3.2 and 3.3 could allow an attacker to potentially uninstall CylanceOPTICS from a system thereby leaving it with only the protection of CylancePROTECT. | ||||
| CVE-2024-34524 | 2024-11-21 | 9.1 Critical | ||
| In XLANG OpenAgents through fe73ac4, the allowed_file protection mechanism can be bypassed by using an incorrect file extension for the nature of the file content. | ||||
| CVE-2024-31916 | 1 Ibm | 1 Openbmc | 2024-11-21 | 7.5 High |
| IBM OpenBMC FW1050.00 through FW1050.10 BMCWeb HTTPS server component could disclose sensitive URI content to an unauthorized actor that bypasses authentication channels. IBM X-ForceID: 290026. | ||||
| CVE-2024-31463 | 1 Redhat | 1 Openshift | 2024-11-21 | 4.7 Medium |
| Ironic-image is an OpenStack Ironic deployment packaged and configured by Metal3. When the reverse proxy mode is enabled by the `IRONIC_REVERSE_PROXY_SETUP` variable set to `true`, 1) HTTP basic credentials are validated on the HTTPD side in a separate container, not in the Ironic service itself and 2) Ironic listens in host network on a private port 6388 on localhost by default. As a result, when the reverse proxy mode is used, any Pod or local Unix user on the control plane Node can access the Ironic API on the private port without authentication. A similar problem affects Ironic Inspector (`INSPECTOR_REVERSE_PROXY_SETUP` set to `true`), although the attack potential is smaller there. This issue affects operators deploying ironic-image in the reverse proxy mode, which is the recommended mode when TLS is used (also recommended), with the `IRONIC_PRIVATE_PORT` variable unset or set to a numeric value. In this case, an attacker with enough privileges to launch a pod on the control plane with host networking can access Ironic API and use it to modify bare-metal machine, e.g. provision them with a new image or change their BIOS settings. This vulnerability is fixed in 24.1.1. | ||||
| CVE-2024-2973 | 2024-11-21 | 10 Critical | ||
| An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or conductor running with a redundant peer allows a network based attacker to bypass authentication and take full control of the device. Only routers or conductors that are running in high-availability redundant configurations are affected by this vulnerability. No other Juniper Networks products or platforms are affected by this issue. This issue affects: Session Smart Router: * All versions before 5.6.15, * from 6.0 before 6.1.9-lts, * from 6.2 before 6.2.5-sts. Session Smart Conductor: * All versions before 5.6.15, * from 6.0 before 6.1.9-lts, * from 6.2 before 6.2.5-sts. WAN Assurance Router: * 6.0 versions before 6.1.9-lts, * 6.2 versions before 6.2.5-sts. | ||||
| CVE-2024-2013 | 1 Hitachienergy | 2 Foxman-un, Unem | 2024-11-21 | 10 Critical |
| An authentication bypass vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway component that if exploited allows attackers without any access to interact with the services and the post-authentication attack surface. | ||||
| CVE-2024-2012 | 1 Hitachienergy | 2 Foxman-un, Unem | 2024-11-21 | 9.1 Critical |
| vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway that if exploited an attacker could use to allow unintended commands or code to be executed on the UNEM server allowing sensitive data to be read or modified or could cause other unintended behavior | ||||