Total
204 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-47009 | 1 Ivanti | 1 Avalanche | 2024-10-16 | 7.3 High |
| Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication. | ||||
| CVE-2024-21491 | 1 Svix | 1 Svix | 2024-10-16 | 5.9 Medium |
| Versions of the package svix before 1.17.0 are vulnerable to Authentication Bypass due to an issue in the verify function where signatures of different lengths are incorrectly compared. An attacker can bypass signature verification by providing a shorter signature that matches the beginning of the actual signature. **Note:** The attacker would need to know a victim uses the Rust library for verification,no easy way to automatically check that; and uses webhooks by a service that uses Svix, and then figure out a way to craft a malicious payload that will actually include all of the correct identifiers needed to trick the receivers to cause actual issues. | ||||
| CVE-2023-45539 | 2 Haproxy, Redhat | 7 Haproxy, Enterprise Linux, Openshift and 4 more | 2024-10-15 | 8.2 High |
| HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. | ||||
| CVE-2024-9522 | 1 Lagunaisw | 1 Wp Users Masquerade | 2024-10-15 | 8.8 High |
| The WP Users Masquerade plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.0. This is due to incorrect authentication and capability checking in the 'ajax_masq_login' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator. | ||||
| CVE-2024-8943 | 1 Latepoint | 1 Latepoint | 2024-10-10 | 9.8 Critical |
| The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13. | ||||
| CVE-2023-32002 | 2 Nodejs, Redhat | 4 Node.js, Nodejs, Enterprise Linux and 1 more | 2024-10-07 | 9.8 Critical |
| The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. | ||||
| CVE-2024-9289 | 1 Redefiningtheweb | 1 Affiliate Pro | 2024-10-07 | 9.8 Critical |
| The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator's email. | ||||
| CVE-2024-9106 | 1 Xunhuweb | 1 Wechat Social Login | 2024-10-04 | 9.8 Critical |
| The Wechat Social login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.3.0. This is due to insufficient verification on the user being supplied during the social login. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. This is only exploitable if the app secret is not set, so it has a default empty value. | ||||
| CVE-2024-38279 | 2 Motorola, Motorolasolutions | 3 Vigilant Fixed Lpr Coms Box, Vigilant Fixed Lpr Coms Box Firmware, Vigilant Fixed Lpr Coms Box Bcav1f2 C600 | 2024-10-03 | 4.6 Medium |
| The affected product is vulnerable to an attacker modifying the bootloader by using custom arguments to bypass authentication and gain access to the file system and obtain password hashes. | ||||
| CVE-2024-1525 | 1 Gitlab | 1 Gitlab | 2024-10-03 | 5.3 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Under some specialized conditions, an LDAP user may be able to reset their password using their verified secondary email address and sign-in using direct authentication with the reset password, bypassing LDAP. | ||||
| CVE-2024-7781 | 1 Artbees | 1 Jupiter X Core | 2024-10-02 | 8.1 High |
| The Jupiter X Core plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.7.5. This is due to improper authentication via the Social Login widget. This makes it possible for unauthenticated attackers to log in as the first user to have logged in with a social media account, including administrator accounts. Attackers can exploit the vulnerability even if the Social Login element has been disabled, as long as it was previously enabled and used. The vulnerability was partially patched in version 4.7.5, and fully patched in version 4.7.8. | ||||
| CVE-2024-43692 | 1 Doverfuelingsolutions | 6 Maglink Lx4 Console, Maglink Lx Console, Progauge Maglink Lx4 Console and 3 more | 2024-10-01 | 9.8 Critical |
| An attacker can directly request the ProGauge MAGLINK LX CONSOLE resource sub page with full privileges by requesting the URL directly. | ||||
| CVE-2023-6718 | 1 Europeana | 1 Repox | 2024-10-01 | 9.4 Critical |
| An authentication bypass vulnerability has been found in Repox, which allows a remote user to send a specially crafted POST request, due to the lack of any authentication method, resulting in the alteration or creation of users. | ||||
| CVE-2024-35214 | 1 Blackberry | 1 Cylanceoptics | 2024-09-29 | N/A |
| A tampering vulnerability in the CylanceOPTICS Windows Installer Package of CylanceOPTICS for Windows version 3.2 and 3.3 could allow an attacker to potentially uninstall CylanceOPTICS from a system thereby leaving it with only the protection of CylancePROTECT. | ||||
| CVE-2024-8277 | 1 Villatheme | 1 Woocommerce Photo Reviews | 2024-09-26 | 9.8 Critical |
| The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a valid user_id as the value, though it would be more difficult to exploit this successfully. | ||||
| CVE-2023-42771 | 1 Furunosystems | 4 Acera 1310, Acera 1310 Firmware, Acera 1320 and 1 more | 2024-09-20 | 8.3 High |
| Authentication bypass vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent unauthenticated attacker who can access the affected product to download configuration files and/or log files, and upload configuration files and/or firmware. They are affected when running in ST(Standalone) mode. | ||||
| CVE-2024-8012 | 1 Ivanti | 1 Workspace Control | 2024-09-18 | 7.8 High |
| An authentication bypass weakness in the message broker service of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges. | ||||
| CVE-2023-39930 | 1 Pingidentity | 1 Pingid Radius Pcv | 2024-09-17 | 7.5 High |
| A first-factor authentication bypass vulnerability exists in the PingFederate with PingID Radius PCV when a MSCHAP authentication request is sent via a maliciously crafted RADIUS client request. | ||||
| CVE-2019-9510 | 1 Microsoft | 2 Windows 10, Windows Server 2019 | 2024-09-17 | 5.3 Medium |
| A vulnerability in Microsoft Windows 10 1803 and Windows Server 2019 and later systems can allow authenticated RDP-connected clients to gain access to user sessions without needing to interact with the Windows lock screen. Should a network anomaly trigger a temporary RDP disconnect, Automatic Reconnection of the RDP session will be restored to an unlocked state, regardless of how the remote system was left. By interrupting network connectivity of a system, an attacker with access to a system being used as a Windows RDP client can gain access to a connected remote system, regardless of whether or not the remote system was locked. This issue affects Microsoft Windows 10, version 1803 and later, and Microsoft Windows Server 2019, version 2019 and later. | ||||
| CVE-2018-8859 | 1 Echelon | 8 I.lon 100, I.lon 100 Firmware, I.lon 600 and 5 more | 2024-09-17 | N/A |
| Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. An attacker can bypass the required authentication specified in the security configuration file by including extra characters in the directory name when specifying the directory to be accessed. This vulnerability does not affect the i.LON 600 product. | ||||