Total
351 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-0316 | 1 Wordpress | 1 Wordpress | 2025-02-12 | 9.8 Critical |
| The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_enquiry_agent_contact_form_submit_callback' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username. | ||||
| CVE-2025-23217 | 1 Mitmproxy | 1 Mitmproxy | 2025-02-12 | N/A |
| mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmweb 11.1.1 and below, a malicious client can use mitmweb's proxy server (bound to `*:8080` by default) to access mitmweb's internal API (bound to `127.0.0.1:8081` by default). In other words, while the cannot access the API directly, they can access the API through the proxy. An attacker may be able to escalate this SSRF-style access to remote code execution. The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. This vulnerability has been fixed in mitmproxy 11.1.2 and above. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-0674 | 2025-02-12 | 9.8 Critical | ||
| Multiple Elber products are affected by an authentication bypass vulnerability which allows unauthorized access to the password management functionality. Attackers can exploit this issue by manipulating the endpoint to overwrite any user's password within the system. This grants them unauthorized administrative access to protected areas of the application, compromising the device's system security. | ||||
| CVE-2024-12857 | 1 Scriptsbundle | 1 Adforest | 2025-02-12 | 9.8 Critical |
| The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the plugin not properly verifying a user's identity prior to logging them in as that user. This makes it possible for unauthenticated attackers to authenticate as any user as long as they have configured OTP login by phone number. | ||||
| CVE-2024-6635 | 1 Wpwebelite | 1 Woocommerce Social Login | 2025-02-11 | 7.3 High |
| The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.3. This is due to insufficient controls in the 'woo_slg_login_email' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, excluding an administrator, if they know the email of user. | ||||
| CVE-2024-36470 | 1 Jetbrains | 1 Teamcity | 2025-02-07 | 8.1 High |
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific edge cases | ||||
| CVE-2024-7503 | 2 Wpweb, Wpwebelite | 2 Woocommerce Social Login, Woocommerce Social Login | 2025-02-07 | 9.8 Critical |
| The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.5. This is due to the use of loose comparison of the activation code in the 'woo_slg_confirm_email_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the userID. This requires the email module to be enabled. | ||||
| CVE-2025-1061 | 2 Nextendweb, Wordpress | 2 Nextend Social Login Pro, Wordpress | 2025-02-07 | 9.8 Critical |
| The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.16. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. | ||||
| CVE-2023-21098 | 1 Google | 1 Android | 2025-02-05 | 7.8 High |
| In multiple functions of AccountManagerService.java, there is a possible loading of arbitrary code into the System Settings app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-260567867 | ||||
| CVE-2022-40725 | 1 Pingidentity | 1 Desktop | 2025-02-04 | 7.3 High |
| PingID Desktop prior to the latest released version 1.7.4 contains a vulnerability that can be exploited to bypass the maximum PIN attempts permitted before the time-based lockout is activated. | ||||
| CVE-2025-24456 | 1 Jetbrains | 1 Hub | 2025-01-30 | 6.7 Medium |
| In JetBrains Hub before 2024.3.55417 privilege escalation was possible via LDAP authentication mapping | ||||
| CVE-2024-10284 | 1 Ce21 | 2 Ce21-suite, Ce21 Suite | 2025-01-29 | 9.8 Critical |
| The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to hardcoded encryption key in the 'ce21_authentication_phrase' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. | ||||
| CVE-2024-9861 | 1 Miniorange | 1 Otp Verification With Firebase | 2025-01-28 | 8.1 High |
| The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.6.0. This is due to missing validation on the token being supplied during the otp login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the phone number associated with that user. | ||||
| CVE-2023-31152 | 1 Selinc | 20 Sel-2241 Rtac Module, Sel-2241 Rtac Module Firmware, Sel-3350 and 17 more | 2025-01-24 | 4 Medium |
| An Authentication Bypass Using an Alternate Path or Channel vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface allows Authentication Bypass. See SEL Service Bulletin dated 2022-11-15 for more details. | ||||
| CVE-2024-47574 | 1 Fortinet | 2 Forticlient, Forticlientwindows | 2025-01-21 | 7.4 High |
| A authentication bypass using an alternate path or channel in Fortinet FortiClientWindows version 7.4.0, versions 7.2.4 through 7.2.0, versions 7.0.12 through 7.0.0, and 6.4.10 through 6.4.0 allows low privilege attacker to execute arbitrary code with high privilege via spoofed named pipe messages. | ||||
| CVE-2024-7125 | 2 Hitachi, Linux | 2 Ops Center Common Services, Linux Kernel | 2025-01-21 | 7.8 High |
| Authentication Bypass vulnerability in Hitachi Ops Center Common Services.This issue affects Hitachi Ops Center Common Services: from 10.9.3-00 before 11.0.2-01. | ||||
| CVE-2024-11639 | 1 Ivanti | 1 Cloud Services Appliance | 2025-01-17 | 10 Critical |
| An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access | ||||
| CVE-2023-41256 | 1 Doverfuelingsolutions | 2 Maglink Lx 3, Maglink Lx Web Console Configuration | 2025-01-16 | 9.1 Critical |
| Dover Fueling Solutions MAGLINK LX Web Console Configuration versions 2.5.1, 2.5.2, 2.5.3, 2.6.1, 2.11, 3.0, 3.2, and 3.3 are vulnerable to authentication bypass that could allow an unauthorized attacker to obtain user access. | ||||
| CVE-2024-13181 | 1 Ivanti | 1 Avalanche | 2025-01-16 | 7.3 High |
| Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE addresses incomplete fixes from CVE-2024-47010. | ||||
| CVE-2024-13179 | 1 Ivanti | 1 Avalanche | 2025-01-16 | 7.3 High |
| Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. | ||||