Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-287
Total 2926 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-38119 1 Upspowercom 1 Upsmon Pro 2022-11-15 N/A 9.8 CRITICAL
UPSMON Pro login function has insufficient authentication. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and get administrator privilege to access, control system or disrupt service.
CVE-2022-39038 1 Flowring 1 Agentflow 2022-11-15 N/A 8.8 HIGH
Agentflow BPM enterprise management system has improper authentication. A remote attacker with general user privilege can change the name of the user account to acquire arbitrary account privilege, and access, manipulate system or disrupt service.
CVE-2022-31686 1 Vmware 1 Workspace One Assist 2022-11-10 N/A 9.8 CRITICAL
VMware Workspace ONE Assist prior to 22.10 contains a Broken Authentication Method vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application.
CVE-2022-27510 1 Citrix 3 Application Delivery Controller, Application Delivery Controller Firmware, Gateway 2022-11-09 N/A 9.8 CRITICAL
Unauthorized access to Gateway user capabilities
CVE-2022-39387 1 Xwiki 1 Openid Connect 2022-11-07 N/A 7.5 HIGH
XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Prior to version 1.29.1, even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider its details through request parameters. One can then bypass the XWiki authentication altogether by specifying its own provider through the oidc.endpoint.* request parameters (or by using an XWiki-based OpenID provider with oidc.xwikiprovider. With the same approach, one could also provide a specific group mapping through oidc.groups.mapping that would make his user automatically part of the XWikiAdminGroup. This issue has been patched, please upgrade to 1.29.1. There is no workaround, an upgrade of the authenticator is required.
CVE-2020-24987 1 Tendacn 2 Ac18, Ac18 Firmware 2022-11-07 6.8 MEDIUM 9.8 CRITICAL
Tenda AC18 Router through V15.03.05.05_EN and through V15.03.05.19(6318) CN devices could cause a remote code execution due to incorrect authentication handling of vulnerable logincheck() function in /usr/lib/lua/ngx_authserver/ngx_wdas.lua file if the administrator UI Interface is set to "radius".
CVE-2021-22057 2 Linux, Vmware 2 Linux Kernel, Workspace One Access 2022-11-03 6.5 MEDIUM 8.8 HIGH
VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 contain an authentication bypass vulnerability. A malicious actor, who has successfully provided first-factor authentication, may be able to obtain second-factor authentication provided by VMware Verify.
CVE-2022-41648 1 Heidenhain 3 Heros, Tnc 640, Tnc 640 Programming Station 2022-11-03 N/A 9.8 CRITICAL
The HEIDENHAIN Controller TNC 640, version 340590 07 SP5, running HEROS 5.08.3 controlling the HARTFORD 5A-65E CNC machine is vulnerable to improper authentication, which may allow an attacker to deny service to the production line, steal sensitive data from the production line, and alter any products created by the production line.
CVE-2022-26119 1 Fortinet 1 Fortisiem 2022-11-03 N/A 7.8 HIGH
A improper authentication vulnerability in Fortinet FortiSIEM before 6.5.0 allows a local attacker with CLI access to perform operations on the Glassfish server directly via a hardcoded password.
CVE-2022-22656 1 Apple 2 Mac Os X, Macos 2022-11-02 2.1 LOW 3.3 LOW
An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen.
CVE-2022-39018 1 M-files 1 Hubshare 2022-11-01 N/A 7.5 HIGH
Broken access controls on PDFtron data in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to access restricted PDF files via a known URL.
CVE-2022-39019 1 M-files 1 Hubshare 2022-11-01 N/A 7.5 HIGH
Broken access controls on PDFtron WebviewerUI in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to upload malicious files to the application server.
CVE-2022-2572 1 Octopus 1 Octopus Server 2022-11-01 N/A 9.8 CRITICAL
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.
CVE-2022-37913 1 Arubanetworks 1 Aruba Edgeconnect Enterprise Orchestrator 2022-11-01 N/A 9.8 CRITICAL
Vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to bypass authentication. Successful exploitation of these vulnerabilities could allow an attacker to gain administrative privileges leading to a complete compromise of the Aruba EdgeConnect Enterprise Orchestrator with versions 9.1.2.40051 and below, 9.0.7.40108 and below, 8.10.23.40009 and below, and any older branches of Orchestrator not specifically mentioned.
CVE-2022-37914 1 Arubanetworks 1 Aruba Edgeconnect Enterprise Orchestrator 2022-11-01 N/A 9.8 CRITICAL
Vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to bypass authentication. Successful exploitation of these vulnerabilities could allow an attacker to gain administrative privileges leading to a complete compromise of the Aruba EdgeConnect Enterprise Orchestrator with versions 9.1.2.40051 and below, 9.0.7.40108 and below, 8.10.23.40009 and below, and any older branches of Orchestrator not specifically mentioned.
CVE-2022-38744 1 Rockwellautomation 1 Factorytalk Alarms And Events 2022-10-31 N/A 7.5 HIGH
An unauthenticated attacker with network access to a victim's Rockwell Automation FactoryTalk Alarm and Events service could open a connection, causing the service to fault and become unavailable. The affected port could be used as a server ping port and uses messages structured with XML.
CVE-2022-40703 1 Alivecor 1 Kardia 2022-10-28 N/A 6.1 MEDIUM
CWE-302 Authentication Bypass by Assumed-Immutable Data in AliveCor Kardia App version 5.17.1-754993421 and prior on Android allows an unauthenticated attacker with physical access to the Android device containing the app to bypass application authentication and alter information in the app.
CVE-2022-39355 1 Discourse 1 Patreon 2022-10-28 N/A 9.8 CRITICAL
Discourse Patreon enables syncronization between Discourse Groups and Patreon rewards. On sites with Patreon login enabled, an improper authentication vulnerability could be used to take control of a victim's forum account. This vulnerability is patched in commit number 846d012151514b35ce42a1636c7d70f6dcee879e of the discourse-patreon plugin. Out of an abundance of caution, any Discourse accounts which have logged in with an unverified-email Patreon account will be logged out and asked to verify their email address on their next login. As a workaround, disable the patreon integration and log out all users with associated Patreon accounts.
CVE-2022-38064 1 Openharmony 1 Openharmony 2022-10-28 N/A 5.5 MEDIUM
OpenHarmony-v3.1.2 and prior versions have a permission bypass vulnerability. Local attackers can bypass permission control and get sensitive information.
CVE-2022-39360 1 Metabase 1 Metabase 2022-10-28 N/A 6.5 MEDIUM
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.