Vulnerabilities (CVE)


Filtered by CWE-287 (Improper Authentication)
Total 2926 CVEs
CVE  Vendors (count, names)  Products (count, names)  Updated  CVSS v2 (score, severity)  CVSS v3 (score, severity)
CVE-2023-25264 1 Docmosis 1 Tornado 2023-03-07 N/A 7.5 HIGH
An issue was discovered in Docmosis Tornado prior to version 2.9.5. An unauthenticated attacker can bypass the authentication check filter completely by introducing a specially crafted request with relative path segments.
CVE-2022-48254 1 Huawei 2 Leia-b29, Leia-b29 Firmware 2023-03-07 N/A 4.6 MEDIUM
There is a data processing error vulnerability in Leia-B29 2.0.0.49(M03). Successful exploitation could bypass lock screen authentication.
CVE-2022-32570 1 Intel 1 Quartus Prime 2023-03-06 N/A 7.8 HIGH
Improper authentication in the Intel(R) Quartus Prime Pro and Standard edition software may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-26562 1 Kopano 1 Groupware Core 2023-03-06 7.5 HIGH 9.8 CRITICAL
provider/libserver/ECKrbAuth.cpp of Kopano-Core v11.0.2.51 contains an issue which allows attackers to authenticate even if the user account or password has expired.
CVE-2022-39263 1 Nextauth.js 1 Next-auth 2023-03-03 N/A 8.1 HIGH
`@next-auth/upstash-redis-adapter` is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use the `next-auth` Email Provider and `@next-auth/upstash-redis-adapter` before v3.0.2 are affected by this vulnerability. The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checked the identifier when verifying the token in the email callback flow. An attacker who knows the victim's email could easily sign in as the victim, given the attacker also knows the verification token's expiry duration. The vulnerability is patched in v3.0.2. A workaround is available. Using Advanced Initialization, developers can check the requests and compare the query's token and identifier before proceeding.
CVE-2022-39264 2 Fedoraproject, Nheko-reborn 2 Fedora, Nheko 2023-03-03 N/A 5.9 MEDIUM
nheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable to homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply the patch manually, avoid doing verifications of one's own devices, and/or avoid pressing the request button in the settings menu.
CVE-2023-24093 1 H3c 2 A210-g, A210-g Firmware 2023-03-02 N/A 9.8 CRITICAL
An access control issue in H3C A210-G A210-GV100R005 allows attackers to authenticate without a password.
CVE-2015-10083 1 Harrys 1 Dynosaur-rails 2023-03-02 N/A 9.8 CRITICAL
A vulnerability has been found in harrystech Dynosaur-Rails and classified as critical. Affected by this vulnerability is the function basic_auth of the file app/controllers/application_controller.rb. The manipulation leads to improper authentication. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The name of the patch is 04b223813f0e336aab50bff140d0f5889c31dbec. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-221503.
CVE-2019-10661 1 Grandstream 2 Gxv3611ir Hd, Gxv3611ir Hd Firmware 2023-03-01 10.0 HIGH 9.8 CRITICAL
On Grandstream GXV3611IR_HD before 1.0.3.23 devices, the root account lacks a password.
CVE-2022-45378 1 Apache 1 Soap 2023-02-28 N/A 9.8 CRITICAL
** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2018-3761 1 Nextcloud 1 Nextcloud Server 2023-02-28 5.8 MEDIUM 8.1 HIGH
Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper authentication on the OAuth2 token endpoint. Missing checks potentially allowed handing out new tokens in case the OAuth2 client was partly compromised.
CVE-2019-13372 1 Dlink 1 Central Wifimanager 2023-02-28 7.5 HIGH 9.8 CRITICAL
/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.
CVE-2022-33946 1 Intel 1 System Usage Report 2023-02-27 N/A 7.8 HIGH
Improper authentication in the Intel(R) SUR software before version 2.4.8902 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-32971 1 Intel 1 System Usage Report 2023-02-27 N/A 7.2 HIGH
Improper authentication in the Intel(R) SUR software before version 2.4.8902 may allow a privileged user to potentially enable escalation of privilege via network access.
CVE-2023-0905 1 Employee Task Management System Project 1 Employee Task Management System 2023-02-27 N/A 7.5 HIGH
A vulnerability classified as critical has been found in SourceCodester Employee Task Management System 1.0. Affected is an unknown function of the file changePasswordForEmployee.php. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-221454 is the identifier assigned to this vulnerability.
CVE-2018-3775 1 Nextcloud 1 Nextcloud Server 2023-02-27 4.0 MEDIUM 8.8 HIGH
Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypass the 2 Factor Authentication.
CVE-2023-23460 1 Priority-software 1 Priority 2023-02-24 N/A 9.8 CRITICAL
In Priority Web version 19.1.0.68, parameter manipulation on an unspecified end-point may allow authentication bypass.
CVE-2019-5473 1 Gitlab 1 Gitlab 2023-02-22 6.5 MEDIUM 7.2 HIGH
An authentication issue was discovered in GitLab that allowed a bypass of email verification. This was addressed in GitLab 12.1.2 and 12.0.4.
CVE-2019-9564 1 Wyze 6 Cam Pan V2, Cam Pan V2 Firmware, Cam V2 and 3 more 2023-02-22 7.5 HIGH 9.8 CRITICAL
A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to bypass login and control the devices. This issue affects: Wyze Cam Pan v2 versions prior to 4.49.1.47. Wyze Cam v2 versions prior to 4.9.8.1002. Wyze Cam v3 versions prior to 4.36.8.32.
CVE-2023-21437 1 Samsung 1 Android 2023-02-21 N/A 5.5 MEDIUM
Improper access control vulnerability in Phone application prior to SMR Feb-2023 Release 1 allows local attackers to access sensitive information via implicit broadcast.