Total
3987 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-22245 | 2024-11-21 | 9.6 Critical | ||
| Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) could allow a malicious actor that could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs). | ||||
| CVE-2024-22206 | 1 Clerk | 1 Javascript | 2024-11-21 | 9.1 Critical |
| Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3. | ||||
| CVE-2024-21899 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2024-11-21 | 9.8 Critical |
| An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later | ||||
| CVE-2024-21654 | 1 Rubygems | 1 Rubygems.org | 2024-11-21 | 4.8 Medium |
| Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and takeover the account. This vulnerability has been patched in commit 0b3272a. | ||||
| CVE-2024-20900 | 1 Samsung | 1 Android | 2024-11-21 | 4 Medium |
| Improper authentication in MTP application prior to SMR Jul-2024 Release 1 allows local attackers to enter MTP mode without proper authentication. | ||||
| CVE-2024-20890 | 1 Samsung | 1 Android | 2024-11-21 | 5.3 Medium |
| Improper input validation in BLE prior to SMR Jul-2024 Release 1 allows adjacent attackers to trigger abnormal behavior. | ||||
| CVE-2024-20889 | 1 Samsung | 1 Android | 2024-11-21 | 5.9 Medium |
| Improper authentication in BLE prior to SMR Jul-2024 Release 1 allows adjacent attackers to pair with devices. | ||||
| CVE-2024-20816 | 1 Samsung | 1 Android | 2024-11-21 | 8 High |
| Improper authentication vulnerability in onCharacteristicWriteRequest in Auto Hotspot prior to SMR Feb-2024 Release 1 allows adjacent attackers connect to victim's mobile hotspot without user awareness. | ||||
| CVE-2024-20815 | 1 Samsung | 1 Android | 2024-11-21 | 8 High |
| Improper authentication vulnerability in onCharacteristicReadRequest in Auto Hotspot prior to SMR Feb-2024 Release 1 allows adjacent attackers connect to victim's mobile hotspot without user awareness. | ||||
| CVE-2024-20803 | 1 Samsung | 1 Android | 2024-11-21 | 6.8 Medium |
| Improper authentication vulnerability in Bluetooth pairing process prior to SMR Jan-2024 Release 1 allows remote attackers to establish pairing process without user interaction. | ||||
| CVE-2024-20738 | 2 Adobe, Microsoft | 2 Framemaker Publishing Server, Windows | 2024-11-21 | 9.8 Critical |
| Adobe FrameMaker Publishing Server versions 2022.1 and earlier are affected by an Improper Authentication vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass authentication mechanisms and gain unauthorized access. Exploitation of this issue does not require user interaction. | ||||
| CVE-2024-1573 | 2024-11-21 | 5.9 Medium | ||
| Improper Authentication vulnerability in the mobile monitoring feature of ICONICS GENESIS64 versions 10.97 to 10.97.2, Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.2 and Mitsubishi Electric MC Works64 all versions allows a remote unauthenticated attacker to bypass proper authentication and log in to the system when all of the following conditions are met: * Active Directory is used in the security setting. * “Automatic log in” option is enabled in the security setting. * The IcoAnyGlass IIS Application Pool is running under an Active Directory Domain Account. * The IcoAnyGlass IIS Application Pool account is included in GENESIS64TM and MC Works64 Security and has permission to log in. | ||||
| CVE-2024-1148 | 1 Opentext | 1 Pvcs Version Manager | 2024-11-21 | 9.8 Critical |
| Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and uploading of files. | ||||
| CVE-2024-1147 | 1 Opentext | 1 Pvcs Version Manager | 2024-11-21 | 9.8 Critical |
| Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and download of files. | ||||
| CVE-2024-0988 | 1 Kuerp Project | 1 Kuerp | 2024-11-21 | 6.3 Medium |
| A vulnerability classified as critical was found in Sichuan Yougou Technology KuERP up to 1.0.4. Affected by this vulnerability is the function checklogin of the file /application/index/common.php. The manipulation of the argument App_User_id/App_user_Token leads to improper authentication. The exploit has been disclosed to the public and may be used. The identifier VDB-252253 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-0799 | 2024-11-21 | 9.8 Critical | ||
| An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin. | ||||
| CVE-2023-7210 | 1 Onenav | 1 Onenav | 2024-11-21 | 7.3 High |
| A vulnerability was found in OneNav up to 0.9.33. It has been classified as critical. This affects an unknown part of the file /index.php?c=api of the component API. The manipulation of the argument X-Token leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249765 was assigned to this vulnerability. | ||||
| CVE-2023-7079 | 1 Cloudflare | 1 Wrangler | 2024-11-21 | 6.4 Medium |
| Sending specially crafted HTTP requests and inspector messages to Wrangler's dev server could result in any file on the user's computer being accessible over the local network. An attacker that could trick any user on the local network into opening a malicious website could also read any file. | ||||
| CVE-2023-6907 | 1 Codelyfe | 1 Stupid Simple Cms | 2024-11-21 | 5.4 Medium |
| A vulnerability has been found in codelyfe Stupid Simple CMS up to 1.2.4 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /file-manager/delete.php of the component Deletion Interface. The manipulation of the argument file leads to improper authentication. The exploit has been disclosed to the public and may be used. The identifier VDB-248269 was assigned to this vulnerability. | ||||
| CVE-2023-6847 | 1 Github | 1 Enterprise Server | 2024-11-21 | 7.5 High |
| An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of Private Mode by using a specially crafted API request. To exploit this vulnerability, an attacker would need network access to the Enterprise Server appliance configured in Private Mode. This vulnerability affected all versions of GitHub Enterprise Server since 3.9 and was fixed in version 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program. | ||||