Total
1480 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-27585 | 1 Sick | 2 Sim1000 Fx, Sim1000 Fx Firmware | 2025-05-02 | 9.8 Critical |
| Password recovery vulnerability in SICK SIM1000 FX Partnumber 1097816 and 1097817 with firmware version <1.6.0 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. This leads to an increase in their privileges on the system and thereby affecting the confidentiality integrity and availability of the system. An attacker can expect repeatable success by exploiting the vulnerability. The recommended solution is to update the firmware to a version >= 1.6.0 as soon as possible (available in SICK Support Portal). | ||||
| CVE-2022-3675 | 1 Redhat | 1 Fedora Coreos | 2025-05-02 | 2.6 Low |
| Fedora CoreOS supports setting a GRUB bootloader password using a Butane config. When this feature is enabled, GRUB requires a password to access the GRUB command-line, modify kernel command-line arguments, or boot non-default OSTree deployments. Recent Fedora CoreOS releases have a misconfiguration which allows booting non-default OSTree deployments without entering a password. This allows someone with access to the GRUB menu to boot into an older version of Fedora CoreOS, reverting any security fixes that have recently been applied to the machine. A password is still required to modify kernel command-line arguments and to access the GRUB command line. | ||||
| CVE-2022-30515 | 1 Zkteco | 1 Biotime | 2025-05-01 | 5.3 Medium |
| ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration. | ||||
| CVE-2022-42785 | 1 Wut | 34 At-modem-emulator, At-modem-emulator Firmware, Com-server 20ma and 31 more | 2025-05-01 | 9.8 Critical |
| Multiple W&T products of the ComServer Series are prone to an authentication bypass. An unathenticated remote attacker, can log in without knowledge of the password by crafting a modified HTTP GET Request. | ||||
| CVE-2021-46852 | 1 Huawei | 2 Emui, Harmonyos | 2025-05-01 | 7.5 High |
| The memory management module has the logic bypass vulnerability. Successful exploitation of this vulnerability may affect data confidentiality. | ||||
| CVE-2025-3474 | 1 Drupal | 1 Panels | 2025-05-01 | 6.5 Medium |
| Missing Authentication for Critical Function vulnerability in Drupal Panels allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Panels: from 0.0.0 before 4.9.0. | ||||
| CVE-2024-40408 | 1 Cybelesoft | 1 Thinfinity Workspace | 2025-05-01 | 7.3 High |
| Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain an access control issue in the Create Profile section. This vulnerability allows attackers to create arbitrary user profiles with elevated privileges. | ||||
| CVE-2024-40405 | 1 Cybelesoft | 1 Thinfinity Workspace | 2025-05-01 | 8.1 High |
| Incorrect access control in Cybele Software Thinfinity Workspace before v7.0.3.109 allows attackers to gain access to a secondary broker via a crafted request. | ||||
| CVE-2024-40404 | 1 Cybelesoft | 1 Thinfinity Workspace | 2025-05-01 | 9.8 Critical |
| Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain an access control issue in the API endpoint where Web Sockets connections are established. | ||||
| CVE-2023-46381 | 1 Loytec | 6 Linx-212, Linx-212 Firmware, Liob-586 and 3 more | 2025-05-01 | 8.2 High |
| LOYTEC LINX-151, LINX-212, LVIS-3ME12-A1, LIOB-586, LIOB-580 V2, LIOB-588, L-INX Configurator devices (all versions) lack authentication for the preinstalled version of LWEB-802 via an lweb802_pre/ URI. An unauthenticated attacker can edit any project (or create a new project) and control its GUI. | ||||
| CVE-2024-48952 | 1 Logpoint | 1 Soar | 2025-04-30 | 6.4 Medium |
| An issue was discovered in Logpoint before 7.5.0. SOAR uses a static JWT secret key to generate tokens that allow access to SOAR API endpoints without authentication. This static key vulnerability enables attackers to create custom JWT secret keys for unauthorized access to these endpoints. | ||||
| CVE-2024-48953 | 1 Logpoint | 2 Logpoint, Siem | 2025-04-30 | 7.5 High |
| An issue was discovered in Logpoint before 7.5.0. Endpoints for creating, editing, or deleting third-party authentication modules lacked proper authorization checks. This allowed unauthenticated users to register their own authentication plugins in Logpoint, resulting in unauthorized access. | ||||
| CVE-2025-24271 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-04-30 | 5.4 Medium |
| An access issue was addressed with improved access restrictions. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, visionOS 2.4. An unauthenticated user on the same network as a signed-in Mac could send it AirPlay commands without pairing. | ||||
| CVE-2022-44000 | 1 Backclick | 1 Backclick | 2025-04-30 | 9.8 Critical |
| An issue was discovered in BACKCLICK Professional 5.9.63. Due to an exposed internal communications interface, it is possible to execute arbitrary system commands on the server. | ||||
| CVE-2022-43999 | 1 Backclick | 1 Backclick | 2025-04-30 | 9.8 Critical |
| An issue was discovered in BACKCLICK Professional 5.9.63. Due to exposed CORBA management services, arbitrary system commands can be executed on the server. | ||||
| CVE-2022-42982 | 1 Bund | 1 Bkg Professional Ntripcaster | 2025-04-30 | 7.5 High |
| BKG Professional NtripCaster 2.0.39 allows querying information over the UDP protocol without authentication. The NTRIP sourcetable is typically quite long (tens of kBs) and can be requested with a packet of only 30 bytes. This presents a vector that can be used for UDP amplification attacks. Normally, only authenticated streaming data will be provided over UDP and not the sourcetable. | ||||
| CVE-2022-44784 | 1 Maggioli | 1 Appalti \& Contratti | 2025-04-29 | 8.8 High |
| An issue was discovered in Appalti & Contratti 9.12.2. The target web applications LFS and DL229 expose a set of services provided by the Axis 1.4 instance, embedded directly into the applications, as hinted by the WEB-INF/web.xml file leaked through Local File Inclusion. Among the exposed services, there is the Axis AdminService, which, through the default configuration, should normally be accessible only by the localhost. Nevertheless, by trying to access the mentioned service, both in LFS and DL229, the service can actually be reached even by remote users, allowing creation of arbitrary services on the server side. When an attacker can reach the AdminService, they can use it to instantiate arbitrary services on the server. The exploit procedure is well known and described in Generic AXIS-SSRF exploitation. Basically, the attack consists of writing a JSP page inside the root directory of the web application, through the org.apache.axis.handlers.LogHandler class. | ||||
| CVE-2022-44001 | 1 Backclick | 1 Backclick | 2025-04-29 | 9.8 Critical |
| An issue was discovered in BACKCLICK Professional 5.9.63. User authentication for accessing the CORBA back-end services can be bypassed. | ||||
| CVE-2022-45933 | 1 Kubeview Project | 1 Kubeview | 2025-04-29 | 9.8 Critical |
| KubeView through 0.1.31 allows attackers to obtain control of a Kubernetes cluster because api/scrape/kube-system does not require authentication, and retrieves certificate files that can be used for authentication as kube-admin. NOTE: the vendor's position is that KubeView was a "fun side project and a learning exercise," and not "very secure." | ||||
| CVE-2022-24190 | 1 Sz-fujia | 1 Ourphoto | 2025-04-29 | 7.5 High |
| The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to accept their own bind request, without the end-users approval or interaction. | ||||