Total
456 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-36119 | 1 Ibm | 1 I | 2025-08-15 | 7.1 High |
| IBM i 7.3, 7.4, 7.5, and 7.6 is affected by an authenticated user obtaining elevated privileges with IBM Digital Certificate Manager for i (DCM) due to a web session hijacking vulnerability. An authenticated user without administrator privileges could exploit this vulnerability to perform actions in DCM as an administrator. | ||||
| CVE-2023-37865 | 1 Ip2location | 1 Country Blocker | 2025-08-12 | 5.3 Medium |
| Authentication Bypass by Spoofing vulnerability in IP2Location Download IP2Location Country Blocker allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Download IP2Location Country Blocker: from n/a through 2.29.1. | ||||
| CVE-2025-8853 | 1 2100 Technology | 1 Official Document Management System | 2025-08-12 | 9.8 Critical |
| Official Document Management System developed by 2100 Technology has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to obtain any user's connection token and use it to log into the system as that user. | ||||
| CVE-2025-36594 | 1 Dell | 2 Powerprotect Data Domain, Powerprotect Dd | 2025-08-12 | 9.8 Critical |
| Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.3.0.15, LTS2024 release Versions 7.13.1.0 through 7.13.1.25, LTS 2023 release versions 7.10.1.0 through 7.10.1.60, contain an Authentication Bypass by Spoofing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. Remote unauthenticated user can create account that potentially expose customer info, affect system integrity and availability. | ||||
| CVE-2025-31511 | 2025-08-10 | 7.3 High | ||
| An issue was discovered in AlertEnterprise Guardian 4.1.14.2.2.1. One can bypass manager approval by changing the user ID in a Request%20Building%20Access requestSubmit API call. | ||||
| CVE-2023-50224 | 1 Tp-link | 2 Tl-wr841n, Tl-wr841n Firmware | 2025-08-07 | N/A |
| TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR841N routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from improper authentication. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. . Was ZDI-CAN-19899. | ||||
| CVE-2025-50454 | 1 Blue Access | 1 Cobalt X1 | 2025-08-06 | 6.5 Medium |
| An Authentication Bypass vulnerability in Blue Access' Cobalt X1 thru 02.000.187 allows an unauthorized attacker to log into the application as an administrator without valid credentials. | ||||
| CVE-2025-46018 | 2025-08-04 | 5.4 Medium | ||
| CSC Pay Mobile App 2.19.4 (fixed in version 2.20.0) contains a vulnerability allowing users to bypass payment authorization by disabling Bluetooth at a specific point during a transaction. This could result in unauthorized use of laundry services and potential financial loss. | ||||
| CVE-2024-20299 | 1 Cisco | 3 Adaptive Security Appliance Software, Firepower Threat Defense, Firepower Threat Defense Software | 2025-08-01 | 5.8 Medium |
| A vulnerability in the AnyConnect firewall for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should have been denied to flow through an affected device. This vulnerability is due to a logic error in populating group ACLs when an AnyConnect client establishes a new session toward an affected device. An attacker could exploit this vulnerability by establishing an AnyConnect connection to the affected device. A successful exploit could allow the attacker to bypass configured ACL rules. | ||||
| CVE-2024-20297 | 1 Cisco | 3 Adaptive Security Appliance Software, Firepower Threat Defense, Firepower Threat Defense Software | 2025-08-01 | 5.8 Medium |
| A vulnerability in the AnyConnect firewall for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should have been denied to flow through an affected device. This vulnerability is due to a logic error in populating group ACLs when an AnyConnect client establishes a new session toward an affected device. An attacker could exploit this vulnerability by establishing an AnyConnect connection to the affected device. A successful exploit could allow the attacker to bypass configured ACL rules. | ||||
| CVE-2024-20384 | 1 Cisco | 4 Adaptive Security Appliance, Adaptive Security Appliance Software, Firepower Threat Defense and 1 more | 2025-08-01 | 5.8 Medium |
| A vulnerability in the Network Service Group (NSG) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should be denied to flow through an affected device. This vulnerability is due to a logic error that occurs when NSG ACLs are populated on an affected device. An attacker could exploit this vulnerability by establishing a connection to the affected device. A successful exploit could allow the attacker to bypass configured ACL rules. | ||||
| CVE-2025-43245 | 1 Apple | 4 Macos, Macos Sequoia, Macos Sonoma and 1 more | 2025-07-31 | 9.8 Critical |
| A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to access protected user data. | ||||
| CVE-2025-54576 | 1 Oauth2 Proxy Project | 1 Oauth2 Proxy | 2025-07-31 | 9.1 Critical |
| OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions 7.10.0 and below, oauth2-proxy deployments are vulnerable when using the skip_auth_routes configuration option with regex patterns. Attackers can bypass authentication by crafting URLs with query parameters that satisfy configured regex patterns, allowing unauthorized access to protected resources. The issue stems from skip_auth_routes matching against the full request URI. Deployments using skip_auth_routes with regex patterns containing wildcards or broad matching patterns are most at risk. This issue is fixed in version 7.11.0. Workarounds include: auditing all skip_auth_routes configurations for overly permissive patterns, replacing wildcard patterns with exact path matches where possible, ensuring regex patterns are properly anchored (starting with ^ and ending with $), or implementing custom validation that strips query parameters before regex matching. | ||||
| CVE-2022-23131 | 1 Zabbix | 1 Zabbix | 2025-07-30 | 9.1 Critical |
| In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default). | ||||
| CVE-2022-24112 | 1 Apache | 1 Apisix | 2025-07-30 | 9.8 Critical |
| An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. | ||||
| CVE-2024-4358 | 2 Progress Software, Telerik | 2 Telerik Report Server, Report Server 2024 | 2025-07-30 | 9.8 Critical |
| In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability. | ||||
| CVE-2024-54085 | 2 Ami, Netapp | 19 Megarac Sp-x, H300s, H300s Firmware and 16 more | 2025-07-30 | 9.8 Critical |
| AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability. | ||||
| CVE-2022-47648 | 1 Bosch | 2 B420, B420 Firmware | 2025-07-23 | 7.6 High |
| An Improper Access Control vulnerability allows an attacker to access the control panel of the B420 without requiring any sort of authorization or authentication due to the IP based authorization. If an authorized user has accessed a publicly available B420 product using valid credentials, an insider attacker can gain access to the same panel without requiring any sort of authorization. The B420 module was already obsolete at the time this vulnerability was found (The End of Life announcement was made in 2013). | ||||
| CVE-2022-44713 | 1 Microsoft | 2 Office, Office Long Term Servicing Channel | 2025-07-22 | 7.5 High |
| Microsoft Outlook for Mac Spoofing Vulnerability | ||||
| CVE-2024-30058 | 2025-07-16 | 5.4 Medium | ||
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | ||||