High
CVSS: 7.2
The protocol used for remote linking over RF for End-of-Train and
Head-of-Train (also known as a FRED) relies on a BCH checksum for packet
creation. It is possible to create these EoT and HoT packets with a
software defined radio and iss…
High
CVSS: 7.0
Weak authentication in EOL ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future u…
Critical
CVSS: 9.8
Weak Authentication vulnerability in AresIT WP Compress wp-compress-image-optimizer allows Authentication Abuse.This issue affects WP Compress: from n/a through
High
CVSS: 7.6
A username and password are required to authenticate to the central
SinoTrack device management interface. The username for all devices is
an identifier printed on the receiver. The default password is
well-known and common to all device…
Medium
CVSS: 4.8
An improper authentication vulnerability [CWE-287] in Fortinet FortiClientEMS version 7.4.0 and before 7.2.4 allows an unauthenticated attacker with the knowledge of the targeted user's FCTUID and VDOM to perform operations such as uploadin…
Medium
CVSS: 4.6
An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass two-factor authentication requirements.
Medium
CVSS: 6.5
An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The app there makes it possible to inject any custom message (into existing v1 networks) with any GID and Callsign via a software defined radio. This can be e…
Unknown
CVSS: -
Weak Authentication vulnerability in Quentn.com GmbH Quentn WP quentn-wp allows Privilege Escalation.This issue affects Quentn WP: from n/a through
High
CVSS: 8.8
Weak authentication in Windows Active Directory Certificate Services allows an authorized attacker to elevate privileges over a network.
Medium
CVSS: 6.5
Weak authentication in Windows Hello allows an authorized attacker to bypass a security feature over a network.
Critical
CVSS: 9.3
A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial Edge Device Kit - arm64 V1.19 (All versions), Industrial Edge Device Kit - a…
Medium
CVSS: 6.2
Cryptographic issue occurs during PIN/password verification using Gatekeeper, where RPMB writes can be dropped on verification failure, potentially leading to a user throttling bypass.
Low
CVSS: 2.2
Yubico YubiKey 5.4.1 through 5.7.3 before 5.7.4 has an incorrect FIDO CTAP PIN/UV Auth Protocol Two implementation. It uses the signature length from CTAP PIN/UV Auth Protocol One, even when CTAP PIN/UV Auth Protocol Two was chosen, resulti…
High
CVSS: 8.8
Weak Authentication vulnerability in Drupal Email TFA allows Brute Force.This issue affects Email TFA: from 0.0.0 before 2.0.3.
High
CVSS: 8.2
This vulnerability exists in the CAP back office application due to improper authentication check at the API endpoint. An unauthenticated remote attacker with a valid login ID could exploit this vulnerability by manipulating API input param…
High
CVSS: 7.0
Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a network.
High
CVSS: 8.2
Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.
High
CVSS: 8.2
Dell Client Platform BIOS contains a Weak Authentication vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.
Critical
CVSS: 9.8
Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the system as any user.
High
CVSS: 8.1
A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests.