Low
CVSS: 3.7
The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value d…
Critical
CVSS: 9.8
An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an at…
High
CVSS: 8.1
Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the…
Medium
CVSS: 6.3
A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid…
Medium
CVSS: 6.9
A security flaw has been discovered in CRMEB up to 5.6.3. The affected element is the function appleLogin of the file crmeb/app/api/controller/v1/LoginController.php. Performing a manipulation of the argument openId results in improper auth…
High
CVSS: 8.7
Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers…
Critical
CVSS: 9.4
A vulnerability in the Provisioning Manager component of Mitel MiVoice MX-ONE 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14) could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication me…
Critical
CVSS: 9.8
A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account withou…
Critical
CVSS: 10.0
The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Success…
Medium
CVSS: 5.1
A Improper Authentication vulnerability in TLP allows local users to arbitrarily control the power
profile in use as well as the daemon’s log settings.This issue affects TLP: from 1.9 before 1.9.1.
High
CVSS: 8.7
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. This vulnerability is…
Medium
CVSS: 6.1
A path traversal vulnerability in NETGEAR WiFi range extenders allows
an attacker with LAN authentication to access the router's IP and
review the contents of the dynamically generated webproc file, which
records the username and passwor…
Medium
CVSS: 6.1
An insufficient authentication vulnerability in NETGEAR WiFi range
extenders allows a network adjacent attacker with WiFi authentication or
a physical Ethernet port connection to bypass the authentication
process and access the admin pan…
Medium
CVSS: 6.1
An authentication bypass vulnerability in NETGEAR Orbi devices allows
users connected to the local network to access the router web interface
as an admin.
High
CVSS: 8.6
An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a crafted HTTP request to various API endpoints.
High
CVSS: 8.7
Improper Authentication vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Authentication Bypass.This issue affects DX NetOps Spectrum: 24.3.10 and earlier.
Medium
CVSS: 5.3
A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local n…
High
CVSS: 8.1
Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6…
Critical
CVSS: 9.4
KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 allow authentication bypass during session validation. If any user is logged in, endpoints such as /cgi-bin/system-tool accept unauthenticated requests with empty or invalid session values. T…
Critical
CVSS: 9.4
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly vali…