Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2012-10001

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-06 Jan, 2021 | 14:40
Updated At-06 Aug, 2024 | 21:36
Rejected At-
Credits

The Limit Login Attempts plugin before 1.7.1 for WordPress does not clear auth cookies upon a lockout, which might make it easier for remote attackers to conduct brute-force authentication attempts.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:06 Jan, 2021 | 14:40
Updated At:06 Aug, 2024 | 21:36
Rejected At:
▼CVE Numbering Authority (CNA)

The Limit Login Attempts plugin before 1.7.1 for WordPress does not clear auth cookies upon a lockout, which might make it easier for remote attackers to conduct brute-force authentication attempts.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://wordpress.org/plugins/limit-login-attempts/#developers
x_refsource_MISC
Hyperlink: https://wordpress.org/plugins/limit-login-attempts/#developers
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://wordpress.org/plugins/limit-login-attempts/#developers
x_refsource_MISC
x_transferred
Hyperlink: https://wordpress.org/plugins/limit-login-attempts/#developers
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:06 Jan, 2021 | 15:15
Updated At:08 Jan, 2021 | 20:19

The Limit Login Attempts plugin before 1.7.1 for WordPress does not clear auth cookies upon a lockout, which might make it easier for remote attackers to conduct brute-force authentication attempts.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
CPE Matches

limit_login_attempts_project
limit_login_attempts_project
>>limit_login_attempts>>Versions before 1.7.1(exclusive)
cpe:2.3:a:limit_login_attempts_project:limit_login_attempts:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-287Primarynvd@nist.gov
CWE ID: CWE-287
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://wordpress.org/plugins/limit-login-attempts/#developerscve@mitre.org
Release Notes
Third Party Advisory
Hyperlink: https://wordpress.org/plugins/limit-login-attempts/#developers
Source: cve@mitre.org
Resource:
Release Notes
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1029Records found

CVE-2022-0787
Matching Score-8
Assigner-WPScan
ShareView Details
Matching Score-8
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-8.85% / 94.57%
||
7 Day CHG~0.00%
Published-28 Mar, 2022 | 17:23
Updated-02 Aug, 2024 | 23:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Limit Login Attempts (Spam Protection) < 5.1 - Unauthenticated SQLi

The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated users), leading to SQL Injections

Action-Not Available
Vendor-limit_login_attempts_projectUnknown
Product-limit_login_attemptsLimit Login Attempts (Spam Protection)
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-8737
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.40% / 32.23%
||
7 Day CHG~0.00%
Published-17 May, 2026 | 06:45
Updated-18 May, 2026 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sanluan PublicCMS Trade Address Query TradeAddressListDirective.java execute missing authentication

A weakness has been identified in Sanluan PublicCMS 5.202506.d. This issue affects the function execute of the file publiccms-trade/src/main/java/com/publiccms/views/directive/trade/TradeAddressListDirective.java of the component Trade Address Query Handler. Executing a manipulation of the argument userId/id can lead to missing authentication. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Sanluan
Product-PublicCMS
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2023-1460
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.5||MEDIUM
EPSS-0.97% / 57.60%
||
7 Day CHG~0.00%
Published-17 Mar, 2023 | 07:51
Updated-02 Aug, 2024 | 05:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Online Pizza Ordering System Password Change improper authentication

A vulnerability was found in SourceCodester Online Pizza Ordering System 1.0. It has been classified as critical. This affects an unknown part of the file admin/ajax.php?action=save_user of the component Password Change Handler. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The identifier VDB-223305 was assigned to this vulnerability.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-online_pizza_ordering_systemOnline Pizza Ordering System
CWE ID-CWE-287
Improper Authentication
CVE-2014-2128
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5||MEDIUM
EPSS-1.91% / 77.24%
||
7 Day CHG~0.00%
Published-10 Apr, 2014 | 01:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47, 8.3 before 8.3(2.40), 8.4 before 8.4(7.3), 8.6 before 8.6(1.13), 9.0 before 9.0(3.8), and 9.1 before 9.1(3.2) allows remote attackers to bypass authentication via (1) a crafted cookie value within modified HTTP POST data or (2) a crafted URL, aka Bug ID CSCua85555.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-adaptive_security_appliance_softwaren/a
CWE ID-CWE-287
Improper Authentication
CVE-2025-68926
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-29.03% / 97.92%
||
7 Day CHG~0.00%
Published-30 Dec, 2025 | 16:59
Updated-16 Jan, 2026 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RustFS has a gRPC Hardcoded Token Authentication Bypass

RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.78 contains a fix for the issue.

Action-Not Available
Vendor-rustfsrustfs
Product-rustfsrustfs
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2020-35219
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.67% / 73.88%
||
7 Day CHG~0.00%
Published-04 Jan, 2021 | 17:50
Updated-04 Aug, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ASUS DSL-N17U modem with firmware 1.1.0.2 allows attackers to access the admin interface by changing the admin password without authentication via a POST request to Advanced_System_Content.asp with the uiViewTools_username=admin&uiViewTools_Password= and uiViewTools_PasswordConfirm= substrings.

Action-Not Available
Vendor-n/aASUS (ASUSTeK Computer Inc.)
Product-dsl-n17u_firmwaredsl-n17un/a
CWE ID-CWE-287
Improper Authentication
CVE-2014-0733
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5||MEDIUM
EPSS-1.80% / 75.76%
||
7 Day CHG~0.00%
Published-20 Feb, 2014 | 11:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Enterprise License Manager (ELM) component in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier does not properly enforce authentication requirements, which allows remote attackers to read ELM files via a direct request to a URL, aka Bug ID CSCum46494.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-unified_communications_managern/a
CWE ID-CWE-287
Improper Authentication
CVE-2025-2344
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.47% / 37.34%
||
7 Day CHG~0.00%
Published-16 Mar, 2025 | 18:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IROAD Dash Cam X5/Dash Cam X6 API Endpoint missing authentication

A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-IROAD
Product-Dash Cam X5Dash Cam X6
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-2339
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.84% / 53.35%
||
7 Day CHG~0.00%
Published-16 Mar, 2025 | 13:00
Updated-26 Aug, 2025 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
otale Tale Blog logs improper authentication

A vulnerability was found in otale Tale Blog 2.0.5. It has been classified as problematic. This affects an unknown part of the file /%61dmin/api/logs. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.

Action-Not Available
Vendor-otaleotale
Product-tale_blogTale Blog
CWE ID-CWE-287
Improper Authentication
CVE-2014-0732
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5||MEDIUM
EPSS-1.80% / 75.89%
||
7 Day CHG~0.00%
Published-20 Feb, 2014 | 02:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Real Time Monitoring Tool (RTMT) web application in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier does not properly enforce authentication requirements, which allows remote attackers to read application files via a direct request to a URL, aka Bug ID CSCum46495.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-unified_communications_managern/a
CWE ID-CWE-287
Improper Authentication
CVE-2014-0357
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-5||MEDIUM
EPSS-1.83% / 76.29%
||
7 Day CHG~0.00%
Published-15 Apr, 2014 | 10:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Amtelco miSecureMessages allows remote attackers to read the messages of arbitrary users via an XML request containing a valid license key and a modified contactID value, as demonstrated by a request from the iOS or Android application.

Action-Not Available
Vendor-amtelcon/a
Product-misecuremessagesn/a
CWE ID-CWE-287
Improper Authentication
CVE-2026-7722
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.45% / 36.21%
||
7 Day CHG~0.00%
Published-04 May, 2026 | 02:15
Updated-04 May, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PrefectHQ prefect Health Check API health endswith improper authentication

A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit is now public and may be used. Upgrading to version 3.6.22 will fix this issue. The patch is named e21617125335025b4b27e7d6f0ca028e8e8f3b79. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Action-Not Available
Vendor-PrefectHQ
Product-prefect
CWE ID-CWE-287
Improper Authentication
CVE-2020-27780
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.96% / 77.89%
||
7 Day CHG~0.00%
Published-17 Dec, 2020 | 23:55
Updated-04 Aug, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in Linux-Pam in versions prior to 1.5.1 in the way it handle empty passwords for non-existing users. When the user doesn't exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate.

Action-Not Available
Vendor-linux-pamn/a
Product-linux-pampam
CWE ID-CWE-287
Improper Authentication
CVE-2014-0725
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5||MEDIUM
EPSS-1.28% / 66.45%
||
7 Day CHG~0.00%
Published-13 Feb, 2014 | 02:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cisco Unified Communications Manager (UCM) does not require authentication for reading WAR files, which allows remote attackers to obtain sensitive information via unspecified access to a "file storage location," aka Bug ID CSCum05337.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-unified_communications_managern/a
CWE ID-CWE-287
Improper Authentication
CVE-2020-28970
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.90% / 88.99%
||
7 Day CHG~0.00%
Published-01 Dec, 2020 | 15:32
Updated-04 Aug, 2024 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Western Digital My Cloud OS 5 devices before 5.06.115. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to execute privileged commands on the device via a cookie. (In addition, an upload endpoint could then be used by an authenticated administrator to upload executable PHP scripts.)

Action-Not Available
Vendor-n/aWestern Digital Corp.
Product-my_cloud_os_5my_cloud_ex4100my_cloud_pr2100my_cloud_ex2_ultramy_cloud_mirror_gen_2my_cloud_pr4100n/a
CWE ID-CWE-287
Improper Authentication
CVE-2026-8031
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.39% / 31.44%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 18:00
Updated-07 May, 2026 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PicoTronica e-Clinic Healthcare System ECHS API Endpoint patient-records missing authentication

A vulnerability was detected in PicoTronica e-Clinic Healthcare System ECHS 5.7. The affected element is an unknown function of the file /cdemos/echs/api/v2/patient-records of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 5.7.1 is sufficient to fix this issue. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Action-Not Available
Vendor-PicoTronica
Product-e-Clinic Healthcare System ECHS
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2013-6470
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5||MEDIUM
EPSS-1.88% / 76.86%
||
7 Day CHG~0.00%
Published-02 Jun, 2014 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The default configuration in the standalone controller quickstack manifest in openstack-foreman-installer, as used in Red Hat Enterprise Linux OpenStack Platform 4.0, disables authentication for Qpid, which allows remote attackers to gain access by connecting to Qpid.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-openstackn/a
CWE ID-CWE-287
Improper Authentication
CVE-2026-8214
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.40% / 32.23%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 00:15
Updated-11 May, 2026 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Industrial Application Software IAS Canias ERP RMI doAction improper authentication

A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. This affects the function doAction of the component RMI Interface. The manipulation of the argument sessionId results in improper authentication. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Industrial Application Software IAS
Product-Canias ERP
CWE ID-CWE-287
Improper Authentication
CVE-2026-8244
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.40% / 32.23%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 09:15
Updated-18 May, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Industrial Application Software IAS Canias ERP Login RMI improper authentication

A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This impacts an unknown function of the component Login RMI Interface. The manipulation of the argument clientVersion leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Industrial Application Software IAS
Product-Canias ERP
CWE ID-CWE-287
Improper Authentication
CVE-2026-8305
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.64% / 46.02%
||
7 Day CHG~0.00%
Published-11 May, 2026 | 16:30
Updated-16 May, 2026 | 03:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw bluebubbles Webhook monitor.ts handleBlueBubblesWebhookRequest improper authentication

A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading to version 2026.2.12 is sufficient to resolve this issue. The patch is named a6653be0265f1f02b9de46c06f52ea7c81a836e6. The affected component should be upgraded.

Action-Not Available
Vendor-n/aOpenClaw
Product-openclawOpenClaw
CWE ID-CWE-287
Improper Authentication
CVE-2020-26542
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.52% / 71.51%
||
7 Day CHG~0.00%
Published-09 Nov, 2020 | 19:07
Updated-04 Aug, 2024 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the MongoDB Simple LDAP plugin through 2020-10-02 for Percona Server when using the SimpleLDAP authentication in conjunction with Microsoft’s Active Directory, Percona has discovered a flaw that would allow authentication to complete when passing a blank value for the account password, leading to access against the service integrated with which Active Directory is deployed at the level granted to the authenticating account.

Action-Not Available
Vendor-perconan/a
Product-percona_servern/a
CWE ID-CWE-287
Improper Authentication
CVE-2026-8181
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-14.61% / 96.23%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 05:30
Updated-14 May, 2026 | 14:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover

The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password achieving privilege escalation.

Action-Not Available
Vendor-burstbv
Product-Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative)
CWE ID-CWE-287
Improper Authentication
CVE-2017-20237
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.3||CRITICAL
EPSS-0.96% / 57.26%
||
7 Day CHG~0.00%
Published-03 Apr, 2026 | 21:05
Updated-14 May, 2026 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hirschmann Industrial HiVision Authentication Bypass Remote Code Execution

Hirschmann Industrial HiVision versions prior to 06.0.07 and 07.0.03 contains an authentication bypass vulnerability in the master service that allows unauthenticated remote attackers to execute arbitrary commands with administrative privileges. Attackers can invoke exposed interface methods over the remote service to bypass authentication and achieve remote code execution on the underlying operating system.

Action-Not Available
Vendor-Belden
Product-Hirschmann Industrial HiVision
CWE ID-CWE-287
Improper Authentication
CVE-2013-5122
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.75% / 88.54%
||
7 Day CHG~0.00%
Published-07 Jan, 2020 | 13:29
Updated-06 Aug, 2024 | 17:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cisco Linksys Routers EA2700, EA3500, E4200, EA4500: A bug can cause an unsafe TCP port to open which leads to unauthenticated access

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-linksys_e4200_firmwarelinksys_ea4500_firmwarelinksys_ea4500linksys_e4200linksys_ea3500_firmwarelinksys_ea2700linksys_ea3500linksys_ea2700_firmwaren/a
CWE ID-CWE-287
Improper Authentication
CVE-2026-7664
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.28% / 19.49%
||
7 Day CHG~0.00%
Published-22 Jun, 2026 | 14:10
Updated-26 Jun, 2026 | 21:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Flow Execution via Webhook Endpoint in Langflow OSS

IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflowLangflow OSS
CWE ID-CWE-287
Improper Authentication
CVE-2020-25848
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-1.65% / 73.69%
||
7 Day CHG~0.00%
Published-31 Dec, 2020 | 07:45
Updated-17 Sep, 2024 | 00:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HGiga MailSherlock - Broken Authentication

HGiga MailSherlock contains weak authentication flaw that attackers grant privilege remotely with default password generation mechanism.

Action-Not Available
Vendor-hgigaHGiga
Product-msr45_isherlock-useradminmsr45_isherlock-antispammsr45_isherlock-userssr45_isherlock-userssr45_isherlock-antispamssr45_isherlock-useradminmsr45_isherlock-auditssr45_isherlock-auditmsr45_isherlock-basessr45_isherlock-baseMailSherlock MSR45/SSR45
CWE ID-CWE-287
Improper Authentication
CVE-2020-24029
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.97% / 78.04%
||
7 Day CHG~0.00%
Published-02 Sep, 2020 | 16:09
Updated-14 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Because of unauthenticated password changes in ForLogic Qualiex v1 and v3, customer and admin permissions and data can be accessed via a simple request. NOTE: as of 2025-10-14, the Supplier's perspective is that this is "corrected in all maintained versions. Password reset requests are validated against registered user emails and require a valid, short-lived token."

Action-Not Available
Vendor-forlogicn/a
Product-qualiexn/a
CWE ID-CWE-287
Improper Authentication
CVE-2022-43549
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-0.72% / 49.36%
||
7 Day CHG~0.00%
Published-05 Dec, 2022 | 00:00
Updated-24 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper authentication in Veeam Backup for Google Cloud v1.0 and v3.0 allows attackers to bypass authentication mechanisms.

Action-Not Available
Vendor-n/aVeeam Software Group GmbH
Product-veeam_backup_for_google_cloudVeeam Backup for Google Cloud
CWE ID-CWE-287
Improper Authentication
CVE-2013-4621
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.76% / 75.28%
||
7 Day CHG~0.00%
Published-27 Dec, 2019 | 16:21
Updated-06 Aug, 2024 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Magnolia CMS before 4.5.9 has multiple access bypass vulnerabilities

Action-Not Available
Vendor-magdevgroupn/a
Product-magnolia_cmsn/a
CWE ID-CWE-287
Improper Authentication
CVE-2026-45434
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-22.88% / 97.46%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 09:40
Updated-20 May, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache OFBiz: Authentication Bypass via Password-Change Logic Flaw Leading to RCE

Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-ofbizApache OFBiz
CWE ID-CWE-287
Improper Authentication
CVE-2013-2954
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5||MEDIUM
EPSS-1.26% / 66.12%
||
7 Day CHG~0.00%
Published-27 May, 2013 | 14:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The login page in the Console in IBM InfoSphere Optim Data Growth for Oracle E-Business Suite 6.x, 7.x, and 9.x before 9.1.0.3 does not limit the number of incorrect authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack.

Action-Not Available
Vendor-n/aIBM Corporation
Product-infosphere_optim_data_growth_for_oracle_e-business_suiten/a
CWE ID-CWE-287
Improper Authentication
CVE-2020-22176
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.09% / 79.35%
||
7 Day CHG~0.00%
Published-22 Jun, 2021 | 14:19
Updated-04 Aug, 2024 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHPGurukul Hospital Management System in PHP v4.0 has a sensitive information disclosure vulnerability in multiple areas. Remote unauthenticated users can exploit the vulnerability to obtain user sensitive information.

Action-Not Available
Vendor-n/aPHPGurukul LLP
Product-hospital_management_systemn/a
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-287
Improper Authentication
CVE-2026-6274
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-9.8||CRITICAL
EPSS-0.46% / 36.66%
||
7 Day CHG~0.00%
Published-05 Jun, 2026 | 09:01
Updated-08 Jun, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication Bypass in DTS Electronics' Redline WR3200

Improper Authentication, Missing authentication for critical function, Weak Authentication vulnerability in DTS Electronics Industry and Trade Ltd. Co. Redline WR3200 allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Redline WR3200: from 7.1.3 before 7.1.8.

Action-Not Available
Vendor-DTS Electronics Industry and Trade Ltd. Co.
Product-Redline WR3200
CWE ID-CWE-1390
Weak Authentication
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2013-3088
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.85% / 76.58%
||
7 Day CHG~0.00%
Published-26 Dec, 2019 | 22:46
Updated-06 Aug, 2024 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Belkin N900 router (F9K1104v1) contains an Authentication Bypass using "Javascript debugging".

Action-Not Available
Vendor-n/aBelkin International, Inc.
Product-n900_firmwaren900n/a
CWE ID-CWE-287
Improper Authentication
CVE-2013-3316
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.77% / 90.82%
||
7 Day CHG~0.00%
Published-29 Jan, 2020 | 21:15
Updated-06 Aug, 2024 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear WNR1000v3 with firmware before 1.0.2.60 contains an Authentication Bypass due to the server skipping checks for URLs containing a ".jpg".

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-wnr1000_firmwarewnr1000n/a
CWE ID-CWE-287
Improper Authentication
CVE-2025-11529
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.56% / 42.59%
||
7 Day CHG~0.00%
Published-09 Oct, 2025 | 03:02
Updated-24 Feb, 2026 | 07:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ChurchCRM API Endpoint AuthMiddleware.php AuthMiddleware missing authentication

A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 3a1cffd2aea63d884025949cfbcfd274d06216a4. A patch should be applied to remediate this issue.

Action-Not Available
Vendor-churchcrmn/a
Product-churchcrmChurchCRM
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2013-3367
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.70% / 84.10%
||
7 Day CHG~0.00%
Published-13 Nov, 2019 | 20:43
Updated-06 Aug, 2024 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Undocumented TELNET service in TRENDnet TEW-691GR and TEW-692GR when a web page named backdoor contains an HTML parameter of password and a value of j78G¬DFdg_24Mhw3.

Action-Not Available
Vendor-n/aTRENDnet, Inc.
Product-tew-691grtew-691gr_firmwaretew-692grtew-692gr_firmwaren/a
CWE ID-CWE-287
Improper Authentication
CVE-2013-3215
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-68.85% / 99.26%
||
7 Day CHG~0.00%
Published-29 Jan, 2020 | 17:21
Updated-06 Aug, 2024 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerability due to improper authentication validation in the validateSession function.

Action-Not Available
Vendor-vtigern/a
Product-vtiger_crmn/a
CWE ID-CWE-287
Improper Authentication
CVE-2013-3072
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.11% / 79.56%
||
7 Day CHG~0.00%
Published-14 Nov, 2019 | 18:11
Updated-06 Aug, 2024 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Authentication Bypass vulnerability exists in NETGEAR Centria WNDR4700 Firmware 1.0.0.34 in http://<router_ip>/apply.cgi?/hdd_usr_setup.htm that when visited by any user, authenticated or not, causes the router to no longer require a password to access the web administration portal.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-wndr4700_firmwarewndr4700n/a
CWE ID-CWE-287
Improper Authentication
CVE-2026-5722
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.46% / 36.53%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 01:24
Updated-05 May, 2026 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MoreConvert Pro <= 1.9.14 - Authentication Bypass via Waitlist Guest Verification Token Reuse

The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing the same guest customer email to the target account email through the public waitlist flow, and then using the original verification link.

Action-Not Available
Vendor-MoreConvert
Product-MoreConvert Pro
CWE ID-CWE-287
Improper Authentication
CVE-2013-1600
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-18.50% / 96.89%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 20:19
Updated-06 Aug, 2024 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Authentication Bypass vulnerability exists in upnp/asf-mp4.asf when streaming live video in D-Link TESCO DCS-2121 1.05_TESCO, TESCO DCS-2102 1.05_TESCO, DCS-2121 1.06_FR, 1.06, and 1.05_RU, DCS-2102 1.06_FR. 1.06, and 1.05_RU, which could let a malicious user obtain sensitive information.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dcs-2121_firmwaredcs-2102_firmwaredcs-2121dcs-2102n/a
CWE ID-CWE-287
Improper Authentication
CVE-2020-19111
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.89% / 77.07%
||
7 Day CHG~0.00%
Published-05 May, 2021 | 21:38
Updated-04 Aug, 2024 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect Access Control vulnerability in Online Book Store v1.0 via admin_verify.php, which could let a remote mailicious user bypass authentication and obtain sensitive information.

Action-Not Available
Vendor-n/aProjectworlds
Product-online_book_store_project_in_phpn/a
CWE ID-CWE-287
Improper Authentication
CVE-2019-1666
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-2.21% / 80.41%
||
7 Day CHG~0.00%
Published-21 Feb, 2019 | 19:00
Updated-19 Nov, 2024 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco HyperFlex Unauthenticated Statistics Retrieval Vulnerability

A vulnerability in the Graphite service of Cisco HyperFlex software could allow an unauthenticated, remote attacker to retrieve data from the Graphite service. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by sending crafted requests to the Graphite service. A successful exploit could allow the attacker to retrieve any statistics from the Graphite service. Versions prior to 3.5(2a) are affected.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-hyperflex_hx_data_platformCisco HyperFlex HX-Series
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-287
Improper Authentication
CVE-2025-15069
Matching Score-4
Assigner-Financial Security Institute (FSI)
ShareView Details
Matching Score-4
Assigner-Financial Security Institute (FSI)
CVSS Score-8.4||HIGH
EPSS-0.29% / 21.14%
||
7 Day CHG~0.00%
Published-29 Dec, 2025 | 05:05
Updated-13 Jan, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Privilege Escalation in Gmission Web FAX

Improper Authentication vulnerability in Gmission Web Fax allows Privilege Escalation.This issue affects Web Fax: from 3.0 before 3.0.1

Action-Not Available
Vendor-gmissionGmission
Product-web_faxWeb Fax
CWE ID-CWE-287
Improper Authentication
CVE-2025-15458
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.51% / 39.82%
||
7 Day CHG~0.00%
Published-05 Jan, 2026 | 05:02
Updated-23 Feb, 2026 | 08:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
bg5sbk MiniCMS Article post-edit.php improper authentication

A vulnerability was determined in bg5sbk MiniCMS up to 1.8. This affects an unknown function of the file /mc-admin/post-edit.php of the component Article Handler. Executing a manipulation can lead to improper authentication. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-1234nbg5sbk
Product-minicmsMiniCMS
CWE ID-CWE-287
Improper Authentication
CVE-2013-10004
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.5||MEDIUM
EPSS-0.92% / 55.82%
||
7 Day CHG~0.00%
Published-24 May, 2022 | 15:30
Updated-15 Apr, 2025 | 14:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Telecommunication Software SAMwin Contact Center Suite Password SAMwinLIBVB.dll passwordScramble improper authentication

A vulnerability classified as critical was found in Telecommunication Software SAMwin Contact Center Suite 5.1. This vulnerability affects the function passwordScramble in the library SAMwinLIBVB.dll of the component Password Handler. Incorrect implementation of a hashing function leads to predictable authentication possibilities. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component.

Action-Not Available
Vendor-telecomsoftwareTelecommunication Software
Product-samwin_agentsamwin_contact_centerSAMwin Contact Center Suite
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2022-42233
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-42.70% / 98.55%
||
7 Day CHG~0.00%
Published-20 Oct, 2022 | 00:00
Updated-08 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda 11N with firmware version V5.07.33_cn suffers from an Authentication Bypass vulnerability.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-11n11n_firmwaren/a
CWE ID-CWE-287
Improper Authentication
CVE-2022-41648
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.2||CRITICAL
EPSS-0.70% / 48.74%
||
7 Day CHG~0.00%
Published-28 Oct, 2022 | 17:09
Updated-13 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The HEIDENHAIN Controller TNC 640 NC software Version 340590 07 SP5, is vulnerable to improper authentication in its DNC communication for CNC machines. Authentication is not enabled by default for DNC communication. This vulnerability may allow an attacker to deny service on the production line, steal sensitive data from the production line, and alter any products created by the production line. Note: CNC machines running the TNC 640 controller require DNC to be enabled for DNC communication to be present.

Action-Not Available
Vendor-heidenhainHEIDENHAIN
Product-tnc_640herostnc_640_programming_stationHEIDENHAIN Controller TNC 640 NC Software
CWE ID-CWE-1188
Initialization of a Resource with an Insecure Default
CWE ID-CWE-287
Improper Authentication
CVE-2025-15099
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.73% / 49.56%
||
7 Day CHG~0.00%
Published-26 Dec, 2025 | 04:02
Updated-08 Jan, 2026 | 22:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
simstudioai sim CRON Secret internal.ts improper authentication

A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue.

Action-Not Available
Vendor-simsimstudioai
Product-simsim
CWE ID-CWE-287
Improper Authentication
CVE-2020-16169
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.44% / 82.29%
||
7 Day CHG~0.00%
Published-07 Aug, 2020 | 19:22
Updated-04 Aug, 2024 | 13:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Authentication Bypass Using an Alternate Path or Channel in temi Robox OS prior to120, temi Android app up to 1.3.7931 allows remote attackers to gain elevated privileges on the temi and have it automatically answer the attacker's calls, granting audio, video, and motor control via unspecified vectors.

Action-Not Available
Vendor-robotemin/a
Product-robox_osn/a
CWE ID-CWE-287
Improper Authentication
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 20
  • 21
  • Next
Details not found