Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-20833

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-04 Jun, 2020 | 16:49
Updated At-05 Aug, 2024 | 02:53
Rejected At-
Credits

An issue was discovered in Foxit PhantomPDF before 8.3.10. It has mishandling of cloud credentials, as demonstrated by Google Drive.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:04 Jun, 2020 | 16:49
Updated At:05 Aug, 2024 | 02:53
Rejected At:
▼CVE Numbering Authority (CNA)

An issue was discovered in Foxit PhantomPDF before 8.3.10. It has mishandling of cloud credentials, as demonstrated by Google Drive.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.foxitsoftware.com/support/security-bulletins.php
x_refsource_CONFIRM
Hyperlink: https://www.foxitsoftware.com/support/security-bulletins.php
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.foxitsoftware.com/support/security-bulletins.php
x_refsource_CONFIRM
x_transferred
Hyperlink: https://www.foxitsoftware.com/support/security-bulletins.php
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:04 Jun, 2020 | 17:15
Updated At:21 Jul, 2021 | 11:39

An issue was discovered in Foxit PhantomPDF before 8.3.10. It has mishandling of cloud credentials, as demonstrated by Google Drive.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
CPE Matches

Foxit Software Incorporated
foxitsoftware
>>phantompdf>>Versions before 8.3.10(exclusive)
cpe:2.3:a:foxitsoftware:phantompdf:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-287Primarynvd@nist.gov
CWE ID: CWE-287
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://www.foxitsoftware.com/support/security-bulletins.phpcve@mitre.org
Vendor Advisory
Hyperlink: https://www.foxitsoftware.com/support/security-bulletins.php
Source: cve@mitre.org
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

401Records found

CVE-2015-4453
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-2.87% / 85.11%
||
7 Day CHG~0.00%
Published-05 Jul, 2015 | 01:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

interface/globals.php in OpenEMR 2.x, 3.x, and 4.x before 4.2.0 patch 2 allows remote attackers to bypass authentication and obtain sensitive information via an ignoreAuth=1 value to certain scripts, as demonstrated by (1) interface/fax/fax_dispatch_newpid.php and (2) interface/billing/sl_eob_search.php.

Action-Not Available
Vendor-n/aOpenEMR Foundation, Inc
Product-openemrn/a
CWE ID-CWE-287
Improper Authentication
CVE-2025-30214
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8||HIGH
EPSS-0.40% / 31.76%
||
7 Day CHG+0.02%
Published-25 Mar, 2025 | 15:05
Updated-01 Aug, 2025 | 15:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frappe vulnerable to information disclosure leading to account takeover

Frappe is a full-stack web application framework. Prior to versions 14.89.0 and 15.51.0, making crafted requests could lead to information disclosure that could further lead to account takeover. Versions 14.89.0 and 15.51.0 fix the issue. There's no workaround to fix this without upgrading.

Action-Not Available
Vendor-frappefrappe
Product-frappefrappe
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-287
Improper Authentication
CVE-2020-26101
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.42% / 69.55%
||
7 Day CHG~0.00%
Published-25 Sep, 2020 | 05:43
Updated-04 Aug, 2024 | 15:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In cPanel before 88.0.3, insecure RNDC credentials are used for BIND on a templated VM (SEC-549).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-287
Improper Authentication
CVE-2025-30116
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.51% / 39.62%
||
7 Day CHG~0.00%
Published-18 Mar, 2025 | 00:00
Updated-22 May, 2025 | 19:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Remotely Dumping of Video Footage and the Live Video Stream can occur. It allows remote attackers to access and download recorded video footage from the SD card via port 9091. Additionally, attackers can connect to port 9092 to stream the live video feed by bypassing the challenge-response authentication mechanism. This exposes sensitive location and personal data.

Action-Not Available
Vendor-hellan/a
Product-dr_820dr_820_firmwaren/a
CWE ID-CWE-287
Improper Authentication
CVE-2019-1666
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-2.21% / 80.40%
||
7 Day CHG~0.00%
Published-21 Feb, 2019 | 19:00
Updated-19 Nov, 2024 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco HyperFlex Unauthenticated Statistics Retrieval Vulnerability

A vulnerability in the Graphite service of Cisco HyperFlex software could allow an unauthenticated, remote attacker to retrieve data from the Graphite service. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by sending crafted requests to the Graphite service. A successful exploit could allow the attacker to retrieve any statistics from the Graphite service. Versions prior to 3.5(2a) are affected.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-hyperflex_hx_data_platformCisco HyperFlex HX-Series
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-287
Improper Authentication
CVE-2026-4959
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.43% / 34.56%
||
7 Day CHG~0.00%
Published-27 Mar, 2026 | 15:31
Updated-29 Apr, 2026 | 16:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenBMB XAgent ShareServer WebSocket Endpoint share.py check_user missing authentication

A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the argument interaction_id results in missing authentication. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-openbmbOpenBMB
Product-xagentXAgent
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-25027
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.06% / 60.31%
||
7 Day CHG+0.01%
Published-12 Jan, 2023 | 00:00
Updated-08 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Forgotten Password functionality of Rocket TRUfusion Portal v7.9.2.1 allows remote attackers to bypass authentication and access restricted pages by validating the user's session token when the "Password forgotten?" button is clicked.

Action-Not Available
Vendor-rocketsoftwaren/a
Product-trufusion_enterprisen/a
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-640
Weak Password Recovery Mechanism for Forgotten Password
CVE-2019-15987
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-1.58% / 72.52%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 03:42
Updated-19 Nov, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco WebEx Centers Username Enumeration Information Disclosure Vulnerability

A vulnerability in web interface of the Cisco Webex Event Center, Cisco Webex Meeting Center, Cisco Webex Support Center, and Cisco Webex Training Center could allow an unauthenticated, remote attacker to guess account usernames. The vulnerability is due to missing CAPTCHA protection in certain URLs. An attacker could exploit this vulnerability by sending a crafted request to the web interface. A successful exploit could allow the attacker to know if a given username is valid and find the real name of the user.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-webex_meetings_onlinewebex_meeting_centerwebex_event_centerwebex_support_centerwebex_training_centerwebex_meetings_serverCisco WebEx Event Center
CWE ID-CWE-287
Improper Authentication
CVE-2025-27422
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.39% / 31.23%
||
7 Day CHG~0.00%
Published-03 Mar, 2025 | 16:25
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FACTION Allows Authentication Bypass via User Creation

FACTION is a PenTesting Report Generation and Collaboration Framework. Authentication is bypassed when an attacker registers a new user with admin privileges. This is possible at any time without any authorization. The request must follow the validation rules (no missing information, secure password, etc) but there are no other controls stopping them. This vulnerability is fixed in 1.4.3.

Action-Not Available
Vendor-factionsecurity
Product-faction
CWE ID-CWE-287
Improper Authentication
CVE-2022-23723
Matching Score-4
Assigner-Ping Identity Corporation
ShareView Details
Matching Score-4
Assigner-Ping Identity Corporation
CVSS Score-7.7||HIGH
EPSS-0.82% / 52.87%
||
7 Day CHG+0.02%
Published-02 May, 2022 | 22:05
Updated-03 Aug, 2024 | 03:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PingFederate PingOneMFA Integration Kit MFA Bypass

An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow.

Action-Not Available
Vendor-Ping Identity Corp.
Product-pingone_mfa_integration_kitPingFederate PingOne MFA Integration Kit
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-287
Improper Authentication
CVE-2022-23505
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.75% / 50.45%
||
7 Day CHG~0.00%
Published-13 Dec, 2022 | 07:04
Updated-23 Apr, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Passport-wsfed-saml2 vulnerable to Authentication Bypass for WSFed authentication

Passport-wsfed-saml2 is a ws-federation protocol and SAML2 tokens authentication provider for Passport. In versions prior to 4.6.3, a remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP signed assertion. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. This issue is patched in version 4.6.3. Use of SAML2 authentication instead of WSFed is a workaround.

Action-Not Available
Vendor-auth0auth0
Product-passport-wsfed-saml2passport-wsfed-saml2
CWE ID-CWE-287
Improper Authentication
CVE-2017-15531
Matching Score-4
Assigner-Symantec - A Division of Broadcom
ShareView Details
Matching Score-4
Assigner-Symantec - A Division of Broadcom
CVSS Score-9.8||CRITICAL
EPSS-2.41% / 82.09%
||
7 Day CHG~0.00%
Published-23 Jan, 2018 | 20:00
Updated-16 Sep, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Symantec Reporter 9.5 prior to 9.5.4.1 and 10.1 prior to 10.1.5.5 does not restrict excessive authentication attempts for management interface users. A remote attacker can use brute force search to guess a user password and gain access to Reporter.

Action-Not Available
Vendor-Symantec Corporation
Product-reporterReporter
CWE ID-CWE-287
Improper Authentication
CVE-2022-23317
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.06% / 60.38%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 12:53
Updated-03 Aug, 2024 | 03:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CobaltStrike <=4.5 HTTP(S) listener does not determine whether the request URL begins with "/", and attackers can obtain relevant information by specifying the URL.

Action-Not Available
Vendor-helpsystemsn/a
Product-cobalt_striken/a
CWE ID-CWE-287
Improper Authentication
CVE-2022-20733
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-1.04% / 59.96%
||
7 Day CHG+0.01%
Published-15 Jun, 2022 | 17:55
Updated-06 Nov, 2024 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Identity Services Engine Authentication Bypass Vulnerability

A vulnerability in the login page of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to log in without credentials and access all roles without any restrictions. This vulnerability is due to exposed sensitive Security Assertion Markup Language (SAML) metadata. An attacker could exploit this vulnerability by using the exposed SAML metadata to bypass authentication to the user portal. A successful exploit could allow the attacker to access all roles without any restrictions.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-identity_services_engineCisco Identity Services Engine Software
CWE ID-CWE-287
Improper Authentication
CVE-2026-44478
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.24% / 14.97%
||
7 Day CHG~0.00%
Published-13 May, 2026 | 21:47
Updated-15 May, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
hoppscotch: Unauthenticated Onboarding Config Disclosure via Empty Recovery Token

hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config still leaks all infrastructure secrets in plaintext to unauthenticated users when the ONBOARDING_RECOVERY_TOKEN stored in the database is an empty string. This vulnerability is fixed in 2026.4.0.

Action-Not Available
Vendor-hoppscotch
Product-hoppscotch
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-287
Improper Authentication
CVE-2025-2339
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.84% / 53.33%
||
7 Day CHG~0.00%
Published-16 Mar, 2025 | 13:00
Updated-26 Aug, 2025 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
otale Tale Blog logs improper authentication

A vulnerability was found in otale Tale Blog 2.0.5. It has been classified as problematic. This affects an unknown part of the file /%61dmin/api/logs. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.

Action-Not Available
Vendor-otaleotale
Product-tale_blogTale Blog
CWE ID-CWE-287
Improper Authentication
CVE-2023-39981
Matching Score-4
Assigner-Moxa Inc.
ShareView Details
Matching Score-4
Assigner-Moxa Inc.
CVSS Score-7.5||HIGH
EPSS-0.62% / 45.22%
||
7 Day CHG~0.00%
Published-02 Sep, 2023 | 12:25
Updated-28 Oct, 2024 | 06:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MXsecurity Device Information Disclosure

A vulnerability that allows for unauthorized access has been discovered in MXsecurity versions prior to v1.0.1. This vulnerability arises from inadequate authentication measures, potentially leading to the disclosure of device information by a remote attacker.

Action-Not Available
Vendor-Moxa Inc.
Product-mxsecurityMXsecurity Series
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-287
Improper Authentication
CVE-2017-1000030
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.70% / 74.40%
||
7 Day CHG~0.00%
Published-13 Jul, 2017 | 20:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to Java Key Store Password Disclosure vulnerability, that makes it possible to provide an unauthenticated attacker plain text password of administrative user and grant access to the web-based administration interface.

Action-Not Available
Vendor-n/aOracle Corporation
Product-glassfish_servern/a
CWE ID-CWE-287
Improper Authentication
CVE-2014-7860
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-9.58% / 94.88%
||
7 Day CHG~0.00%
Published-25 Aug, 2017 | 18:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The web/web_file/fb_publish.php script in D-Link DNS-320L before 1.04b12 and DNS-327L before 1.03b04 Build0119 does not authenticate requests, which allows remote attackers to obtain arbitrary photos and publish them to an arbitrary Facebook profile via a target album_id and access_token.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dns-327l_firmwaredns-320l_firmwaredns-327ldns-320ln/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-287
Improper Authentication
CVE-2021-46740
Matching Score-4
Assigner-Huawei Technologies
ShareView Details
Matching Score-4
Assigner-Huawei Technologies
CVSS Score-7.5||HIGH
EPSS-0.73% / 49.55%
||
7 Day CHG+0.02%
Published-11 Apr, 2022 | 19:38
Updated-04 Aug, 2024 | 05:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The device authentication service module has a defect vulnerability introduced in the design process.Successful exploitation of this vulnerability may affect data confidentiality.

Action-Not Available
Vendor-Huawei Technologies Co., Ltd.
Product-emuiharmonyosHarmonyOSEMUI
CWE ID-CWE-287
Improper Authentication
CVE-2016-8937
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.90% / 77.13%
||
7 Day CHG~0.00%
Published-05 Oct, 2017 | 17:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) default authentication protocol is vulnerable to a brute force attack due to disclosing too much information during authentication. An attacker could gain user or administrative access to the TSM server. IBM X-Force ID: 118750.

Action-Not Available
Vendor-IBM Corporation
Product-tivoli_storage_managerSpectrum Protect
CWE ID-CWE-287
Improper Authentication
CVE-2026-42855
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.35% / 27.07%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 21:56
Updated-15 May, 2026 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
arduino-esp32: Digest authentication URI mismatch bypass in WebServer allows cross-resource replay attack

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer Digest authentication implementation in arduino-esp32 computes the authentication hash using the URI field from the client's Authorization header, without verifying that it matches the actual requested URI. This allows an attacker who possesses any valid digest response (computed for URI-A) to authenticate requests to a completely different protected URI (URI-B), bypassing per-resource access control. This vulnerability is fixed in 3.3.8.

Action-Not Available
Vendor-espressifespressif
Product-arduino-esp32arduino-esp32
CWE ID-CWE-287
Improper Authentication
CVE-2026-8244
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.40% / 32.21%
||
7 Day CHG~0.00%
Published-10 May, 2026 | 09:15
Updated-18 May, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Industrial Application Software IAS Canias ERP Login RMI improper authentication

A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This impacts an unknown function of the component Login RMI Interface. The manipulation of the argument clientVersion leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Industrial Application Software IAS
Product-Canias ERP
CWE ID-CWE-287
Improper Authentication
CVE-2025-2344
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.47% / 37.32%
||
7 Day CHG~0.00%
Published-16 Mar, 2025 | 18:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IROAD Dash Cam X5/Dash Cam X6 API Endpoint missing authentication

A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-IROAD
Product-Dash Cam X5Dash Cam X6
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2016-8347
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-2.27% / 80.95%
||
7 Day CHG~0.00%
Published-13 Feb, 2017 | 21:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Kabona AB WebDatorCentral (WDC) application prior to Version 3.4.0. WDC does not limit authentication attempts that may allow a brute force attack method.

Action-Not Available
Vendor-kabona_abn/a
Product-webdatorcentralKabona AB WDC prior to Version 3.4.0
CWE ID-CWE-287
Improper Authentication
CVE-2026-4187
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.51% / 39.98%
||
7 Day CHG~0.00%
Published-15 Mar, 2026 | 19:02
Updated-22 Apr, 2026 | 21:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tiandy Easy7 Integrated Management Platform Device Identifier UpdateLocalDevInfo.jsp missing authentication

A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Impacted is an unknown function of the file /WebService/UpdateLocalDevInfo.jsp of the component Device Identifier Handler. Such manipulation of the argument username/password leads to missing authentication. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Tiandy
Product-Easy7 Integrated Management Platform
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-16649
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-10||CRITICAL
EPSS-0.92% / 55.88%
||
7 Day CHG~0.00%
Published-21 Sep, 2019 | 01:54
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.

Action-Not Available
Vendor-supermicron/a
Product-x10sra-fx10qrh\+x9drw-c\(t\)f31_firmwarex9srh-7\(t\)f_firmwareb10drt-ibf_firmwarex11sdd-18c-fa1sai-2550fx9drff-7\/i\(t\)g\+_firmwarex10drt-p_firmwarex10qblx11spw-ctfx10drt-hibfb2ss1-mtfx9srw-f_firmwarex10drh-i_firmwarex9da7\/e_firmwarex10sll\+-fx10dri-t_firmwarex10drt-pibq_firmwareb9drpx9drd-it\+_firmwareb2ss1-cf_firmwarem11sdv-8c-ln4f_firmwarex10sdv-4c\+-tln4f_firmwareb9drix11dpi-n_firmwarex10drt-px10drd-intp_firmwarex11opi-cpux9sci-ln4\(f\)_firmwarex11dpu-x_firmwarex11sca-wx10drsx10drg-ht_firmwarex10srg-fx10drg-h_firmwarex10drd-intx11qph\+_firmwareb10dri-nx10srh-cf_firmwarex10drw-i_firmwarex10srax10drt-pibf_firmwarex9drw-3ln4f\+\/3tf\+_firmwarex10drt-b\+_firmwarex10sra_firmwarex11sds-12cx10sae_firmwarex10qbl-ctx10qbl-4ct_firmwareb10drc_firmwarex11sse-fx11spm-fx10drh-it_firmwarex9drh-7\/i\(t\)f_firmwarex10qbl-ct_firmwarex10dsc\+x9dbl-3\/i\(f\)x11sph-nctfx9dr7\/e-ln4fx10sdv-7tp8fx9drff-7\/i\(t\)\+x9drl-3\/if_firmwarex9dr7\/e-tf\+b2ss2-mtfx11scm-ln8f_firmwarex11sse-f_firmwareb11dpe_firmwarex10drd-lx10sdv-f_firmwareb2ss2-h-mtfb11qpix10drff-ctgb10drg-ibf2_firmwarex10drd-l_firmwarex11ddw-nt_firmwarex11dpt-bhx10sdv-8c\+-ln2f_firmwarex11dsn-ts_firmwarem11sdv-8c\+-ln4fx11dpi-ntx11dpub1sd2-tf_firmwarex10drg-ot\+-cpu_firmwareb10drt-tp_firmwarex9drd-c\(n\)t\+_firmwareb9drtx10drt-pibqb9drg-ex10drc-t4\+_firmwarex11dpi-nt_firmwarex11ssw-4tf_firmwarex9drw-3\/ifx11sds-16c_firmwarex10drff-igx9scd_seriesx10sdv-tln4f_firmwarex9qr7-tf\+x11dpfr-sx9scl\+-fx10dri-t4\+_firmwarea1srm-2758f_firmwarex9drt-h_series_firmwarex10dru-xllx10srm-tfx10sle-dfb11spe-cpu-tf_firmwarex11ssl-nfa1srm-ln7f-2358x10drh-c_firmwarex11sph-nctf_firmwarex10drd-itx10sdv-fa1sai-2750f_firmwarex9scm\(-f\)_firmwarex10dru-xll_firmwarex11spi-tf_firmwarex9drt-hf\+x10drt-b\+x11dsn-tsqx10drw-ntx10sdv-8c-tln4f_firmwarex11dpt-psx11dpu-xll_firmwareb9drg-e_firmwarex11sch-ln4f_firmwarex9scl\(-f\)x11dph-i_firmwarex10srd-fa1srm-ln7f-2758b11spe-cpu-25g_firmwarex11ssmx11dgo-t_firmwarex11dpu-xa1srm-2758fx10drfr-ta1sri-2358f_firmwarex10drt-h_firmwarex10drc-ln4\+x9drg-qfx10slh-f_firmwarex10dsc\+_firmwarea1srm-ln7f-2358_firmwarex9sca\(-f\)x11sds-8c_firmwarex11dai-na1sai-2550f_firmwareb1sd2-16c-tfx11sri-if_firmwarex11scl-ifx10sll-sf_firmwarex11sdd-8c-fb2ss1-cpux11srm-vf_firmwarex10drt-hibf_firmwarex10drl-ct_firmwarem11sdv-4ct-ln4fx9drt-p_series_firmwarea1sa2-2750f_firmwarex9dr3\/i-ln4f\+_firmwarex9drd-7ln4f_series_firmwarex10drd-ltp_firmwarex9drw-7\/itpf\+x11spg-tf_firmwarex11ssh-ln4f_firmwarex11dpu-xllx10drff-cx9drh-if-nvx10dru-i\+x10drx_firmwarex10qbl-4x11ssw-tfx11dpff-sn_firmwarex9dr3\/i-fx10drh-cln4x9drt-p_seriesx11sdd-18c-f_firmwarex10srw-fx10drh-ctx9sae\(-v\)_firmwarex11dpl-i_firmwarex11opi-cpu_firmwarex10drh-itx10drfr_firmwareb11spe-cpu-tfx10sld-f_firmwarea1sri-2758f_firmwarex10drc-t4\+x10sde-dfx9srd-fx10drl-cx9drfrx11ssw-4tfx9drd-efx11sch-f_firmwarex9drl-7\/ef_firmwarex9daix9drw-7\/itpfm11sdv-8ct-ln4fx10sle-f_firmwarex10drff-cgx11srm-fb11dpex10srg-f_firmwarex10dri_firmwarex9sae\(-v\)x10srh-cfx11spm-tpfx10slm\+-ln4f_firmwarex9da7\/ex10drl-ln4_firmwarex10drw-nx11dsf-e_firmwarex11ssw-fm11sdv-8c-ln4fx11sca-f_firmwarex10sdd-f_firmwarex11scw-f_firmwareb10drg-ibf2x10sdv-8c\+-ln2fx10sdv-6c\+-tln4fx9srl\(-f\)_firmwarex9drt-hf\+_firmwarex11sch-ln4fx9drh-if-nv_firmwarex11ssh-ctfx10sdv-16c-tln4f\+x9dr7-jln4fx10drw-etx11dac_firmwarex9drg-h\(t\)f\+ii_firmwarex11ssh-gf-1585lb2ss1-mtf_firmwarex11scl-ln4fx11dpt-lx11dpff-snx10sdv-6c-tln4fx11ssl-cf_firmwarex10drt-libfx11spa-tf_firmwarex11ssl-cfx10drl-i_firmwarex10drt-psx11dgq_firmwarex11spw-ctf_firmwarex9drff-7\/i\(t\)\+_firmwarex9scl\+-f_firmwareb9drg_firmwareb10drt_firmwarex9drg-h\(t\)f_firmwarex11dsf-ex11scl-f_firmwarea1sam-2550fx9drfr_firmwarex9qri-fx10drg-ot\+-cpux9sre\/i_seriesx11dph-tqx10slm\+-ln4fx10drd-it_firmwarex10drg-q_firmwarem11sdv-4c-ln4f_firmwarea1sri-2558fx10srd-f_firmwarex10sll-sx10sdv-4c\+-tp4fx10sle-hfx10drg-o\+-cpua1sam-2750f_firmwarex10sl7-f_firmwarex11ssd-fx10drfr-ntx11spw-tf_firmwarex11dsc\+a1sa2-2750fb10drg-tpx9qri-f\+x10dgq_firmwarex9qr7-tfx9dax-7\/i\(t\)f_firmwarex10dgo-tx11dpu-vx10drh-cln4_firmwarex11dpi-nx10sdv-2c-7tp4fx10sdv-8c-tln4fb9drt_firmwarex10dri-ln4\+x10dri-tb10drix9drt_series_firmwarex11ssl-fx11dpfr-s_firmwarex10qbl-4_firmwarex10sdv-2c-tp8f_firmwarex10drd-itp_firmwarex10drl-ix10qbi_firmwarex10sle-hf_firmwarex11ssm_firmwareb11qpi_firmwarex11spa-tfx9db3\/i-\(tp\)fx9dax-7\/if-hft_firmwareb2ss1-f_firmwarex10sdv-4c-7tp4fx10sdv-16c-tln4f_firmwarex9dai_firmwarex9drff\(-7\)x11scm-ln8fx10slx-fx10drh-ct_firmwarex10drt-pibfx10slm-f_firmwarex9srh-7\(t\)fx11spw-tfx11ssw-tf_firmwarex10drg-hx9drff\(-7\)_firmwarex10drd-intpx11sri-ifx11srm-f_firmwarex9sre\/i_series_firmwarex11ddw-ntb2ss2-fx11ssh-gf-1585_firmwareb9dr7x11dpt-bh_firmwarex11dpx-tx11dpl-ix11dpt-l_firmwarex10sdv-tp8f_firmwarex11ssh-gtf-1585_firmwareb2ss1-fb9dri_firmwareb9drp_firmwarex10drd-int_firmwarex10sdv-8c-tln4f\+_firmwarea1sri-2558f_firmwarex9dax-7\/i\(t\)fx11scl-if_firmwarex10drg-o\+-cpu_firmwarex9drd-l\/if_firmwarex11dph-t_firmwarex11scm-fx9drg-h\(t\)f\+_firmwareb11spe-cpu-25gx10sdv-4c\+-tln4fx11dpg-ot-cpu_firmwarex10sdv-16c\+-tln4f_firmwarex10sdv-4c-tln2fx11ssh-gtf-1585l_firmwarex11scd-fx11ssl-nf_firmwarex10drw-n_firmwarex11scax11scd-f_firmwarex10saex10drw-et_firmwarex11sds-12c_firmwarex11srl-fx10drt-ptx11scl-ln4f_firmwarex10sri-f_firmwarex11dph-tx10drt-pt_firmwarex11dpu-ze\+_firmwarex10sle-fx10drfr-nt_firmwarex9srg-f_firmwarex10sll-fb1sd1-tf_firmwarex9sra_firmwarex10srh-cln4f_firmwarex10drw-ex10sld-hf_firmwarex10qbix10srw-f_firmwarex10drix10sdv-2c-tp4fx10sdv-12c-tln4f\+_firmwarex11ssh-gtf-1585x10srh-cln4fx11dacb2ss1-cpu_firmwareb1sd1-16c-tf_firmwarea1srm-2558f_firmwareb10drt-ibf2_firmwareb10drg-ibfx9drx\+-f_firmwarex11dpu-z\+x10srl-fx10dri-t4\+x10sdd-16c-fx10drff-itg_firmwarex10drw-nt_firmwarex10sdv-4c-tln4fx9qri-f\+_firmwarex9drh-7\/i\(t\)fx11ssh-tf_firmwarex9drw-3ln4f\+\/3tf\+x9dr3\/i-ln4f\+x10dru-i\+_firmwareb10drcx11sds-16ca1sam-2550f_firmwarex11dpt-ps_firmwarex10sle-df_firmwarex10drt-hx11dai-n_firmwareb10dri_firmwarex9drw-7\/itpf_firmwarex11ddw-lx10obi-cpu_firmwareb2ss1-cfx11dgqx11ssi-ln4f_firmwarex10sdv-7tp4f_firmwarex10drff-itgx10drw-e_firmwarex11dps-re_firmwarex10drff_firmwarex9scd_series_firmwarex10dsn-ts_firmwareb2ss1-h-mtf_firmwarex10drl-ln4x11dsn-tsq_firmwarex10drd-ix9dbu-3\/ifx11dph-ix10sll-s_firmwarex10srm-tf_firmwarex11dpt-bx9scm\(-f\)x11dpu_firmwarex11spg-tfx10slx-f_firmwarex11spm-tfx10slm\+-f_firmwarex9srg-fx10drxx10drw-ix9dbl-3\/i\(f\)_firmwarex10sat_firmwarex10drt-lx10sdv-8c-tln4f\+x10drh-ix11sch-fx10sla-fx10drffx10sri-fx10ddw-i_firmwarex11ssh-f_firmwarex10sla-f_firmwarex9drd-7ln4f_seriesx10sdv-7tp8f_firmwarex11srm-vfx10drd-ltx10dgo-t_firmwarex9drff-7\/i\(t\)g\+x10sdv-12c-tln4f_firmwareb10drt-ibf2x10drfr-n_firmwareb10drt-tpx10sdv-6c\+-tln4f_firmwarex10sdv-2c-7tp4f_firmwarex10drff-ig_firmwarex9scl\(-f\)_firmwareb10drc-n_firmwarex9drw-c\(t\)f31x11ssl_firmwarex11dpg-ot-cpux10drfr-nx10sdv-2c-tp4f_firmwarex10drg-qx10sdv-12c\+-tln4f_firmwareb10dri-n_firmwarex11srl-f_firmwarex9drt_seriesx10drfr-t_firmwarex10sdv-2c-tln2f_firmwarem11sdv-8c\+-ln4f_firmwarex10sra-f_firmwarex11scm-f_firmwarex10sdv-12c-tln4f\+x10slm\+-fx11spa-t_firmwarex11ssm-f_firmwarex10drl-c_firmwarex10dru-x_firmwareb10drg-tp_firmwarea1sam-2750fx11dpfr-snx10sll\+-f_firmwarex11ssh-fx10sdv-16c-tln4fx10drw-itx9dr3\/i-f_firmwarex10drc-ln4\+_firmwarex11sds-8cx10dri-ln4\+_firmwarex11sslx10sll-f_firmwarex9srax10drs_firmwarex11ssh-tfx9drd-it\+x9srd-f_firmwarex11dpu-z\+_firmwareb1sd2-16c-tf_firmwarex10sdv-12c-tln4fb9drgx10dru-xx10srm-f_firmwarex11dpg-qtx10sdv-2c-tln2fx10sdv-4c-tln4f_firmwarex10slh-fx10drh-iln4x11sca_firmwareb9qr7\(-tp\)x10obi-cpux10drw-it_firmwarex11spm-f_firmwarex10drh-ca1sri-2358fx10sdv-16c\+-tln4fm11sdv-4ct-ln4f_firmwarex9drg-qf_firmwarex11scw-fb10drg-ibf_firmwareb2ss2-mtf_firmwareb9drg-3mx10drl-itx10drd-lt_firmwarex11dpu-ze\+x11dph-tq_firmwarex10drff-cg_firmwarex10ddw-ix9srw-fx9sca\(-f\)_firmwarex11qph\+x9drw-7\/itpf\+_firmwareb9qr7\(-tp\)_firmwarex11spa-tx11dgo-tx11dpx-t_firmwarex9drw-3\/if_firmwarex10drd-i_firmwarex9dal-3\/ix9dbs-f\(-2u\)_firmwarex10sdv-4c-tln2f_firmwarex11dsc\+_firmwarex10drd-ltpx9drg-h\(t\)fx9drl-3\/ifx9drg-o\(t\)f-cpux11spm-tpf_firmwarex10drff-ctg_firmwarex10dgqx10sdd-fx11sca-w_firmwarex11spl-fx10ddw-inx11spm-tf_firmwarex11dpg-qt_firmwarem11sdv-4c-ln4fx11ddw-l_firmwarex11dpfr-sn_firmwarex9dr7\/e-ln4f_firmwarex11sdd-8c-f_firmwarex10qrh\+_firmwarex9qr7-tf\+_firmwarex10sld-hfb2ss2-f_firmwareb10drtx10drt-libf_firmwarex10sdv-7tp4fx10drt-ps_firmwarex10sl7-fb2ss1-h-mtfb11dpt_firmwarex10srl-f_firmwarex11ssm-fx9drd-c\(n\)t\+x10sdv-tln4fx10drl-it_firmwarex11spl-f_firmwarex9drl-7\/efx9dr7\/e-tf\+_firmwarex11dps-rea1srm-2558fx11scl-fx10drd-itpx10sdv-4c\+-tp4f_firmwarex11ssh-ctf_firmwarex10drt-libqx9drg-h\(t\)f\+iix10ddw-in_firmwarex11ssi-ln4fx10srm-fx11dsn-tsa1srm-ln7f-2758_firmwarex10drg-htx9db3\/i-\(tp\)f_firmwarex9dr7-jln4f_firmwarex10drt-libq_firmwarex10sdv-tp8fx9qr7-tf_firmwarex11ssd-f_firmwareb10drt-ibfx11ssl-f_firmwarex9drg-o\(t\)f-cpu_firmwareb1sd1-tfx9dbs-f\(-2u\)x10sdv-16c-tln4f\+_firmwarex9dax-7\/if-hftx10sdv-6c-tln4f_firmwarex9drg-h\(t\)f\+x9drx\+-fx10drt-l_firmwarex9dal-3\/i_firmwarex11dpg-snx11ssh-gf-1585x10drh-iln4_firmwareb1sd2-tfx9dbu-3\/if_firmwarea1srm-ln5f-2358_firmwareb10drc-nx11ssw-f_firmwarex9srl\(-f\)x11sph-nctpf_firmwarex10drff-c_firmwarex10sdv-12c\+-tln4fb2ss2-h-mtf_firmwarex10drfrx9qri-f_firmwarex10dbt-t_firmwarex10dbt-tx11dpt-b_firmwarem11sdv-8ct-ln4f_firmwarex11ssh-ln4fb11dptx10dsn-tsx11sca-fx11spi-tfx10sde-df_firmwarex10satx11dpg-sn_firmwarex10sll-sfa1srm-ln5f-2358x9drt-h_seriesb9dr7_firmwarex10sdv-2c-tp8fb1sd1-16c-tfx10slm-fx10sld-fx11sph-nctpfx11ssh-gtf-1585lx10sdd-16c-f_firmwarex9drd-l\/ifx9sci-ln4\(f\)x9drd-ef_firmwarex10sdv-4c-7tp4f_firmwareb9drg-3m_firmwarex10drl-ctx11ssh-gf-1585l_firmwarex11dpu-v_firmwarex10qbl_firmwarea1sai-2750fa1sri-2758fx10qbl-4ctn/a
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-326
Inadequate Encryption Strength
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2023-38372
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.64% / 46.32%
||
7 Day CHG~0.00%
Published-29 Feb, 2024 | 00:23
Updated-14 Feb, 2025 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Watson IoT Platform information disclosure

An unauthorized attacker who has obtained an IBM Watson IoT Platform 1.0 security authentication token can use it to impersonate an authorized platform user. IBM X-Force ID: 261201.

Action-Not Available
Vendor-IBM Corporation
Product-watson_iot_platformWatson IoT Platform
CWE ID-CWE-287
Improper Authentication
CVE-2025-14738
Matching Score-4
Assigner-TP-Link Systems Inc.
ShareView Details
Matching Score-4
Assigner-TP-Link Systems Inc.
CVSS Score-5.7||MEDIUM
EPSS-0.44% / 34.97%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 18:01
Updated-29 Jan, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Configuration Disclosure Vulnerability in TP-Link WA850RE

Improper authentication vulnerability in TP-Link WA850RE (httpd modules) allows unauthenticated attackers to download the configuration file.This issue affects: ≤ WA850RE V2_160527, ≤ WA850RE V3_160922.

Action-Not Available
Vendor-TP-Link Systems Inc.TP-Link Systems Inc.
Product-tl-wa850retl-wa850re_firmwareWA850RE
CWE ID-CWE-287
Improper Authentication
CVE-2016-2102
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.3||MEDIUM
EPSS-2.01% / 78.45%
||
7 Day CHG~0.00%
Published-22 Aug, 2017 | 18:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HAProxy statistics in openstack-tripleo-image-elements are non-authenticated over the network.

Action-Not Available
Vendor-haproxyn/a
Product-haproxyn/a
CWE ID-CWE-287
Improper Authentication
CVE-2025-14567
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.68% / 48.02%
||
7 Day CHG~0.00%
Published-12 Dec, 2025 | 16:02
Updated-23 Dec, 2025 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
haxxorsid Stock-Management-System employees missing authentication

A weakness has been identified in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This affects an unknown function of the file /api/employees. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.

Action-Not Available
Vendor-haxxorsidhaxxorsid
Product-stock-management-systemStock-Management-System
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-35579
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.51% / 39.75%
||
7 Day CHG+0.07%
Published-05 May, 2026 | 20:29
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CoreDNS TSIG authentication bypass on gRPC, QUIC, DoH, and DoH3 transports

CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify() to validate the HMAC. If the key name matches a configured key, the tsigStatus field remains nil and the tsig plugin treats the request as successfully authenticated regardless of the MAC value. For DoH and DoH3, the issue is more severe: the DoHWriter.TsigStatus() method unconditionally returns nil, and the server never inspects the TSIG record at all. Any request containing a TSIG record is treated as authenticated over DoH and DoH3, even if the key name is invalid and the MAC is arbitrary. An unauthenticated network attacker can exploit this to bypass TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic DNS updates, or other TSIG-gated plugin behavior. The DoH and DoH3 variants have a lower exploitation bar because the attacker does not need to know a valid TSIG key name. This issue has been fixed in version 1.14.3. As a workaround, disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required, or restrict network-level access to affected transport ports to trusted sources only.

Action-Not Available
Vendor-coredns.iocorednsRed Hat, Inc.
Product-corednscorednsRed Hat Advanced Cluster Management for Kubernetes 2.14Red Hat Advanced Cluster Management for Kubernetes 2Red Hat OpenShift Container Platform 4
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-303
Incorrect Implementation of Authentication Algorithm
CVE-2025-14703
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.60% / 44.62%
||
7 Day CHG~0.00%
Published-15 Dec, 2025 | 04:02
Updated-09 Jan, 2026 | 02:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shiguangwu sgwbox N3 POST Message fsnotify improper authentication

A vulnerability has been found in Shiguangwu sgwbox N3 2.0.25. The affected element is an unknown function of the file /fsnotify of the component POST Message Handler. The manipulation of the argument token leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-sgwboxShiguangwu
Product-n3n3_firmwaresgwbox N3
CWE ID-CWE-287
Improper Authentication
CVE-2014-3106
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5||MEDIUM
EPSS-1.85% / 76.52%
||
7 Day CHG~0.00%
Published-23 Sep, 2014 | 21:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not properly implement the Local Access Only protection mechanism, which allows remote attackers to bypass authentication and read files via the Help Server Administration feature.

Action-Not Available
Vendor-n/aIBM Corporation
Product-rational_clearcasen/a
CWE ID-CWE-287
Improper Authentication
CVE-2021-43786
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-2.29% / 81.14%
||
7 Day CHG~0.00%
Published-29 Nov, 2021 | 19:30
Updated-04 Aug, 2024 | 04:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
API token verification can be bypassed

Nodebb is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step unintentionally allowed master token access to the API. The vulnerability has been patch as of v1.18.5. Users are advised to upgrade as soon as possible.

Action-Not Available
Vendor-nodebbNodeBB
Product-nodebbNodeBB
CWE ID-CWE-287
Improper Authentication
CVE-2026-33512
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.23% / 14.18%
||
7 Day CHG~0.00%
Published-23 Mar, 2026 | 18:17
Updated-25 Mar, 2026 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AVideo has an unauthenticated decrypt oracle leaking any ciphertext

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata. Commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 contains a patch.

Action-Not Available
Vendor-wwbnWWBN
Product-avideoAVideo
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CWE ID-CWE-326
Inadequate Encryption Strength
CWE ID-CWE-327
Use of a Broken or Risky Cryptographic Algorithm
CVE-2025-11852
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.57% / 42.85%
||
7 Day CHG~0.00%
Published-16 Oct, 2025 | 19:02
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apeman ID71 ONVIF Service device_service missing authentication

A vulnerability was found in Apeman ID71 218.53.203.117. The impacted element is an unknown function of the file /onvif/device_service of the component ONVIF Service. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Apeman
Product-ID71
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-18312
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-5.3||MEDIUM
EPSS-1.08% / 60.95%
||
7 Day CHG~0.00%
Published-12 Dec, 2019 | 19:08
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SPPA-T3000 MS3000 Migration Server (All versions). An attacker with network access to the MS3000 Server could be able to enumerate running RPC services. Please note that an attacker needs to have network access to the MS3000 in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known.

Action-Not Available
Vendor-Siemens AG
Product-sppa-t3000_ms3000_migration_serverSPPA-T3000 MS3000 Migration Server
CWE ID-CWE-287
Improper Authentication
CVE-2026-32815
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.36% / 28.08%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 21:39
Updated-23 Mar, 2026 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel alive, allows any external client — including malicious websites via cross-origin WebSocket — to connect and receive all server push events in real-time. These events leak sensitive document metadata including document titles, notebook names, file paths, and all CRUD operations performed by authenticated users. Combined with the absence of Origin header validation, a malicious website can silently connect to a victim's local SiYuan instance and monitor their note-taking activity. This issue has been fixed in version 3.6.1.

Action-Not Available
Vendor-b3logsiyuan-note
Product-siyuansiyuan
CWE ID-CWE-287
Improper Authentication
CVE-2014-0357
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-5||MEDIUM
EPSS-1.83% / 76.28%
||
7 Day CHG~0.00%
Published-15 Apr, 2014 | 10:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Amtelco miSecureMessages allows remote attackers to read the messages of arbitrary users via an XML request containing a valid license key and a modified contactID value, as demonstrated by a request from the iOS or Android application.

Action-Not Available
Vendor-amtelcon/a
Product-misecuremessagesn/a
CWE ID-CWE-287
Improper Authentication
CVE-2019-15046
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-5.30% / 91.58%
||
7 Day CHG~0.00%
Published-14 Aug, 2019 | 14:51
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_servicedesk_plusn/a
CWE ID-CWE-287
Improper Authentication
CVE-2026-32173
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.6||HIGH
EPSS-0.91% / 55.59%
||
7 Day CHG~0.00%
Published-02 Apr, 2026 | 23:27
Updated-19 Jun, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Azure SRE Agent Information Disclosure Vulnerability

Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-azure_sre_agentAzure SRE Agent Gateway - SignalR Hub
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-863
Incorrect Authorization
CVE-2014-0732
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5||MEDIUM
EPSS-1.80% / 75.88%
||
7 Day CHG~0.00%
Published-20 Feb, 2014 | 02:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Real Time Monitoring Tool (RTMT) web application in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier does not properly enforce authentication requirements, which allows remote attackers to read application files via a direct request to a URL, aka Bug ID CSCum46495.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-unified_communications_managern/a
CWE ID-CWE-287
Improper Authentication
CVE-2021-43175
Matching Score-4
Assigner-Black Duck Software, Inc.
ShareView Details
Matching Score-4
Assigner-Black Duck Software, Inc.
CVSS Score-7.5||HIGH
EPSS-1.16% / 63.28%
||
7 Day CHG~0.00%
Published-07 Dec, 2021 | 17:25
Updated-04 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 exposes an API router that accepts a username, password, and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

Action-Not Available
Vendor-goautodialGOautodial
Product-goautodial_apigoautodialGOautodial API
CWE ID-CWE-305
Authentication Bypass by Primary Weakness
CWE ID-CWE-287
Improper Authentication
CVE-2023-30967
Matching Score-4
Assigner-Palantir Technologies
ShareView Details
Matching Score-4
Assigner-Palantir Technologies
CVSS Score-9.8||CRITICAL
EPSS-0.62% / 45.12%
||
7 Day CHG~0.00%
Published-25 Oct, 2023 | 23:18
Updated-10 Sep, 2024 | 16:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gotham Orbital Simulator path traversal

Gotham Orbital-Simulator service prior to 0.692.0 was found to be vulnerable to a Path traversal issue allowing an unauthenticated user to read arbitrary files on the file system.

Action-Not Available
Vendor-palantirPalantir
Product-orbital_simulatorcom.palantir.meta:orbital-simulator
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-287
Improper Authentication
CVE-2023-30061
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.11% / 61.96%
||
7 Day CHG~0.00%
Published-01 May, 2023 | 00:00
Updated-30 Jan, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DIR-879 v105A1 is vulnerable to Authentication Bypass via phpcgi.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-879_firmwaredir-879n/a
CWE ID-CWE-287
Improper Authentication
CVE-2014-0725
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5||MEDIUM
EPSS-1.28% / 66.44%
||
7 Day CHG~0.00%
Published-13 Feb, 2014 | 02:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cisco Unified Communications Manager (UCM) does not require authentication for reading WAR files, which allows remote attackers to obtain sensitive information via unspecified access to a "file storage location," aka Bug ID CSCum05337.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-unified_communications_managern/a
CWE ID-CWE-287
Improper Authentication
CVE-2014-0733
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5||MEDIUM
EPSS-1.80% / 75.75%
||
7 Day CHG~0.00%
Published-20 Feb, 2014 | 11:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Enterprise License Manager (ELM) component in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier does not properly enforce authentication requirements, which allows remote attackers to read ELM files via a direct request to a URL, aka Bug ID CSCum46494.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-unified_communications_managern/a
CWE ID-CWE-287
Improper Authentication
CVE-2023-27877
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.46% / 36.98%
||
7 Day CHG~0.00%
Published-19 Jul, 2023 | 01:31
Updated-28 Oct, 2024 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Planning Analytics Cartridge for Cloud Pak for Data information disclosure

IBM Planning Analytics Cartridge for Cloud Pak for Data 4.0 connects to a CouchDB server. An attacker can exploit an insecure password policy to the CouchDB server and collect sensitive information from the database. IBM X-Force ID: 247905.

Action-Not Available
Vendor-IBM Corporation
Product-cloud_pak_for_dataPlanning Analytics Cartridge for Cloud Pak for Data
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-287
Improper Authentication
CVE-2023-27377
Matching Score-4
Assigner-The Missing Link Australia (TML)
ShareView Details
Matching Score-4
Assigner-The Missing Link Australia (TML)
CVSS Score-7.5||HIGH
EPSS-0.69% / 48.45%
||
7 Day CHG~0.00%
Published-25 Oct, 2023 | 10:20
Updated-25 Sep, 2024 | 12:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authentication In IDAttend’s IDWeb Application

Missing authentication in the StudentPopupDetails_EmergencyContactDetails method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction of sensitive student data by unauthenticated attackers.

Action-Not Available
Vendor-idattendIDAttend Pty Ltd
Product-idwebIDWeb
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-287
Improper Authentication
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 8
  • 9
  • Next
Details not found