Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-0858

Summary
Assigner-Canon
Assigner Org ID-f98c90f0-e9bd-4fa7-911b-51993f3571fd
Published At-11 May, 2023 | 00:00
Updated At-24 Jan, 2025 | 21:11
Rejected At-
Credits

Improper Authentication of RemoteUI of Office / Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger unauthorized access to the product. *:Satera LBP660C Series/LBP620C Series/MF740C Series/MF640C Series firmware Ver.11.04 and earlier sold in Japan. Color imageCLASS LBP660C Series/LBP 620C Series/X LBP1127C/MF740C Series/MF640C Series/X MF1127C firmware Ver.11.04 and earlier sold in US. i-SENSYS LBP660C Series/LBP620C Series/MF740C Series/MF640C Series, C1127P, C1127iF, C1127i firmware Ver.11.04 and earlier sold in Europe.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Canon
Assigner Org ID:f98c90f0-e9bd-4fa7-911b-51993f3571fd
Published At:11 May, 2023 | 00:00
Updated At:24 Jan, 2025 | 21:11
Rejected At:
â–¼CVE Numbering Authority (CNA)

Improper Authentication of RemoteUI of Office / Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger unauthorized access to the product. *:Satera LBP660C Series/LBP620C Series/MF740C Series/MF640C Series firmware Ver.11.04 and earlier sold in Japan. Color imageCLASS LBP660C Series/LBP 620C Series/X LBP1127C/MF740C Series/MF640C Series/X MF1127C firmware Ver.11.04 and earlier sold in US. i-SENSYS LBP660C Series/LBP620C Series/MF740C Series/MF640C Series, C1127P, C1127iF, C1127i firmware Ver.11.04 and earlier sold in Europe.

Affected Products
Vendor
Canon Inc.Canon Inc.
Product
Canon Office/Small Office Multifunction Printers and Laser Printers
Versions
Affected
  • Satera LBP660C Series/LBP620C Series/MF740C Series/MF640C Series firmware Ver.11.04 and earlier sold in Japan. Color imageCLASS LBP660C Series/LBP 620C Series/X LBP1127C/MF740C Series/MF640C Series/X MF1127C firmware Ver.11.04 and earlier sold in US. i-SENSYS LBP660C Series/LBP620C Series/MF740C Series/MF640C Series, C1127P, C1127iF, C1127i firmware Ver.11.04 and earlier sold in Europe.
Problem Types
TypeCWE IDDescription
CWECWE-284CWE-284: Improper Access Control
Type: CWE
CWE ID: CWE-284
Description: CWE-284: Improper Access Control
Metrics
VersionBase scoreBase severityVector
3.13.1LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 3.1
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.canon-europe.com/support/product-security-latest-news/
N/A
https://psirt.canon/advisory-information/cp2023-001/
N/A
https://canon.jp/support/support-info/230414vulnerability-response
N/A
https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Vulnerabilities-Remediation-Against-Buffer-Overflow
N/A
Hyperlink: https://www.canon-europe.com/support/product-security-latest-news/
Resource: N/A
Hyperlink: https://psirt.canon/advisory-information/cp2023-001/
Resource: N/A
Hyperlink: https://canon.jp/support/support-info/230414vulnerability-response
Resource: N/A
Hyperlink: https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Vulnerabilities-Remediation-Against-Buffer-Overflow
Resource: N/A
â–¼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.canon-europe.com/support/product-security-latest-news/
x_transferred
https://psirt.canon/advisory-information/cp2023-001/
x_transferred
https://canon.jp/support/support-info/230414vulnerability-response
x_transferred
https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Vulnerabilities-Remediation-Against-Buffer-Overflow
x_transferred
Hyperlink: https://www.canon-europe.com/support/product-security-latest-news/
Resource:
x_transferred
Hyperlink: https://psirt.canon/advisory-information/cp2023-001/
Resource:
x_transferred
Hyperlink: https://canon.jp/support/support-info/230414vulnerability-response
Resource:
x_transferred
Hyperlink: https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Vulnerabilities-Remediation-Against-Buffer-Overflow
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:f98c90f0-e9bd-4fa7-911b-51993f3571fd
Published At:11 May, 2023 | 13:15
Updated At:07 Nov, 2023 | 04:01

Improper Authentication of RemoteUI of Office / Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger unauthorized access to the product. *:Satera LBP660C Series/LBP620C Series/MF740C Series/MF640C Series firmware Ver.11.04 and earlier sold in Japan. Color imageCLASS LBP660C Series/LBP 620C Series/X LBP1127C/MF740C Series/MF640C Series/X MF1127C firmware Ver.11.04 and earlier sold in US. i-SENSYS LBP660C Series/LBP620C Series/MF740C Series/MF640C Series, C1127P, C1127iF, C1127i firmware Ver.11.04 and earlier sold in Europe.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Secondary3.13.1LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 3.1
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CPE Matches

Canon Inc.
canon
>>mf642cdw_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf642cdw_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf642cdw>>-
cpe:2.3:h:canon:mf642cdw:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf644cdw_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf644cdw_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf644cdw>>-
cpe:2.3:h:canon:mf644cdw:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf741cdw_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf741cdw_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf741cdw>>-
cpe:2.3:h:canon:mf741cdw:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf743cdw_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf743cdw_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf743cdw>>-
cpe:2.3:h:canon:mf743cdw:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf745cdw_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf745cdw_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf745cdw>>-
cpe:2.3:h:canon:mf745cdw:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp621c_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:lbp621c_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp621c>>-
cpe:2.3:h:canon:lbp621c:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp622c_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:lbp622c_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp622c>>-
cpe:2.3:h:canon:lbp622c:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp661c_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:lbp661c_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp661c>>-
cpe:2.3:h:canon:lbp661c:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp662c_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:lbp662c_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp662c>>-
cpe:2.3:h:canon:lbp662c:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp664c_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:lbp664c_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp664c>>-
cpe:2.3:h:canon:lbp664c:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf1127c_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf1127c_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf1127c>>-
cpe:2.3:h:canon:mf1127c:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf262dw_ii_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf262dw_ii_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf262dw_ii>>-
cpe:2.3:h:canon:mf262dw_ii:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf264dw_ii_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf264dw_ii_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf264dw_ii>>-
cpe:2.3:h:canon:mf264dw_ii:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf267dw_ii_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf267dw_ii_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf267dw_ii>>-
cpe:2.3:h:canon:mf267dw_ii:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf269dw_ii_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf269dw_ii_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf269dw_ii>>-
cpe:2.3:h:canon:mf269dw_ii:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf269dw_vp_ii_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf269dw_vp_ii_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf269dw_vp_ii>>-
cpe:2.3:h:canon:mf269dw_vp_ii:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf272dw_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf272dw_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf272dw>>-
cpe:2.3:h:canon:mf272dw:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf273dw_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf273dw_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf273dw>>-
cpe:2.3:h:canon:mf273dw:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf275dw_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf275dw_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf275dw>>-
cpe:2.3:h:canon:mf275dw:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf641cw_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf641cw_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf641cw>>-
cpe:2.3:h:canon:mf641cw:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf746cdw_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:mf746cdw_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>mf746cdw>>-
cpe:2.3:h:canon:mf746cdw:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp122dw_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:lbp122dw_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp122dw>>-
cpe:2.3:h:canon:lbp122dw:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp1127c_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:lbp1127c_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp1127c>>-
cpe:2.3:h:canon:lbp1127c:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp622cdw_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:lbp622cdw_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp622cdw>>-
cpe:2.3:h:canon:lbp622cdw:-:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp623cdw_firmware>>Versions up to 11.04(inclusive)
cpe:2.3:o:canon:lbp623cdw_firmware:*:*:*:*:*:*:*:*
Canon Inc.
canon
>>lbp623cdw>>-
cpe:2.3:h:canon:lbp623cdw:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-287Primarynvd@nist.gov
CWE-284Secondaryf98c90f0-e9bd-4fa7-911b-51993f3571fd
CWE ID: CWE-287
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-284
Type: Secondary
Source: f98c90f0-e9bd-4fa7-911b-51993f3571fd
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://canon.jp/support/support-info/230414vulnerability-responsef98c90f0-e9bd-4fa7-911b-51993f3571fd
N/A
https://psirt.canon/advisory-information/cp2023-001/f98c90f0-e9bd-4fa7-911b-51993f3571fd
N/A
https://www.canon-europe.com/support/product-security-latest-news/f98c90f0-e9bd-4fa7-911b-51993f3571fd
N/A
https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Vulnerabilities-Remediation-Against-Buffer-Overflowf98c90f0-e9bd-4fa7-911b-51993f3571fd
N/A
Hyperlink: https://canon.jp/support/support-info/230414vulnerability-response
Source: f98c90f0-e9bd-4fa7-911b-51993f3571fd
Resource: N/A
Hyperlink: https://psirt.canon/advisory-information/cp2023-001/
Source: f98c90f0-e9bd-4fa7-911b-51993f3571fd
Resource: N/A
Hyperlink: https://www.canon-europe.com/support/product-security-latest-news/
Source: f98c90f0-e9bd-4fa7-911b-51993f3571fd
Resource: N/A
Hyperlink: https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Vulnerabilities-Remediation-Against-Buffer-Overflow
Source: f98c90f0-e9bd-4fa7-911b-51993f3571fd
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

346Records found

CVE-2025-10952
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.34% / 25.97%
||
7 Day CHG~0.00%
Published-25 Sep, 2025 | 15:32
Updated-26 Sep, 2025 | 14:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
geyang ml-logger File server.py stream_handler information disclosure

A security flaw has been discovered in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Affected by this issue is the function stream_handler of the file ml_logger/server.py of the component File Handler. Performing manipulation of the argument key results in information disclosure. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.

Action-Not Available
Vendor-geyang
Product-ml-logger
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2025-0224
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.43% / 34.25%
||
7 Day CHG~0.00%
Published-05 Jan, 2025 | 16:31
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Provision-ISR SH-4050A-2 server.js information disclosure

A vulnerability was found in Provision-ISR SH-4050A-2, SH-4100A-2L(MM), SH-8100A-2L(MM), SH-16200A-2(1U), SH-16200A-5(1U) and NVR5-8200PX up to 20241220. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /server.js. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Provision-ISR
Product-SH-4050A-2SH-16200A-5(1U)SH-4100A-2L(MM)NVR5-8200PXSH-8100A-2L(MM)SH-16200A-2(1U)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2025-0206
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.61% / 44.76%
||
7 Day CHG~0.00%
Published-04 Jan, 2025 | 12:00
Updated-22 Jan, 2025 | 15:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Online Shoe Store index.php access control

A vulnerability classified as critical was found in code-projects Online Shoe Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/index.php. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Source Code & Projects
Product-online_shoe_storeOnline Shoe Store
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-266
Incorrect Privilege Assignment
CVE-2025-0403
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.51% / 39.51%
||
7 Day CHG~0.00%
Published-13 Jan, 2025 | 00:00
Updated-21 Oct, 2025 | 11:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
1902756969 reggie Phone Number Validation sendMsg information disclosure

A vulnerability, which was classified as problematic, has been found in 1902756969 reggie 1.0. Affected by this issue is some unknown functionality of the file /user/sendMsg of the component Phone Number Validation Handler. The manipulation of the argument code leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-19027569691902756969
Product-reggiereggie
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2025-0481
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-1.39% / 68.90%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 19:00
Updated-15 Jan, 2025 | 20:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DIR-878 HTTP POST Request dllog.cgi information disclosure

A vulnerability classified as problematic has been found in D-Link DIR-878 1.03. Affected is an unknown function of the file /dllog.cgi of the component HTTP POST Request Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-DIR-878
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2024-9683
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.29% / 20.57%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 14:08
Updated-07 Nov, 2025 | 00:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Quay: quay allows successful authentication with trucated version of the password

A vulnerability was found in Quay, which allows successful authentication even when a truncated password version is provided. This flaw affects the authentication mechanism, reducing the overall security of password enforcement.  While the risk is relatively low due to the typical length of the passwords used (73 characters), this vulnerability can still be exploited to reduce the complexity of brute-force or password-guessing attacks. The truncation of passwords weakens the overall authentication process, thereby reducing the effectiveness of password policies and potentially increasing the risk of unauthorized access in the future.

Action-Not Available
Vendor-Red Hat, Inc.
Product-quayRed Hat Quay 3
CWE ID-CWE-305
Authentication Bypass by Primary Weakness
CWE ID-CWE-287
Improper Authentication
CVE-2022-34894
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-3.5||LOW
EPSS-0.55% / 41.99%
||
7 Day CHG+0.05%
Published-01 Jul, 2022 | 09:00
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services

Action-Not Available
Vendor-JetBrains s.r.o.
Product-hubHub
CWE ID-CWE-284
Improper Access Control
CVE-2024-7919
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-1.13% / 62.48%
||
7 Day CHG~0.00%
Published-19 Aug, 2024 | 00:00
Updated-21 Aug, 2024 | 12:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Anhui Deshun Intelligent Technology Jieshun JieLink+ JSOTC2016 GetDataList access control

A vulnerability, which was classified as critical, has been found in Anhui Deshun Intelligent Technology Jieshun JieLink+ JSOTC2016 up to 20240805. This issue affects some unknown processing of the file /report/ParkChargeRecord/GetDataList. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-jielink\+_jsotc2016_projectAnhui Deshun Intelligent Technologyanhui_deshun_intelligent_technology
Product-jielink\+_jsotc2016Jieshun JieLink+ JSOTC2016jieshun_jielink\+
CWE ID-CWE-284
Improper Access Control
CVE-2024-5814
Matching Score-4
Assigner-wolfSSL Inc.
ShareView Details
Matching Score-4
Assigner-wolfSSL Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.47% / 37.09%
||
7 Day CHG~0.00%
Published-27 Aug, 2024 | 18:38
Updated-06 Dec, 2025 | 00:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unverifed Ciphersuite used on a client-side TLS1.3 Downgrade

A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500

Action-Not Available
Vendor-wolfsslwolfSSLwolfssl
Product-wolfsslwolfSSLwolfssl
CWE ID-CWE-284
Improper Access Control
CVE-2024-5956
Matching Score-4
Assigner-Trellix
ShareView Details
Matching Score-4
Assigner-Trellix
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 30.93%
||
7 Day CHG~0.00%
Published-05 Sep, 2024 | 10:42
Updated-06 Sep, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows unauthenticated remote attackers to bypass authentication and gain partial data access to the vulnerable Trellix IPS Manager with garbage data in response mostly

Action-Not Available
Vendor-Musarubra US LLC (Trellix)
Product-intrusion_prevention_system_managerIntrusion Prevention System (IPS) Managerintrusion_prevention_system_manager
CWE ID-CWE-305
Authentication Bypass by Primary Weakness
CWE ID-CWE-287
Improper Authentication
CVE-2022-32255
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-5.3||MEDIUM
EPSS-0.78% / 51.26%
||
7 Day CHG+0.01%
Published-14 Jun, 2022 | 09:22
Updated-03 Aug, 2024 | 07:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application consists of a web service that lacks proper access control for some of the endpoints. This could lead to unauthorized access to limited information.

Action-Not Available
Vendor-Siemens AG
Product-sinema_remote_connect_serverSINEMA Remote Connect Serversinema_remote_connect_server
CWE ID-CWE-284
Improper Access Control
CVE-2022-3286
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.44% / 35.27%
||
7 Day CHG~0.00%
Published-17 Oct, 2022 | 00:00
Updated-13 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Lack of IP address checking in GitLab EE affecting all versions from 14.2 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows a group member to bypass IP restrictions when using a deploy token

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-284
Improper Access Control
CVE-2026-24036
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.46% / 36.84%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 03:21
Updated-29 Jan, 2026 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Horilla Exposes Unpublished Job Disclosures through Unauthenticated API

Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link allowing unauthenticated users to view unpublished roles and access the application workflow for unpublished jobs. Unauthorized access to unpublished job posts can leak sensitive internal hiring information and cause confusion among candidates. This issue has been fixed in version 1.5.0.

Action-Not Available
Vendor-horillahorilla-opensource
Product-horillahorilla
CWE ID-CWE-284
Improper Access Control
CVE-2026-2147
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.52% / 40.38%
||
7 Day CHG~0.00%
Published-08 Feb, 2026 | 10:02
Updated-23 Feb, 2026 | 09:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda AC21 Web Management DownloadLog information disclosure

A weakness has been identified in Tenda AC21 16.03.08.16. This impacts an unknown function of the file /cgi-bin/DownloadLog of the component Web Management Interface. Executing a manipulation can lead to information disclosure. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-ac21_firmwareac21AC21
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2022-29578
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-1.01% / 58.99%
||
7 Day CHG~0.00%
Published-24 Jun, 2022 | 16:36
Updated-03 Aug, 2024 | 06:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Meridian Cooperative Utility Software versions 22.02 and 22.03 allows remote attackers to obtain sensitive information such as name, address, and daily energy usage.

Action-Not Available
Vendor-meridiann/a
Product-meridiann/a
CWE ID-CWE-287
Improper Authentication
CVE-2022-28713
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.3||MEDIUM
EPSS-1.00% / 58.40%
||
7 Day CHG+0.10%
Published-04 Jul, 2022 | 06:56
Updated-03 Aug, 2024 | 06:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper authentication vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote attacker to obtain some data of Facility Information without logging in to the product.

Action-Not Available
Vendor-Cybozu, Inc.
Product-garoonCybozu Garoon
CWE ID-CWE-287
Improper Authentication
CVE-2024-50353
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.29% / 20.77%
||
7 Day CHG~0.00%
Published-30 Oct, 2024 | 13:57
Updated-13 Nov, 2024 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ICG.AspNetCore.Utilities.CloudStorage's Secure Token Durations Different Than Expected

ICG.AspNetCore.Utilities.CloudStorage is a collection of cloud storage utilities to assist with the management of files for cloud upload. Users of this library that set a duration for a SAS Uri with a value other than 1 hour may have generated a URL with a duration that is longer, or shorter than desired. Users not implemented SAS Uri's are unaffected. This issue was resolved in version 8.0.0 of the library.

Action-Not Available
Vendor-iowacomputergurusIowaComputerGurusiowa_computer_gurus
Product-aspnetcore.utilities.cloudstorageaspnetcore.utilities.cloudstorageaspnetcore.utilites.cloudstorage
CWE ID-CWE-284
Improper Access Control
CVE-2024-49755
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3.1||LOW
EPSS-0.32% / 23.82%
||
7 Day CHG~0.00%
Published-28 Oct, 2024 | 19:44
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs

Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only impacts custom endpoints within an IdentityServer implementation that have explicitly used the LocalApiAuthenticationHandler for authentication. This vulnerability is patched in IdentityServer 7.0.8. Version 6.3 and below are unaffected, as they do not support DPoP in Local APIs.

Action-Not Available
Vendor-DuendeSoftware
Product-IdentityServer
CWE ID-CWE-287
Improper Authentication
CVE-2024-50339
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-19.62% / 97.06%
||
7 Day CHG-0.15%
Published-11 Dec, 2024 | 17:48
Updated-10 Jan, 2025 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GLPI vulnerable to unauthenticated session hijacking

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.

Action-Not Available
Vendor-GLPI Project
Product-glpiglpi
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-384
Session Fixation
CVE-2024-48932
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.50% / 39.41%
||
7 Day CHG~0.00%
Published-24 Oct, 2024 | 21:00
Updated-05 Nov, 2025 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ZimaOS Unauthenticated API Discloses Usernames

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint `http://<Server-ip>/v1/users/name` allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be exploited by an attacker to enumerate usernames and leverage them for further attacks, such as brute-force or phishing campaigns. As of time of publication, no known patched versions are available.

Action-Not Available
Vendor-zimaspaceIceWhaleTechicewhaletech
Product-zimaosZimaOSzimaos
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2024-55402
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.29% / 21.10%
||
7 Day CHG~0.00%
Published-06 Aug, 2025 | 00:00
Updated-01 Oct, 2025 | 20:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

4C Strategies Exonaut before v22.4 was discovered to contain an access control issue.

Action-Not Available
Vendor-4cstrategiesn/a
Product-exonautn/a
CWE ID-CWE-284
Improper Access Control
CVE-2019-3928
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-5.3||MEDIUM
EPSS-1.77% / 75.40%
||
7 Day CHG~0.00%
Published-30 Apr, 2019 | 20:18
Updated-04 Aug, 2024 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allow any user to obtain the presentation passcode via the iso.3.6.1.4.1.3212.100.3.2.7.4 OIDs. A remote, unauthenticated attacker can use this vulnerability to access a restricted presentation or to become the presenter.

Action-Not Available
Vendor-Crestron Electronics, Inc.
Product-am-101am-100am-101_firmwaream-100_firmwareCrestron AirMedia
CWE ID-CWE-284
Improper Access Control
CVE-2025-9398
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.45% / 35.96%
||
7 Day CHG~0.00%
Published-24 Aug, 2025 | 23:32
Updated-11 Dec, 2025 | 18:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YiFang CMS Migrate.php exportInstallTable information disclosure

A security vulnerability has been detected in YiFang CMS up to 2.0.5. Affected by this vulnerability is the function exportInstallTable of the file app/utils/base/database/Migrate.php. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-wanglongcnYiFang
Product-yifangCMS
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2019-15993
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-10.27% / 95.13%
||
7 Day CHG~0.00%
Published-23 Sep, 2020 | 00:26
Updated-13 Nov, 2024 | 18:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Small Business Switches Information Disclosure Vulnerability

A vulnerability in the web UI of Cisco Small Business Switches could allow an unauthenticated, remote attacker to access sensitive device information. The vulnerability exists because the software lacks proper authentication controls to information accessible from the web UI. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web UI of an affected device. A successful exploit could allow the attacker to access sensitive device information, which includes configuration files.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-sf550x-48mpsg250-10p_firmwaresf250-24psg300-10p_firmwaresg250-18_firmwaresg300-52_firmwaresg500-52mp_firmwaresg250x-24p_firmwaresg300-52sg250x-24psg200-26sg250-18sg500-28sg500x-48sg350x-24mpsx550x-24sg550x-48p_firmwaresg200-50p_firmwaresg200-26_firmwaresg200-08psf250-24p_firmwaresf200-24_firmwaresg300-20sg500-28psg350x-48_firmwaresg350xg-24tsx550x-12fsf200-48sg350x-24_firmwaresf350-48psf350-48sg550x-48mp_firmwaresg500x-24psf300-48psf300-24_firmwaresg500-52sf300-24mp_firmwaresf550x-24mp_firmwaresg500-28mpp_firmwaresg500-52psg350-28sg350x-24mp_firmwaresf250-24sg500-52_firmwaresf550x-48p_firmwaresg550x-48psg200-10fpsf300-24ppsg350x-48mp_firmwaresg250x-24_firmwaresg250-50hp_firmwaresx550x-24ft_firmwaresg350x-24sg300-10mpp_firmwaresg250x-24sf550x-48_firmwaresg200-50sg300-52mpsg350-10p_firmwaresg355-10psg200-50psg350-10psg200-26fp_firmwaresx550x-16ft_firmwaresf200-48p_firmwaresf302-08p_firmwaresg500-52mpsg250-50psg300-52psf250-48sg250-26hpsg250x-48p_firmwaresg300-20_firmwaresf500-24p_firmwaresf500-48sg300-10sfpsg550x-24_firmwaresg200-50fpsg250x-48_firmwaresg300-28_firmwaresf302-08psg500-28mppsf500-24psg250-50p_firmwaresf200-24p_firmwaresf302-08ppsf350-48p_firmwaresg350xg-48t_firmwaresf300-48sg250-26sg300-10sfp_firmwaresg250x-48sf550x-48mp_firmwaresg350-28p_firmwaresf550x-24_firmwaresf250-48hp_firmwaresg350xg-2f10sg300-28ppsg300-52mp_firmwaresf500-48_firmwaresg350-10mpsg500-28p_firmwaresf550x-48psg550x-24mppsf550x-24sf500-48psg350xg-24f_firmwaresf200-24psg500-52p_firmwaresf500-48p_firmwaresg300-28mpsf302-08mp_firmwaresf350-48mp_firmwaresf250-24_firmwaresg350-28mpsg350x-48sg350-28mp_firmwaresg300-28pp_firmwaresf302-08sf200-24sx550x-24fsg500x-48psg250-26_firmwaresg350-10mp_firmwaresf302-08mpp_firmwaresg355-10p_firmwaresg550x-24mp_firmwaresg500x-48p_firmwaresg200-18_firmwaresg300-10psg300-52p_firmwaresf300-48ppsg500x-24_firmwaresg350xg-24t_firmwaresg550x-48_firmwaresf550x-24p_firmwaresg350x-24p_firmwaresg300-10mp_firmwaresf302-08_firmwaresg200-08p_firmwaresf200-24fp_firmwaresg550x-24sg300-10mpsf300-08sg300-10ppsg250-50_firmwaresf350-48_firmwaresg250-10psg350xg-2f10_firmwaresx550x-24f_firmwaresg200-08sg250-08sg350-28psg250-26hp_firmwaresg200-26fpsg200-26p_firmwaresg350xg-48tsf550x-48sg300-28sx550x-52_firmwaresg200-10fp_firmwaresg350-28_firmwaresg300-10_firmwaresg350-10sg350x-48psg250-08hpsg550x-24mpsx550x-16ftsf300-24p_firmwaresg500x-24sg550x-48mpsg350-10_firmwaresx550x-24ftsx550x-52sg250x-48psg200-50fp_firmwaresg500x-24p_firmwaresg250-26psg300-10pp_firmwaresf550x-24psg300-10sf500-24sf300-48p_firmwaresf350-48mpsg250-50sg550x-24p_firmwaresf200-24fpsg300-10mppsg500xg-8f8t_firmwaresg300-28psg550x-24psg200-26psf200-48psf300-24psf300-24sg200-08_firmwaresg350x-48mpsf302-08mppsg550x-48sf302-08mpsf250-48_firmwaresg350x-48p_firmwaresf300-48pp_firmwaresg250-08_firmwaresf300-24mpsg300-28mp_firmwaresg350x-24psf550x-24mpsx550x-12f_firmwaresf302-08pp_firmwaresg250-50hpsg550x-24mpp_firmwaresf250-48hpsg200-18sx550x-24_firmwaresg200-50_firmwaresg250-26p_firmwaresg350xg-24fsf300-08_firmwaresf200-48_firmwaresg500x-48_firmwaresg500xg-8f8tsg500-28_firmwaresf500-24_firmwaresg250-08hp_firmwaresf300-48_firmwaresf300-24pp_firmwaresg300-28p_firmwareCisco Small Business 250 Series Smart Switches Software
CWE ID-CWE-16
Not Available
CWE ID-CWE-287
Improper Authentication
CVE-2024-39772
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-3.7||LOW
EPSS-0.31% / 23.06%
||
7 Day CHG~0.00%
Published-16 Sep, 2024 | 14:27
Updated-01 Nov, 2024 | 14:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Silent Desktop Screenshot Capture

Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_desktopMattermost
CWE ID-CWE-284
Improper Access Control
CVE-2025-8525
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 33.36%
||
7 Day CHG~0.00%
Published-04 Aug, 2025 | 20:32
Updated-28 Aug, 2025 | 12:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exrick xboot Spring Boot Admin/Spring Actuator information disclosure

A vulnerability was found in Exrick xboot up to 3.3.4. It has been classified as problematic. This affects an unknown part of the component Spring Boot Admin/Spring Actuator. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-exrickExrick
Product-xbootxboot
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2019-15987
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-1.58% / 72.53%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 03:42
Updated-19 Nov, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco WebEx Centers Username Enumeration Information Disclosure Vulnerability

A vulnerability in web interface of the Cisco Webex Event Center, Cisco Webex Meeting Center, Cisco Webex Support Center, and Cisco Webex Training Center could allow an unauthenticated, remote attacker to guess account usernames. The vulnerability is due to missing CAPTCHA protection in certain URLs. An attacker could exploit this vulnerability by sending a crafted request to the web interface. A successful exploit could allow the attacker to know if a given username is valid and find the real name of the user.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-webex_meetings_onlinewebex_meeting_centerwebex_event_centerwebex_support_centerwebex_training_centerwebex_meetings_serverCisco WebEx Event Center
CWE ID-CWE-287
Improper Authentication
CVE-2025-7874
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.74% / 49.98%
||
7 Day CHG~0.00%
Published-20 Jul, 2025 | 07:02
Updated-27 Aug, 2025 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Metasoft 美特软件 MetaCRM env.jsp information disclosure

A vulnerability was found in Metasoft 美特软件 MetaCRM up to 6.4.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /env.jsp. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-metasoftMetasoft 美特软件
Product-metacrmMetaCRM
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2024-44202
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.51% / 39.48%
||
7 Day CHG~0.00%
Published-16 Sep, 2024 | 23:22
Updated-02 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authentication issue was addressed with improved state management. This issue is fixed in Safari 18, iOS 18 and iPadOS 18. Private Browsing tabs may be accessed without authentication.

Action-Not Available
Vendor-Apple Inc.
Product-iphone_osipadosSafariiOS and iPadOSiphone_osipados
CWE ID-CWE-287
Improper Authentication
CVE-2024-1678
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.45% / 35.89%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Subway – Private Site Option <= 2.1.4 - Improper Access Control to Sensitive Information Exposure via REST API

The Subway – Private Site Option plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's private site feature and view restricted page and post content.

Action-Not Available
Vendor-dunhakdisdunhakdis
Product-Subway – Private Site Optionsubway-private_site_option
CWE ID-CWE-284
Improper Access Control
CVE-2024-42172
Matching Score-4
Assigner-HCL Software
ShareView Details
Matching Score-4
Assigner-HCL Software
CVSS Score-5.3||MEDIUM
EPSS-0.38% / 29.92%
||
7 Day CHG~0.00%
Published-11 Jan, 2025 | 06:44
Updated-16 May, 2025 | 13:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL MyXalytics is affected by broken authentication

HCL MyXalytics is affected by broken authentication. It allows attackers to compromise keys, passwords, and session tokens, potentially leading to identity theft and system control. This vulnerability arises from poor configuration, logic errors, or software bugs and can affect any application with access control, including databases, network infrastructure, and web applications.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dryice_myxalyticsDRYiCE MyXalytics
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2019-20412
Matching Score-4
Assigner-Atlassian
ShareView Details
Matching Score-4
Assigner-Atlassian
CVSS Score-5.3||MEDIUM
EPSS-1.88% / 76.95%
||
7 Day CHG~0.00%
Published-29 Jun, 2020 | 05:50
Updated-17 Sep, 2024 | 00:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_software_data_centerjira_data_centerjiraJira Server
CWE ID-CWE-287
Improper Authentication
CVE-2022-23513
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-40.16% / 98.46%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 23:17
Updated-15 Apr, 2025 | 13:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pi-Hole/AdminLTE vulnerable due to improper access control in queryads endpoint

Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path: `/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims' personal blacklists.

Action-Not Available
Vendor-pi-holepi-hole
Product-adminlteAdminLTE
CWE ID-CWE-284
Improper Access Control
CVE-2024-41243
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.51% / 39.97%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 00:00
Updated-19 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Incorrect Access Control vulnerability was found in /smsa/view_marks.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view MARKS details.

Action-Not Available
Vendor-lopalopan/a
Product-responsive_school_management_systemn/a
CWE ID-CWE-284
Improper Access Control
CVE-2024-41246
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.54% / 41.36%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 00:00
Updated-27 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Incorrect Access Control vulnerability was found in /smsa/admin_dashboard.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view administrator dashboard.

Action-Not Available
Vendor-lopalopan/aKashipara Group
Product-responsive_school_management_systemn/aresponsive_school_management_system
CWE ID-CWE-284
Improper Access Control
CVE-2024-41245
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.55% / 41.88%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 00:00
Updated-08 Aug, 2024 | 15:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Incorrect Access Control vulnerability was found in /smsa/view_teachers.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view TEACHER details.

Action-Not Available
Vendor-lopalopan/aKashipara Group
Product-responsive_school_management_systemn/aresponsive_school_management_system
CWE ID-CWE-284
Improper Access Control
CVE-2024-40794
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-5.3||MEDIUM
EPSS-1.18% / 63.88%
||
7 Day CHG~0.00%
Published-29 Jul, 2024 | 22:17
Updated-02 Apr, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This issue was addressed through improved state management. This issue is fixed in Safari 17.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. Private Browsing tabs may be accessed without authentication.

Action-Not Available
Vendor-Apple Inc.
Product-iphone_ossafariipadosmacosSafariiOS and iPadOSmacOS
CWE ID-CWE-287
Improper Authentication
CVE-2019-1622
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-78.86% / 99.54%
||
7 Day CHG~0.00%
Published-27 Jun, 2019 | 03:05
Updated-19 Nov, 2024 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Data Center Network Manager Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software. An attacker could exploit this vulnerability by connecting to the web-based management interface of an affected device and requesting specific URLs. A successful exploit could allow the attacker to download log files and diagnostic information from the affected device.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-data_center_network_managerCisco Data Center Network Manager
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2024-38426
Matching Score-4
Assigner-Qualcomm, Inc.
ShareView Details
Matching Score-4
Assigner-Qualcomm, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 16.12%
||
7 Day CHG~0.00%
Published-03 Mar, 2025 | 10:07
Updated-11 Aug, 2025 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Authentication in Modem

While processing the authentication message in UE, improper authentication may lead to information disclosure.

Action-Not Available
Vendor-Qualcomm Technologies, Inc.
Product-sdm429w_firmwaresw5100pqcs410_firmwarewcn6650qcs610_firmwarewcd9335wcd9370qca8081_firmwaresnapdragon_730gsnapdragon_429_firmwareqcc711_firmwareqca4004qca6696wcd9340_firmwarewcd9341_firmwarewcd9395_firmwarewcn7881_firmwareqcn6024wcn6450qcc710_firmwaresnapdragon_auto_4gfastconnect_6700wcn3610snapdragon_695_5gsnapdragon_wear_4100\+_firmwarewsa8832_firmwareqca8337wcd9395qca6574au_firmwaresnapdragon_x12_lte_firmwarewcd9341snapdragon_wear_1300qca6574auwcd9390315_5g_iot_firmwaresd730_firmwarewsa8845h_firmwaresnapdragon_429wsa8810_firmwarecsra6640snapdragon_690_5gsm8650q_firmwaresnapdragon_765_5gwcn3660b_firmwaresd730sdx80mfastconnect_6800_firmwaresd835_firmwareqcn6024_firmwarevideo_collaboration_vc1_platform_firmwaresnapdragon_x72_5g-rf_firmwareqcm6125_firmwaresnapdragon_x62_5g-rfqcc710snapdragon_730snapdragon_wear_4100\+snapdragon_765g_5g_firmwarefastconnect_6900robotics_rb2video_collaboration_vc1_platformqep8111sm8635snapdragon_x65_5g-rf_firmwareqfw7114wcd9385_firmwareqca6310snapdragon_678_firmwaresdx61qcs4490snapdragon_732g_firmwaresnapdragon_x55_5g-rf_firmwaresnapdragon_662_firmwarewsa8845qcm6125snapdragon_x75_5g-rf_firmwareqca6564au_firmwarewsa8810205snapdragon_678qca6595ausnapdragon_865_5g_firmwarewcd9326_firmwarewsa8840mdm9640_firmwaresnapdragon_730g_firmwaresd835qfw7124_firmwarewcd9371_firmwareqcs4490_firmwarewcn3910_firmwareqts110snapdragon_675_firmwaresdx71msm8635psnapdragon_680_4gwcn3910snapdragon_212_firmwaremdm9205s_firmwarewcd9370_firmwarecsrb31024qca9367robotics_rb2_firmwaresnapdragon_480\+_5g_firmwaresnapdragon_765_5g_firmwaresnapdragon_x55_5g-rfwcn3660bqca6574awcn3620_firmwareqca6174aqca6584_firmwaresnapdragon_695_5g_firmwarewcd9340qcm22909205_ltesnapdragon_835_mobile_pc_firmware215wcn3988qcn9024sd675_firmwareqcc711snapdragon_auto_5g-rf_firmwaresnapdragon_439_firmwaresdx57msmart_audio_400qcn9024_firmwarewsa8845hwcd9326qcs410qcm2290_firmwaresm8650qqca6564awsa8830snapdragon_870_5g_firmwaresnapdragon_x75_5g-rfsm7675_firmwarear8035sm7635_firmwaremsm8996auwcn3620wcn6450_firmwareqcm4325qcn6224qca6698aqwcn3950_firmwaresm7635mdm9205sfastconnect_6200wcn3680bwcd9378snapdragon_210_firmwaresm8635p_firmwarefastconnect_6700_firmwaresnapdragon_768g_5gvideo_collaboration_vc3_platform_firmwaresnapdragon_x72_5g-rfsnapdragon_auto_5g-rf_gen_2_firmwarewcn3990snapdragon_210snapdragon_x5_lte_firmwarefastconnect_6200_firmwarewsa8830_firmwareqcn6224_firmwarewsa8845_firmwarewsa8832sdx61_firmwarewcd9378_firmwaresdx57m_firmwaresm7675par8035_firmwaresnapdragon_680_4g_firmwareqca6320snapdragon_x65_5g-rfsnapdragon_x35_5g-rf_firmwaresnapdragon_439wcd9306qca6564auqcs6125_firmwaresnapdragon_460snapdragon_wear_1300_firmwarewsa8815_firmwaresnapdragon_865_5gqca8337_firmwaresnapdragon_665_firmwaresnapdragon_auto_4g_firmwareqcm4290snapdragon_480_5g_firmwaresnapdragon_4_gen_1_firmwaresnapdragon_x12_ltesnapdragon_685_4gqca9377_firmwaresnapdragon_w5\+_gen_1snapdragon_665sm7250p_firmwarewcn3680_firmware205_firmwareqcm4490_firmwarewcn3950qcs6125snapdragon_690_5g_firmwareqca4004_firmwaresmart_audio_400_firmwaresnapdragon_460_firmwaresd_675_firmwaresm7250pcsrb31024_firmwaresnapdragon_768g_5g_firmwareqca6584ausnapdragon_x35_5g-rfqca6320_firmwareqcn6274_firmwarewcn6755_firmwaresw5100_firmwarewcn6650_firmwaresnapdragon_732gqca6310_firmwarefastconnect_6800qfw7114_firmwaresnapdragon_662snapdragon_x5_ltefastconnect_7800_firmwaresnapdragon_auto_5g-rfwcd9371snapdragon_x70-rfsm8635_firmwarefastconnect_6900_firmwarewcd9380snapdragon_x70-rf_firmwarewcn6755215_firmwaresnapdragon_765g_5gmsm8996au_firmwarewcn7881sm6650sw5100video_collaboration_vc3_platformwcd9306_firmwareqcm2150_firmwaresnapdragon_8657\+_5gsnapdragon_8_gen_1_firmwarewcd9330_firmwarewcn3990_firmwareqca6698aq_firmwareqcs2290qca6564a_firmwarewcd9385qcs2290_firmwarewcn3615qca9367_firmwarewcd9330wcn3610_firmwarewcn3680snapdragon_8_gen_1qcs4290wcd9390_firmwaresnapdragon_8_gen_3qep8111_firmwaresdx71m_firmwaresdx55_firmwarewcn3615_firmwareqcm4490snapdragon_4_gen_1snapdragon_870_5gcsra6640_firmwaresnapdragon_480\+_5gqca6174a_firmwaresnapdragon_685_4g_firmwarewcn7861wcn7861_firmwaresm6650_firmwaresnapdragon_480_5gwcn3980_firmwarewcd9335_firmwaremdm9640sdm429wqca6584au_firmwareqcn6274wsa8835wsa8840_firmwareqca6391_firmwareqfw71249205_lte_firmwareqca6595au_firmwaresw5100p_firmwareqca6696_firmwareqcs4290_firmwarewcd9380_firmwaresnapdragon_8657\+_5g_firmwarecsra6620qca8081wsa8815mdm9628sg4150psd_8_gen1_5gsnapdragon_auto_5g-rf_gen_2qca9377mdm9628_firmwaresnapdragon_730_firmwareqcm4325_firmwareqca6574a_firmwaresdx55qcm4290_firmwaresnapdragon_835_mobile_pcsd675sd_8_gen1_5g_firmwaresnapdragon_8_gen_3_firmwaresnapdragon_w5\+_gen_1_firmwareqca6391wcd9375_firmwareqts110_firmwaresg4150p_firmwareqca6584csra6620_firmwaresnapdragon_675fastconnect_7800wcd9375wcn3988_firmware315_5g_iotsm7675snapdragon_x62_5g-rf_firmwaresd_675snapdragon_212wsa8835_firmwaresdx80m_firmwarewcn3980sm7675p_firmwareqcm2150wcn3680b_firmwareqcs610Snapdragon
CWE ID-CWE-287
Improper Authentication
CVE-2022-23505
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.75% / 50.46%
||
7 Day CHG~0.00%
Published-13 Dec, 2022 | 07:04
Updated-23 Apr, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Passport-wsfed-saml2 vulnerable to Authentication Bypass for WSFed authentication

Passport-wsfed-saml2 is a ws-federation protocol and SAML2 tokens authentication provider for Passport. In versions prior to 4.6.3, a remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP signed assertion. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. This issue is patched in version 4.6.3. Use of SAML2 authentication instead of WSFed is a workaround.

Action-Not Available
Vendor-auth0auth0
Product-passport-wsfed-saml2passport-wsfed-saml2
CWE ID-CWE-287
Improper Authentication
CVE-2024-37152
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-2.35% / 81.62%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 15:33
Updated-18 Sep, 2024 | 12:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Access to sensitive settings in Argo CD

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.

Action-Not Available
Vendor-argoprojargoprojThe Linux Foundation
Product-argo_cdargo-cdargo-cd
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-34093
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.44% / 35.09%
||
7 Day CHG~0.00%
Published-06 May, 2024 | 00:00
Updated-18 Mar, 2025 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Archer Platform 6 before 2024.03. There is an X-Forwarded-For Header Bypass vulnerability. An unauthenticated attacker could potentially bypass intended whitelisting when X-Forwarded-For header is enabled.

Action-Not Available
Vendor-archerirmn/aarcherirm
Product-archern/aarcher
CWE ID-CWE-287
Improper Authentication
CVE-2024-34107
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-5.3||MEDIUM
EPSS-1.13% / 62.55%
||
7 Day CHG~0.00%
Published-13 Jun, 2024 | 09:04
Updated-17 Sep, 2024 | 11:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Commerce | Improper Access Control (CWE-284)

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and view minor unauthorised information. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-magentocommerce_webhookscommerceAdobe Commercecommerce
CWE ID-CWE-284
Improper Access Control
CVE-2019-12395
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-1.59% / 72.76%
||
7 Day CHG~0.00%
Published-28 May, 2019 | 12:41
Updated-04 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Webbukkit Dynmap 3.0-beta-3 or below, due to a missing login check in servlet/MapStorageHandler.java, an attacker can see a map image without login even if victim enables login-required in setting.

Action-Not Available
Vendor-dynmap_projectn/a
Product-dynmapn/a
CWE ID-CWE-287
Improper Authentication
CVE-2022-22289
Matching Score-4
Assigner-Samsung Mobile
ShareView Details
Matching Score-4
Assigner-Samsung Mobile
CVSS Score-5.3||MEDIUM
EPSS-0.77% / 51.18%
||
7 Day CHG~0.00%
Published-07 Jan, 2022 | 22:39
Updated-03 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control vulnerability in S Assistant prior to version 7.5 allows attacker to remotely get senstive information.

Action-Not Available
Vendor-SamsungSamsung Electronics
Product-s_assistantS Assistant
CWE ID-CWE-287
Improper Authentication
CVE-2025-4980
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.53% / 40.72%
||
7 Day CHG~0.00%
Published-20 May, 2025 | 14:00
Updated-12 Jun, 2025 | 16:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netgear DGND3700 mini_http currentsetting.htm information disclosure

A vulnerability has been found in Netgear DGND3700 1.1.00.15_1.00.15NA and classified as problematic. This vulnerability affects unknown code of the file /currentsetting.htm of the component mini_http. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other products might be affected as well. The vendor was contacted early about this disclosure.

Action-Not Available
Vendor-NETGEAR, Inc.
Product-dgnd3700_firmwaredgnd3700DGND3700
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2022-2133
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-0.99% / 58.18%
||
7 Day CHG~0.00%
Published-17 Jul, 2022 | 10:36
Updated-03 Aug, 2024 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OAuth Single Sign On < 6.22.6 - Authentication Bypass

The OAuth Single Sign On WordPress plugin before 6.22.6 doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user's email address.

Action-Not Available
Vendor-miniorangeUnknown
Product-oauth_single_sign_onOAuth Single Sign On – SSO (OAuth Client)
CWE ID-CWE-287
Improper Authentication
CVE-2024-28188
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.99%
||
7 Day CHG~0.00%
Published-23 May, 2024 | 11:54
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
jupyter-scheduler's endpoint is missing authentication

Jupyter Scheduler is collection of extensions for programming jobs to run now or run on a schedule. The list of conda environments of `jupyter-scheduler` users maybe be exposed, potentially revealing information about projects that a specific user may be working on. This vulnerability has been patched in version(s) 1.1.6, 1.2.1, 1.8.2 and 2.5.2.

Action-Not Available
Vendor-jupyter-serverjupyter
Product-jupyter-schedulerscheduler
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-287
Improper Authentication
CVE-2024-28006
Matching Score-4
Assigner-NEC Corporation
ShareView Details
Matching Score-4
Assigner-NEC Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.49% / 38.31%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 00:51
Updated-29 Sep, 2025 | 13:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper authentication vulnerability in NEC Corporation Aterm WG1800HP4, WG1200HS3, WG1900HP2, WG1200HP3, WG1800HP3, WG1200HS2, WG1900HP, WG1200HP2, W1200EX(-MS), WG1200HS, WG1200HP, WF300HP2, W300P, WF800HP, WR8165N, WG2200HP, WF1200HP2, WG1800HP2, WF1200HP, WG600HP, WG300HP, WF300HP, WG1800HP, WG1400HP, WR8175N, WR9300N, WR8750N, WR8160N, WR9500N, WR8600N, WR8370N, WR8170N, WR8700N, WR8300N, WR8150N, WR4100N, WR4500N, WR8100N, WR8500N, CR2500P, WR8400N, WR8200N, WR1200H, WR7870S, WR6670S, WR7850S, WR6650S, WR6600H, WR7800H, WM3400RN, WM3450RN, WM3500R, WM3600R, WM3800R, WR8166N, MR01LN MR02LN, WG1810HP(JE) and WG1810HP(MF) all versions allows a attacker to view device information.

Action-Not Available
Vendor-NEC Corporation
Product-aterm_wr1200haterm_wr9500n_firmwareaterm_wg600hpaterm_wg1400hpaterm_wr8750naterm_wm3450rn_firmwareaterm_wg300hpaterm_wg1200hs2aterm_wg1200hs3_firmwareaterm_wg1810hp\(je\)aterm_wr8700naterm_wg1800hp2_firmwareaterm_wm3800raterm_w1200ex-ms_firmwareaterm_wg1800hp2aterm_wg1900hp2_firmwareaterm_mr02lnaterm_wf800hpaterm_wm3600r_firmwareaterm_wg1200hs3aterm_wr8700n_firmwareaterm_wr6600h_firmwareaterm_wg2200hp_firmwareaterm_wf300hpaterm_wr9300naterm_wf800hp_firmwareaterm_wr4500n_firmwareaterm_wg1810hp\(je\)_firmwareaterm_wr6670saterm_wg1800hp4_firmwareaterm_wr9500naterm_wg300hp_firmwareaterm_wr8150n_firmwareaterm_wg1200hpaterm_wr6650saterm_wr8175naterm_wr7850saterm_wr8100n_firmwareaterm_wr7850s_firmwareaterm_wr8200n_firmwareaterm_wm3400rnaterm_cr2500paterm_wr8100naterm_wm3500r_firmwareaterm_w300paterm_wr4100n_firmwareaterm_wm3400rn_firmwareaterm_wr7870saterm_wr8150naterm_wr8165n_firmwareaterm_wr8160n_firmwareaterm_wf1200hp2_firmwareaterm_wr8500n_firmwareaterm_wf300hp2aterm_wg1200hp2aterm_wg1900hpaterm_w1200ex-msaterm_wm3500raterm_w300p_firmwareaterm_wg1800hp3_firmwareaterm_wr7800h_firmwareaterm_wf1200hp_firmwareaterm_wf300hp2_firmwareaterm_wr1200h_firmwareaterm_wr9300n_firmwareaterm_wg1200hs2_firmwareaterm_wg1800hp3aterm_wr8166n_firmwareaterm_wr6650s_firmwareaterm_wg1900hp2aterm_wr6600haterm_wg1200hs_firmwareaterm_wr8165naterm_wr7800haterm_wr8166naterm_wr8370n_firmwareaterm_cr2500p_firmwareaterm_wm3600raterm_wr8160naterm_wf1200hp2aterm_wr4100naterm_mr01ln_firmwareaterm_wm3800r_firmwareaterm_wg1200hp3_firmwareaterm_wr8750n_firmwareaterm_wr8370naterm_mr02ln_firmwareaterm_wg1800hp_firmwareaterm_wr8175n_firmwareaterm_wg1400hp_firmwareaterm_wg1810hp\(mf\)_firmwareaterm_wr8400naterm_wg1200hp2_firmwareaterm_wr4500naterm_wg1810hp\(mf\)aterm_wg1900hp_firmwareaterm_wm3450rnaterm_wr8200naterm_wf300hp_firmwareaterm_wg2200hpaterm_wr7870s_firmwareaterm_wr6670s_firmwareaterm_wg1200hp3aterm_wr8170n_firmwareaterm_wf1200hpaterm_wr8600naterm_wg600hp_firmwareaterm_wr8600n_firmwareaterm_wg1200hsaterm_wg1800hpaterm_wr8500naterm_wg1200hp_firmwareaterm_wr8170naterm_wr8300n_firmwareaterm_mr01lnaterm_wg1800hp4aterm_wr8400n_firmwareaterm_wr8300nMR02LNW1200EX(-MS)WF300HPWG1810HP(JE)WG1200HS3WG600HPWG1200HP2WR8100NWG1800HP2WR8150NCR2500PWG300HPWR4100NWG1200HPWG1800HP3WR8175NWR8600NWR8700NWM3400RNWM3450RNWG1900HP2WG1800HPWR8166NWM3600RWG1400HPWG1200HS2WR6670SWR6650SWR8370NWF1200HP2WR7800HMR01LNWG1810HP(MF)WR4500NWR9300NWR8165NWR8300NWR8400NWG1200HP3WR7870SWG1800HP4WR6600HWF300HP2WG2200HPWR8170NWR9500NWF800HPWR8200NWR8500NWR7850SW300PWR1200HWR8160NWR8750NWF1200HPWM3500RWG1900HPWM3800RWG1200HS
CWE ID-CWE-287
Improper Authentication
CVE-2025-4752
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.92% / 55.80%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 06:00
Updated-03 Jun, 2025 | 15:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DI-7003GV2 install_base.data information disclosure

A vulnerability has been found in D-Link DI-7003GV2 24.04.18D1 R(68125) and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /install_base.data. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-di-7003g_firmwaredi-7003gDI-7003GV2
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • Next
Details not found