| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The Iskra iHUB and iHUB Lite smart metering gateway exposes its web management interface without requiring authentication, allowing unauthenticated users to access and modify critical device settings. |
| SiRcom SMART Alert (SiSA) allows unauthorized access to backend APIs. This allows an unauthenticated attacker to bypass the login screen using browser developer tools, gaining access to restricted parts of the application. |
| Improper resource management in firmware of some Solidigm DC Products may allow an attacker with local or physical access to gain un-authorized access to a locked storage device. |
| A security vulnerability has been detected in VirtFusion up to 6.0.2. This vulnerability affects unknown code of the file /account/_settings of the component Email Change Handler. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| A vulnerability was found in Apeman ID71 218.53.203.117. The impacted element is an unknown function of the file /onvif/device_service of the component ONVIF Service. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| A vulnerability was identified in huggingface LeRobot up to 0.3.3. Affected by this vulnerability is an unknown functionality of the file lerobot/common/robot_devices/robots/lekiwi_remote.py of the component ZeroMQ Socket Handler. The manipulation leads to missing authentication. The attack can only be initiated within the local network. The vendor was contacted early about this disclosure but did not respond in any way. |
| A vulnerability has been found in Harness 3.3.0. Affected is an unknown function of the file /api/v1/login of the component Login Endpoint. The manipulation leads to improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| NUP Portal developed by NewType Infortech has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly upload files. If the attacker manages to bypass the file extension restrictions, they could upload a webshell and execute it on the server side. |
| A missing authentication vulnerability in Palo Alto Networks Cortex XDR® Broker VM allows an unauthenticated user to disable certain internal services on the Broker VM.
The attacker must have network access to the Broker VM to exploit this issue. |
| An improper exception check in Palo Alto Networks Prisma Access Browser allows a low privileged user to prevent Prisma Access Browser from applying it's Policy Rules. This enables the user to use Prisma Access Browser without any restrictions. |
| In WS_FTP Server versions before 8.8.9 (2022.0.9), an Incorrect Implementation of Authentication Algorithm in the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only. |
| A vulnerability exists in NSD570 login panel that does not restrict excessive authentication attempts. If exploited, this could
cause account takeover and unauthorized access to the system
when an attacker conducts brute-force attacks against the
equipment login. Note that the system supports only one concurrent session and implements a delay of more than a second
between failed login attempts making it difficult to automate the
attacks. |
| The affected product lacks an authentication check when sending commands to the server via the Moxa service. This vulnerability allows an attacker to execute specified commands, potentially leading to unauthorized downloads or uploads of configuration files and system compromise. |
| The Archify application contains a local privilege escalation vulnerability due to insufficient client validation in its privileged helper tool, com.oct4pie.archifyhelper, which is exposed via XPC. Archify follows the "factored applications" model, delegating privileged operations—such as arbitrary file deletion and file permission changes—to this helper running as root. However, the helper does not verify the code signature, entitlements, or signing flags of the connecting client. Although macOS provides secure validation mechanisms like auditToken, these are not implemented. As a result, any local process can establish a connection to the helper and invoke privileged functionality, leading to unauthorized execution of actions with root-level privileges. |
| A vulnerability in the MSC800 allows an unauthenticated attacker to modify the product’s IP
address over Sopas ET.
This can lead to Denial of Service.
Users are recommended to upgrade both
MSC800 and MSC800 LFT to version V4.26 and S2.93.20 respectively which fixes this issue. |
| In version 0.4.1 of danswer-ai/danswer, a vulnerability exists where a basic user can create credentials and link them to an existing connector. This issue arises because the system allows an unauthenticated attacker to sign up with a basic account and perform actions that should be restricted to admin users. This can lead to excessive resource consumption, potentially resulting in a Denial of Service (DoS) and other significant issues, impacting the system's stability and security. |
| OMNTEC Proteus Tank Monitoring OEL8000III Series
could allow an attacker to perform administrative actions without proper authentication. |
| Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded command to port 12777 to obtain username and password, enabling direct SSH access to the device. |
| Server-Side Access Control Bypass vulnerability in WombatDialer before 25.02 could allow unauthorized users to potentially call certain services without the necessary access level. This issue is limited to services used by the client (not the general-use JSON services) and requires reverse engineering of the proprietary serialization protocol, making it difficult to exploit. |
| In One Identity Identity Manager 9.x before 9.3, an insecure direct object reference (IDOR) vulnerability allows privilege escalation. Only On-Premise installations are affected. |
