1855 matches found
CVE-2025-31478 Zulip Authentication Backend Configuration Bypass
Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being able to authenticate with a single-sign on authentication backend, meaning the organization places no restrictions on email address domains or invitations being requir...
CVE-2025-2291 PgBouncer default auth_query does not take Postgres password expiry into account
A password can be used past its expiry in PgBouncer because auth_query does not take the PostgreSQL VALID UNTIL value into account, which allows an attacker to log in with an already expired password...
CVE-2025-2291
CVE-2025-2291 affects PgBouncer; the flaw arises because auth_query does not respect the PostgreSQL VALID UNTIL expiry, allowing login with an already expired password. The issue impacts versions older than the fixed release (upstream 1.24.1 line; many advisories reference versions < 1.24.1-1 or
CWA smartcard logon error 'Can’t read smart card' on client with SIM card
There is a client with 2 smart cards: a physical smart card and an integrated eSIM. When CWA Windows tries to authenticate with the smart card, the user gets an error that says "Can't read smart card. Please contact your IT administrator". If we remove the SIM card from the client, the authenticatio...
CVE-2025-29652
...
The vulnerability of the SAP NetWeaver software integration platform, related to the lack of authentication, allows attackers to compromise the confidentiality, integrity, and accessibility of protected information.
The vulnerability of the SAP NetWeaver software integration platform is related to the lack of authentication. Exploiting this vulnerability allows a malicious actor to remotely compromise the confidentiality, integrity, and accessibility of the protected information...
CVE-2023-42973
Private Browsing tabs may be accessed without authentication. This issue is fixed in iOS 17 and iPadOS 17. The issue was addressed with improved UI...
CVE-2025-3292 User Registration & Membership – Custom Registration Form, Login Form, and User Profile <= 4.1.3 - Insecure Direct Object Reference to Authenticated (Subscriber+) User Password Update
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the userregistrationupdateprofiledetails due to missing validation on the 'userid' use...
Adobe ColdFusion License Issue Vulnerability (CNVD-2025-09272)
Adobe ColdFusion is a rapid application development platform from the US company Adobe. The platform includes an integrated development environment and a scripting language. Adobe ColdFusion has an authorization issue vulnerability; the vulnerability stems from the failure to...
RosarioSIS 7.6 - SQL Injection
Exploit Title: RosarioSIS 7.6 - SQL Injection Date: 2024-10-26 Exploit Author: CodeSecLab Vendor Homepage: https://gitlab.com/francoisjacquet/rosariosis Software Link: https://gitlab.com/francoisjacquet/rosariosis Version: 7.6 Tested on: Ubuntu Windows CVE : CVE-2021-44567 PoC: POST...
CVE-2025-3424
The IntelliSpace portal application utilizes .NET Remoting for its functionality. The vulnerability arises from the exploitation of port 755 through the "Object Marshalling" technique, which allows an attacker to read internal files without any authentication. This is possible by crafting specifi...
CVE-2025-3474 Panels - Critical - Access bypass - SA-CONTRIB-2025-033
Missing Authentication for Critical Function vulnerability in Drupal Panels allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Panels: from 0.0.0 before 4.9.0...
CVE-2025-3474
CVE-2025-3474 concerns the Panels module for Drupal. Missing authentication for a critical function results in improper access control, affecting Panels versions 0.0.0 through 4.9.0. The vulnerability can allow an attacker to view and modify blocks within variants without proper permissions, as ...
CVE-2025-29870
Missing authentication for critical function vulnerability exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If exploited, a remote unauthenticated attacker may obtain the product configuration information including authentication information...
PT-2025-15836 · Drupal · Drupal Panels
Name of the Vulnerable Software and Affected Versions: Drupal Panels versions 0.0.0 through 4.9.0 Description: The issue affects Drupal Panels due to missing authentication for a critical function, allowing exploitation of incorrectly configured access control security levels. Recommendations: Fo...
CVE-2024-41791
A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager All versions. The web interface of affected devices does not authenticate report creation requests. This could allow an unauthenticated remote attacker to read or clear the log files on the device, reset the device or set the...
CVE-2025-2526
The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email in the 'stAuthenticationController::editprofile'...
SUSE SLES12 Security Update : pam (SUSE-SU-2025:1158-1)
The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:1158-1 advisory. - CVE-2024-10041: sensitive data exposure while performing authentications. bsc1232234 Tenable has extracted the preceding description block directly...
CVE-2025-30373
Graylog is a free and open log management platform. Starting with 6.1, HTTP Inputs can be configured to check if a specified header is present and has a specified value to authenticate HTTP-based ingestion. Unfortunately, even though in cases of a missing header or a wrong value the correct HTTP...