Total
458 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-63700 | 2025-12-03 | N/A | 7.5 HIGH | ||
| An issue was discovered in clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verification stage. NOTE: this is disputed by the Supplier because there is no available information to reproduce the issue, and because an OAuth authentication flow issue would be fixed in a backend component, not within clerk-js itself (which is solely a frontend component). | |||||
| CVE-2018-3829 | 1 Elastic | 1 Elastic Cloud Enterprise | 2025-12-03 | 3.5 LOW | 5.3 MEDIUM |
| In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add a allocator to an existing ECE install to gain access to other clusters data. | |||||
| CVE-2025-13636 | 2025-12-03 | N/A | 4.3 MEDIUM | ||
| Inappropriate implementation in Split View in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted domain name. (Chromium security severity: Low) | |||||
| CVE-2025-13635 | 2025-12-03 | N/A | 4.4 MEDIUM | ||
| Inappropriate implementation in Downloads in Google Chrome prior to 143.0.7499.41 allowed a local attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | |||||
| CVE-2025-13634 | 2025-12-03 | N/A | 4.4 MEDIUM | ||
| Inappropriate implementation in Downloads in Google Chrome on Windows prior to 143.0.7499.41 allowed a local attacker to bypass mark of the web via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2025-12653 | 1 Gitlab | 1 Gitlab | 2025-12-02 | N/A | 6.5 MEDIUM |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests. | |||||
| CVE-2023-30803 | 1 Sangfor | 1 Next-gen Application Firewall | 2025-11-28 | N/A | 9.8 CRITICAL |
| The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can bypass authentication and access administrative functionality by sending HTTP requests using a crafted Y-forwarded-for header. | |||||
| CVE-2025-12414 | 2025-11-21 | N/A | N/A | ||
| An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization.Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.100+ * 24.18.193+ * 25.0.69+ * 25.6.57+ * 25.8.39+ * 25.10.22+ * 25.12.0+ | |||||
| CVE-2025-5605 | 1 Wso2 | 9 Api Control Plane, Api Manager, Enterprise Integrator and 6 more | 2025-11-21 | N/A | 4.3 MEDIUM |
| An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details. | |||||
| CVE-2025-13015 | 1 Mozilla | 1 Firefox | 2025-11-19 | N/A | 3.4 LOW |
| Spoofing issue in Firefox. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5. | |||||
| CVE-2025-56800 | 1 Reolink | 1 Reolink | 2025-11-17 | N/A | 5.1 MEDIUM |
| Reolink desktop application 8.18.12 contains a vulnerability in its local authentication mechanism. The application implements lock screen password logic entirely on the client side using JavaScript within an Electron resource file. Because the password is stored and returned via a modifiable JavaScript property(a.settingsManager.lockScreenPassword), an attacker can patch the return value to bypass authentication. NOTE: this is disputed by the Supplier because the lock-screen bypass would only occur if the local user modified his own instance of the application. | |||||
| CVE-2025-11209 | 1 Google | 2 Android, Chrome | 2025-11-13 | N/A | 8.2 HIGH |
| Inappropriate implementation in Omnibox in Google Chrome on Android prior to 141.0.7390.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2025-12430 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-11-13 | N/A | 7.5 HIGH |
| Object lifecycle issue in Media in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | |||||
| CVE-2025-58595 | 2025-11-13 | N/A | 9.1 CRITICAL | ||
| Authentication Bypass by Spoofing vulnerability in Saad Iqbal All In One Login change-wp-admin-login allows Identity Spoofing.This issue affects All In One Login: from n/a through <= 2.0.8. | |||||
| CVE-2025-27916 | 1 Anydesk | 1 Anydesk | 2025-11-10 | N/A | 7.5 HIGH |
| An issue was discovered in AnyDesk through 9.0.4. When the connection between two clients is established via an IP address, it is possible to manipulate the data and spoof the AnyDesk ID. | |||||
| CVE-2024-54085 | 2 Ami, Netapp | 19 Megarac Sp-x, H300s, H300s Firmware and 16 more | 2025-11-05 | N/A | 9.8 CRITICAL |
| AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability. | |||||
| CVE-2025-43503 | 1 Apple | 5 Ipados, Iphone Os, Safari and 2 more | 2025-11-05 | N/A | 4.3 MEDIUM |
| An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Visiting a malicious website may lead to user interface spoofing. | |||||
| CVE-2025-43493 | 1 Apple | 4 Ipados, Iphone Os, Safari and 1 more | 2025-11-05 | N/A | 4.3 MEDIUM |
| The issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Visiting a malicious website may lead to address bar spoofing. | |||||
| CVE-2025-59501 | 1 Microsoft | 3 Configuration Manager 2403, Configuration Manager 2409, Configuration Manager 2503 | 2025-11-05 | N/A | 4.8 MEDIUM |
| Authentication bypass by spoofing in Microsoft Configuration Manager allows an authorized attacker to perform spoofing over an adjacent network. | |||||
| CVE-2024-34397 | 4 Debian, Fedoraproject, Gnome and 1 more | 4 Debian Linux, Fedora, Glib and 1 more | 2025-11-04 | N/A | 5.2 MEDIUM |
| An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact. | |||||