| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Improper access control in Azure File Sync allows an authorized attacker to elevate privileges locally. |
| Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certificate files, despite lacking the necessary privileges to access the Security & Filtering section. |
| An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. An app may be able to access sensitive user data. |
| A logic issue was addressed with improved checks. This issue is fixed in iOS 26.3 and iPadOS 26.3. A user with Live Caller ID app extensions turned off could have identifying information leaked to the extensions. |
| Dell iDRAC Service Module (iSM) for Windows, versions prior to 6.0.3.1, and Dell iDRAC Service Module (iSM) for Linux, versions prior to 5.4.1.1, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. |
| Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to 2.10.2, there is an improper access control vulnerability that allows unauthorized users to trigger a reset or deletion of metadata for any tenant. By sending a crafted request to the /resetMemoryCache endpoint, an attacker can clear cached configurations, environments, and cluster data. This vulnerability is fixed in 2.10.2. |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another user’s record; the server accepts the modified IDs and applies the changes to that other user’s profile. This allows one user to alter another user’s profile data (name, contact info, etc.), and could enable account takeover. Version 7.0.4 fixes the issue. |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4. |
| An authorization issue was addressed with improved state management. This issue is fixed in macOS Tahoe 26.3. An app may be able to access sensitive user data. |
| A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level. |
| An authentication bypass vulnerability in NETGEAR Orbi devices allows
users connected to the local network to access the router web interface
as an admin. |
| The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests to return verbose Django tracebacks that disclose backend source code, local file paths, and system configuration. |
| METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services. |
| METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with root (UID 0) privileges. This results in full system compromise, allowing unauthorized access to modify system configuration, read sensitive data, or disrupt device operations |
| sudo-rs is a memory safe implementation of sudo and su written in Rust. With `Defaults targetpw` (or `Defaults rootpw`) enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs starting in version 0.2.5 and prior to version 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user's UID in the authentication timestamp. Any later `sudo` invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it. A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts. A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of `sudo`), effectively negating the intended behaviour of the `targetpw` or `rootpw` options. Version 0.2.10 contains a patch for the issue. Versions prior to 0.2.5 are not affected, since they do not offer `Defaults targetpw` or `Defaults rootpw`. |
| Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data. |
| BloodX 1.0 contains an authentication bypass vulnerability in login.php that allows attackers to access the dashboard without valid credentials. Attackers can exploit the vulnerability by sending a crafted payload with '=''or' parameters to bypass login authentication and gain unauthorized access. |
| Improper access control in secure encrypted virtualization (SEV) could allow a privileged attacker to write to the reverse map page (RMP) during secure nested paging (SNP) initialization, potentially resulting in a loss of guest memory confidentiality and integrity. |
| A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding Referer: http://tplinkwifi.net to the the request, it will be recognized as passing the authentication. NOTE: this is disputed by the Supplier because the response to the API call is only "non-sensitive UI initialization variables." |
| Affected Products and Versions
* Apache Druid
* Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0)
* Prerequisites: * druid-basic-security extension enabled
* LDAP authenticator configured
* Underlying LDAP server permits anonymous bind
Vulnerability Description
An authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous
binds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials.
The vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication.
Impact
A remote, unauthenticated attacker can:
* Gain unauthorized access to the Apache Druid cluster
* Access sensitive data stored in Druid datasources
* Execute queries and potentially manipulate data
* Access administrative interfaces if the bypassed account has elevated privileges
* Completely compromise the confidentiality, integrity, and availability of the Druid deployment
Mitigation
Immediate Mitigation (No Druid Upgrade Required):
* Disable anonymous bind on your LDAP server. This prevents the vulnerability from being exploitable and is the recommended immediate action.
Resolution
* Upgrade Apache Druid to version 36.0.0 or later, which includes fixes to properly reject anonymous LDAP bind attempts. |
