Total
4065 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-3880 | 1 Cisco | 1 Webex Meetings Server | 2025-04-20 | 6.4 MEDIUM | 6.5 MEDIUM |
|
An Authentication Bypass vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to access limited meeting information on the Cisco WebEx Meetings Server. More Information: CSCvd50728. Known Affected Releases: 2.6 2.7 2.8 CWMS-2.5MR1 Orion1.1.2.patch T29_orion_merge.
|
|||||
| CVE-2017-12698 | 1 Advantech | 1 Webaccess | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
An Improper Authentication issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. Specially crafted requests allow a possible authentication bypass that could allow remote code execution.
|
|||||
| CVE-2017-3854 | 1 Cisco | 12 2500 Wireless Lan Controller, 2504 Wireless Lan Controller, 5500 Wireless Lan Controller and 9 more | 2025-04-20 | 8.3 HIGH | 8.8 HIGH |
|
A vulnerability in the mesh code of Cisco Wireless LAN Controller (WLC) software could allow an unauthenticated, remote attacker to impersonate a WLC in a meshed topology. The vulnerability is due to insufficient authentication of the parent access point in a mesh configuration. An attacker could exploit this vulnerability by forcing the target system to disconnect from the correct parent access point and reconnect to a rogue access point owned by the attacker. An exploit could allow the attacke ...
Show More |
|||||
| CVE-2017-9552 | 1 Synology | 1 Photo Station | 2025-04-20 | 2.1 LOW | 7.8 HIGH |
|
A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline".
|
|||||
| CVE-2017-8827 | 1 Genixcms | 1 Genixcms | 2025-04-20 | 6.4 MEDIUM | 9.1 CRITICAL |
|
forgotpassword.php in GeniXCMS 1.0.2 lacks a rate limit, which might allow remote attackers to cause a denial of service (login inability) or possibly conduct Arbitrary User Password Reset attacks via a series of requests.
|
|||||
| CVE-2017-14032 | 1 Arm | 1 Mbed Tls | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
|
ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. NOTE: although mbed TLS was formerly known as PolarSSL, the releases shipped with the PolarSSL name are not affected.
|
|||||
| CVE-2017-6871 | 1 Siemens | 2 Simatic Wincc Sm\@rtclient, Simatic Wincc Sm\@rtclient Lite | 2025-04-20 | 4.6 MEDIUM | 5.4 MEDIUM |
|
A vulnerability was discovered in Siemens SIMATIC WinCC Sm@rtClient for Android (All versions before V1.0.2.2) and SIMATIC WinCC Sm@rtClient for Android Lite (All versions before V1.0.2.2). An attacker with physical access to an unlocked mobile device, that has the affected app running, could bypass the app's authentication mechanism under certain conditions.
|
|||||
| CVE-2017-1000068 | 1 Betterment | 1 Testtrack | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
|
TestTrack Server versions 1.0 and earlier are vulnerable to an authentication flaw in the split disablement feature resulting in the ability to disable arbitrary running splits and cause denial of service to clients in the field.
|
|||||
| CVE-2015-1778 | 1 Opendaylight | 1 Opendaylight | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
The custom authentication realm used by karaf-tomcat's "opendaylight" realm in Opendaylight before Helium SR3 will authenticate any username and password combination.
|
|||||
| CVE-2017-2768 | 1 Emc | 1 Smarts Network Configuration Manager | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
|
EMC Network Configuration Manager (NCM) 9.3.x, EMC Network Configuration Manager (NCM) 9.4.0.x, EMC Network Configuration Manager (NCM) 9.4.1.x, EMC Network Configuration Manager (NCM) 9.4.2.x contains an Improper Authentication vulnerability that could potentially be exploited by malicious users to compromise the affected system.
|
|||||
| CVE-2017-7450 | 1 Airtame | 2 Hdmi Dongle, Hdmi Dongle Firmware | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
|
AIRTAME HDMI dongle with firmware before 2.2.0 allows unauthenticated access to a big part of the management interface. It is possible to extract all information including the Wi-Fi password, reboot, or force a software update at an arbitrary time.
|
|||||
| CVE-2017-9630 | 1 Pdqinc | 22 Laserjet, Laserjet Firmware, Laserwash 360 and 19 more | 2025-04-20 | 7.5 HIGH | 9.4 CRITICAL |
|
An Improper Authentication issue was discovered in PDQ Manufacturing LaserWash G5 and G5 S Series all versions, LaserWash M5, all versions, LaserWash 360 and 360 Plus, all versions, LaserWash AutoXpress and AutoExpress Plus, all versions, LaserJet, all versions, ProTouch Tandem, all versions, ProTouch ICON, all versions, and ProTouch AutoGloss, all versions. The web server does not properly verify that provided authentication information is correct.
|
|||||
| CVE-2014-0097 | 1 Vmware | 1 Spring Security | 2025-04-20 | 7.5 HIGH | 7.3 HIGH |
|
The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
|
|||||
| CVE-2016-7144 | 1 Unrealircd | 1 Unrealircd | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
|
The m_authenticate function in modules/m_sasl.c in UnrealIRCd before 3.2.10.7 and 4.x before 4.0.6 allows remote attackers to spoof certificate fingerprints and consequently log in as another user via a crafted AUTHENTICATE parameter.
|
|||||
| CVE-2017-10709 | 2 Elephone, Google | 2 P9000, Android | 2025-04-20 | 7.2 HIGH | 6.8 MEDIUM |
|
The lockscreen on Elephone P9000 devices (running Android 6.0) allows physically proximate attackers to bypass a wrong-PIN lockout feature by pressing backspace after each PIN guess.
|
|||||
| CVE-2017-2765 | 1 Emc | 1 Isilon Insightiq | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
EMC Isilon InsightIQ 4.1.0, 4.0.1, 4.0.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0, 3.0.1, 3.0.0 is affected by an authentication bypass vulnerability that could potentially be exploited by attackers to compromise the affected system.
|
|||||
| CVE-2017-3831 | 1 Cisco | 8 Aironet 1810, Aironet 1810w, Aironet 1815i and 5 more | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
|
A vulnerability in the web-based GUI of Cisco Mobility Express 1800 Series Access Points could allow an unauthenticated, remote attacker to bypass authentication. The attacker could be granted full administrator privileges. The vulnerability is due to improper implementation of authentication for accessing certain web pages using the GUI interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web interface of the affected system. A successful exploit coul ...
Show More |
|||||
| CVE-2017-6343 | 1 Dahuasecurity | 4 Camera Firmware, Dhi-hcvr7216a-s3, Nvr Firmware and 1 more | 2025-04-20 | 9.3 HIGH | 8.1 HIGH |
|
The web interface on Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3.210.0001.10 2016-06-06, Camera Firmware 2.400.0000.28.R 2016-03-29, and SmartPSS Software 1.16.1 2017-01-19 allows remote attackers to obtain login access by leveraging knowledge of the MD5 Admin Hash without knowledge of the corresponding password, a different vulnerability than CVE-2013-6117.
|
|||||
| CVE-2016-4926 | 1 Juniper | 1 Junos Space | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
Insufficient authentication vulnerability in Junos Space before 15.2R2 allows remote network based users with access to Junos Space web interface to perform certain administrative tasks without authentication.
|
|||||
| CVE-2017-1258 | 1 Ibm | 1 Security Guardium | 2025-04-20 | 6.4 MEDIUM | 6.5 MEDIUM |
|
IBM Security Guardium 10.0 and 10.1 does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM X-Force ID: 124685
|
|||||
| CVE-2016-8937 | 1 Ibm | 1 Tivoli Storage Manager | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL |
|
The IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) default authentication protocol is vulnerable to a brute force attack due to disclosing too much information during authentication. An attacker could gain user or administrative access to the TSM server. IBM X-Force ID: 118750.
|
|||||
| CVE-2017-16953 | 1 Zte | 2 Zxdsl 831cii, Zxdsl 831cii Firmware | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
|
connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic Authentication, which allows remote attackers to modify the PPPoE configuration or set up a malicious configuration via a GET request.
|
|||||
| CVE-2016-8951 | 1 Ibm | 1 Emptoris Strategic Supply Management | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
|
IBM Emptoris Strategic Supply Management Platform 10.0.0.x through 10.1.1.x is vulnerable to a denial of service attack. An attacker can exploit a vulnerability in the authentication features that could log out users and flood user accounts with emails. IBM X-Force ID: 118838.
|
|||||
| CVE-2015-1401 | 1 Ldap \/ Sso Authentication Project | 1 Ldap \/ Sso Authentication | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
Improper Authentication vulnerability in the "LDAP / SSO Authentication" (ig_ldap_sso_auth) extension 2.0.0 for TYPO3.
|
|||||
| CVE-2015-8308 | 1 Lxdm Project | 1 Lxdm | 2025-04-20 | 4.6 MEDIUM | 7.8 HIGH |
|
LXDM before 0.5.2 did not start X server with -auth, which allows local users to bypass authentication with X connections.
|
|||||
| CVE-2014-7860 | 2 D-link, Dlink | 4 Dns-320l Firmware, Dns-327l Firmware, Dns-320l and 1 more | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
|
The web/web_file/fb_publish.php script in D-Link DNS-320L before 1.04b12 and DNS-327L before 1.03b04 Build0119 does not authenticate requests, which allows remote attackers to obtain arbitrary photos and publish them to an arbitrary Facebook profile via a target album_id and access_token.
|
|||||
| CVE-2017-6967 | 1 Neutrinolabs | 1 Xrdp | 2025-04-20 | 7.5 HIGH | 7.3 HIGH |
|
xrdp 0.9.1 calls the PAM function auth_start_session() in an incorrect location, leading to PAM session modules not being properly initialized, with a potential consequence of incorrect configurations or elevation of privileges, aka a pam_limits.so bypass.
|
|||||
| CVE-2017-8403 | 1 360fly | 2 4k Camera, 4k Camera Firmware | 2025-04-20 | 8.3 HIGH | 8.8 HIGH |
|
360fly 4K cameras allow unauthenticated Wi-Fi password changes and complete access with REST by using the Bluetooth Low Energy pairing procedure, which is available at any time and does not require a password. This affects firmware 2.1.4. Exploitation can use the 360fly Android or iOS application, or the BlueZ gatttool program.
|
|||||
| CVE-2017-1000106 | 1 Jenkins | 1 Blue Ocean | 2025-04-20 | 5.5 MEDIUM | 8.5 HIGH |
|
Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. Its SCM content REST API supports the pipeline creation and editing feature in Blue Ocean. The SCM content REST API did not check the current user's authentication or credentials. If the GitHub organization folder was created via Blue Ocean, it retained a reference to its creator's GitHub ...
Show More |
|||||
| CVE-2017-6413 | 1 Openidc | 1 Mod Auth Openidc | 2025-04-20 | 5.0 MEDIUM | 8.6 HIGH |
|
The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
|
|||||
| CVE-2017-8006 | 1 Emc | 1 Rsa Authentication Manager | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
|
In EMC RSA Authentication Manager 8.2 SP1 Patch 1 and earlier, a malicious user logged into the Self-Service Console of RSA Authentication Manager as a target user can use a brute force attack to attempt to identify that user's PIN. The malicious user could potentially reset the compromised PIN to affect victim's ability to obtain access to protected resources.
|
|||||
| CVE-2017-1002024 | 1 Kindsoft | 2 Kind Editor, Kindeditor | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Vulnerability in web application Kind Editor v4.1.12, kindeditor/php/upload_json.php does not check authentication before allow users to upload files.
|
|||||
| CVE-2017-1000110 | 1 Jenkins | 1 Blue Ocean | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. It did not properly check the current user's authentication and authorization when configuring existing GitHub organization folders. This allowed users with read access to the GitHub organization folder to reconfigure it, including changing the GitHub API endpoint for the organization fol ...
Show More |
|||||
| CVE-2015-3206 | 1 Apple | 1 Pykerberos | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
|
The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.
|
|||||
| CVE-2015-2800 | 1 Huawei | 14 Campus S5300, Campus S5700, Campus S6300 and 11 more | 2025-04-20 | 7.8 HIGH | 7.5 HIGH |
|
The user authentication module in Huawei Campus switches S5700, S5300, S6300, and S6700 with software before V200R001SPH012 and S7700, S9300, and S9700 with software before V200R001SPH015 allows remote attackers to cause a denial of service (device restart) via vectors involving authentication, which trigger an array access violation.
|
|||||
| CVE-2017-6781 | 1 Cisco | 1 Policy Suite | 2025-04-20 | 4.6 MEDIUM | 5.3 MEDIUM |
|
A vulnerability in the management of shell user accounts for Cisco Policy Suite (CPS) Software for CPS appliances could allow an authenticated, local attacker to gain elevated privileges on an affected system. The affected privilege level is not at the root level. The vulnerability is due to incorrect role-based access control (RBAC) for shell user accounts. An attacker could exploit this vulnerability by authenticating to an affected appliance and providing crafted user input via the CLI. A suc ...
Show More |
|||||
| CVE-2017-9148 | 1 Freeradius | 1 Freeradius | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before 3.0.14, 3.1.x before 2017-02-04, and 4.0.x before 2017-02-04 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS.
|
|||||
| CVE-2012-0803 | 1 Apache | 1 Cxf | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
The WS-SP UsernameToken policy in Apache CXF 2.4.5 and 2.5.1 allows remote attackers to bypass authentication by sending an empty UsernameToken as part of a SOAP request.
|
|||||
| CVE-2017-7649 | 1 Eclipse | 1 Kura | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
|
The network enabled distribution of Kura before 2.1.0 takes control over the device's firewall setup but does not allow IPv6 firewall rules to be configured. Still the Equinox console port 5002 is left open, allowing to log into Kura without any user credentials over unencrypted telnet and executing commands using the Equinox "exec" command. As the process is running as "root" full control over the device can be acquired. IPv6 is also left in auto-configuration mode, accepting router advertiseme ...
Show More |
|||||
| CVE-2014-9618 | 1 Netsweeper | 1 Netsweeper | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
The Client Filter Admin portal in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and subsequently create arbitrary profiles via a showdeny action to the default URL.
|
|||||