Total: 4065 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2011-0011 | 1 Qemu | 1 Qemu | 2025-04-11 | 4.3 MEDIUM | N/A | qemu-kvm before 0.11.0 disables VNC authentication when the password is cleared, which allows remote attackers to bypass authentication and establish VNC sessions. |
| CVE-2012-2437 | 1 Awcm-cms | 1 Ar Web Content Manager | 2025-04-11 | 5.0 MEDIUM | N/A | cookie_gen.php in ar web content manager (AWCM) 2.2 does not require authentication, which allows remote attackers to generate arbitrary cookies via the name parameter in conjunction with the content parameter. |
| CVE-2009-4671 | 1 Beaussier | 1 Roomphplanning | 2025-04-11 | 7.5 HIGH | N/A | Login.php in RoomPHPlanning 1.6 allows remote attackers to bypass authentication and obtain administrative access by setting the room_phplanning cookie to a value associated with the admin account. |
| CVE-2009-4987 | 1 Scripteen | 1 Free Image Hosting Script | 2025-04-11 | 7.5 HIGH | N/A | admin/header.php in Scripteen Free Image Hosting Script 2.3 allows remote attackers to bypass authentication and gain administrative access by setting the cookgid cookie value to 1, a different vector than CVE-2008-3211. |
| CVE-2009-4879 | 1 Novell | 1 Access Manager | 2025-04-11 | 4.3 MEDIUM | N/A | The Identity Server in Novell Access Manager before 3.1 SP1 allows attackers with disabled Active Directory accounts to authenticate using X.509 authentication, which bypasses intended access restrictions. |
| CVE-2013-1150 | 1 Cisco | 2 Adaptive Security Appliance, Adaptive Security Appliance Software | 2025-04-11 | 7.8 HIGH | N/A | The authentication-proxy implementation on Cisco Adaptive Security Appliances (ASA) devices with software 7.x before 7.2(5.10), 8.0 before 8.0(5.31), 8.1 and 8.2 before 8.2(5.38), 8.3 before 8.3(2.37), 8.4 before 8.4(5.3), 8.5 and 8.6 before 8.6(1.10), 8.7 before 8.7(1.4), 9.0 before 9.0(1.1), and 9.1 before 9.1(1.2) allows remote attackers to cause a denial of service (device reload) via a crafted URL, aka Bug ID CSCud16590. |
| CVE-2013-1241 | 1 Cisco | 27 1921 Integrated Services Router, 1941 Integrated Services Router, 1941w Integrated Services Router and 24 more | 2025-04-11 | 6.3 MEDIUM | N/A | The ISM module in Cisco IOS on ISR G2 routers does not properly handle authentication-header packets, which allows remote authenticated users to cause a denial of service (module reload) via a series of malformed packets, aka Bug ID CSCub92025. |
| CVE-2012-2414 | 1 Asterisk | 1 Open Source | 2025-04-11 | 6.5 MEDIUM | N/A | main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4 does not properly enforce System class authorization requirements, which allows remote authenticated users to execute arbitrary commands via (1) the originate action in the MixMonitor application, (2) the SHELL and EVAL functions in the GetVar manager action, or (3) the SHELL and EVAL functions in the Status mana ... |
| CVE-2011-4214 | 1 Oneorzero | 1 Aims | 2025-04-11 | 10.0 HIGH | N/A | OneOrZero Action & Information Management System (AIMS) 2.7.0 allows remote attackers to bypass authentication and obtain administrator privileges via a crafted oozimsrememberme cookie. |
| CVE-2013-2313 | 1 Lockon | 1 Ec-cube | 2025-04-11 | 4.0 MEDIUM | N/A | Session fixation vulnerability in LOCKON EC-CUBE 2.11.0 through 2.12.3enP2 allows remote attackers to hijack web sessions via unspecified vectors. |
| CVE-2012-1602 | 1 Nextbbs | 1 Nextbbs | 2025-04-11 | 7.5 HIGH | N/A | user.php in NextBBS 0.6 allows remote attackers to bypass authentication and gain administrator access by setting the userkey cookie to 1. |
| CVE-2013-1155 | 1 Cisco | 1 Firewall Services Module Software | 2025-04-11 | 7.8 HIGH | N/A | The auth-proxy functionality in Cisco Firewall Services Module (FWSM) software 3.1 and 3.2 before 3.2(20.1), 4.0 before 4.0(15.2), and 4.1 before 4.1(5.1) allows remote attackers to cause a denial of service (device reload) via a crafted URL, aka Bug ID CSCtg02624. |
| CVE-2011-1901 | 1 Proofpoint | 2 Messaging Security Gateway, Protection Server | 2025-04-11 | 7.5 HIGH | N/A | The mail-filter web interface in Proofpoint Messaging Security Gateway 6.2.0.263:6.2.0.237 and earlier in Proofpoint Protection Server 5.5.3, 5.5.4, 5.5.5, 6.0.2, 6.1.1, and 6.2.0 allows remote attackers to bypass authentication via unspecified vectors. |
| CVE-2013-6859 | 1 Sybase | 1 Adaptive Server Enterprise | 2025-04-11 | 8.5 HIGH | N/A | SAP Sybase Adaptive Server Enterprise (ASE) before 15.0.3 ESD#4.3, 15.5 before 15.5 ESD#5.3, and 15.7 before 15.7 SP50 or 15.7 SP100 does not properly perform authorization, which allows remote authenticated users to gain privileges via unspecified vectors. |
| CVE-2013-4783 | 1 Dell | 1 Idrac6 Bmc | 2025-04-11 | 10.0 HIGH | N/A | The Dell iDRAC6 with firmware 1.x before 1.92 and 2.x and 3.x before 3.42, and iDRAC7 with firmware before 1.23.23, allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password. NOTE: the vendor disputes the significance of this issue, stating "DRAC's are intended to be on a separate management network; they are not designed nor intended to be placed on or connected to the Internet." |
| CVE-2013-2192 | 1 Apache | 1 Hadoop | 2025-04-11 | 3.2 LOW | N/A | The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication. |
| CVE-2011-0718 | 1 Redhat | 1 Network Satellite Server | 2025-04-11 | 5.8 MEDIUM | N/A | Red Hat Network (RHN) Satellite Server 5.4 does not use a time delay after a failed login attempt, which makes it easier for remote attackers to conduct brute force password guessing attacks. |
| CVE-2011-1520 | 1 Ibm | 1 Lotus Domino | 2025-04-11 | 7.2 HIGH | N/A | The default configuration of the server console in IBM Lotus Domino does not require a password (aka Server_Console_Password), which allows physically proximate attackers to perform administrative changes or obtain sensitive information via a (1) Load, (2) Tell, or (3) Set Configuration command. |
| CVE-2014-0015 | 1 Haxx | 2 Curl, Libcurl | 2025-04-11 | 4.0 MEDIUM | N/A | cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request. |
| CVE-2011-0435 | 1 Gplhost | 1 Domain Technologie Control | 2025-04-11 | 5.0 MEDIUM | N/A | Domain Technologie Control (DTC) before 0.32.9 does not require authentication for (1) admin/bw_per_month.php and (2) client/bw_per_month.php, which allows remote attackers to obtain potentially sensitive bandwidth information via a direct request. |
| CVE-2013-3039 | 1 Ibm | 1 Rational Requirements Composer | 2025-04-11 | 5.4 MEDIUM | N/A | IBM Rational Requirements Composer before 4.0.4 does not properly perform authentication, which has unspecified impact and remote attack vectors. |
| CVE-2013-6171 | 1 Dovecot | 1 Dovecot | 2025-04-11 | 5.8 MEDIUM | N/A | checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server. |
| CVE-2012-4457 | 1 Openstack | 1 Keystone | 2025-04-11 | 4.0 MEDIUM | N/A | OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant. |
| CVE-2009-4670 | 1 Beaussier | 1 Roomphplanning | 2025-04-11 | 7.5 HIGH | N/A | admin/delitem.php in RoomPHPlanning 1.6 does not require authentication, which allows remote attackers to (1) delete arbitrary users via the user parameter or (2) delete arbitrary rooms via the room parameter. |
| CVE-2010-2944 | 1 Jens Vagelpohl | 1 Zope-ldapuserfolder | 2025-04-11 | 7.5 HIGH | N/A | The authenticate function in LDAPUserFolder/LDAPUserFolder.py in zope-ldapuserfolder 2.9-1 does not verify the password for the emergency account, which allows remote attackers to gain privileges. |
| CVE-2012-5975 | 2 Linux, Ssh | 2 Linux Kernel, Tectia Server | 2025-04-11 | 9.3 HIGH | N/A | The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, when old-style password authentication is enabled, allows remote attackers to bypass authentication via a crafted session involving entry of blank passwords, as demonstrated by a root login session from a modified OpenSSH client with an added input_userauth_passwd_changereq call in sshconnect2.c. |
| CVE-2009-5077 | 1 Creloaded | 1 Cre Loaded | 2025-04-11 | 7.5 HIGH | N/A | CRE Loaded before 6.2.14 allows remote attackers to bypass authentication and gain administrator privileges via vectors related to a modified PHP_SELF variable, which is not properly handled by (1) includes/application_top.php and (2) admin/includes/application_top.php. |
| CVE-2010-4211 | 2 Apple, Ebay | 2 Iphone Os, Paypal | 2025-04-11 | 2.9 LOW | N/A | The PayPal app before 3.0.1 for iOS does not verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof a PayPal web server via an arbitrary certificate. |
| CVE-2013-1337 | 1 Microsoft | 1 .net Framework | 2025-04-11 | 7.5 HIGH | N/A | Microsoft .NET Framework 4.5 does not properly create policy requirements for custom Windows Communication Foundation (WCF) endpoint authentication in certain situations involving passwords over HTTPS, which allows remote attackers to bypass authentication by sending queries to an endpoint, aka "Authentication Bypass Vulnerability." |
| CVE-2013-4877 | 1 Verizon | 1 Wireless Network Extender | 2025-04-11 | 2.6 LOW | N/A | The Verizon Wireless Network Extender SCS-26UC4 and SCS-2U01 does not use CAVE authentication, which makes it easier for remote attackers to obtain ESN and MIN values from arbitrary phones, and conduct cloning attacks, by sniffing the network for registration packets. |
| CVE-2013-0239 | 1 Apache | 1 Cxf | 2025-04-11 | 5.0 MEDIUM | N/A | Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element. |
| CVE-2012-2974 | 1 Smc | 1 Smc8024l2 Switch | 2025-04-11 | 10.0 HIGH | N/A | The web interface on the SMC SMC8024L2 switch allows remote attackers to bypass authentication and obtain administrative access via a direct request to a .html file under (1) status/, (2) system/, (3) ports/, (4) trunks/, (5) vlans/, (6) qos/, (7) rstp/, (8) dot1x/, (9) security/, (10) igmps/, or (11) snmp/. |
| CVE-2009-5083 | 1 Ibm | 1 Tivoli Federated Identity Manager | 2025-04-11 | 6.8 MEDIUM | N/A | IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2, when configured as an OpenID relying party, does not perform the expected login rejection upon receiving an OP-Identifier from an OpenID provider, which allows remote attackers to bypass authentication via unspecified vectors. |
| CVE-2010-4279 | 1 Artica | 1 Pandora Fms | 2025-04-11 | 10.0 HIGH | N/A | The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in conjunction with the md5 hash of "admin" in the loginhash_data parameter. |
| CVE-2013-7137 | 1 Burden Project | 1 Burden | 2025-04-11 | 7.5 HIGH | 9.8 CRITICAL | The "remember me" functionality in login.php in Burden before 1.8.1 allows remote attackers to bypass authentication and gain privileges by setting the burden_user_rememberme cookie to 1. |
| CVE-2013-7292 | 1 Vasco | 1 Identikey Authentication Server | 2025-04-11 | 3.5 LOW | N/A | VASCO IDENTIKEY Authentication Server (IAS) 3.4.x allows remote authenticated users to bypass Active Directory (AD) authentication by entering only a DIGIPASS one-time password, instead of the intended combination of this one-time password and a multiple-time AD password. |
| CVE-2013-5429 | 1 Ibm | 1 Tivoli Federated Identity Manager | 2025-04-11 | 2.1 LOW | N/A | The Risk Based Access functionality in IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 before FP9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.2 before FP9 does not prevent reuse of One Time Password (OTP) tokens, which makes it easier for remote authenticated users to complete transactions by leveraging access to an already-used token. |
| CVE-2012-5633 | 1 Apache | 1 Cxf | 2025-04-11 | 5.8 MEDIUM | N/A | The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor, bypasses WS-Security processing, which allows remote attackers to obtain access to SOAP services via an HTTP GET request. |
| CVE-2013-0282 | 1 Openstack | 1 Keystone | 2025-04-11 | 5.0 MEDIUM | N/A | OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions. |
| CVE-2012-0239 | 1 Advantech | 1 Advantech Webaccess | 2025-04-11 | 5.0 MEDIUM | N/A | uaddUpAdmin.asp in Advantech/BroadWin WebAccess before 7.0 does not properly perform authentication, which allows remote attackers to modify an administrative password via a password-change request. |