Total
4065 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2009-0030 | 1 Squirrelmail | 1 Squirrelmail | 2025-04-09 | 6.5 MEDIUM | N/A |
|
A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663.
|
|||||
| CVE-2008-5040 | 1 Graphiks | 1 Myforum | 2025-04-09 | 7.5 HIGH | N/A |
|
Graphiks MyForum 1.3 allows remote attackers to bypass authentication and gain administrative access by setting the (1) myforum_login and (2) myforum_pass cookies to 1.
|
|||||
| CVE-2009-2040 | 1 Grestul | 1 Grestul | 2025-04-09 | 7.5 HIGH | N/A |
|
admin/options.php in Grestul 1.2 does not properly restrict access, which allows remote attackers to bypass authentication and create administrative accounts via a manage_admin action in a direct request.
|
|||||
| CVE-2008-4784 | 1 Aflog | 1 Aflog | 2025-04-09 | 7.5 HIGH | N/A |
|
aflog 1.01 allows remote attackers to bypass authentication and gain administrative access by setting the aflog_auth_a cookie to "A" or "O" in (1) edit_delete.php, (2) edit_cat.php, (3) edit_lock.php, and (4) edit_form.php.
|
|||||
| CVE-2008-4689 | 1 Mantis | 1 Mantis | 2025-04-09 | 7.5 HIGH | N/A |
|
Mantis before 1.1.3 does not unset the session cookie during logout, which makes it easier for remote attackers to hijack sessions.
|
|||||
| CVE-2007-6130 | 1 Gnu | 1 Gnump3d | 2025-04-09 | 5.0 MEDIUM | N/A |
|
gnump3d 2.9final does not apply password protection to its plugins, which might allow remote attackers to bypass intended access restrictions.
|
|||||
| CVE-2009-0591 | 1 Openssl | 1 Openssl | 2025-04-09 | 2.6 LOW | N/A |
|
The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid.
|
|||||
| CVE-2007-1966 | 1 Exv2 | 1 Content Management System | 2025-04-09 | 5.0 MEDIUM | 9.1 CRITICAL |
|
Session fixation vulnerability in eXV2 CMS 2.0.4.3 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID cookie.
|
|||||
| CVE-2007-2546 | 1 Simple Machines | 1 Simple Machines Forum | 2025-04-09 | 6.8 MEDIUM | N/A |
|
Session fixation vulnerability in Simple Machines Forum (SMF) 1.1.2 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.
|
|||||
| CVE-2009-3261 | 1 Livestreet | 1 Livestreet | 2025-04-09 | 7.5 HIGH | N/A |
|
update/update_0.1.2_to_0.2.php in LiveStreet 0.2 does not require administrative authentication, which allows remote attackers to perform DROP TABLE operations via unspecified vectors.
|
|||||
| CVE-2008-5158 | 1 Clientsoftware | 1 Wincome Mpd Total | 2025-04-09 | 7.5 HIGH | N/A |
|
Client Software WinCom LPD Total 3.0.2.623 and earlier allows remote attackers to bypass authentication and perform administrative actions via vectors involving "simply skipping the auth stage."
|
|||||
| CVE-2008-6440 | 2 Cerberus, Webgroupmedia | 2 Cerberus Helpdesk, Cerberus Helpdesk | 2025-04-09 | 5.0 MEDIUM | N/A |
|
Cerberus Helpdesk before 4.0 (Build 600) allows remote attackers to obtain sensitive information via direct requests for "controllers ... that aren't standard helpdesk pages," possibly involving the (1) /display and (2) /kb URIs.
|
|||||
| CVE-2009-2410 | 1 Fedorahosted | 1 Sssd | 2025-04-09 | 7.5 HIGH | N/A |
|
The local_handler_callback function in server/responder/pam/pam_LOCAL_domain.c in sssd 0.4.1 does not properly handle blank-password accounts in the SSSD BE database, which allows context-dependent attackers to obtain access by sending the account's username, in conjunction with an arbitrary password, over an ssh connection.
|
|||||
| CVE-2008-7006 | 1 Phpversion | 1 Php Vx Guestbook | 2025-04-09 | 5.0 MEDIUM | N/A |
|
Free PHP VX Guestbook 1.06 allows remote attackers to bypass authentication and download a backup of the database via a direct request to admin/backupdb.php.
|
|||||
| CVE-2008-4081 | 1 Stash | 1 Stash | 2025-04-09 | 7.5 HIGH | N/A |
|
admin/login.php in Stash 1.0.3 allows remote attackers to bypass authentication and gain administrative access by setting a bsm cookie.
|
|||||
| CVE-2009-2168 | 1 Egyplus | 1 7ammel | 2025-04-09 | 7.5 HIGH | 9.8 CRITICAL |
|
cpanel/login.php in EgyPlus 7ammel (aka 7ml) 1.0.1 and earlier sends a redirect to the web browser but does not exit when the supplied credentials are incorrect, which allows remote attackers to bypass authentication by providing arbitrary username and password parameters.
|
|||||
| CVE-2008-6716 | 1 Preprojects | 1 Pre Ads Portal | 2025-04-09 | 7.5 HIGH | N/A |
|
homeadmin/adminhome.php in Pre ADS Portal 2.0 and earlier does not require administrative authentication, which allows remote attackers to have an unspecified impact via a direct request.
|
|||||
| CVE-2008-5558 | 1 Asterisk | 2 Asterisk Business Edition, Open Source | 2025-04-09 | 4.3 MEDIUM | N/A |
|
Asterisk Open Source 1.2.26 through 1.2.30.3 and Business Edition B.2.3.5 through B.2.5.5, when realtime IAX2 users are enabled, allows remote attackers to cause a denial of service (crash) via authentication attempts involving (1) an unknown user or (2) a user using hostname matching.
|
|||||
| CVE-2008-1883 | 1 Blackboard | 1 Blackboard Academic Suite | 2025-04-09 | 6.8 MEDIUM | N/A |
|
The server in Blackboard Academic Suite 7.x stores MD5 password hashes that are provided directly by clients, which makes it easier for remote attackers to access accounts via a modified client that skips the javascript/md5.js hash calculation, and instead sends an arbitrary MD5 string.
|
|||||
| CVE-2008-3425 | 1 Sun | 2 Java System Web Server Plugin, N1 Service Provisioning System | 2025-04-09 | 6.5 MEDIUM | N/A |
|
Unspecified vulnerability in the Sun Java System Web Server 7.0 plugin in Sun N1 Service Provisioning System (SPS) 5.2 and 6.0 allows remote authenticated SPS users to gain administrative access to the web server via unknown attack vectors.
|
|||||
| CVE-2009-2697 | 2 Gnome, Redhat | 2 Gdm, Enterprise Linux | 2025-04-09 | 6.8 MEDIUM | N/A |
|
The Red Hat build script for the GNOME Display Manager (GDM) before 2.16.0-56 on Red Hat Enterprise Linux (RHEL) 5 omits TCP Wrapper support, which might allow remote attackers to bypass intended access restrictions via XDMCP connections, a different vulnerability than CVE-2007-5079.
|
|||||
| CVE-2007-5383 | 2 Alcatel, Bt | 2 Speedtouch 7g Router, Home Hub | 2025-04-09 | 10.0 HIGH | N/A |
|
The Thomson/Alcatel SpeedTouch 7G router, as used for the BT Home Hub 6.2.6.B and earlier, allows remote attackers on an intranet to bypass authentication and gain administrative access via vectors including a '/' (slash) character at the end of the PATH_INFO to cgi/b, aka "double-slash auth bypass." NOTE: remote attackers outside the intranet can exploit this by leveraging a separate CSRF vulnerability. NOTE: SpeedTouch 780 might also be affected by some of these issues.
|
|||||
| CVE-2009-3828 | 1 Everfocus | 1 Edr1600 | 2025-04-09 | 5.0 MEDIUM | N/A |
|
The web interface for Everfocus EDR1600 DVR allows remote attackers to bypass authentication and access live cams via certain vectors.
|
|||||
| CVE-2008-1727 | 1 Myknowledgequest | 1 Knowledgequest | 2025-04-09 | 7.5 HIGH | N/A |
|
KnowledgeQuest 2.5 and 2.6 does not require authentication for access to admincheck.php, which allows remote attackers to create arbitrary admin accounts.
|
|||||
| CVE-2008-2730 | 1 Cisco | 1 Unified Communications Manager | 2025-04-09 | 5.0 MEDIUM | N/A |
|
The Real-Time Information Server (RIS) Data Collector service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3) and 6.x before 6.1(1) allows remote attackers to bypass authentication, and obtain cluster configuration information and statistics, via a direct TCP connection to the service port, aka Bug ID CSCsj90843.
|
|||||
| CVE-2009-2068 | 1 Opera | 1 Opera | 2025-04-09 | 5.8 MEDIUM | N/A |
|
Google Chrome detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying an http page to include an https iframe that references a script file on an http site, related to "HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages."
|
|||||
| CVE-2008-0536 | 2 Cisco, Icon-labs | 2 Service Control Engine, Iconfidant Ssh | 2025-04-09 | 7.8 HIGH | N/A |
|
Unspecified vulnerability in the SSH server in (1) Cisco Service Control Engine (SCE) 3.0.x before 3.0.7 and 3.1.x before 3.1.0, and (2) Icon Labs Iconfidant SSH before 2.3.8, allows remote attackers to cause a denial of service (management interface outage) via SSH traffic that occurs during management operations and triggers "illegal I/O operations," aka Bug ID CSCsh49563.
|
|||||
| CVE-2007-6384 | 1 Bea | 1 Weblogic Mobility Server | 2025-04-09 | 7.5 HIGH | N/A |
|
Unspecified vulnerability in the Image Converter functionality in BEA WebLogic Mobility Server 3.3, 3.5, and 3.6 through 3.6 SP1 allows remote attackers to obtain application file and resource access via unspecified vectors.
|
|||||
| CVE-2007-6226 | 1 Apc | 2 Oas, Switched Rack Pdu Firmware | 2025-04-09 | 7.1 HIGH | N/A |
|
The American Power Conversion (APC) AP7932 0u 30amp Switched Rack Power Distribution Unit (PDU), with rpdu 3.5.5 and aos 3.5.6, allows remote attackers to bypass authentication and obtain login access by making a login attempt while a different client is logged in, and then resubmitting the login attempt once the other client exits.
|
|||||
| CVE-2008-0926 | 1 Novell | 1 Edirectory | 2025-04-09 | 7.5 HIGH | N/A |
|
The SOAP interface to the eMBox module in Novell eDirectory 8.7.3.9 and earlier, and 8.8.x before 8.8.2, relies on client-side authentication, which allows remote attackers to bypass authentication via requests for /SOAP URIs, and cause a denial of service (daemon shutdown) or read arbitrary files. NOTE: it was later reported that 8.7.3.10 (aka 8.7.3 SP10) is also affected.
|
|||||
| CVE-2009-3441 | 1 Alienvault | 1 Ossim | 2025-04-09 | 5.0 MEDIUM | N/A |
|
Open Source Security Information Management (OSSIM) before 2.1.2 allows remote attackers to bypass authentication, and read graphs or infrastructure information, via a direct request to (1) graphs/alarms_events.php or (2) host/draw_tree.php.
|
|||||
| CVE-2007-5057 | 1 Netsupport | 1 Netsupport Manager Client | 2025-04-09 | 10.0 HIGH | N/A |
|
NetSupport Manager Client before 10.20.0004 allows remote attackers to bypass the (1) basic and (2) authentication schemes by spoofing the NetSupport Manager.
|
|||||
| CVE-2008-1268 | 1 Linksys | 1 Wrt54g | 2025-04-09 | 10.0 HIGH | N/A |
|
The FTP server on the Linksys WRT54G 7 router with 7.00.1 firmware does not verify authentication credentials, which allows remote attackers to establish an FTP session by sending an arbitrary username and password.
|
|||||
| CVE-2009-3635 | 1 Typo3 | 1 Typo3 | 2025-04-09 | 6.8 MEDIUM | N/A |
|
The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to gain access by using only the password's md5 hash as a credential.
|
|||||
| CVE-2008-7124 | 1 Zkup | 1 Zkup | 2025-04-09 | 7.5 HIGH | N/A |
|
zKup CMS 2.0 through 2.3 does not require administrative authentication for admin/configuration/modifier.php, which allows remote attackers to gain administrator privileges via a direct request, as demonstrated by adding a new administrator.
|
|||||
| CVE-2008-7051 | 1 Ajsquare | 1 Aj Article | 2025-04-09 | 7.5 HIGH | N/A |
|
AJ Square AJ Article allows remote attackers to bypass authentication and access administrator functionality via a direct request to (1) user.php, (2) articles.php, (3) articlesuspend.php, (4) site.php, (5) statistics.php, (6) mail.php, (7) category.php, (8) subcategory.php, (9) changepassword.php, (10) polling.php, and (11) logo.php in admin/.
|
|||||
| CVE-2008-4319 | 1 Libra File Manager | 1 Php Filemanager | 2025-04-09 | 6.4 MEDIUM | N/A |
|
fileadmin.php in Libra File Manager (aka Libra PHP File Manager) 1.18 and earlier allows remote attackers to bypass authentication, and read arbitrary files, modify arbitrary files, and list arbitrary directories, by inserting certain user and isadmin parameters in the query string.
|
|||||
| CVE-2008-5721 | 1 Sapporoworks | 1 Blackjumbodog | 2025-04-09 | 5.0 MEDIUM | N/A |
|
SapporoWorks BlackJumboDog (BJD) before 4.2.3 allows remote attackers to bypass authentication and obtain sensitive information via unspecified vectors.
|
|||||
| CVE-2007-5855 | 1 Apple | 1 Mac Os X | 2025-04-09 | 6.4 MEDIUM | N/A |
|
Mail in Apple Mac OS X 10.4.11 and 10.5.1, when an SMTP account has been set up using Account Assistant, can use plaintext authentication even when MD5 Challenge-Response authentication is available, which makes it easier for remote attackers to sniff account activity.
|
|||||
| CVE-2008-3428 | 1 Phpfreechat | 1 Phpfreechat | 2025-04-09 | 6.5 MEDIUM | N/A |
|
Session fixation vulnerability in phpFreeChat 1.1 allows remote authenticated users to hijack web sessions by setting the session_id parameter to match the victim's nickid parameter.
|
|||||