Total: 4065 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2016-10826 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | cPanel before 55.9999.141 allows attackers to bypass Two Factor Authentication via DNS clustering requests (SEC-93). |
| CVE-2016-10732 | 1 Projectsend | 1 Projectsend | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | ProjectSend (formerly cFTP) r582 allows authentication bypass via a direct request for users.php, home.php, edit-file.php?file_id=1, or process-zip-download.php, or `add_user_form_*` parameters to users-add.php. |
| CVE-2016-10532 | 1 Console-io Project | 1 Console-io | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | console-io is a module that allows users to implement a web console in their application. A malicious user could bypass the authentication and execute any command that the user who is running the console-io application 2.2.13 and earlier is able to run. This means that if console-io was running from root, the attacker would have full access to the system. This vulnerability exists because the console-io application does not configure socket.io to require authentication, which allows a malicious ... |
| CVE-2016-10525 | 1 Dwyl | 1 Hapi-auth-jwt2 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | When attempting to allow authentication mode `try` in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication. |
| CVE-2016-10434 | 1 Qualcomm | 4 Sd 820, Sd 820 Firmware, Sd 820a and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile and Snapdragon Mobile SD 820 and SD 820A, the input to RPMB write response function is a buffer from HLOS that needs to be authenticated (using HMAC) and then processed. However, some of the processing occurs before the buffer is authenticated. The function will return various types of errors depending on the values of the `response` and `result` fields of the buffer before verifying the HMAC tag. |
| CVE-2016-0796 | 1 Mb.miniaudioplayer Project | 1 Mb.miniaudioplayer | 2024-11-21 | N/A | 7.5 HIGH | WordPress Plugin mb.miniAudioPlayer-an HTML5 audio player for your mp3 files is prone to multiple vulnerabilities, including open proxy and security bypass vulnerabilities because it fails to properly verify user-supplied input. An attacker may leverage these issues to hide attacks directed at a target site from behind vulnerable website or to perform otherwise restricted actions and subsequently download files with the extension mp3, mp4a, wav and ogg from anywhere the web server application ha ... |
| CVE-2015-7882 | 1 Mongodb | 1 Mongodb | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH | Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access. |
| CVE-2015-6926 | 1 Oxid-esales | 1 Eshop | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | The OpenID Single Sign-On authentication functionality in OXID eShop before 4.5.0 allows remote attackers to impersonate users via the email address in a crafted authentication token. |
| CVE-2015-6922 | 1 Kaseya | 1 Virtual System Administrator | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.33, 8.x before 8.0.0.23, 9.0 before 9.0.0.19, and 9.1 before 9.1.0.9 does not properly require authentication, which allows remote attackers to bypass authentication and (1) add an administrative account via crafted request to LocalAuth/setAccount.aspx or (2) write to and execute arbitrary files via a full pathname in the PathData parameter to ConfigTab/uploader.aspx. |
| CVE-2015-5298 | 1 Jenkins | 1 Google Login | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | The Google Login Plugin (versions 1.0 and 1.1) allows malicious anonymous users to authenticate successfully against Jenkins instances that are supposed to be locked down to a particular Google Apps domain through client-side request modification. |
| CVE-2015-4987 | 1 Ibm | 1 Tealeaf Customer Experience | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM | The search and replay servers in IBM Tealeaf Customer Experience 8.0 through 9.0.2 allow remote attackers to bypass authentication via unspecified vectors. IBM X-Force ID: 105896. |
| CVE-2015-10083 | 1 Harrys | 1 Dynosaur-rails | 2024-11-21 | 5.8 MEDIUM | 6.3 MEDIUM | A vulnerability has been found in harrystech Dynosaur-Rails and classified as critical. Affected by this vulnerability is the function basic_auth of the file app/controllers/application_controller.rb. The manipulation leads to improper authentication. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The patch is named 04b223813f0e336aab50bff140d0f5889c31dbec. It is recommended to apply a patch to fix this issue. The associated ... |
| CVE-2015-0102 | 1 Ibm | 1 Workflow | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH | IBM Workflow for Bluemix does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. |
| CVE-2014-9753 | 1 Atutor | 1 Atutor | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter. |
| CVE-2014-9320 | 1 Sap | 1 Businessobjects Edge | 2024-11-21 | 9.3 HIGH | 9.8 CRITICAL | SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and consequently gain SYSTEM privileges via vectors involving CORBA calls, aka SAP Note 2039905. |
| CVE-2014-8650 | 2 Debian, Requests-kerberos Project | 2 Debian Linux, Requests-kerberos | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | python-requests-Kerberos through 0.5 does not handle mutual authentication. |
| CVE-2014-8347 | 1 Claris | 2 Filemaker Pro, Filemaker Pro Advanced | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH | An Authentication Bypass vulnerability exists in the MatchPasswordData function in DBEngine.dll in Filemaker Pro 13.03 and Filemaker Pro Advanced 12.04, which could let a malicious user obtain elevated privileges. |
| CVE-2014-6436 | 1 Aztech | 6 Adsl Dsl5018en (1t1r), Adsl Dsl5018en (1t1r) Firmware, Dsl705e and 3 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices improperly manage sessions, which allows remote attackers to bypass authentication in opportunistic circumstances and execute arbitrary commands with administrator privileges by leveraging an existing web portal login. |
| CVE-2014-6435 | 1 Aztech | 6 Adsl Dsl5018en (1t1r), Adsl Dsl5018en (1t1r) Firmware, Dsl705e and 3 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | cgi-bin/AZ_Retrain.cgi in Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices does not check for authentication, which allows remote attackers to cause a denial of service (WAN connectivity reset) via a direct request. |
| CVE-2014-5432 | 1 Baxter | 3 Sigma Spectrum Infusion System, Sigma Spectrum Infusion System Firmware, Wireless Battery Module | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 is remotely accessible via Port 22/SSH without authentication. A remote attacker may be able to make unauthorized configuration changes to the WBM, as well as issue commands to access account credentials and shared keys. Baxter asserts that this vulnerability only allows access to features and functionality on the WBM and that the SIGMA Spectrum infusion pump cannot be controlled fro ... |
| CVE-2014-5081 | 3 Sphider, Sphider-plus, Sphiderpro | 3 Sphider, Sphider-plus, Sphider Pro | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | sphider prior to 1.3.6, sphider-pro prior to 3.2, and sphider-plus prior to 3.2 allow authentication bypass. |
| CVE-2014-4198 | 1 Bssys | 1 Rbs Bs-client. Retail Client | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | A Two-Factor Authentication Bypass Vulnerability exists in BS-Client Private Client 2.4 and 2.5 via an XML request that neglects the use of ADPswID and AD parameters, which could let a malicious user access privileged functions. |
| CVE-2014-3999 | 1 Horde | 1 Horde Ldap | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH | The Horde_Ldap library before 2.0.6 for Horde allows remote attackers to bypass authentication by leveraging knowledge of the LDAP bind user DN. |
| CVE-2014-3879 | 1 Freebsd | 1 Freebsd | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | OpenPAM Nummularia 9.2 through 10.0 does not properly handle the error reported when an include directive refers to a policy that does not exist, which causes the loaded policy chain to not be discarded and allows context-dependent attackers to bypass authentication via a login (1) without a password or (2) with an incorrect password. |
| CVE-2014-2904 | 1 Wolfssl | 1 Wolfssl | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | wolfssl before 3.2.0 has a server certificate that is not properly authorized for server authentication. |
| CVE-2014-2651 | 1 Atos | 28 Openscape Desk Phone Ip 35g, Openscape Desk Phone Ip 35g Eco, Openscape Desk Phone Ip 35g Eco Firmware and 25 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | Unify OpenStage/OpenScape Desk Phone IP SIP before V3 R3.11.0 has an authentication bypass in the default mode of the Workpoint Interface. |
| CVE-2014-1867 | 1 Suphp | 1 Suphp | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH | The suPHP before 0.7.2 source-highlighting feature allows a security bypass which could lead to arbitrary code execution. |
| CVE-2014-125060 | 1 Collabcal Project | 1 Collabcal | 2024-11-21 | 7.5 HIGH | 7.3 HIGH | A vulnerability, which was classified as critical, was found in holdennb CollabCal. Affected is the function handleGet of the file calenderServer.cpp. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The patch is identified as b80f6d1893607c99e5113967592417d0fe310ce6. It is recommended to apply a patch to fix this issue. VDB-217614 is the identifier assigned to this vulnerability. |
| CVE-2014-10389 | 1 Wpsupportplus | 1 Wp Support Plus Responsive Ticket System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The wp-support-plus-responsive-ticket-system plugin before 4.2 for WordPress has incorrect authentication. |
| CVE-2014-10067 | 1 Paypal-ipn Project | 1 Paypal-ipn | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM | paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production. |
| CVE-2014-0927 | 1 Ibm | 2 Sterling B2b Integrator, Sterling File Gateway | 2024-11-21 | 4.3 MEDIUM | 8.1 HIGH | The ActiveMQ admin user interface in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to bypass authentication by leveraging knowledge of the port number and webapp path. IBM X-Force ID: 92259. |
| CVE-2013-7465 | 1 Icecoldapps | 1 Servers Ultimate | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Ice Cold Apps Servers Ultimate 6.0.2(12) does not require authentication for TELNET, SSH, or FTP, which allows remote attackers to execute arbitrary code by uploading PHP scripts. |
| CVE-2013-7051 | 1 Dlink | 2 Dir-100, Dir-100 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters. |
| CVE-2013-6360 | 1 Trendnet | 2 Ts-s402, Ts-s402 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | TRENDnet TS-S402 has a backdoor to enable TELNET. |
| CVE-2013-5582 | 1 Ammyy | 1 Ammyy Admin | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | Ammyy Admin 3.2 and earlier stores the client ID at a fixed memory location, which might make it easier for user-assisted remote attackers to bypass authentication by running a local program that extracts a field from the AA_v3.2.exe file. |
| CVE-2013-5123 | 5 Debian, Fedoraproject, Pypa and 2 more | 6 Debian Linux, Fedora, Pip and 3 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM | The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. |
| CVE-2013-5122 | 1 Cisco | 8 Linksys E4200, Linksys E4200 Firmware, Linksys Ea2700 and 5 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | Cisco Linksys Routers EA2700, EA3500, E4200, EA4500: a bug can cause an unsafe TCP port to open, which leads to unauthenticated access. |
| CVE-2013-5116 | 1 Evernote | 1 Evernote | 2024-11-21 | 6.6 MEDIUM | 7.1 HIGH | Evernote prior to 5.5.1 has insecure password change. |
| CVE-2013-5114 | 1 Logmein | 1 Lastpass | 2024-11-21 | 6.6 MEDIUM | 6.1 MEDIUM | LastPass prior to 2.5.1 allows secure wipe bypass. |
| CVE-2013-5112 | 1 Evernote | 1 Evernote | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM | Evernote before 5.5.1 has insecure PIN storage. |