Total
3234 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2012-5158 | 2 Puppet, Puppetlabs | 2 Puppet Enterprise, Puppet | 2023-12-10 | 4.0 MEDIUM | N/A |
Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors. | |||||
CVE-2014-1984 | 1 Cybozu | 1 Remote Service Manager | 2023-12-10 | 6.8 MEDIUM | N/A |
Session fixation vulnerability in the management screen in Cybozu Remote Service Manager through 2.3.0 and 3.x before 3.1.1 allows remote attackers to hijack web sessions via unspecified vectors. | |||||
CVE-2014-4325 | 1 Little Kernel Project | 1 Little Kernel Bootloader | 2023-12-10 | 7.2 HIGH | N/A |
The cmd_boot function in app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to bypass intended device-lock and kernel-signature restrictions by using fastboot mode in a boot command for an arbitrary kernel image. | |||||
CVE-2014-2338 | 1 Strongswan | 1 Strongswan | 2023-12-10 | 6.4 MEDIUM | N/A |
IKEv2 in strongSwan 4.0.7 before 5.1.3 allows remote attackers to bypass authentication by rekeying an IKE_SA during (1) initiation or (2) re-authentication, which triggers the IKE_SA state to be set to established. | |||||
CVE-2014-3402 | 1 Cisco | 1 Intrusion Prevention System | 2023-12-10 | 5.0 MEDIUM | N/A |
The authentication-manager process in the web framework in Cisco Intrusion Prevention System (IPS) 7.0(8)E4 and earlier in Cisco Intrusion Detection System (IDS) does not properly manage user tokens, which allows remote attackers to cause a denial of service (temporary MainApp hang) via a crafted connection request to the management interface, aka Bug ID CSCuq39550. | |||||
CVE-2014-6387 | 1 Mantisbt | 1 Mantisbt | 2023-12-10 | 5.0 MEDIUM | N/A |
gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authenticated via a password starting will a null byte, which triggers an unauthenticated bind. | |||||
CVE-2014-3053 | 1 Ibm | 5 Security Access Manager For Mobile Appliance, Security Access Manager For Mobile Software, Security Access Manager For Web 8.0 Firmware and 2 more | 2023-12-10 | 8.0 HIGH | N/A |
The Local Management Interface (LMI) in IBM Security Access Manager (ISAM) for Mobile 8.0 with firmware 8.0.0.0 through 8.0.0.3 and IBM Security Access Manager for Web 7.0, and 8.0 with firmware 8.0.0.2 and 8.0.0.3, allows remote attackers to bypass authentication via a login action with invalid credentials. | |||||
CVE-2014-0074 | 1 Apache | 1 Shiro | 2023-12-10 | 7.5 HIGH | N/A |
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password. | |||||
CVE-2014-4435 | 1 Apple | 1 Mac Os X | 2023-12-10 | 4.4 MEDIUM | N/A |
The "iCloud Find My Mac" feature in Apple OS X before 10.10 does not properly enforce rate limiting of lost-mode PIN entry, which makes it easier for physically proximate attackers to obtain access via a brute-force attack involving a series of reboots. | |||||
CVE-2015-2047 | 2 Debian, Typo3 | 2 Debian Linux, Typo3 | 2023-12-10 | 2.6 LOW | N/A |
The rsaauth extension in TYPO3 4.3.0 through 4.3.14, 4.4.0 through 4.4.15, 4.5.0 through 4.5.39, and 4.6.0 through 4.6.18, when configured for the frontend, allows remote attackers to bypass authentication via a password that is casted to an empty value. | |||||
CVE-2014-4168 | 1 Kryo | 1 Iodine | 2023-12-10 | 5.0 MEDIUM | N/A |
(1) iodined.c and (2) user.c in iodine before 0.7.0 allows remote attackers to bypass authentication by continuing execution after an error has been triggering. | |||||
CVE-2013-6031 | 1 Huawei | 2 E355, E355 Firmware | 2023-12-10 | 4.3 MEDIUM | N/A |
The Huawei E355 adapter with firmware 21.157.37.01.910 does not require authentication for API pages, which allows remote attackers to change passwords and settings, or obtain sensitive information, via a direct request to (1) api/wlan/security-settings, (2) api/device/information, (3) api/wlan/basic-settings, (4) api/wlan/mac-filter, (5) api/monitoring/status, or (6) api/dhcp/settings. | |||||
CVE-2013-4304 | 2 Brion Vibber, Mediawiki | 2 Centralauth Extension, Mediawiki | 2023-12-10 | 7.5 HIGH | N/A |
The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 caches a valid CentralAuthUser object in the centralauth_User cookie even when a user has not successfully logged in, which allows remote attackers to bypass authentication without a password. | |||||
CVE-2014-7807 | 1 Apache | 1 Cloudstack | 2023-12-10 | 5.0 MEDIUM | N/A |
Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypass authentication via a login request without a password, which triggers an unauthenticated bind. | |||||
CVE-2014-0482 | 2 Djangoproject, Opensuse | 2 Django, Opensuse | 2023-12-10 | 6.0 MEDIUM | N/A |
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header. | |||||
CVE-2014-2066 | 1 Jenkins | 1 Jenkins | 2023-12-10 | 6.8 MEDIUM | N/A |
Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies. | |||||
CVE-2014-9184 | 1 Zte | 1 Zxdsl | 2023-12-10 | 5.0 MEDIUM | N/A |
ZTE ZXDSL 831CII allows remote attackers to bypass authentication via a direct request to (1) main.cgi, (2) adminpasswd.cgi, (3) userpasswd.cgi, (4) upload.cgi, (5) conprocess.cgi, or (6) connect.cgi. | |||||
CVE-2014-0015 | 1 Haxx | 2 Curl, Libcurl | 2023-12-10 | 4.0 MEDIUM | N/A |
cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request. | |||||
CVE-2014-6116 | 1 Ibm | 1 Websphere Mq | 2023-12-10 | 4.3 MEDIUM | N/A |
The Telemetry Component in WebSphere MQ 8.0.0.1 before p000-001-L140910 allows remote attackers to bypass authentication by setting the JAASConfig property in an MQTT client configuration. | |||||
CVE-2013-4471 | 1 Openstack | 1 Horizon | 2023-12-10 | 5.5 MEDIUM | N/A |
The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user. |