Total
3242 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2008-1356 | 1 Sun | 1 Solaris | 2023-12-10 | 6.3 MEDIUM | N/A |
Unspecified vulnerability in xscreensaver in Sun Solaris 10 Java Desktop System (JDS), when using the GNOME On-Screen Keyboard (GOK), allows local users to bypass authentication via unknown vectors that cause the screen saver to crash. | |||||
CVE-2008-6269 | 1 Joovili | 1 Joovili | 2023-12-10 | 7.5 HIGH | N/A |
Joovili 3.1.4 allows remote attackers to bypass authentication and gain privileges as other users, including the administrator, by setting the (1) session_id, session_logged_in, and session_username cookies for user privileges; (2) session_admin_id, session_admin_username, and session_admin cookies for admin privileges; and (3) session_staff_id, session_staff_username, and session_staff cookies for staff users. | |||||
CVE-2008-3866 | 1 Trend Micro | 3 Internet Security 2007, Internet Security 2008, Officescan | 2023-12-10 | 4.6 MEDIUM | N/A |
The Trend Micro Personal Firewall service (aka TmPfw.exe) in Trend Micro Network Security Component (NSC) modules, as used in Trend Micro OfficeScan 8.0 SP1 Patch 1 and Internet Security 2007 and 2008 17.0.1224, relies on client-side password protection implemented in the configuration GUI, which allows local users to bypass intended access restrictions and change firewall settings by using a modified client to send crafted packets. | |||||
CVE-2008-4167 | 1 Ezphotogallery | 1 Ezphotogallery | 2023-12-10 | 6.4 MEDIUM | N/A |
useradmin.php in Easy Photo Gallery (aka Ezphotogallery) 2.1 does not require administrative authentication, which allows remote attackers to (1) add or (2) remove an Administrator account. | |||||
CVE-2009-0864 | 1 Matteoiammarrone | 1 S-cms | 2023-12-10 | 7.5 HIGH | N/A |
S-Cms 1.1 Stable allows remote attackers to bypass authentication and obtain administrative access via an OK value for the login cookie. | |||||
CVE-2008-3729 | 1 Microworld Technologies | 1 Mailscan | 2023-12-10 | 7.5 HIGH | N/A |
Web Based Administration in MicroWorld Technologies MailScan 5.6.a espatch 1 allows remote attackers to bypass authentication and obtain administrative access via a direct request with (1) an IsAdmin=true cookie value or (2) no cookie. | |||||
CVE-2008-2730 | 1 Cisco | 1 Unified Communications Manager | 2023-12-10 | 5.0 MEDIUM | N/A |
The Real-Time Information Server (RIS) Data Collector service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3) and 6.x before 6.1(1) allows remote attackers to bypass authentication, and obtain cluster configuration information and statistics, via a direct TCP connection to the service port, aka Bug ID CSCsj90843. | |||||
CVE-2008-5407 | 1 Symantec | 1 Backup Exec For Windows Server | 2023-12-10 | 9.4 HIGH | N/A |
Multiple unspecified vulnerabilities in the Backup Exec remote-agent logon process in Symantec Backup Exec for Windows Servers 11.0 (aka 11d) builds 6235 and 7170, 12.0 build 1364, and 12.5 build 2213 allow remote attackers to bypass authentication, and read or delete files, via unknown vectors. | |||||
CVE-2008-1930 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 7.5 HIGH | N/A |
The cookie authentication method in WordPress 2.5 relies on a hash of a concatenated string containing USERNAME and EXPIRY_TIME, which allows remote attackers to forge cookies by registering a username that results in the same concatenated string, as demonstrated by registering usernames beginning with "admin" to obtain administrator privileges, aka a "cryptographic splicing" issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-6013. | |||||
CVE-2008-4679 | 1 Ibm | 1 Websphere Application Server | 2023-12-10 | 6.8 MEDIUM | N/A |
The Web Services Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.31 and 6.1 before 6.1.0.19, when Certificate Store Collections is configured to use Certificate Revocation Lists (CRL), does not call the setRevocationEnabled method on the PKIXBuilderParameters object, which prevents the "Java security method" from checking the revocation status of X.509 certificates and allows remote attackers to bypass intended access restrictions via a SOAP message with a revoked certificate. | |||||
CVE-2008-6569 | 1 Cybozu | 1 Garoon | 2023-12-10 | 6.8 MEDIUM | N/A |
Session fixation vulnerability in Cybozu Garoon 2.0.0 through 2.1.3 allows remote attackers to hijack web sessions via the session ID in the login page. | |||||
CVE-2009-2072 | 1 Apple | 1 Safari | 2023-12-10 | 5.4 MEDIUM | N/A |
Apple Safari does not require a cached certificate before displaying a lock icon for an https web site, which allows man-in-the-middle attackers to spoof an arbitrary https site by sending the browser a crafted (1) 4xx or (2) 5xx CONNECT response page for an https request sent through a proxy server. | |||||
CVE-2008-3411 | 1 Axesstel | 1 Akw-d800 | 2023-12-10 | 10.0 HIGH | N/A |
The Axesstel AXW-D800 modem with D2_ETH_109_01_VEBR Jun-14-2006 software does not require authentication for (1) etc/config/System.html, (2) etc/config/Network.html, (3) etc/config/Security.html, (4) cgi-bin/sysconf.cgi, and (5) cgi-bin/route.cgi, which allows remote attackers to change the modem's configuration via direct requests. | |||||
CVE-2008-1727 | 1 Myknowledgequest | 1 Knowledgequest | 2023-12-10 | 7.5 HIGH | N/A |
KnowledgeQuest 2.5 and 2.6 does not require authentication for access to admincheck.php, which allows remote attackers to create arbitrary admin accounts. | |||||
CVE-2009-0124 | 1 Arrl | 1 Tqsllib | 2023-12-10 | 5.0 MEDIUM | N/A |
The tqsl_verifyDataBlock function in openssl_cert.cpp in American Radio Relay League (ARRL) tqsllib 2.0 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. | |||||
CVE-2008-5686 | 1 Ibm | 1 Tivoli Provisioning Manager | 2023-12-10 | 8.5 HIGH | N/A |
IBM Tivoli Provisioning Manager (TPM) before 5.1.1.1 IF0006, when its LDAP service is shared with other applications, does not require that an LDAP user be listed in the TPM user records, which allows remote authenticated users to execute SOAP commands that access arbitrary TPM functionality, as demonstrated by running provisioning workflows. | |||||
CVE-2008-5558 | 1 Asterisk | 2 Asterisk Business Edition, Open Source | 2023-12-10 | 4.3 MEDIUM | N/A |
Asterisk Open Source 1.2.26 through 1.2.30.3 and Business Edition B.2.3.5 through B.2.5.5, when realtime IAX2 users are enabled, allows remote attackers to cause a denial of service (crash) via authentication attempts involving (1) an unknown user or (2) a user using hostname matching. | |||||
CVE-2009-2057 | 1 Microsoft | 2 Ie, Internet Explorer | 2023-12-10 | 5.8 MEDIUM | N/A |
Microsoft Internet Explorer before 8 uses the HTTP Host header to determine the context of a document provided in a (1) 4xx or (2) 5xx CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack. | |||||
CVE-2009-0046 | 1 Sun | 1 Grid Engine | 2023-12-10 | 5.0 MEDIUM | N/A |
Sun GridEngine 5.3 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. | |||||
CVE-2009-1384 | 2 Eyrie, Redhat | 2 Pam-krb5, Enterprise Linux | 2023-12-10 | 5.0 MEDIUM | N/A |
pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. |