Total: 3242 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2011-5090 | 1 Grboard | 1 Grboard | 2024-02-14 | 6.4 MEDIUM | N/A | GR Board (aka grboard) 1.8.6.5 Community Edition does not require authentication for certain database actions, which allows remote attackers to modify or delete data via a request to (1) mod_rewrite.php, (2) comment_write_ok.php, (3) poll/index.php, (4) update/index.php, (5) trackback.php, or (6) an arbitrary poll.php script under theme/. |
CVE-2022-30034 | 1 Flower Project | 1 Flower | 2024-02-14 | 7.5 HIGH | 8.6 HIGH | Flower, a web UI for the Celery Python RPC framework, all versions as of 05-02-2022, is vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. |
CVE-2009-2422 | 2 Apple, Rubyonrails | 3 Mac Os X, Mac Os X Server, Ruby On Rails | 2024-02-13 | 7.5 HIGH | 9.8 CRITICAL | The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password. |
CVE-2009-2382 | 1 Jay-jayx0r | 1 Phpmyblockchecker | 2024-02-13 | 7.5 HIGH | 9.8 CRITICAL | admin.php in phpMyBlockchecker 1.0.0055 allows remote attackers to bypass authentication and gain administrative access by setting the PHPMYBCAdmin cookie to LOGGEDIN. |
CVE-2009-2168 | 1 Egyplus | 1 7ammel | 2024-02-13 | 7.5 HIGH | 9.8 CRITICAL | cpanel/login.php in EgyPlus 7ammel (aka 7ml) 1.0.1 and earlier sends a redirect to the web browser but does not exit when the supplied credentials are incorrect, which allows remote attackers to bypass authentication by providing arbitrary username and password parameters. |
CVE-2009-1596 | 1 Igniterealtime | 1 Openfire | 2024-02-13 | 4.0 MEDIUM | 6.5 MEDIUM | Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet. |
CVE-2009-3232 | 1 Canonical | 1 Ubuntu Linux | 2024-02-13 | 9.3 HIGH | N/A | pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, does not properly handle an "empty selection" for system authentication modules in certain rare configurations, which causes any attempt to be successful and allows remote attackers to bypass authentication. |
CVE-2009-3231 | 5 Canonical, Fedoraproject, Opensuse and 2 more | 6 Ubuntu Linux, Fedora, Opensuse and 3 more | 2024-02-13 | 6.8 MEDIUM | N/A | The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password. |
CVE-2009-3107 | 1 Symantec | 1 Altiris Deployment Solution | 2024-02-13 | 4.8 MEDIUM | N/A | Symantec Altiris Deployment Solution 6.9.x before 6.9 SP3 Build 430 does not properly restrict access to the listening port for the DBManager service, which allows remote attackers to bypass authentication and modify tasks or the Altiris Database via a connection to this service. |
CVE-2020-12812 | 1 Fortinet | 1 Fortios | 2024-02-13 | 7.5 HIGH | 9.8 CRITICAL | An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username. |
CVE-2020-0688 | 1 Microsoft | 1 Exchange Server | 2024-02-13 | 9.0 HIGH | 8.8 HIGH | A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'. |
CVE-2017-14623 | 1 Go-ldap Project | 1 Ldap | 2024-02-13 | 5.1 MEDIUM | 8.1 HIGH | In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker may be able to log in with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is authorized (i.e., a nil return value is interpreted as successful authorization) and (2) it is used with an LDAP server allowing unauthenticated bind. |
CVE-2009-3421 | 1 Zenas | 1 Pao-bacheca Guestbook | 2024-02-13 | 6.8 MEDIUM | 9.8 CRITICAL | login.php in Zenas PaoBacheca Guestbook 2.1, when register_globals is enabled, allows remote attackers to bypass authentication and gain administrative access by setting the login_ok parameter to 1. |
CVE-2022-36436 | 1 Osuosl | 1 Twisted Vnc Authentication Proxy | 2024-02-13 | N/A | 9.8 CRITICAL | OSU Open Source Lab VNCAuthProxy through 1.1.1 is affected by a vncap/vnc/protocol.py VNCServerAuthenticator authentication-bypass vulnerability that could allow a malicious actor to gain unauthorized access to a VNC session or to disconnect a legitimate user from a VNC session. A remote attacker with network access to the proxy server could leverage this vulnerability to connect to VNC servers protected by the proxy server without providing any authentication credentials. Exploitation of this issue requires that the proxy server is currently accepting connections for the target VNC server. |
CVE-2021-34523 | 1 Microsoft | 1 Exchange Server | 2024-02-13 | 7.5 HIGH | 9.0 CRITICAL | Microsoft Exchange Server Elevation of Privilege Vulnerability |
CVE-2022-35248 | 1 Rocket.chat | 1 Rocket.chat | 2024-02-13 | N/A | 8.8 HIGH | An improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allows two-factor authentication to be bypassed when telling the server to use CAS during login. |
CVE-2024-25313 | 1 Code-projects | 1 Simple School Management System | 2024-02-12 | N/A | 8.8 HIGH | Code-projects Simple School Management System 1.0 allows Authentication Bypass via the username and password parameters at School/teacher_login.php. |
CVE-2023-30559 | 1 Bd | 2 Alaris 8015 Pcu, Alaris 8015 Pcu Firmware | 2024-02-08 | N/A | 5.7 MEDIUM | The firmware update package for the wireless card is not properly signed and can be modified. |
CVE-2024-23637 | 1 Octoprint | 1 Octoprint | 2024-02-08 | N/A | 4.9 MEDIUM | OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0. |
CVE-2024-1039 | 1 Gesslergmbh | 2 Web-master, Web-master Firmware | 2024-02-07 | N/A | 9.8 CRITICAL | Gessler GmbH WEB-MASTER has a restoration account that uses weak hard-coded credentials and, if exploited, could allow an attacker control over the web management of the device. |