Total: 2785 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2013-3071 | 1 Netgear | 2 Wndr4700, Wndr4700 Firmware | 2020-01-30 | 7.5 HIGH | 9.8 CRITICAL | NETGEAR Centria WNDR4700 devices with firmware 1.0.0.34 allow authentication bypass. |
| CVE-2020-1787 | 1 Huawei | 2 Mate 20, Mate 20 Firmware | 2020-01-29 | 7.2 HIGH | 6.6 MEDIUM | HUAWEI Mate 20 smartphones versions earlier than 9.1.0.139(C00E133R3P1) have an improper authentication vulnerability. The system has a logic error under a certain scenario; successful exploit could allow an attacker who gains the privilege of the guest user to access the host user's desktop in an instant, without unlocking the screen lock of the host user. |
| CVE-2020-1840 | 1 Huawei | 2 Mate 20, Mate 20 Firmware | 2020-01-29 | 3.6 LOW | 6.0 MEDIUM | HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.175(C00E70R3P8) have an insufficient authentication vulnerability. A local attacker with high privilege can execute a specific command to exploit this vulnerability. Successful exploitation may cause information leak and compromise the availability of the smartphones. Affected product versions include: HUAWEI Mate 20 versions earlier than 10.0.0.175(C00E70R3P8). |
| CVE-2020-7222 | 1 Amcrest | 1 Web Server | 2020-01-29 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06-29 WEB 3.2.1.453504. The login page responds with JavaScript when one tries to authenticate. An attacker who changes the result parameter (to true) in this JavaScript code can bypass authentication and achieve limited privileges (ability to see every option but not modify them). |
| CVE-2019-15585 | 1 Gitlab | 1 Gitlab | 2020-01-29 | 7.5 HIGH | 9.8 CRITICAL | Improper authentication exists in GitLab Community Edition (CE) and Enterprise Edition (EE) < 12.3.2, < 12.2.6, and < 12.1.12: the GitLab SAML integration had a validation issue that permitted an attacker to take over another user's account. |
| CVE-2012-2714 | 1 Browserid Project | 1 Browserid | 2020-01-27 | 7.5 HIGH | 9.8 CRITICAL | The BrowserID (Mozilla Persona) module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users via the audience identifier. |
| CVE-2020-1788 | 1 Huawei | 2 Honor V30, Honor V30 Firmware | 2020-01-24 | 4.3 MEDIUM | 5.5 MEDIUM | Honor V30 smartphones with versions earlier than 10.0.1.135(C00E130R4P1) have an improper authentication vulnerability. Certain applications do not properly validate the identity of another application that would call its interface. An attacker could trick the user into installing a malicious application. Successful exploit could allow unauthorized actions leading to information disclosure. |
| CVE-2012-1258 | 1 Plixer | 1 Scrutinizer Netflow & Sflow Analyzer | 2020-01-22 | 4.0 MEDIUM | 6.5 MEDIUM | cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer before 9.0.1.19899 does not validate user permissions, which allows remote attackers to add user accounts with administrator privileges via the newuser, pwd, and selectedUserGroup parameters. |
| CVE-2014-2651 | 1 Atos | 28 Openscape Desk Phone Ip 35g, Openscape Desk Phone Ip 35g Eco, Openscape Desk Phone Ip 35g Eco Firmware and 25 more | 2020-01-21 | 10.0 HIGH | 9.8 CRITICAL | Unify OpenStage/OpenScape Desk Phone IP SIP before V3 R3.11.0 has an authentication bypass in the default mode of the Workpoint Interface. |
| CVE-2017-7562 | 2 Mit, Redhat | 5 Kerberos 5, Enterprise Linux, Enterprise Linux Desktop and 2 more | 2020-01-21 | 4.0 MEDIUM | 6.5 MEDIUM | An authentication bypass flaw was found in the way krb5's certauth interface before 1.16.1 handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary principals under rare and erroneous circumstances. |
| CVE-2019-19518 | 1 Broadcom | 1 Ca Automic Sysload | 2020-01-17 | 7.5 HIGH | 9.8 CRITICAL | CA Automic Sysload 5.6.0 through 6.1.2 contains a vulnerability, related to a lack of authentication on the File Server port, that potentially allows remote attackers to execute arbitrary commands. |
| CVE-2013-3088 | 1 Belkin | 2 N900, N900 Firmware | 2020-01-16 | 9.3 HIGH | 9.8 CRITICAL | Belkin N900 router (F9K1104v1) contains an Authentication Bypass using "Javascript debugging". |
| CVE-2012-3824 | 1 Arialsoftware | 1 Campaign Enterprise | 2020-01-15 | 5.0 MEDIUM | 7.5 HIGH | In Arial Campaign Enterprise before 11.0.551, multiple pages are accessible without authentication or authorization. |
| CVE-2020-1786 | 1 Huawei | 2 Mate 20 Pro, Mate 20 Pro Firmware | 2020-01-15 | 2.1 LOW | 4.6 MEDIUM | HUAWEI Mate 20 Pro smartphones versions earlier than 10.0.0.175(C00E69R3P8) have an improper authentication vulnerability. The software does not sufficiently validate the name of an apk file in a special condition, which could allow an attacker to forge a crafted application as a normal one. Successful exploit could allow the attacker to bypass the digital balance function. |
| CVE-2013-4982 | 1 Avtech | 2 Avn801 Dvr, Avn801 Dvr Firmware | 2020-01-15 | 7.5 HIGH | 9.8 CRITICAL | AVTECH AVN801 DVR has a security bypass via the administration login captcha. |
| CVE-2018-19831 | 1 Cryptbond Network Project | 1 Cryptbond Network | 2020-01-14 | 5.0 MEDIUM | 7.5 HIGH | The ToOwner() function of a smart contract implementation for Cryptbond Network (CBN), a tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. |
| CVE-2018-19833 | 1 Ddq Project | 1 Ddq | 2020-01-14 | 5.0 MEDIUM | 7.5 HIGH | The owned function of a smart contract implementation for DDQ, a tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. |
| CVE-2018-19834 | 1 Bombba Project | 1 Bombba | 2020-01-14 | 5.0 MEDIUM | 7.5 HIGH | The quaker function of a smart contract implementation for BOMBBA (BOMB), a tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. |
| CVE-2018-19832 | 1 Newinteltechmedia Project | 1 Newinteltechmedia | 2020-01-14 | 5.0 MEDIUM | 7.5 HIGH | The NETM() function of a smart contract implementation for NewIntelTechMedia (NETM), a tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. |
| CVE-2013-4976 | 1 Hikvision | 2 Ds-2cd7153-e, Ds-2cd7153-e Firmware | 2020-01-10 | 7.5 HIGH | 9.8 CRITICAL | Hikvision DS-2CD7153-E IP Camera has security bypass via hardcoded credentials. |
| CVE-2019-20360 | 1 Impress | 1 Givewp | 2020-01-09 | 5.0 MEDIUM | 7.5 HIGH | A flaw in Give before 2.5.5, a WordPress plugin, allowed unauthenticated users to bypass API authentication methods and access personally identifiable user information (PII) including names, addresses, IP addresses, and email addresses. Once an API key has been set to any meta key value from the wp_usermeta table, and the token is set to the corresponding MD5 hash of the meta key selected, one can make a request to the restricted endpoints, and thus access sensitive donor data. |
| CVE-2013-5122 | 1 Cisco | 8 Linksys E4200, Linksys E4200 Firmware, Linksys Ea2700 and 5 more | 2020-01-09 | 10.0 HIGH | 9.8 CRITICAL | Cisco Linksys Routers EA2700, EA3500, E4200, EA4500: a bug can cause an unsafe TCP port to open, which leads to unauthenticated access. |
| CVE-2013-3085 | 1 Belkin | 2 F5d8236-4, F5d8236-4 Firmware | 2020-01-09 | 7.5 HIGH | 9.8 CRITICAL | An authentication bypass exists in the web management interface in Belkin F5D8236-4 v2. |
| CVE-2019-16327 | 1 Dlink | 2 Dir-601, Dir-601 Firmware | 2020-01-08 | 7.5 HIGH | 9.8 CRITICAL | D-Link DIR-601 B1 2.00NA devices are vulnerable to authentication bypass. They do not check for authentication at the server side and rely on client-side validation, which is bypassable. NOTE: this is an end-of-life product. |
| CVE-2018-20489 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control. |
| CVE-2013-4621 | 1 Magdevgroup | 1 Magnolia Cms | 2020-01-04 | 7.5 HIGH | 9.8 CRITICAL | Magnolia CMS before 4.5.9 has multiple access bypass vulnerabilities. |
| CVE-2012-3462 | 1 Fedoraproject | 1 Sssd | 2020-01-03 | 6.5 MEDIUM | 8.8 HIGH | A flaw was found in SSSD version 1.9.0. The SSSD's access-provider logic causes the result of the HBAC rule processing to be ignored in the event that the access-provider is also handling the setup of the user's SELinux user context. |
| CVE-2019-5486 | 1 Gitlab | 1 Gitlab | 2019-12-30 | 6.5 MEDIUM | 8.8 HIGH | An authentication bypass vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.10 in the Salesforce login integration that could be used by an attacker to create an account that bypassed domain restrictions and email verification requirements. |
| CVE-2019-19982 | 1 Icegram | 1 Email Subscribers & Newsletters | 2019-12-30 | 5.0 MEDIUM | 5.3 MEDIUM | The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed for unauthenticated option creation. In order to exploit this vulnerability, an attacker would need to send a /wp-admin/admin-post.php?es_skip=1&option_name= request. |
| CVE-2019-5253 | 1 Huawei | 2 E5572-855, E5572-855 Firmware | 2019-12-30 | 7.1 HIGH | 5.9 MEDIUM | E5572-855 with versions earlier than 8.0.1.3(H335SP1C233) has an improper authentication vulnerability. The device does not perform sufficient authentication when doing certain operations; successful exploit could allow an attacker to cause the device to reboot after launching a man-in-the-middle attack. |
| CVE-2019-5252 | 1 Huawei | 12 Enjoy 8 Plus, Enjoy 8 Plus Firmware, Honor 8x and 9 more | 2019-12-27 | 3.6 LOW | 3.5 LOW | There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant. |
| CVE-2019-8533 | 1 Apple | 1 Mac Os X | 2019-12-26 | 4.6 MEDIUM | 7.8 HIGH | A lock handling issue was addressed with improved lock handling. This issue is fixed in macOS Mojave 10.14.4. A Mac may not lock when disconnecting from an external monitor. |
| CVE-2019-8804 | 1 Apple | 2 Ipados, Iphone Os | 2019-12-26 | 2.9 LOW | 5.7 MEDIUM | An inconsistency in Wi-Fi network configuration settings was addressed. This issue is fixed in iOS 13.2 and iPadOS 13.2. An attacker in physical proximity may be able to force a user onto a malicious Wi-Fi network during device setup. |
| CVE-2019-8704 | 1 Apple | 2 Iphone Os, Tvos | 2019-12-20 | 2.1 LOW | 5.5 MEDIUM | An authentication issue was addressed with improved state management. This issue is fixed in tvOS 13. A local user may be able to leak sensitive user information. |
| CVE-2014-8650 | 2 Debian, Requests-kerberos Project | 2 Debian Linux, Requests-kerberos | 2019-12-19 | 7.5 HIGH | 9.8 CRITICAL | python-requests-Kerberos through 0.5 does not handle mutual authentication. |
| CVE-2019-19507 | 1 Json Pattern Validator Project | 1 Json Pattern Validator | 2019-12-19 | 5.0 MEDIUM | 5.3 MEDIUM | In jpv (aka Json Pattern Validator) before 2.1.1, compareCommon() can be bypassed because certain internal attributes can be overwritten via a conflicting name, as demonstrated by 'constructor': {'name':'Array'}. This affects validate(). Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result. |
| CVE-2019-6675 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2019-12-18 | 7.5 HIGH | 9.8 CRITICAL | BIG-IP configurations using Active Directory, LDAP, or Client Certificate LDAP for management authentication with multiple servers are exposed to a vulnerability which allows an authentication bypass. This can result in a complete compromise of the system. This issue only impacts specific engineering hotfixes using the aforementioned authentication configuration. NOTE: This vulnerability does not affect any of the BIG-IP major, minor or maintenance releases you obtained from downloads.f5.com. The affected Engineering Hotfix builds are as follows: Hotfix-BIGIP-14.1.0.3.0.79.6-ENG.iso, Hotfix-BIGIP-14.1.0.3.0.97.6-ENG.iso, Hotfix-BIGIP-14.1.0.3.0.99.6-ENG.iso, Hotfix-BIGIP-14.1.0.5.0.15.5-ENG.iso, Hotfix-BIGIP-14.1.0.5.0.36.5-ENG.iso, Hotfix-BIGIP-14.1.0.5.0.40.5-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.11.9-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.14.9-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.68.9-ENG.iso, Hotfix-BIGIP-14.1.0.6.0.70.9-ENG.iso, Hotfix-BIGIP-14.1.2.0.11.37-ENG.iso, Hotfix-BIGIP-14.1.2.0.18.37-ENG.iso, Hotfix-BIGIP-14.1.2.0.32.37-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.46.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.14.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.16.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.34.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.97.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.99.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.105.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.111.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.115.4-ENG.iso, Hotfix-BIGIP-14.1.2.1.0.122.4-ENG.iso, Hotfix-BIGIP-15.0.1.0.33.11-ENG.iso, Hotfix-BIGIP-15.0.1.0.48.11-ENG.iso |
| CVE-2014-1867 | 1 Suphp | 1 Suphp | 2019-12-17 | 4.4 MEDIUM | 7.8 HIGH | suPHP before 0.7.2 source-highlighting feature allows security bypass which could lead to arbitrary code execution. |
| CVE-2019-18380 | 1 Symantec | 1 Industrial Control System Protection | 2019-12-17 | 3.3 LOW | 6.5 MEDIUM | Symantec Industrial Control System Protection (ICSP), versions 6.x.x, may be susceptible to an unauthorized access issue that could potentially allow a threat actor to create or modify application user accounts without proper authentication. |
| CVE-2019-5218 | 1 Huawei | 4 Band 2, Band 2 Firmware, Band 3 and 1 more | 2019-12-16 | 5.8 MEDIUM | 8.8 HIGH | There is an insufficient authentication vulnerability in Huawei Band 2 and Honor Band 3. The band does not sufficiently authenticate a device trying to connect to it in a certain scenario. Successful exploit could allow the attacker to spoof and then connect to the band. |
| CVE-2019-14909 | 1 Redhat | 1 Keycloak | 2019-12-16 | 7.5 HIGH | 8.3 HIGH | A vulnerability was found in Keycloak 7.x where, when the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid, will be accepted. |
| CVE-2013-4593 | 1 Omniauth-facebook Project | 1 Omniauth-facebook | 2019-12-16 | 5.0 MEDIUM | 7.5 HIGH | RubyGem omniauth-facebook has an access token security vulnerability. |
| CVE-2019-19598 | 1 Dlink | 2 Dap-1860, Dap-1860 Firmware | 2019-12-14 | 8.3 HIGH | 8.8 HIGH | D-Link DAP-1860 devices before v1.04b03 Beta allow access to administrator functions without authentication via the HNAP_AUTH header timestamp value. In HTTP requests, part of the HNAP_AUTH header is the timestamp used to determine the time when the user sent the request. If this value is equal to the value stored in the device's /var/hnap/timestamp file, the request will pass the HNAP_AUTH check function. |
| CVE-2019-17437 | 1 Paloaltonetworks | 1 Pan-os | 2019-12-13 | 4.6 MEDIUM | 7.8 HIGH | An improper authentication check in Palo Alto Networks PAN-OS may allow an authenticated low privileged non-superuser custom role user to elevate privileges and become superuser. This issue affects PAN-OS 7.1 versions prior to 7.1.25; 8.0 versions prior to 8.0.20; 8.1 versions prior to 8.1.11; 9.0 versions prior to 9.0.5. PAN-OS version 7.0 and prior EOL versions have not been evaluated for this issue. |
| CVE-2013-2159 | 1 Monkey-project | 1 Monkey | 2019-12-13 | 7.5 HIGH | 9.8 CRITICAL | Monkey HTTP Daemon: broken user name authentication. |
| CVE-2019-12394 | 1 Anviz | 1 Management System | 2019-12-12 | 7.5 HIGH | 9.8 CRITICAL | Anviz access control devices allow unverified password change, which allows remote attackers to change the administrator password without prior authentication. |
| CVE-2019-19521 | 1 Openbsd | 1 Openbsd | 2019-12-12 | 7.5 HIGH | 9.8 CRITICAL | libc in OpenBSD 6.6 allows authentication bypass via the -schallenge username, as demonstrated by smtpd, ldapd, or radiusd. This is related to gen/auth_subr.c and gen/authenticate.c in libc (and login/login.c and xenocara/app/xenodm/greeter/verify.c). |
| CVE-2019-15987 | 1 Cisco | 6 Webex Event Center, Webex Meeting Center, Webex Meetings Online and 3 more | 2019-12-09 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability in the web interface of the Cisco Webex Event Center, Cisco Webex Meeting Center, Cisco Webex Support Center, and Cisco Webex Training Center could allow an unauthenticated, remote attacker to guess account usernames. The vulnerability is due to missing CAPTCHA protection in certain URLs. An attacker could exploit this vulnerability by sending a crafted request to the web interface. A successful exploit could allow the attacker to know if a given username is valid and find the real name of the user. |
| CVE-2014-2904 | 1 Wolfssl | 1 Wolfssl | 2019-12-04 | 5.0 MEDIUM | 7.5 HIGH | wolfssl before 3.2.0 has a server certificate that is not properly authorized for server authentication. |
| CVE-2013-3072 | 1 Netgear | 2 Wndr4700, Wndr4700 Firmware | 2019-11-20 | 7.5 HIGH | 9.8 CRITICAL | An Authentication Bypass vulnerability exists in NETGEAR Centria WNDR4700 Firmware 1.0.0.34 in http://<router_ip>/apply.cgi?/hdd_usr_setup.htm that, when visited by any user, authenticated or not, causes the router to no longer require a password to access the web administration portal. |
