Search
Total
2785 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2012-5003 | 1 Nomachine | 1 Nx Web Companion | 2017-08-29 | 6.8 MEDIUM | N/A |
| nxapplet.jar in No Machine NX Web Companion 3.x and earlier does not properly verify the authenticity of updates, which allows user-assisted remote attackers to execute arbitrary code via a crafted (1) SiteUrl or (2) RedirectUrl parameter that points to a Trojan Horse client.zip update file. | |||||
| CVE-2012-5352 | 1 Josso | 1 Java Open Single Sign-on Project Home | 2017-08-29 | 5.8 MEDIUM | N/A |
| Java Open Single Sign-On Project Home (JOSSO) allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack." | |||||
| CVE-2012-5940 | 1 Ibm | 1 Netezza | 2017-08-29 | 4.3 MEDIUM | N/A |
| The WebAdmin application 6.0.5, 6.0.8, and 7.0 before P2 in IBM Netezza, when SSL is not enabled, allows remote attackers to discover credentials by sniffing the network during the authentication process. | |||||
| CVE-2013-0191 | 1 Lucas Clemente Vella | 1 Libpam-pgsql | 2017-08-29 | 5.0 MEDIUM | N/A |
| libpam-pgsql (aka pam_pgsql) 0.7 does not properly handle a NULL value returned by the password search query, which allows remote attackers to bypass authentication via a crafted password. | |||||
| CVE-2012-3721 | 1 Apple | 1 Mac Os X | 2017-08-29 | 5.0 MEDIUM | N/A |
| Profile Manager in Apple Mac OS X before 10.7.5 does not properly perform authentication for the Device Management private interface, which allows attackers to enumerate managed devices via unspecified vectors. | |||||
| CVE-2012-3741 | 1 Apple | 1 Iphone Os | 2017-08-29 | 1.9 LOW | N/A |
| The Restrictions (aka Parental Controls) implementation in Apple iOS before 6 does not properly handle purchase attempts after a Disable Restrictions action, which allows local users to bypass an intended Apple ID authentication step via an app that performs purchase transactions. | |||||
| CVE-2012-4595 | 1 Mcafee | 2 Email And Web Security, Email Gateway | 2017-08-29 | 7.5 HIGH | N/A |
| McAfee Email and Web Security (EWS) 5.5 through Patch 6 and 5.6 through Patch 3, and McAfee Email Gateway (MEG) 7.0.0 and 7.0.1, allows remote attackers to bypass authentication and obtain an admin session ID via unspecified vectors. | |||||
| CVE-2012-2377 | 1 Redhat | 3 Jboss Enterprise Brms Platform, Jboss Enterprise Portal Platform, Jboss Enterprise Soa Platform | 2017-08-29 | 3.3 LOW | N/A |
| JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast. | |||||
| CVE-2012-3467 | 1 Apache | 1 Qpid | 2017-08-29 | 5.0 MEDIUM | N/A |
| Apache QPID 0.14, 0.16, and earlier uses a NullAuthenticator mechanism to authenticate catch-up shadow connections to AMQP brokers, which allows remote attackers to bypass authentication. | |||||
| CVE-2012-2132 | 1 Gnome | 1 Libsoup | 2017-08-29 | 5.0 MEDIUM | N/A |
| libsoup 2.32.2 and earlier does not validate certificates or clear the trust flag when the ssl-ca-file does not exist, which allows remote attackers to bypass authentication by connecting with a SSL connection. | |||||
| CVE-2012-2285 | 1 Emc | 2 Cloud Tiering Appliance, Cloud Tiering Appliance Virtual Edition | 2017-08-29 | 6.8 MEDIUM | N/A |
| EMC Cloud Tiering Appliance (aka CTA, formerly FMA) 9.0 and earlier, and Cloud Tiering Appliance Virtual Edition (CTA/VE) 9.0 and earlier, allows remote attackers to obtain GUI administrative access by sending a crafted file during the authentication phase. | |||||
| CVE-2012-2287 | 2 Emc, Microsoft | 4 Rsa Authentication Agent, Rsa Authentication Client, Windows Server 2003 and 1 more | 2017-08-29 | 8.5 HIGH | N/A |
| The authentication functionality in EMC RSA Authentication Agent 7.1 and RSA Authentication Client 3.5 on Windows XP and Windows Server 2003, when an unspecified configuration exists, allows remote authenticated users to bypass an intended token-authentication step, and establish a login session to a remote host, by leveraging Windows credentials for that host. | |||||
| CVE-2012-0874 | 1 Redhat | 3 Jboss Enterprise Application Platform, Jboss Enterprise Brms Platform, Jboss Enterprise Web Platform | 2017-08-29 | 6.8 MEDIUM | N/A |
| The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can only be exploited when the interceptor is not properly configured with a "second layer of authentication," or when used in conjunction with other vulnerabilities that bypass this second layer. | |||||
| CVE-2012-0702 | 1 Ibm | 2 Infosphere Information Server, Infosphere Information Server Information Services Framework | 2017-08-29 | 4.0 MEDIUM | N/A |
| Information Services Framework (ISF) in IBM InfoSphere Information Server 8.1, 8.5 before FP3, and 8.7 does not properly determine authorization, which allows remote authenticated users to gain privileges via unspecified vectors. | |||||
| CVE-2012-2388 | 1 Strongswan | 1 Strongswan | 2017-08-29 | 7.5 HIGH | N/A |
| The GMP Plugin in strongSwan 4.2.0 through 4.6.3 allows remote attackers to bypass authentication via a (1) empty or (2) zeroed RSA signature, aka "RSA signature verification vulnerability." | |||||
| CVE-2012-2437 | 1 Awcm-cms | 1 Ar Web Content Manager | 2017-08-29 | 5.0 MEDIUM | N/A |
| cookie_gen.php in ar web content manager (AWCM) 2.2 does not require authentication, which allows remote attackers to generate arbitrary cookies via the name parameter in conjunction with the content parameter. | |||||
| CVE-2012-2562 | 2 Google, Xelex | 2 Android, Mobiletrack | 2017-08-29 | 7.6 HIGH | N/A |
| The Xelex MobileTrack application 2.3.7 and earlier for Android does not verify the origin of SMS commands, which allows remote attackers to execute a (1) LOCATE, (2) TRACK, (3) UPDATECFG, (4) UPDATEACCT, (5) STAT, (6) TERM, or (7) WIPE command via an SMS message. | |||||
| CVE-2012-0944 | 2 Canonical, Sebastian Heinlein | 2 Ubuntu Linux, Aptdaemon | 2017-08-29 | 4.3 MEDIUM | N/A |
| Aptdaemon 0.43 and earlier in Ubuntu 11.04, 11.10, and 12.04 LTS does not authenticate packages when the transaction is not simulated, which allows remote attackers to install arbitrary packages via a man-in-the-middle attack. | |||||
| CVE-2012-3315 | 1 Ibm | 2 Tivoli Federated Identity Manager, Tivoli Federated Identity Manager Business Gateway | 2017-08-29 | 5.0 MEDIUM | N/A |
| The Java servlets in the management console in IBM Tivoli Federated Identity Manager (TFIM) through 6.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) before 6.2.2 do not require authentication for all resource downloads, which allows remote attackers to bypass intended J2EE security constraints, and obtain sensitive information related to (1) federation metadata or (2) a web plugin configuration template, via a crafted request. | |||||
| CVE-2012-3416 | 1 Condor Project | 1 Condor | 2017-08-29 | 10.0 HIGH | N/A |
| Condor before 7.8.2 allows remote attackers to bypass host-based authentication and execute actions such as ALLOW_ADMINISTRATOR or ALLOW_WRITE by connecting from a system with a spoofed reverse DNS hostname. | |||||
| CVE-2011-5054 | 1 Kde | 1 Kcheckpass | 2017-08-29 | 6.9 MEDIUM | N/A |
| kcheckpass passes a user-supplied argument to the pam_start function, often within a setuid environment, which allows local users to invoke any configured PAM stack, and possibly trigger unintended side effects, via an arbitrary valid PAM service name, a different vulnerability than CVE-2011-4122. NOTE: the vendor indicates that the possibility of resultant privilege escalation may be "a bit far-fetched." | |||||
| CVE-2011-3667 | 1 Mozilla | 1 Bugzilla | 2017-08-29 | 6.8 MEDIUM | N/A |
| The User.offer_account_by_email WebService method in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when createemailregexp is not empty, does not properly handle user_can_create_account settings, which allows remote attackers to create user accounts by leveraging a token contained in an e-mail message. | |||||
| CVE-2011-5253 | 1 Thegr | 1 Dl | 2017-08-29 | 4.3 MEDIUM | N/A |
| Dl Download Ticket Service 0.3 through 0.9 allows remote attackers to login as an arbitrary user by supplying an authorization header. | |||||
| CVE-2011-5090 | 1 Grboard | 1 Grboard | 2017-08-29 | 6.4 MEDIUM | N/A |
| GR Board (aka grboard) 1.8.6.5 Community Edition does not require authentication for certain database actions, which allows remote attackers to modify or delete data via a request to (1) mod_rewrite.php, (2) comment_write_ok.php, (3) poll/index.php, (4) update/index.php, (5) trackback.php, or (6) an arbitrary poll.php script under theme/. | |||||
| CVE-2011-3297 | 1 Cisco | 3 Catalyst 6500, Catalyst 7600, Firewall Services Module Software | 2017-08-29 | 7.8 HIGH | N/A |
| Cisco Firewall Services Module (aka FWSM) 3.1 before 3.1(21), 3.2 before 3.2(22), 4.0 before 4.0(16), and 4.1 before 4.1(7), when certain authentication configurations are used, allows remote attackers to cause a denial of service (module crash) by making many authentication requests for network access, aka Bug ID CSCtn15697. | |||||
| CVE-2011-2155 | 1 Smartertools | 1 Smarterstats | 2017-08-29 | 7.5 HIGH | N/A |
| Login.aspx in the SmarterTools SmarterStats 6.0 web server generates a ctl00$MPH$txtPassword password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation. | |||||
| CVE-2011-2676 | 2 Ark-web, Six Apart | 5 A-form, A-form Bamboo, A-form Pc and 2 more | 2017-08-29 | 5.5 MEDIUM | N/A |
| The A-Form and A-Form bamboo before 1.3.6 and 2.x before 2.0.3, and A-Form PC and PC/Mobile before 3.1, plug-ins for Movable Type do not require administrative authentication, which allows remote authenticated users to modify data via unspecified vectors. | |||||
| CVE-2011-2907 | 1 Clusterresources | 1 Torque Resource Manager | 2017-08-29 | 7.5 HIGH | N/A |
| Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) 3.0.1 and earlier allows remote attackers to bypass host-based authentication and submit arbitrary jobs via a modified PBS_O_HOST variable to the qsub program. | |||||
| CVE-2011-2925 | 1 Redhat | 1 Enterprise Mrg | 2017-08-29 | 4.6 MEDIUM | N/A |
| Cumin in Red Hat Enterprise Messaging, Realtime, and Grid (MRG) 2.0 records broker authentication credentials in a log file, which allows local users to bypass authentication and perform unauthorized actions on jobs and message queues via a direct connection to the broker. | |||||
| CVE-2017-9370 | 1 Blackberry | 1 Workspaces | 2017-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| An information disclosure / elevation of privilege vulnerability in the BlackBerry Workspaces Server could potentially allow an attacker who has legitimate access to BlackBerry Workspaces to gain access to another user's workspace by making multiple login requests to the server. | |||||
| CVE-2017-9857 | 1 Sma | 78 Sunny Boy 1.5, Sunny Boy 1.5 Firmware, Sunny Boy 2.5 and 75 more | 2017-08-22 | 4.3 MEDIUM | 8.1 HIGH |
| ** DISPUTED ** An issue was discovered in SMA Solar Technology products. The SMAdata2+ communication protocol does not properly use authentication with encryption: it is vulnerable to man in the middle, packet injection, and replay attacks. Any setting change, authentication packet, scouting packet, etc. can be replayed, injected, or used for a man in the middle session. All functionalities available in Sunny Explorer can effectively be done from anywhere within the network as long as an attacker gets the packet setup correctly. This includes the authentication process for all (including hidden) access levels and the changing of settings in accordance with the gained access rights. Furthermore, because the SMAdata2+ communication channel is unencrypted, an attacker capable of understanding the protocol can eavesdrop on communications. NOTE: the vendor's position is that authentication with encryption is not required on an isolated subnetwork. Also, only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected. | |||||
| CVE-2015-6816 | 2 Fedoraproject, Ganglia | 2 Fedora, Ganglia-web | 2017-08-20 | 7.5 HIGH | 9.8 CRITICAL |
| ganglia-web before 3.7.1 allows remote attackers to bypass authentication. | |||||
| CVE-2011-1409 | 1 Ulli Horlacher | 1 Fex | 2017-08-17 | 5.0 MEDIUM | N/A |
| Frams's Fast File EXchange (F*EX, aka fex) 20100208, and possibly other versions before 20110610, allows remote attackers to bypass authentication and upload arbitrary files via a request that lacks an authentication ID. | |||||
| CVE-2011-1674 | 1 Netgear | 2 Prosafe Wnap210, Prosafe Wnap210 Firmware | 2017-08-17 | 6.8 MEDIUM | N/A |
| The NetGear ProSafe WNAP210 with firmware 2.0.12 allows remote attackers to bypass authentication and obtain access to the configuration page by visiting recreate.php and then visiting index.php. | |||||
| CVE-2011-1472 | 1 Nokia | 2 E75, E75 Firmware | 2017-08-17 | 7.2 HIGH | N/A |
| The Nokia E75 phone with firmware before 211.12.01 allows physically proximate attackers to bypass the Device Lock code by entering an unspecified button sequence at boot time. | |||||
| CVE-2011-1372 | 1 Ibm | 4 Ts3100 Tape Library, Ts3100 Tape Library Firmware, Ts3200 Tape Library and 1 more | 2017-08-17 | 6.8 MEDIUM | N/A |
| The Web User Interface on the IBM TS3100 and TS3200 tape libraries with firmware before A.60 allows remote attackers to bypass authentication and obtain administrative access via unspecified vectors. | |||||
| CVE-2010-4211 | 2 Apple, Ebay | 2 Iphone Os, Paypal | 2017-08-17 | 2.9 LOW | N/A |
| The PayPal app before 3.0.1 for iOS does not verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof a PayPal web server via an arbitrary certificate. | |||||
| CVE-2010-3905 | 1 Eucalyptus | 1 Eucalyptus | 2017-08-17 | 7.5 HIGH | N/A |
| The password reset feature in the administrator interface for Eucalyptus 2.0.0 and 2.0.1 does not perform authentication, which allows remote attackers to gain privileges by sending password reset requests for other users. | |||||
| CVE-2011-0718 | 1 Redhat | 1 Network Satellite Server | 2017-08-17 | 5.8 MEDIUM | N/A |
| Red Hat Network (RHN) Satellite Server 5.4 does not use a time delay after a failed login attempt, which makes it easier for remote attackers to conduct brute force password guessing attacks. | |||||
| CVE-2011-0688 | 1 Symantec | 3 Antivirus, Antivirus Central Quarantine Server, System Center | 2017-08-17 | 9.3 HIGH | N/A |
| Intel Alert Management System (aka AMS or AMS2), as used in Symantec Antivirus Corporate Edition (SAVCE) 10.x before 10.1 MR10, Symantec System Center (SSC) 10.x, and Symantec Quarantine Server 3.5 and 3.6, allows remote attackers to execute arbitrary commands via crafted messages over TCP, as discovered by Junaid Bohio, a different vulnerability than CVE-2010-0110 and CVE-2010-0111. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2011-0527 | 1 Vmware | 1 Tc Server | 2017-08-17 | 5.0 MEDIUM | N/A |
| VMware vFabric tc Server (aka SpringSource tc Server) 2.0.x before 2.0.6.RELEASE and 2.1.x before 2.1.2.RELEASE accepts obfuscated passwords during JMX authentication, which makes it easier for context-dependent attackers to obtain access by leveraging an ability to read stored passwords. | |||||
| CVE-2011-0489 | 1 Objectivity | 1 Objectivity\/db | 2017-08-17 | 7.5 HIGH | N/A |
| The server components in Objectivity/DB 10.0 do not require authentication for administrative commands, which allows remote attackers to modify data, obtain sensitive information, or cause a denial of service by sending requests over TCP to (1) the Lock Server or (2) the Advanced Multithreaded Server, as demonstrated by commands that are ordinarily sent by the (a) ookillls and (b) oostopams applications. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2011-0438 | 1 Arthurdejong | 1 Nss-pam-ldapd | 2017-08-17 | 6.8 MEDIUM | N/A |
| nslcd/pam.c in the nss-pam-ldapd 0.8.0 PAM module returns a success code when a user is not found in LDAP, which allows remote attackers to bypass authentication. | |||||
| CVE-2011-0435 | 1 Gplhost | 1 Domain Technologie Control | 2017-08-17 | 5.0 MEDIUM | N/A |
| Domain Technologie Control (DTC) before 0.32.9 does not require authentication for (1) admin/bw_per_month.php and (2) client/bw_per_month.php, which allows remote attackers to obtain potentially sensitive bandwidth information via a direct request. | |||||
| CVE-2011-0384 | 1 Cisco | 2 Telepresence Multipoint Switch, Telepresence Multipoint Switch Software | 2017-08-17 | 10.0 HIGH | N/A |
| The Java Servlet framework on Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x does not require administrative authentication for unspecified actions, which allows remote attackers to execute arbitrary code via a crafted request, aka Bug ID CSCtf01253. | |||||
| CVE-2011-0383 | 1 Cisco | 4 Telepresence Multipoint Switch, Telepresence Multipoint Switch Software, Telepresence Recording Server and 1 more | 2017-08-17 | 10.0 HIGH | N/A |
| The Java Servlet framework on Cisco TelePresence Recording Server devices with software 1.6.x before 1.6.2 and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x does not require administrative authentication for unspecified actions, which allows remote attackers to execute arbitrary code via a crafted request, aka Bug IDs CSCtf42005 and CSCtf42008. | |||||
| CVE-2011-0380 | 1 Cisco | 1 Telepresence Manager | 2017-08-17 | 7.5 HIGH | N/A |
| Cisco TelePresence Manager 1.2.x through 1.6.x allows remote attackers to bypass authentication and invoke arbitrary methods via a malformed SOAP request, aka Bug ID CSCtc59562. | |||||
| CVE-2011-0392 | 1 Cisco | 2 Telepresence Recording Server, Telepresence Recording Server Software | 2017-08-17 | 7.5 HIGH | N/A |
| Cisco TelePresence Recording Server devices with software 1.6.x do not require authentication for an XML-RPC interface, which allows remote attackers to perform unspecified actions via a session on TCP port 8080, aka Bug ID CSCtg35833. | |||||
| CVE-2011-0279 | 1 Hp | 1 Multifunction Peripheral Digital Sending Software | 2017-08-17 | 2.1 LOW | N/A |
| HP Multifunction Peripheral (MFP) Digital Sending Software (DSS) 4.91.00 does not properly configure authentication settings of managed devices within device templates, which allows attackers to access these devices via actions that were intended to require authentication. | |||||
| CVE-2010-3852 | 1 Redhat | 2 Conga, Luci | 2017-08-17 | 6.4 MEDIUM | N/A |
| The default configuration of Luci 0.22.4 and earlier in Red Hat Conga uses "[INSERT SECRET HERE]" as its secret key for cookies, which makes it easier for remote attackers to bypass repoze.who authentication via a forged ticket cookie. | |||||