Total: 2926 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-16613 | 2 Debian, Openstack | 3 Debian Linux, Swauth, Swift | 2017-12-12 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in middleware.py in OpenStack Swauth through 1.2.0 when used with OpenStack Swift through 2.15.1. The Swift object store and proxy server are saving (unhashed) tokens retrieved from the Swauth middleware authentication mechanism to a log file as part of a GET URI. This allows attackers to bypass authentication by inserting a token into an X-Auth-Token header of a new request. NOTE: github.com/openstack/swauth URLs do not mean that Swauth is maintained by an official OpenStack project team. | |||||
CVE-2017-10903 | 1 Princeton | 2 Ptw-wms1, Ptw-wms1 Firmware | 2017-12-12 | 10.0 HIGH | 9.8 CRITICAL |
Improper authentication issue in PTW-WMS1 firmware version 2.000.012 allows remote attackers to log in to the device with root privileges and conduct arbitrary operations via unspecified vectors. | |||||
CVE-2017-8151 | 1 Huawei | 2 Honor 5s, Honor 5s Firmware | 2017-12-11 | 7.2 HIGH | 6.8 MEDIUM |
Huawei Honor 5S smart phones with software versions before TAG-TL00C01B173 have an authentication bypass vulnerability due to the improper design of some components. An attacker can get a user's smart phone and install malicious apps in the mobile phone, allowing the attacker to reset the password and fingerprint of the phone without authentication. | |||||
CVE-2017-2738 | 1 Huawei | 2 Vcm5010, Vcm5010 Firmware | 2017-12-11 | 7.5 HIGH | 9.8 CRITICAL |
VCM5010 with software versions before V100R002C50SPC100 has an authentication bypass vulnerability. This is due to improper implementation of authentication for accessing web pages. An unauthenticated attacker could bypass the authentication by sending a crafted HTTP request. VCM5010 with software versions before V100R002C50SPC100 has an arbitrary file upload vulnerability. The software does not validate the files that are uploaded. An authenticated attacker could upload arbitrary files to the system. | |||||
CVE-2017-8195 | 1 Huawei | 1 Fusionsphere Openstack | 2017-12-08 | 6.5 MEDIUM | 8.8 HIGH |
The FusionSphere OpenStack V100R006C00SPC102(NFV) has an improper authentication vulnerability. Due to improper authentication on one port, an authenticated, remote attacker may exploit the vulnerability to execute more operations by sending a crafted REST message. | |||||
CVE-2012-0400 | 1 Rsa | 1 Envision | 2017-12-05 | 7.9 HIGH | N/A |
EMC RSA enVision 4.x before 4.1 Patch 4 does not properly restrict the number of failed authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack. | |||||
CVE-2017-9314 | 1 Dahuasecurity | 44 Nvr5208-4ks2, Nvr5208-4ks2 Firmware, Nvr5208-8p-4ks2 and 41 more | 2017-11-29 | 6.5 MEDIUM | 8.8 HIGH |
Authentication vulnerability found in Dahua NVR models NVR50XX, NVR52XX, NVR54XX, NVR58XX with software before DH_NVR5xxx_Eng_P_V2.616.0000.0.R.20171102. An attacker could exploit this vulnerability to gain access to additional operations by forging a JSON message. | |||||
CVE-2013-3656 | 1 Cybozu | 1 Cybozu Office | 2017-11-28 | 5.8 MEDIUM | N/A |
Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL. | |||||
CVE-2017-16634 | 1 Joomla | 1 Joomla! | 2017-11-28 | 7.5 HIGH | 9.8 CRITICAL |
In Joomla! before 3.8.2, a bug allowed third parties to bypass a user's 2-factor authentication method. | |||||
CVE-2017-1000154 | 1 Mahara | 1 Mahara | 2017-11-13 | 7.5 HIGH | 9.8 CRITICAL |
Mahara 15.04 before 15.04.8, 15.10 before 15.10.4, and 16.04 before 16.04.2 are vulnerable because some authentication methods that do not use Mahara's built-in login form still allow users to log in even if their institution has expired or been suspended. | |||||
CVE-2017-14032 | 1 Arm | 1 Mbed Tls | 2017-11-07 | 6.8 MEDIUM | 8.1 HIGH |
ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. NOTE: although mbed TLS was formerly known as PolarSSL, the releases shipped with the PolarSSL name are not affected. | |||||
CVE-2014-2685 | 1 Zend | 2 Zend Framework, Zendopenid | 2017-11-03 | 7.5 HIGH | N/A |
The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. | |||||
CVE-2017-10807 | 1 Jabberd2 | 1 Jabberd2 | 2017-11-03 | 7.5 HIGH | 9.8 CRITICAL |
JabberD 2.x (aka jabberd2) before 2.6.1 allows anyone to authenticate using SASL ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled. | |||||
CVE-2014-8088 | 1 Zend | 1 Zend Framework | 2017-11-03 | 5.0 MEDIUM | N/A |
The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allow remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind. | |||||
CVE-2016-5791 | 1 Jantek | 2 Jtc-200, Jtc-200 Firmware | 2017-11-03 | 10.0 HIGH | 9.8 CRITICAL |
An Improper Authentication issue was discovered in JanTek JTC-200, all versions. The improper authentication could provide an undocumented BusyBox Linux shell accessible over the TELNET service without any authentication. | |||||
CVE-2017-5152 | 1 Advantech | 1 Webaccess | 2017-11-02 | 6.4 MEDIUM | 9.1 CRITICAL |
An issue was discovered in Advantech WebAccess Version 8.1. By accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to access pages unrestricted (AUTHENTICATION BYPASS). | |||||
CVE-2017-1222 | 1 Ibm | 1 Bigfix Platform | 2017-10-31 | 6.4 MEDIUM | 6.5 MEDIUM |
IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM X-Force ID: 123862. | |||||
CVE-2016-8937 | 1 Ibm | 1 Tivoli Storage Manager | 2017-10-25 | 5.0 MEDIUM | 9.8 CRITICAL |
The IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) default authentication protocol is vulnerable to a brute force attack due to disclosing too much information during authentication. An attacker could gain user or administrative access to the TSM server. IBM X-Force ID: 118750. | |||||
CVE-2008-3318 | 1 Maian | 1 Weblog | 2017-10-18 | 7.5 HIGH | N/A |
admin/index.php in Maian Weblog 4.0 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary weblog_cookie cookie. | |||||
CVE-2008-3203 | 1 Auracms | 1 Auracms | 2017-10-18 | 7.5 HIGH | N/A |
js/pages/pages_data.php in AuraCMS 2.2 through 2.2.2 does not perform authentication, which allows remote attackers to add, edit, and delete web content via a modified id parameter. |