Total
3293 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-2955 | 1 Raritan | 2 Dpxr20a-16, Px | 2014-07-15 | 10.0 HIGH | N/A |
| Raritan PX before 1.5.11 on DPXR20A-16 devices allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password. | |||||
| CVE-2013-6117 | 1 Dahuasecurity | 1 Dvr Firmware | 2014-07-14 | 7.5 HIGH | N/A |
| Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777. | |||||
| CVE-2014-4168 | 1 Kryo | 1 Iodine | 2014-07-07 | 5.0 MEDIUM | N/A |
| (1) iodined.c and (2) user.c in iodine before 0.7.0 allows remote attackers to bypass authentication by continuing execution after an error has been triggering. | |||||
| CVE-2013-6788 | 1 Bitrix | 2 Bitrix E-store Module, Bitrix Site Manager | 2014-06-26 | 7.5 HIGH | N/A |
| The Bitrix e-Store module before 14.0.1 for Bitrix Site Manager uses sequential values for the BITRIX_SM_SALE_UID cookie, which makes it easier for remote attackers to guess the cookie value and bypass authentication via a brute force attack. | |||||
| CVE-2014-2609 | 1 Hp | 1 Executive Scorecard | 2014-06-26 | 10.0 HIGH | N/A |
| The Java Glassfish Admin Console in HP Executive Scorecard 9.40 and 9.41 does not require authentication, which allows remote attackers to execute arbitrary code via a session on TCP port 10001, aka ZDI-CAN-2116. | |||||
| CVE-2014-3780 | 1 Citrix | 1 Vdi-in-a-box | 2014-06-24 | 7.5 HIGH | N/A |
| Unspecified vulnerability in Citrix VDI-In-A-Box 5.3.x before 5.3.8 and 5.4.x before 5.4.4 allows remote attackers to bypass authentication via unspecified vectors, related to a Java servlet. | |||||
| CVE-2014-3781 | 1 Dotclear | 1 Dotclear | 2014-06-12 | 5.8 MEDIUM | N/A |
| The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request. | |||||
| CVE-2014-3945 | 1 Typo3 | 1 Typo3 | 2014-06-04 | 4.0 MEDIUM | N/A |
| The Authentication component in TYPO3 before 6.2, when salting for password hashing is disabled, does not require knowledge of the cleartext password if the password hash is known, which allows remote attackers to bypass authentication and gain access to the backend by leveraging knowledge of a password hash. | |||||
| CVE-2014-3944 | 1 Typo3 | 1 Typo3 | 2014-06-04 | 5.8 MEDIUM | N/A |
| The Authentication component in TYPO3 6.2.0 before 6.2.3 does not properly invalidate timed out user sessions, which allows remote attackers to bypass authentication via unspecified vectors. | |||||
| CVE-2013-6470 | 1 Redhat | 1 Openstack | 2014-06-03 | 5.0 MEDIUM | N/A |
| The default configuration in the standalone controller quickstack manifest in openstack-foreman-installer, as used in Red Hat Enterprise Linux OpenStack Platform 4.0, disables authentication for Qpid, which allows remote attackers to gain access by connecting to Qpid. | |||||
| CVE-2013-4178 | 2 Drupal, Google Authenticator Login Project | 2 Drupal, Ga Login | 2014-05-30 | 5.0 MEDIUM | N/A |
| The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to obtain access by replaying the username, password, and one-time password (OTP). | |||||
| CVE-2013-6766 | 1 Openvas | 1 Openvas Administrator | 2014-05-20 | 7.5 HIGH | N/A |
| OpenVAS Administrator 1.2 before 1.2.2 and 1.3 before 1.3.2 allows remote attackers to bypass the OAP authentication restrictions and execute OAP commands via a crafted OAP request for version information, which causes the state to be set to CLIENT_AUTHENTIC. | |||||
| CVE-2013-6806 | 1 Opentext | 1 Exceed Ondemand | 2014-05-19 | 6.8 MEDIUM | N/A |
| OpenText Exceed OnDemand (EoD) 8 allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information via a crafted string in a response, which triggers a downgrade to simple authentication that sends credentials in plaintext. | |||||
| CVE-2013-6765 | 1 Openvas | 1 Openvas Manager | 2014-05-19 | 7.5 HIGH | N/A |
| OpenVAS Manager 3.0 before 3.0.7 and 4.0 before 4.0.4 allows remote attackers to bypass the OMP authentication restrictions and execute OMP commands via a crafted OMP request for version information, which causes the state to be set to CLIENT_AUTHENTIC, as demonstrated by the omp_xml_handle_end_element function in omp.c. | |||||
| CVE-2013-7379 | 1 Ucdok | 1 Tomato | 2014-05-16 | 6.8 MEDIUM | N/A |
| The admin API in the tomato module before 0.0.6 for Node.js does not properly check the access key when it is set to a string, which allows remote attackers to bypass authentication via a string in the access-key header that partially matches config.master.api.access_key. | |||||
| CVE-2013-4552 | 1 Drupalauth Project | 1 Drupalauth | 2014-05-14 | 7.5 HIGH | N/A |
| lib/Auth/Source/External.php in the drupalauth module before 1.2.2 for simpleSAMLphp allows remote attackers to authenticate as an arbitrary user via the user name (uid) in a cookie. | |||||
| CVE-2014-0357 | 1 Amtelco | 1 Misecuremessages | 2014-05-10 | 5.0 MEDIUM | N/A |
| Amtelco miSecureMessages allows remote attackers to read the messages of arbitrary users via an XML request containing a valid license key and a modified contactID value, as demonstrated by a request from the iOS or Android application. | |||||
| CVE-2014-1682 | 2 Fedoraproject, Zabbix | 2 Fedora, Zabbix | 2014-05-09 | 4.0 MEDIUM | N/A |
| The API in Zabbix before 1.8.20rc1, 2.0.x before 2.0.11rc1, and 2.2.x before 2.2.2rc1 allows remote authenticated users to spoof arbitrary users via the user name in a user.login request. | |||||
| CVE-2014-3139 | 1 Unitrends | 1 Enterprise Backup | 2014-05-05 | 7.5 HIGH | N/A |
| recoveryconsole/bpl/snmpd.php in Unitrends Enterprise Backup 7.3.0 allows remote attackers to bypass authentication by setting the auth parameter to a certain string. | |||||
| CVE-2013-7302 | 2 Drupal, Ubercart | 2 Drupal, Ubercart | 2014-04-30 | 6.8 MEDIUM | N/A |
| Session fixation vulnerability in the Ubercart module 6.x-2.x before 6.x-2.13 and 7.x-3.x before 7.x-3.6 for Drupal, when the "Log in new customers after checkout" option is enabled, allows remote attackers to hijack web sessions by leveraging knowledge of the original session ID. | |||||