Total
3293 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-3527 | 1 Vmware | 1 Spring Security | 2021-06-08 | 7.5 HIGH | 9.8 CRITICAL |
| When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed. If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users. | |||||
| CVE-2018-16496 | 1 Versa-networks | 1 Versa Director | 2021-06-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Versa Director, the un-authentication request found. | |||||
| CVE-2021-29047 | 1 Liferay | 2 Dxp, Liferay Portal | 2021-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer. | |||||
| CVE-2020-21991 | 1 Ave | 13 53ab-wbs, 53ab-wbs Firmware, Dominaplus and 10 more | 2021-05-19 | 7.5 HIGH | 9.8 CRITICAL |
| AVE DOMINAplus <=1.10.x suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the authentication security control and access the management interface with admin privileges without providing credentials. | |||||
| CVE-2021-31520 | 1 Trendmicro | 1 Im Security | 2021-05-19 | 6.8 MEDIUM | 8.1 HIGH |
| A weak session token authentication bypass vulnerability in Trend Micro IM Security 1.6 and 1.6.5 could allow an remote attacker to guess currently logged-in administrators' session session token in order to gain access to the product's web management interface. | |||||
| CVE-2021-23008 | 1 F5 | 1 Big-ip Access Policy Manager | 2021-05-19 | 7.5 HIGH | 9.8 CRITICAL |
| On version 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and all versions of 16.0.x and 11.6.x., BIG-IP APM AD (Active Directory) authentication can be bypassed via a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection or from an AD server compromised by an attacker. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2021-23365 | 1 Tyk | 1 Tyk-identity-broker | 2021-05-19 | 5.5 MEDIUM | 9.1 CRITICAL |
| The package github.com/tyktechnologies/tyk-identity-broker before 1.1.1 are vulnerable to Authentication Bypass via the Go XML parser which can cause SAML authentication bypass. This is because the XML parser doesn’t guarantee integrity in the XML round-trip (encoding/decoding XML data). | |||||
| CVE-2017-10817 | 1 Intercom | 1 Malion | 2021-05-17 | 7.5 HIGH | 9.8 CRITICAL |
| MaLion for Windows and Mac 5.0.0 to 5.2.1 allows remote attackers to bypass authentication to alter settings in Relay Service Server. | |||||
| CVE-2021-31245 | 1 Openmptcprouter | 1 Openmptcprouter | 2021-05-13 | 4.3 MEDIUM | 5.9 MEDIUM |
| omr-admin.py in openmptcprouter-vps-admin 0.57.3 and earlier compares the user provided password with the original password in a length dependent manner, which allows remote attackers to guess the password via a timing attack. | |||||
| CVE-2021-25147 | 1 Arubanetworks | 1 Airwave | 2021-05-08 | 6.8 MEDIUM | 8.1 HIGH |
| A remote authentication restriction bypass vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. | |||||
| CVE-2017-10796 | 1 Tp-link | 2 Nc250, Nc250 Firmware | 2021-05-07 | 3.3 LOW | 6.5 MEDIUM |
| On TP-Link NC250 devices with firmware through 1.2.1 build 170515, anyone can view video and audio without authentication via an rtsp://admin@yourip:554/h264_hd.sdp URL. | |||||
| CVE-2016-2032 | 1 Arubanetworks | 3 Airwave, Aruba Instant, Arubaos | 2021-05-04 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability exists in the Aruba AirWave Management Platform 8.x prior to 8.2 in the management interface of an underlying system component called RabbitMQ, which could let a malicious user obtain sensitive information. This interface listens on TCP port 15672 and 55672 | |||||
| CVE-2018-0163 | 2 Cisco, Rockwellautomation | 96 1120 Connected Grid Router, 1240 Connected Grid Router, 1905 Serial Integrated Services Router and 93 more | 2021-04-28 | 3.3 LOW | 6.5 MEDIUM |
| A vulnerability in the 802.1x multiple-authentication (multi-auth) feature of Cisco IOS Software could allow an unauthenticated, adjacent attacker to bypass the authentication phase on an 802.1x multi-auth port. The vulnerability is due to a logic change error introduced into the code. An attacker could exploit this vulnerability by trying to access an 802.1x multi-auth port after a successful supplicant has authenticated. An exploit could allow the attacker to bypass the 802.1x access controls and obtain access to the network. Cisco Bug IDs: CSCvg69701. | |||||
| CVE-2015-7974 | 4 Debian, Netapp, Ntp and 1 more | 8 Debian Linux, Clustered Data Ontap, Oncommand Balance and 5 more | 2021-04-26 | 4.0 MEDIUM | 7.7 HIGH |
| NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." | |||||
| CVE-2017-8405 | 1 Dlink | 4 Dcs-1100, Dcs-1100 Firmware, Dcs-1130 and 1 more | 2021-04-23 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on D-Link DCS-1130 and DCS-1100 devices. The binary rtspd in /sbin folder of the device handles all the rtsp connections received by the device. It seems that the binary loads at address 0x00012CF4 a flag called "Authenticate" that indicates whether a user should be authenticated or not before allowing access to the video feed. By default, the value for this flag is zero and can be set/unset using the HTTP interface and network settings tab as shown below. The device requires that a user logging to the HTTP management interface of the device to provide a valid username and password. However, the device does not enforce the same restriction by default on RTSP URL due to the checkbox unchecked by default, thereby allowing any attacker in possession of external IP address of the camera to view the live video feed. The severity of this attack is enlarged by the fact that there more than 100,000 D-Link devices out there. | |||||
| CVE-2020-7856 | 1 Cnesty | 1 Helpcom | 2021-04-23 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation. | |||||
| CVE-2020-8863 | 1 Dlink | 6 Dir-867, Dir-867 Firmware, Dir-878 and 3 more | 2021-04-23 | 8.3 HIGH | 8.8 HIGH |
| This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.10B04. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue results from the lack of proper implementation of the authentication algorithm. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the router. Was ZDI-CAN-9470. | |||||
| CVE-2018-17777 | 1 Dlink | 2 Dva-5592, Dva-5592 Firmware | 2021-04-23 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have access to the router control panel with administrator privileges. | |||||
| CVE-2019-16190 | 1 Dlink | 6 Dir-868l, Dir-868l Firmware, Dir-885l and 3 more | 2021-04-23 | 7.5 HIGH | 9.8 CRITICAL |
| SharePort Web Access on D-Link DIR-868L REVB through 2.03, DIR-885L REVA through 1.20, and DIR-895L REVA through 1.21 devices allows Authentication Bypass, as demonstrated by a direct request to folder_view.php or category_view.php. | |||||
| CVE-2018-20675 | 1 Dlink | 8 Dir-822, Dir-822-us, Dir-822-us Firmware and 5 more | 2021-04-23 | 7.5 HIGH | 9.8 CRITICAL |
| D-Link DIR-822 C1 before v3.11B01Beta, DIR-822-US C1 before v3.11B01Beta, DIR-850L A* before v1.21B08Beta, DIR-850L B* before v2.22B03Beta, and DIR-880L A* before v1.20B02Beta devices allow authentication bypass. | |||||