CVE Daily
← All tags

Tag: Unauthenticated/Unauthorized Access

All CVEs associated with "Unauthenticated/Unauthorized Access". Page 121/128 • 15319 CVEs.

Subscribe CVEs: RSS for “Unauthenticated/Unauthorized Access”  ·  RSS (High+Critical only)

About “Unauthenticated/Unauthorized Access”

A curated feed of “Unauthenticated/Unauthorized Access”-related CVEs appears below. We currently track 15319 CVEs for this tag (all time). In the last 365 days, 3827 were published. Average CVSS is 7.4 (all time; 7.4 over 365d), and 61% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-862 - Missing Authorization, CWE-306 - Missing Authentication for Critical Function, CWE-639 - Authorization Bypass Through User-Controlled Key.

In our taxonomy this topic maps to a HIGH impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2014-12-10
Medium

CVE-2014-7807

Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypass authentication via a login request without a password, which triggers an unauthenticated bind.

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2014-12-08
Medium

CVE-2014-4631

RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when using device binding in a Challenge SOAP call or using the RSA Adaptive Authentication Integration Adapters with Out-of-Band Phon…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2014-12-02
Medium

CVE-2014-9184

ZTE ZXDSL 831CII allows remote attackers to bypass authentication via a direct request to (1) main.cgi, (2) adminpasswd.cgi, (3) userpasswd.cgi, (4) upload.cgi, (5) conprocess.cgi, or (6) connect.cgi.

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2014-11-28
High

CVE-2014-8424

ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.

CVSS: 7.8 CWE: CWE-287 - Improper Authentication View on NVD
2014-11-19
Critical

CVE-2014-6626

Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 does not properly restrict access to unspecified administrative functions, which allows remote attackers to bypass authentication and exec…

CVSS: 10.0 CWE: CWE-284 - Improper Access Control View on NVD
2014-11-16
Medium

CVE-2014-2684

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 does not verify that the openid_op_endpoint value i…

CVSS: 6.4 CWE: CWE-264 View on NVD
2014-11-06
Medium

CVE-2014-8655

The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows remote attackers to bypass authentication and obtain sensitive information via a…

CVSS: 5.0 CWE: CWE-264 View on NVD
2014-10-26
Medium

CVE-2013-6796

The SMTP server in DeepOfix 3.3 and earlier allows remote attackers to bypass authentication via an empty password, which triggers an LDAP anonymous bind.

CVSS: 5.0 CWE: CWE-264 View on NVD
2014-10-22
Medium

CVE-2014-8764

DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) characte…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2014-8763

DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2014-8088

The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2014-10-19
Medium

CVE-2014-6116

The Telemetry Component in WebSphere MQ 8.0.0.1 before p000-001-L140910 allows remote attackers to bypass authentication by setting the JAASConfig property in an MQTT client configuration.

CVSS: 4.3 CWE: CWE-287 - Improper Authentication View on NVD
2014-10-14
High

CVE-2014-6379

Juniper Junos 11.4 before R12, 12.1 before R10, 12.1X44 before D35, 12.1X45 before D25, 12.1X46 before D20, 12.1X47 before D10, 12.2 before R8, 12.2X50 before D70, 12.3 before R6, 13.1 before R4-S3,…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2014-10-08
High

CVE-2014-7299

Unspecified vulnerability in administrative interfaces in ArubaOS 6.3.1.11, 6.3.1.11-FIPS, 6.4.2.1, and 6.4.2.1-FIPS on Aruba controllers allows remote attackers to bypass authentication, and obtain…

CVSS: 7.5 CWE: N/A View on NVD
2014-10-06
High

CVE-2014-0074

Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2014-09-29
High

CVE-2013-3092

The Belkin N300 (F7D7301v1) router allows remote attackers to bypass authentication and gain privileges via vectors related to incorrect validation of the HTTP Authorization header.

CVSS: 8.3 CWE: CWE-287 - Improper Authentication View on NVD
2014-09-23
Medium

CVE-2014-3106

IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not properly implement the Local Access Only protection mechanism, which allows remote attackers to b…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2014-09-04
High

CVE-2014-2685

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only th…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2014-08-28
Critical

CVE-2014-4619

EMC RSA Identity Management and Governance (IMG) 6.5.x before 6.5.1 P11, 6.5.2 before P02HF01, and 6.8.x before 6.8.1 P07, when Novell Identity Manager (aka NovellIM) is used, allows remote attackers…

CVSS: 9.3 CWE: CWE-287 - Improper Authentication View on NVD
2014-08-22
Critical

CVE-2014-5246

The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication and gain administrator access by setting the admin:language cookie to zh-cn.

CVSS: 10.0 CWE: CWE-264 View on NVD
2014-07-31
High

CVE-2014-5175

The License Measurement servlet in SAP Solution Manager 7.1 allows remote attackers to bypass authentication via unspecified vectors, related to a verb tampering attack and SAP_JTECHS.

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2014-07-29
Medium

CVE-2014-3895

The I-O DATA TS-WLCAM camera with firmware 1.06 and earlier, TS-WLCAM/V camera with firmware 1.06 and earlier, TS-WPTCAM camera with firmware 1.08 and earlier, TS-PTCAM camera with firmware 1.08 and…

CVSS: 6.4 CWE: CWE-287 - Improper Authentication View on NVD
2014-07-27
High

CVE-2014-4725

The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-a…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2014-07-24
High

CVE-2014-2717

Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier and FALCON XLWeb XLWebExe controller devices 2.02.11 and earlier allow remote attackers to bypass authentication and obtain adminis…

CVSS: 7.6 CWE: N/A View on NVD
2014-07-14
Critical

CVE-2014-2955

Raritan PX before 1.5.11 on DPXR20A-16 devices allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVSS: 10.0 CWE: CWE-287 - Improper Authentication View on NVD
2014-07-11
High

CVE-2013-6117

Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perfo…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2014-07-07
High

CVE-2014-2614

Unspecified vulnerability in HP SiteScope 11.1x through 11.13 and 11.2x through 11.24 allows remote attackers to bypass authentication via unknown vectors, aka ZDI-CAN-2140.

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2014-07-03
Medium

CVE-2014-4168

(1) iodined.c and (2) user.c in iodine before 0.7.0 allows remote attackers to bypass authentication by continuing execution after an error has been triggering.

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2014-07-02
Medium

CVE-2014-4668

The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attac…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD
2014-06-21
High

CVE-2014-3053

The Local Management Interface (LMI) in IBM Security Access Manager (ISAM) for Mobile 8.0 with firmware 8.0.0.0 through 8.0.0.3 and IBM Security Access Manager for Web 7.0, and 8.0 with firmware 8.0.…

CVSS: 8.0 CWE: CWE-287 - Improper Authentication View on NVD
2014-06-14
Medium

CVE-2014-3295

The HSRP implementation in Cisco NX-OS 6.2(2a) and earlier allows remote attackers to bypass authentication and cause a denial of service (group-member state modification and traffic blackholing) via…

CVSS: 4.8 CWE: CWE-287 - Improper Authentication View on NVD
2014-06-13
High

CVE-2013-5356

Sharetronix 3.1.1.3, 3.1.1, and earlier does not properly restrict access to unspecified AJAX functionality, which allows remote attackers to bypass authentication via unknown vectors.

CVSS: 7.5 CWE: CWE-264 View on NVD
2014-06-11
Medium

CVE-2014-3781

The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request.

CVSS: 5.8 CWE: CWE-287 - Improper Authentication View on NVD
2014-06-03
Medium

CVE-2014-3945

The Authentication component in TYPO3 before 6.2, when salting for password hashing is disabled, does not require knowledge of the cleartext password if the password hash is known, which allows remot…

CVSS: 4.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2014-3944

The Authentication component in TYPO3 6.2.0 before 6.2.3 does not properly invalidate timed out user sessions, which allows remote attackers to bypass authentication via unspecified vectors.

CVSS: 5.8 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2013-0191

libpam-pgsql (aka pam_pgsql) 0.7 does not properly handle a NULL value returned by the password search query, which allows remote attackers to bypass authentication via a crafted password.

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2014-05-30
High

CVE-2014-3780

Unspecified vulnerability in Citrix VDI-In-A-Box 5.3.x before 5.3.8 and 5.4.x before 5.4.4 allows remote attackers to bypass authentication via unspecified vectors, related to a Java servlet.

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2013-6788

The Bitrix e-Store module before 14.0.1 for Bitrix Site Manager uses sequential values for the BITRIX_SM_SALE_UID cookie, which makes it easier for remote attackers to guess the cookie value and bypa…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2014-05-16
Medium

CVE-2013-7379

The admin API in the tomato module before 0.0.6 for Node.js does not properly check the access key when it is set to a string, which allows remote attackers to bypass authentication via a string in t…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2014-0643

EMC RSA NetWitness before 9.8.5.19 and RSA Security Analytics before 10.2.4 and 10.3.x before 10.3.2, when Kerberos PAM is enabled, do not require a password, which allows remote attackers to bypass…

CVSS: 7.6 CWE: CWE-287 - Improper Authentication View on NVD
2014-05-12
Critical

CVE-2013-4772

D-Link DIR-505L SharePort Mobile Companion 1.01 and DIR-826L Wireless N600 Cloud Router 1.02 allows remote attackers to bypass authentication via a direct request when an authorized session is active.

CVSS: 9.3 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2013-4580

GitLab before 5.4.2, Community Edition before 6.2.4, and Enterprise Edition before 6.2.1, when using a MySQL backend, allows remote attackers to impersonate arbitrary users and bypass authentication…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD
2014-05-02
High

CVE-2014-3139

recoveryconsole/bpl/snmpd.php in Unitrends Enterprise Backup 7.3.0 allows remote attackers to bypass authentication by setting the auth parameter to a certain string.

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2014-04-27
Medium

CVE-2011-3152

DistUpgrade/DistUpgradeFetcherCore.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25…

CVSS: 6.4 CWE: CWE-310 View on NVD
2014-04-24
High

CVE-2014-0188

The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2014-04-19
Medium

CVE-2014-0778

TCPUploader module listens on Port 10651/TCP for incoming connections. Exploitation of this vulnerability could allow a remote unauthenticated user access to release OS version information. While t…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-04-16
Medium

CVE-2014-2338

IKEv2 in strongSwan 4.0.7 before 5.1.3 allows remote attackers to bypass authentication by rekeying an IKE_SA during (1) initiation or (2) re-authentication, which triggers the IKE_SA state to be set…

CVSS: 6.4 CWE: CWE-287 - Improper Authentication View on NVD
2014-04-15
Medium

CVE-2014-0353

The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allows remote attackers to bypass authentication by using %2F sequences in place of / (slash) characters.

CVSS: 6.1 CWE: CWE-287 - Improper Authentication View on NVD
2014-04-10
Medium

CVE-2014-2583

Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create arbitrary files or possibly bypass authentication…

CVSS: 5.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2014-2128

The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47, 8.3 before 8.3(2.40), 8.4 before 8.4(7.3), 8.6 before 8.6(1.13), 9.0 before 9.0(3.8), and 9.1 befor…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2014-03-01
Medium

CVE-2014-1888

Cross-site scripting (XSS) vulnerability in the BuddyPress plugin before 1.9.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the name field to groups/crea…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2014-02-27
Medium

CVE-2014-0743

The Certificate Authority Proxy Function (CAPF) component in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to bypass authentication and modify register…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2014-02-22
Medium

CVE-2014-0738

The Phone Proxy component in Cisco Adaptive Security Appliance (ASA) Software 9.1(.3) and earlier allows remote attackers to bypass authentication and change trust relationships by injecting a Certif…

CVSS: 4.3 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2014-0737

The Cisco Unified IP Phone 7960G 9.2(1) and earlier allows remote attackers to bypass authentication and change trust relationships by injecting a Certificate Trust List (CTL) file, aka Bug ID CSCuj6…

CVSS: 4.3 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2014-0731

The administration interface in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to bypass authentication and read Java class files via a direct request,…

CVSS: 5.0 CWE: CWE-264 View on NVD
2014-02-14
Medium

CVE-2013-6492

The Piranha Configuration Tool in Piranha 0.8.6 does not properly restrict access to webpages, which allows remote attackers to bypass authentication and read or modify the LVS configuration via an H…

CVSS: 5.8 CWE: CWE-264 View on NVD
Critical

CVE-2013-5400

An unspecified servlet in IBM Platform Symphony Developer Edition (DE) 5.2 and 6.1.x through 6.1.1 has hardcoded credentials, which allows remote attackers to bypass authentication and obtain "local…

CVSS: 10.0 CWE: CWE-255 View on NVD
2014-02-13
Medium

CVE-2014-0724

The bulk administration interface in Cisco Unified Communications Manager (UCM) 10.0(1) and earlier allows remote attackers to bypass authentication and read arbitrary files by using an unspecified p…

CVSS: 4.0 CWE: CWE-20 - Improper Input Validation View on NVD
2014-01-26
High

CVE-2013-4304

The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 caches a valid CentralAuthUser object in the centralauth_User cookie even when a user has…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2013-7137

The "remember me" functionality in login.php in Burden before 1.8.1 allows remote attackers to bypass authentication and gain privileges by setting the burden_user_rememberme cookie to 1.

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
2014-01-22
Critical

CVE-2014-0808

Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the…

CVSS: 9.1 CWE: CWE-566 - Authorization Bypass Through User-Controlled SQL Primary Key View on NVD
2014-01-15
Medium

CVE-2013-7106

Multiple stack-based buffer overflows in Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to cause a denial of service (crash) and possibly execute arbit…

CVSS: 6.5 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2014-01-13
Medium

CVE-2013-7239

memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials.

CVSS: 4.8 CWE: CWE-287 - Improper Authentication View on NVD
2014-01-10
Critical

CVE-2013-7282

The management web interface on the Nisuta NS-WIR150NE router with firmware 5.07.41 and Nisuta NS-WIR300N router with firmware 5.07.36_NIS01 allows remote attackers to bypass authentication via a "Co…

CVSS: 10.0 CWE: CWE-287 - Improper Authentication View on NVD
2013-12-30
Medium

CVE-2013-5038

The HOT HOTBOX router with software 2.1.11 allows remote attackers to bypass authentication by configuring a source IP address that had previously been used for an authenticated session.

CVSS: 5.8 CWE: CWE-287 - Improper Authentication View on NVD
2013-12-23
Medium

CVE-2013-6979

The VTY authentication implementation in Cisco IOS XE 03.02.xxSE and 03.03.xxSE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authenticat…

CVSS: 5.4 CWE: CWE-287 - Improper Authentication View on NVD
2013-12-21
Medium

CVE-2013-5413

IBM Sterling B2B Integrator 5.2 and Sterling File Gateway 2.2 do not invalidate a session upon a logout action, which allows remote attackers to bypass authentication by leveraging an unattended work…

CVSS: 4.3 CWE: CWE-287 - Improper Authentication View on NVD
2013-12-13
Medium

CVE-2013-7093

SAP Network Interface Router (SAProuter) 39.3 SP4 allows remote attackers to bypass authentication and modify the configuration via unspecified vectors.

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2013-12-09
Medium

CVE-2013-6171

checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attachin…

CVSS: 5.8 CWE: CWE-287 - Improper Authentication View on NVD
2013-12-04
High

CVE-2013-6945

The M2M Broker in OSEHRA VistA, as distributed before September 30, 2013, allows attackers to bypass authentication and authorization to perform doctor-only actions and read or modify patient records…

CVSS: 7.5 CWE: CWE-264 View on NVD
2013-11-30
Medium

CVE-2013-6918

The web interface on the Satechi travel router 1.5, when Wi-Fi is used for WAN access, exposes the console without authentication on the WAN IP address regardless of the "Web Management via WAN" sett…

CVSS: 5.8 CWE: CWE-264 View on NVD
2013-11-20
Medium

CVE-2013-6828

admin/management.html in PineApp Mail-SeCure allows remote attackers to bypass authentication and perform a sys_usermng operation via the it parameter.

CVSS: 6.4 CWE: CWE-287 - Improper Authentication View on NVD
2013-11-19
High

CVE-2013-2271

The D-Link DSL-2740B Gateway with firmware EU_1.0, when an active administrator session exists, allows remote attackers to bypass authentication and gain administrator access via a request to login.c…

CVSS: 7.6 CWE: CWE-264 View on NVD
2013-11-04
High

CVE-2013-4835

The APISiteScopeImpl SOAP service in HP SiteScope 10.1x and 11.x before 11.22 allows remote attackers to bypass authentication and execute arbitrary code via a direct request to the issueSiebelCmd me…

CVSS: 7.5 CWE: N/A View on NVD
2013-10-28
High

CVE-2013-6012

Juniper Junos 12.1X44 before 12.1.X44-D20 and 12.1X45 before 12.1X45-D15, when the no-validate option is enabled, does not properly handle configuration validation errors during the config commit pha…

CVSS: 8.5 CWE: CWE-287 - Improper Authentication View on NVD
2013-10-25
Medium

CVE-2013-5531

Cisco Identity Services Engine (ISE) 1.x before 1.1.1 allows remote attackers to bypass authentication, and read support-bundle configuration and credentials data, via a crafted session on TCP port 4…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2013-10-19
Critical

CVE-2013-6026

The web interface on D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers; Planex BRL-04R, BRL-04UR, and BRL-04CW routers; and Alpha Networks routers allows re…

CVSS: 10.0 CWE: CWE-264 View on NVD
2013-10-16
High

CVE-2013-5030

Ruckus Wireless Zoneflex 2942 devices with firmware 9.6.0.0.267 allow remote attackers to bypass authentication, and subsequently access certain configuration/ and maintenance/ scripts, by constructi…

CVSS: 7.2 CWE: CWE-264 View on NVD
2013-10-13
Critical

CVE-2013-5511

The Adaptive Security Device Management (ASDM) remote-management feature in Cisco Adaptive Security Appliance (ASA) Software 8.2.x before 8.2(5.46), 8.3.x before 8.3(2.39), 8.4.x before 8.4(6), 8.5.x…

CVSS: 10.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2013-5510

The remote-access VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 7.x before 7.2(5.12), 8.x before 8.2(5.46), 8.3.x before 8.3(2.39), 8.4.x before 8.4(6), 8.6.x before 8.6(1.12…

CVSS: 4.3 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2013-5509

The SSL implementation in Cisco Adaptive Security Appliance (ASA) Software 9.0 before 9.0(2.6) and 9.1 before 9.1(2) allows remote attackers to bypass authentication, and obtain VPN access or adminis…

CVSS: 10.0 CWE: CWE-264 View on NVD
High

CVE-2013-4824

Unspecified vulnerability in HP Intelligent Management Center (iMC) and HP IMC Service Operation Management Software Module allows remote attackers to bypass authentication via unknown vectors, aka Z…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2013-08-31
Critical

CVE-2012-6603

The web management UI in Palo Alto Networks PAN-OS before 3.1.12, 4.0.x before 4.0.10, and 4.1.x before 4.1.4 allows remote attackers to bypass authentication and obtain administrator privileges via…

CVSS: 10.0 CWE: CWE-287 - Improper Authentication View on NVD
2013-08-28
High

CVE-2013-3586

Samsung Web Viewer for Samsung DVR devices allows remote attackers to bypass authentication via an arbitrary SessionID value in a cookie.

CVSS: 7.6 CWE: CWE-287 - Improper Authentication View on NVD
2013-08-20
Medium

CVE-2013-2157

OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass authentication via an empty password.

CVSS: 4.3 CWE: CWE-287 - Improper Authentication View on NVD
2013-08-05
Critical

CVE-2013-4805

Unspecified vulnerability in HP Integrated Lights-Out 3 (aka iLO3) firmware before 1.60 and 4 (aka iLO4) firmware before 1.30 allows remote attackers to bypass authentication via unknown vectors.

CVSS: 9.0 CWE: N/A View on NVD
2013-08-01
Critical

CVE-2013-4652

Unspecified vulnerability in the command-line management interface on Siemens Scalance W7xx devices with firmware before 4.5.4 allows remote attackers to bypass authentication and execute arbitrary c…

CVSS: 10.0 CWE: N/A View on NVD
2013-07-20
Medium

CVE-2013-3656

Cybozu Office 9.1.0 and earlier does not properly manage sessions, which allows remote attackers to bypass authentication by leveraging knowledge of a login URL.

CVSS: 5.8 CWE: CWE-287 - Improper Authentication View on NVD
2013-07-10
Medium

CVE-2013-3405

The web portal in TC software on Cisco TelePresence endpoints does not require an exact password match during a login attempt by a user who has not configured a password, which allows remote attacker…

CVSS: 4.3 CWE: CWE-264 View on NVD
2013-07-08
Critical

CVE-2013-4784

The HP Integrated Lights-Out (iLO) BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary p…

CVSS: 10.0 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2013-4783

The Dell iDRAC6 with firmware 1.x before 1.92 and 2.x and 3.x before 3.42, and iDRAC7 with firmware before 1.23.23, allows remote attackers to bypass authentication and execute arbitrary IPMI command…

CVSS: 10.0 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2013-4782

The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

CVSS: 10.0 CWE: CWE-287 - Improper Authentication View on NVD
2013-06-21
Medium

CVE-2013-4615

The Canon MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, and MX922 printers allow remote attackers to cause a denial of service (device hang) via a crafted LAN_TXT24 parameter to English/…

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
2013-05-15
High

CVE-2013-1337

Microsoft .NET Framework 4.5 does not properly create policy requirements for custom Windows Communication Foundation (WCF) endpoint authentication in certain situations involving passwords over HTTP…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2013-05-09
Critical

CVE-2013-0600

Unspecified vulnerability on IBM WebSphere DataPower XC10 Appliance devices 2.0 and 2.1 through 2.1 FP3 allows remote attackers to bypass authentication and perform administrative actions via unknown…

CVSS: 9.3 CWE: N/A View on NVD
2013-05-01
Medium

CVE-2013-3107

VMware vCenter Server 5.1 before Update 1, when anonymous LDAP binding for Active Directory is enabled, allows remote attackers to bypass authentication by providing a valid username in conjunction w…

CVSS: 4.3 CWE: CWE-264 View on NVD
2013-04-02
High

CVE-2013-2743

importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress allows remote attackers to bypass authentication via a crafted integer in the step parameter.

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2013-03-27
Medium

CVE-2013-0258

The Google Authenticator login (ga_login) module 7.x before 7.x-1.3 for Drupal, when multi-factor authentication is enabled, allows remote attackers to bypass authentication for accounts without an a…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD
2013-03-15
Medium

CVE-2013-0969

Login Window in Apple Mac OS X before 10.8.3 does not prevent application launching with the VoiceOver feature, which allows physically proximate attackers to bypass authentication and make arbitrary…

CVSS: 4.9 CWE: CWE-264 View on NVD
2013-03-14
Medium

CVE-2012-4446

The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers t…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD
2013-03-12
Medium

CVE-2013-0239

Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security hea…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2012-5629

The default configuration of the (1) LdapLoginModule and (2) LdapExtLoginModule modules in JBoss Enterprise Application Platform (EAP) 4.3.0 CP10, 5.2.0, and 6.0.1, and Enterprise Web Platform (EWP)…

CVSS: 7.5 CWE: CWE-264 View on NVD
2013-03-08
Medium

CVE-2013-0266

A flaw was found in the `puppetlabs-cinder` module, as used in PackStack. This vulnerability is due to incorrect file permissions, specifically world-readable permissions, on the `cinder.conf` and `a…

CVSS: 5.5 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2013-03-01
Medium

CVE-2012-5604

The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when using Active Directory for authentication, allows remote attackers to bypass authentication via unspecified vectors.

CVSS: 4.3 CWE: CWE-264 View on NVD
2013-02-19
High

CVE-2012-6354

The management GUI on the IBM SAN Volume Controller and Storwize V7000 6.x before 6.4.1.3 allows remote attackers to bypass authentication and obtain superuser access via IP packets.

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2013-01-30
High

CVE-2013-0333

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows re…

CVSS: 7.5 CWE: N/A View on NVD
2013-01-29
Low

CVE-2013-0963

Identity Services in Apple iOS before 6.1 does not properly handle validation failures of AppleID certificates, which might allow physically proximate attackers to bypass authentication by leveraging…

CVSS: 2.1 CWE: CWE-20 - Improper Input Validation View on NVD
2013-01-24
Medium

CVE-2012-6440

The Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the pr…

CVSS: 4.8 CWE: CWE-287 - Improper Authentication View on NVD
2013-01-17
Critical

CVE-2013-0632

administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the defau…

CVSS: 9.8 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2013-01-09
Critical

CVE-2013-0625

Adobe ColdFusion 9.0, 9.0.1, and 9.0.2, when a password is not configured, allows remote attackers to bypass authentication and possibly execute arbitrary code via unspecified vectors, as exploited i…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
2013-01-05
Medium

CVE-2012-4550

A flaw was found in JBoss Enterprise Application Platform. When role-based authorization is used for Enterprise Java Beans (EJB) access, the system does not correctly call the necessary authorization…

CVSS: 5.3 CWE: CWE-280 - Improper Handling of Insufficient Permissions or Privileges View on NVD
Medium

CVE-2012-4549

A flaw was found in JBoss Enterprise Application Platform. The `processInvocation` function within the `org.jboss.as.ejb3.security.AuthorizationInterceptor` component incorrectly authorizes all reque…

CVSS: 6.5 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2012-12-31
High

CVE-2012-4688

The Central application in i-GEN opLYNX before 2.01.9 allows remote attackers to bypass authentication via vectors involving the disabling of browser JavaScript support.

CVSS: 7.5 CWE: CWE-592 View on NVD
2012-12-23
Critical

CVE-2012-6428

The Carlo Gavazzi EOS-Box stores hard-coded passwords in the PHP file of the device. By using the hard-coded passwords, attackers can log into the device with administrative privileges. This coul…

CVSS: 10.0 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2012-12-21
Critical

CVE-2012-3002

The web interface on (1) Foscam and (2) Wansview IP cameras allows remote attackers to bypass authentication, and perform administrative functions or read the admin password, via a direct request to…

CVSS: 10.0 CWE: CWE-287 - Improper Authentication View on NVD
2012-12-20
High

CVE-2012-5469

The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-php…

CVSS: 7.5 CWE: CWE-264 View on NVD
2012-12-18
Medium

CVE-2012-5571

A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly ha…

CVSS: 5.4 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2012-12-04
Critical

CVE-2012-6067

freeFTPd.exe in freeFTPd through 1.0.11 allows remote attackers to bypass authentication via a crafted SFTP session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnec…

CVSS: 10.0 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2012-6066

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.

CVSS: 9.3 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2012-5975

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, when old-style password authen…

CVSS: 9.3 CWE: CWE-287 - Improper Authentication View on NVD