Total
3455 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-15727 | 2 Grafana, Redhat | 2 Grafana, Ceph Storage | 2019-03-05 | 7.5 HIGH | 9.8 CRITICAL |
| Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user. | |||||
| CVE-2018-10561 | 1 Dasannetworks | 2 Gpon Router, Gpon Router Firmware | 2019-03-04 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device. | |||||
| CVE-2018-12399 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2019-03-01 | 4.3 MEDIUM | 4.3 MEDIUM |
| When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the new protocol. This may result in the user approving a protocol handler that they otherwise would not have. This vulnerability affects Firefox < 63. | |||||
| CVE-2018-8096 | 1 Datalust | 1 Seq | 2019-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Datalust Seq before 4.2.605 is vulnerable to Authentication Bypass (with the attacker obtaining admin access) via '"Name":"isauthenticationenabled","Value":false' in an api/settings/setting-isauthenticationenabled PUT request. | |||||
| CVE-2012-2287 | 2 Emc, Microsoft | 4 Rsa Authentication Agent, Rsa Authentication Client, Windows Server 2003 and 1 more | 2019-02-26 | 8.5 HIGH | N/A |
| The authentication functionality in EMC RSA Authentication Agent 7.1 and RSA Authentication Client 3.5 on Windows XP and Windows Server 2003, when an unspecified configuration exists, allows remote authenticated users to bypass an intended token-authentication step, and establish a login session to a remote host, by leveraging Windows credentials for that host. | |||||
| CVE-2018-6908 | 1 Rainmachine | 4 Mini-8, Mini-8 Firmware, Touch Hd 12 and 1 more | 2019-02-22 | 5.0 MEDIUM | 9.8 CRITICAL |
| An authentication bypass vulnerability exists in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allowing an unauthenticated attacker to perform authenticated actions on the device via a 127.0.0.1:port value in the HTTP 'Host' header, as demonstrated by retrieving credentials. | |||||
| CVE-2016-0916 | 1 Emc | 1 Networker | 2019-02-20 | 10.0 HIGH | 9.8 CRITICAL |
| EMC NetWorker 8.2.1.x and 8.2.2.x before 8.2.2.6 and 9.x before 9.0.0.6 mishandles authentication, which allows remote attackers to execute arbitrary commands by leveraging access to a different NetWorker instance. | |||||
| CVE-2018-19505 | 1 Bmc | 1 Remedy Action Request System Server | 2019-02-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Remedy AR System Server in BMC Remedy 7.1 may fail to set the correct user context in certain impersonation scenarios, which can allow a user to act with the identity of a different user, because userdata.js in the WOI:WorkOrderConsole component allows a username substitution involving a UserData_Init call. | |||||
| CVE-2018-0670 | 1 Mnc | 1 Inplc-rt | 2019-02-11 | 7.5 HIGH | 9.8 CRITICAL |
| INplc-RT 3.08 and earlier allows remote attackers to bypass authentication to execute an arbitrary command through the protocol-compliant traffic. This is a different vulnerability than CVE-2018-0669. | |||||
| CVE-2018-0669 | 1 Mnc | 1 Inplc-rt | 2019-02-11 | 7.5 HIGH | 9.8 CRITICAL |
| INplc-RT 3.08 and earlier allows remote attackers to bypass authentication to execute an arbitrary command through the protocol-compliant traffic. This is a different vulnerability than CVE-2018-0670. | |||||
| CVE-2018-0676 | 1 Panasonic | 2 Bn-sdwbp3, Bn-sdwbp3 Firmware | 2019-02-11 | 5.8 MEDIUM | 8.8 HIGH |
| BN-SDWBP3 firmware version 1.0.9 and earlier allows an attacker on the same network segment to bypass authentication to access to the management screen and execute an arbitrary command via unspecified vectors. | |||||
| CVE-2019-6519 | 1 Advantech | 1 Webaccess\/scada | 2019-02-06 | 7.5 HIGH | 9.8 CRITICAL |
| WebAccess/SCADA, Version 8.3. An improper authentication vulnerability exists that could allow a possible authentication bypass allowing an attacker to upload malicious data. | |||||
| CVE-2019-6521 | 1 Advantech | 1 Webaccess\/scada | 2019-02-06 | 7.5 HIGH | 8.6 HIGH |
| WebAccess/SCADA, Version 8.3. Specially crafted requests could allow a possible authentication bypass that could allow an attacker to obtain and manipulate sensitive information. | |||||
| CVE-2018-7067 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2019-02-05 | 6.5 MEDIUM | 7.2 HIGH |
| A Remote Authentication bypass in Aruba ClearPass Policy Manager leads to complete cluster compromise. An authentication flaw in all versions of ClearPass could allow an attacker to compromise the entire cluster through a specially crafted API call. Network access to the administrative web interface is required to exploit this vulnerability. Resolution: Fixed in 6.7.6 and 6.6.10-hotfix. | |||||
| CVE-2018-14708 | 1 Drobo | 2 5n2, 5n2 Firmware | 2019-02-05 | 7.5 HIGH | 9.8 CRITICAL |
| An insecure transport protocol used by Drobo Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to intercept network traffic. | |||||
| CVE-2014-9605 | 1 Netsweeper | 1 Netsweeper | 2019-02-01 | 9.4 HIGH | N/A |
| WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) character in the login and password parameters to webupgrade/webupgrade.php. NOTE: this was originally reported as an SQL injection vulnerability, but this may be inaccurate. | |||||
| CVE-2018-19249 | 1 Stripe | 1 Stripe Api | 2019-01-31 | 5.0 MEDIUM | 7.5 HIGH |
| The Stripe API v1 allows remote attackers to bypass intended access restrictions by replaying api.stripe.com /v1/tokens XMLHttpRequest data, parsing the response under the object card{}, and reading the cvc_check information if the creation is successful without charging the actual card used in the transaction. | |||||
| CVE-2018-12666 | 1 Sv3c | 4 H.264 Poe Ip Camera Firmware, Sv-b01poe-1080p-l, Sv-b11vpoe-1080p-l and 1 more | 2019-01-28 | 7.5 HIGH | 9.8 CRITICAL |
| SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B devices improperly identifies users only by the authentication level sent in the cookies, which allow remote attackers to bypass authentication and gain administrator access by setting the authLevel cookie to 255. | |||||
| CVE-2018-12667 | 1 Sv3c | 4 H.264 Poe Ip Camera Firmware, Sv-b01poe-1080p-l, Sv-b11vpoe-1080p-l and 1 more | 2019-01-25 | 7.5 HIGH | 9.8 CRITICAL |
| The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) is affected by an improper authentication vulnerability that allows requests to be made to back-end CGI scripts without a valid session. This vulnerability could be used to read and modify the configuration. The vulnerability affects all versions. | |||||
| CVE-2018-18389 | 1 Neo4j | 1 Neo4j | 2019-01-18 | 7.5 HIGH | 9.8 CRITICAL |
| Due to incorrect access control in Neo4j Enterprise Database Server 3.4.x before 3.4.9, the setting of LDAP for authentication with STARTTLS, and System Account for authorization, allows an attacker to log into the server by sending any valid username with an arbitrary password. | |||||