Total
3455 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-20815 | 1 Samsung | 1 Android | 2024-02-14 | N/A | 6.5 MEDIUM |
| Improper authentication vulnerability in onCharacteristicReadRequest in Auto Hotspot prior to SMR Feb-2024 Release 1 allows adjacent attackers connect to victim's mobile hotspot without user awareness. | |||||
| CVE-2024-24698 | 2024-02-14 | N/A | 4.9 MEDIUM | ||
| Improper authentication in some Zoom clients may allow a privileged user to conduct a disclosure of information via local access. | |||||
| CVE-2009-5076 | 1 Creloaded | 1 Cre Loaded | 2024-02-14 | 7.5 HIGH | N/A |
| CRE Loaded before 6.2.14, and possibly other versions before 6.3.x, allows remote attackers to bypass authentication and gain administrator privileges via a request with (1) login.php or (2) password_forgotten.php appended as the PATH_INFO, which bypasses a check that uses PHP_SELF, which is not properly handled by (a) includes/application_top.php and (b) admin/includes/application_top.php, as exploited in the wild in 2009. | |||||
| CVE-2005-4006 | 1 Redgraphic | 1 Sapid Cms | 2024-02-14 | 7.5 HIGH | N/A |
| SAPID CMS before 1.2.3.03 allows remote attackers to bypass authentication via direct requests to the usr/system files (1) insert_file.php, (2) insert_image.php, (3) insert_link.php, (4) insert_qcfile.php, and (5) edit.php. | |||||
| CVE-2008-6664 | 1 Yarck | 1 Sh-news | 2024-02-14 | 7.5 HIGH | N/A |
| action.php in SH-News 3.0 allows remote attackers to bypass authentication and gain administrator privileges by setting the shuser and shpass cookies to non-zero values. | |||||
| CVE-2018-10362 | 1 Phpliteadmin | 1 Phpliteadmin | 2024-02-14 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in phpLiteAdmin 1.9.5 through 1.9.7.1. Due to loose comparison with '==' instead of '===' in classes/Authorization.php for the user-provided login password, it is possible to login with a simpler password if the password has the form of a power in scientific notation (like '2e2' for '200' or '0e1234' for '0'). This is possible because, in the loose comparison case, PHP interprets the string as a number in scientific notation, and thus converts it to a number. After that, the comparison with '==' casts the user input (e.g., the string '200' or '0') to a number, too. Hence the attacker can login with just a '0' or a simple number he has to brute force. Strong comparison with '===' prevents the cast into numbers. | |||||
| CVE-2011-5090 | 1 Grboard | 1 Grboard | 2024-02-14 | 6.4 MEDIUM | N/A |
| GR Board (aka grboard) 1.8.6.5 Community Edition does not require authentication for certain database actions, which allows remote attackers to modify or delete data via a request to (1) mod_rewrite.php, (2) comment_write_ok.php, (3) poll/index.php, (4) update/index.php, (5) trackback.php, or (6) an arbitrary poll.php script under theme/. | |||||
| CVE-2021-36460 | 1 Veryfitpro Project | 1 Veryfitpro | 2024-02-14 | 4.6 MEDIUM | 7.8 HIGH |
| VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to takeover a user's account, rendering the benefits of storing hashed passwords in the database useless. | |||||
| CVE-2022-30034 | 1 Flower Project | 1 Flower | 2024-02-14 | 7.5 HIGH | 8.6 HIGH |
| Flower, a web UI for the Celery Python RPC framework, all versions as of 05-02-2022 is vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes. | |||||
| CVE-2009-5077 | 1 Creloaded | 1 Cre Loaded | 2024-02-14 | 7.5 HIGH | N/A |
| CRE Loaded before 6.2.14 allows remote attackers to bypass authentication and gain administrator privileges via vectors related to a modified PHP_SELF variable, which is not properly handled by (1) includes/application_top.php and (2) admin/includes/application_top.php. | |||||
| CVE-2022-35203 | 1 Trendnet | 2 Tv-ip572pi, Tv-ip572pi Firmware | 2024-02-14 | N/A | 7.2 HIGH |
| An access control issue in TrendNet TV-IP572PI v1.0 allows unauthenticated attackers to access sensitive system information. | |||||
| CVE-2009-2422 | 2 Apple, Rubyonrails | 3 Mac Os X, Mac Os X Server, Ruby On Rails | 2024-02-13 | 7.5 HIGH | 9.8 CRITICAL |
| The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password. | |||||
| CVE-2009-2382 | 1 Jay-jayx0r | 1 Phpmyblockchecker | 2024-02-13 | 7.5 HIGH | 9.8 CRITICAL |
| admin.php in phpMyBlockchecker 1.0.0055 allows remote attackers to bypass authentication and gain administrative access by setting the PHPMYBCAdmin cookie to LOGGEDIN. | |||||
| CVE-2009-2168 | 1 Egyplus | 1 7ammel | 2024-02-13 | 7.5 HIGH | 9.8 CRITICAL |
| cpanel/login.php in EgyPlus 7ammel (aka 7ml) 1.0.1 and earlier sends a redirect to the web browser but does not exit when the supplied credentials are incorrect, which allows remote attackers to bypass authentication by providing arbitrary username and password parameters. | |||||
| CVE-2009-1596 | 1 Igniterealtime | 1 Openfire | 2024-02-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet. | |||||
| CVE-2009-3232 | 1 Canonical | 1 Ubuntu Linux | 2024-02-13 | 9.3 HIGH | N/A |
| pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, does not properly handle an "empty selection" for system authentication modules in certain rare configurations, which causes any attempt to be successful and allows remote attackers to bypass authentication. | |||||
| CVE-2009-3231 | 5 Canonical, Fedoraproject, Opensuse and 2 more | 6 Ubuntu Linux, Fedora, Opensuse and 3 more | 2024-02-13 | 6.8 MEDIUM | N/A |
| The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password. | |||||
| CVE-2009-3107 | 1 Symantec | 1 Altiris Deployment Solution | 2024-02-13 | 4.8 MEDIUM | N/A |
| Symantec Altiris Deployment Solution 6.9.x before 6.9 SP3 Build 430 does not properly restrict access to the listening port for the DBManager service, which allows remote attackers to bypass authentication and modify tasks or the Altiris Database via a connection to this service. | |||||
| CVE-2020-12812 | 1 Fortinet | 1 Fortios | 2024-02-13 | 7.5 HIGH | 9.8 CRITICAL |
| An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username. | |||||
| CVE-2020-0688 | 1 Microsoft | 1 Exchange Server | 2024-02-13 | 9.0 HIGH | 8.8 HIGH |
| A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'. | |||||