Total
3455 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-6788 | 1 Bitrix | 2 Bitrix E-store Module, Bitrix Site Manager | 2014-06-26 | 7.5 HIGH | N/A |
| The Bitrix e-Store module before 14.0.1 for Bitrix Site Manager uses sequential values for the BITRIX_SM_SALE_UID cookie, which makes it easier for remote attackers to guess the cookie value and bypass authentication via a brute force attack. | |||||
| CVE-2014-2609 | 1 Hp | 1 Executive Scorecard | 2014-06-26 | 10.0 HIGH | N/A |
| The Java Glassfish Admin Console in HP Executive Scorecard 9.40 and 9.41 does not require authentication, which allows remote attackers to execute arbitrary code via a session on TCP port 10001, aka ZDI-CAN-2116. | |||||
| CVE-2014-3780 | 1 Citrix | 1 Vdi-in-a-box | 2014-06-24 | 7.5 HIGH | N/A |
| Unspecified vulnerability in Citrix VDI-In-A-Box 5.3.x before 5.3.8 and 5.4.x before 5.4.4 allows remote attackers to bypass authentication via unspecified vectors, related to a Java servlet. | |||||
| CVE-2014-3781 | 1 Dotclear | 1 Dotclear | 2014-06-12 | 5.8 MEDIUM | N/A |
| The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request. | |||||
| CVE-2014-3945 | 1 Typo3 | 1 Typo3 | 2014-06-04 | 4.0 MEDIUM | N/A |
| The Authentication component in TYPO3 before 6.2, when salting for password hashing is disabled, does not require knowledge of the cleartext password if the password hash is known, which allows remote attackers to bypass authentication and gain access to the backend by leveraging knowledge of a password hash. | |||||
| CVE-2014-3944 | 1 Typo3 | 1 Typo3 | 2014-06-04 | 5.8 MEDIUM | N/A |
| The Authentication component in TYPO3 6.2.0 before 6.2.3 does not properly invalidate timed out user sessions, which allows remote attackers to bypass authentication via unspecified vectors. | |||||
| CVE-2013-6470 | 1 Redhat | 1 Openstack | 2014-06-03 | 5.0 MEDIUM | N/A |
| The default configuration in the standalone controller quickstack manifest in openstack-foreman-installer, as used in Red Hat Enterprise Linux OpenStack Platform 4.0, disables authentication for Qpid, which allows remote attackers to gain access by connecting to Qpid. | |||||
| CVE-2013-4178 | 2 Drupal, Google Authenticator Login Project | 2 Drupal, Ga Login | 2014-05-30 | 5.0 MEDIUM | N/A |
| The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to obtain access by replaying the username, password, and one-time password (OTP). | |||||
| CVE-2013-6766 | 1 Openvas | 1 Openvas Administrator | 2014-05-20 | 7.5 HIGH | N/A |
| OpenVAS Administrator 1.2 before 1.2.2 and 1.3 before 1.3.2 allows remote attackers to bypass the OAP authentication restrictions and execute OAP commands via a crafted OAP request for version information, which causes the state to be set to CLIENT_AUTHENTIC. | |||||
| CVE-2013-6806 | 1 Opentext | 1 Exceed Ondemand | 2014-05-19 | 6.8 MEDIUM | N/A |
| OpenText Exceed OnDemand (EoD) 8 allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information via a crafted string in a response, which triggers a downgrade to simple authentication that sends credentials in plaintext. | |||||
| CVE-2013-6765 | 1 Openvas | 1 Openvas Manager | 2014-05-19 | 7.5 HIGH | N/A |
| OpenVAS Manager 3.0 before 3.0.7 and 4.0 before 4.0.4 allows remote attackers to bypass the OMP authentication restrictions and execute OMP commands via a crafted OMP request for version information, which causes the state to be set to CLIENT_AUTHENTIC, as demonstrated by the omp_xml_handle_end_element function in omp.c. | |||||
| CVE-2013-7379 | 1 Ucdok | 1 Tomato | 2014-05-16 | 6.8 MEDIUM | N/A |
| The admin API in the tomato module before 0.0.6 for Node.js does not properly check the access key when it is set to a string, which allows remote attackers to bypass authentication via a string in the access-key header that partially matches config.master.api.access_key. | |||||
| CVE-2013-4552 | 1 Drupalauth Project | 1 Drupalauth | 2014-05-14 | 7.5 HIGH | N/A |
| lib/Auth/Source/External.php in the drupalauth module before 1.2.2 for simpleSAMLphp allows remote attackers to authenticate as an arbitrary user via the user name (uid) in a cookie. | |||||
| CVE-2014-0357 | 1 Amtelco | 1 Misecuremessages | 2014-05-10 | 5.0 MEDIUM | N/A |
| Amtelco miSecureMessages allows remote attackers to read the messages of arbitrary users via an XML request containing a valid license key and a modified contactID value, as demonstrated by a request from the iOS or Android application. | |||||
| CVE-2014-1682 | 2 Fedoraproject, Zabbix | 2 Fedora, Zabbix | 2014-05-09 | 4.0 MEDIUM | N/A |
| The API in Zabbix before 1.8.20rc1, 2.0.x before 2.0.11rc1, and 2.2.x before 2.2.2rc1 allows remote authenticated users to spoof arbitrary users via the user name in a user.login request. | |||||
| CVE-2014-3139 | 1 Unitrends | 1 Enterprise Backup | 2014-05-05 | 7.5 HIGH | N/A |
| recoveryconsole/bpl/snmpd.php in Unitrends Enterprise Backup 7.3.0 allows remote attackers to bypass authentication by setting the auth parameter to a certain string. | |||||
| CVE-2013-7302 | 2 Drupal, Ubercart | 2 Drupal, Ubercart | 2014-04-30 | 6.8 MEDIUM | N/A |
| Session fixation vulnerability in the Ubercart module 6.x-2.x before 6.x-2.13 and 7.x-3.x before 7.x-3.6 for Drupal, when the "Log in new customers after checkout" option is enabled, allows remote attackers to hijack web sessions by leveraging knowledge of the original session ID. | |||||
| CVE-2014-0769 | 3 3s-software, Festo, Softmotion3d | 4 Codesys Runtime System, Cecx-x-c1 Modular Master Controller, Cecx-x-m1 Modular Controller and 1 more | 2014-04-25 | 9.3 HIGH | N/A |
| The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion do not require authentication for connections to certain TCP ports, which allows remote attackers to (1) modify the configuration via a request to the debug service on port 4000 or (2) delete log entries via a request to the log service on port 4001. | |||||
| CVE-2014-0760 | 3 3s-software, Festo, Softmotion3d | 4 Codesys Runtime System, Cecx-x-c1 Modular Master Controller, Cecx-x-m1 Modular Controller and 1 more | 2014-04-25 | 9.3 HIGH | N/A |
| The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion provide an undocumented access method involving the FTP protocol, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors. | |||||
| CVE-2014-2665 | 1 Mediawiki | 1 Mediawiki | 2014-04-24 | 4.0 MEDIUM | N/A |
| includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue. | |||||