Filtered by CWE-287
Filtered by vendor Subscriptions
Total 3838 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-18246 1 Biotronik 4 Cardiomessenger Ii-s Gsm, Cardiomessenger Ii-s Gsm Firmware, Cardiomessenger Ii-s T-line and 1 more 2024-11-21 4.3 Medium
BIOTRONIK CardioMessenger II, The affected products do not properly enforce mutual authentication with the BIOTRONIK Remote Communication infrastructure.
CVE-2019-17627 1 Yalehome 1 Yale Bluetooth Key 2024-11-21 6.5 Medium
The Yale Bluetooth Key application for mobile devices allows unauthorized unlock actions by sniffing Bluetooth Low Energy (BLE) traffic during one authorized unlock action, and then calculating the authentication key via simple computations on the hex digits of a valid authentication request. This affects the Yale ZEN-R lock and unspecified other locks.
CVE-2019-17567 4 Apache, Fedoraproject, Oracle and 1 more 6 Http Server, Fedora, Enterprise Manager Ops Center and 3 more 2024-11-21 5.3 Medium
Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.
CVE-2019-17437 1 Paloaltonetworks 1 Pan-os 2024-11-21 7.8 High
An improper authentication check in Palo Alto Networks PAN-OS may allow an authenticated low privileged non-superuser custom role user to elevate privileges and become superuser. This issue affects PAN-OS 7.1 versions prior to 7.1.25; 8.0 versions prior to 8.0.20; 8.1 versions prior to 8.1.11; 9.0 versions prior to 9.0.5. PAN-OS version 7.0 and prior EOL versions have not been evaluated for this issue.
CVE-2019-17372 1 Netgear 66 Ac1450, Ac1450 Firmware, D8500 and 63 more 2024-11-21 8.1 High
Certain NETGEAR devices allow remote attackers to disable all authentication requirements by visiting genieDisableLanChanged.cgi. The attacker can then, for example, visit MNU_accessPassword_recovered.html to obtain a valid new admin password. This affects AC1450, D8500, DC112A, JNDR3000, LG2200D, R4500, R6200, R6200V2, R6250, R6300, R6300v2, R6400, R6700, R6900P, R6900, R7000P, R7000, R7100LG, R7300, R7900, R8000, R8300, R8500, WGR614v10, WN2500RPv2, WNDR3400v2, WNDR3700v3, WNDR4000, WNDR4500, WNDR4500v2, WNR1000, WNR1000v3, WNR3500L, and WNR3500L.
CVE-2019-17134 3 Canonical, Opendev, Redhat 3 Ubuntu Linux, Octavia, Openstack 2024-11-21 9.1 Critical
Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.
CVE-2019-17023 4 Canonical, Debian, Mozilla and 1 more 5 Ubuntu Linux, Debian Linux, Firefox and 2 more 2024-11-21 6.5 Medium
After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.
CVE-2019-16929 1 Auth0 1 Auth0.net 2024-11-21 7.5 High
Auth0 auth0.net before 6.5.4 has Incorrect Access Control because IdentityTokenValidator can be accidentally used to validate untrusted ID tokens.
CVE-2019-16649 1 Supermicro 672 A1sa2-2750f, A1sa2-2750f Firmware, A1sai-2550f and 669 more 2024-11-21 10.0 Critical
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.
CVE-2019-16327 1 Dlink 2 Dir-601, Dir-601 Firmware 2024-11-21 9.8 Critical
D-Link DIR-601 B1 2.00NA devices are vulnerable to authentication bypass. They do not check for authentication at the server side and rely on client-side validation, which is bypassable. NOTE: this is an end-of-life product.
CVE-2019-16286 1 Hp 1 Thinpro Linux 2024-11-21 6.8 Medium
An attacker may be able to bypass the OS application filter meant to restrict applications that can be executed by changing browser preferences to launch a separate process that in turn can execute arbitrary commands.
CVE-2019-16250 1 Oceanwp 1 Ocean Extra 2024-11-21 7.5 High
includes/wizard/wizard.php in the Ocean Extra plugin through 1.5.8 for WordPress allows unauthenticated options changes and injection of a Cascading Style Sheets (CSS) token sequence.
CVE-2019-16201 3 Debian, Redhat, Ruby-lang 6 Debian Linux, Enterprise Linux, Rhel E4s and 3 more 2024-11-21 7.5 High
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.
CVE-2019-16190 1 Dlink 6 Dir-868l, Dir-868l Firmware, Dir-885l and 3 more 2024-11-21 9.8 Critical
SharePort Web Access on D-Link DIR-868L REVB through 2.03, DIR-885L REVA through 1.20, and DIR-895L REVA through 1.21 devices allows Authentication Bypass, as demonstrated by a direct request to folder_view.php or category_view.php.
CVE-2019-15993 1 Cisco 228 Sf200-24, Sf200-24 Firmware, Sf200-24fp and 225 more 2024-11-21 5.3 Medium
A vulnerability in the web UI of Cisco Small Business Switches could allow an unauthenticated, remote attacker to access sensitive device information. The vulnerability exists because the software lacks proper authentication controls to information accessible from the web UI. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web UI of an affected device. A successful exploit could allow the attacker to access sensitive device information, which includes configuration files.
CVE-2019-15987 1 Cisco 6 Webex Event Center, Webex Meeting Center, Webex Meetings Online and 3 more 2024-11-21 5.3 Medium
A vulnerability in web interface of the Cisco Webex Event Center, Cisco Webex Meeting Center, Cisco Webex Support Center, and Cisco Webex Training Center could allow an unauthenticated, remote attacker to guess account usernames. The vulnerability is due to missing CAPTCHA protection in certain URLs. An attacker could exploit this vulnerability by sending a crafted request to the web interface. A successful exploit could allow the attacker to know if a given username is valid and find the real name of the user.
CVE-2019-15897 1 Thinkparq 1 Beegfs 2024-11-21 9.6 Critical
beegfs-ctl in ThinkParQ BeeGFS through 7.1.3 allows Authentication Bypass via communication with a BeeGFS metadata server (which is typically not exposed to external networks).
CVE-2019-15803 1 Zyxel 18 Gs1900-10hp, Gs1900-10hp Firmware, Gs1900-16 and 15 more 2024-11-21 9.1 Critical
An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. Through an undocumented sequence of keypresses, undocumented functionality is triggered. A diagnostics shell is triggered via CTRL-ALT-t, which prompts for the password returned by fds_sys_passDebugPasswd_ret(). The firmware contains access control checks that determine if remote users are allowed to access this functionality. The function that performs this check (fds_sys_remoteDebugEnable_ret in libfds.so) always return TRUE with no actual checks performed. The diagnostics menu allows for reading/writing arbitrary registers and various other configuration parameters which are believed to be related to the network interface chips.
CVE-2019-15796 3 Canonical, Debian, Ubuntu 3 Ubuntu Linux, Python-apt, Python-apt 2024-11-21 4.7 Medium
Python-apt doesn't check if hashes are signed in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py or in `_fetch_archives()` of apt/cache.py in version 1.9.3ubuntu2 and earlier. This allows downloads from unsigned repositories which shouldn't be allowed and has been fixed in verisions 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5.
CVE-2019-15648 1 Elearningfreak 1 Insert Or Embed Articulate Content 2024-11-21 N/A
The insert-or-embed-articulate-content-into-wordpress plugin before 4.29991 for WordPress has insufficient restrictions on deleting or renaming by a Subscriber.