Filtered by vendor
Subscriptions
Total
3676 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-32222 | 2 D-link, Dlink | 3 Dsl-g256dg, Dsl-g256dg, Dsl-g256dg Firmware | 2024-11-27 | 9.8 Critical |
D-Link DSL-G256DG version vBZ_1.00.27 web management interface allows authentication bypass via an unspecified method. | ||||
CVE-2023-41900 | 3 Debian, Eclipse, Redhat | 3 Debian Linux, Jetty, Jboss Fuse | 2024-11-27 | 3.5 Low |
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue. | ||||
CVE-2023-50714 | 1 Yiiframework | 1 Yii2-authclient | 2024-11-27 | 6.8 Medium |
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the `authCodeVerifier` should be removed after usage (similar to `authState`). Second, there is a risk for a `downgrade attack` if PKCE is being relied on for CSRF protection. Version 2.2.15 contains a patch for the issue. No known workarounds are available. | ||||
CVE-2023-28473 | 1 Concretecms | 1 Concrete Cms | 2024-11-27 | 3.3 Low |
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to possible Auth bypass in the jobs section. | ||||
CVE-2023-51708 | 1 Bentley | 2 Assetwise Alim For Transportation, Eb System Management Console | 2024-11-26 | 8.6 High |
Bentley eB System Management Console applications within Assetwise Integrity Information Server allow an unauthenticated user to view configuration options via a crafted request, leading to information disclosure. This affects eB System management Console before 23.00.02.03 and Assetwise ALIM For Transportation before 23.00.01.25. | ||||
CVE-2019-1980 | 1 Cisco | 3 Firepower Services Software For Asa, Firepower Threat Defense, Secure Firewall Management Center | 2024-11-26 | 5.3 Medium |
A vulnerability in the protocol detection component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections. The vulnerability is due to improper detection of the initial use of a protocol on a nonstandard port. An attacker could exploit this vulnerability by sending traffic on a nonstandard port for the protocol in use through an affected device. An exploit could allow the attacker to bypass filtering and deliver malicious requests to protected systems that would otherwise be blocked. Once the initial protocol flow on the nonstandard port is detected, future flows on the nonstandard port will be successfully detected and handled as configured by the applied policy. | ||||
CVE-2020-3410 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-26 | 8.1 High |
A vulnerability in the Common Access Card (CAC) authentication feature of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and access the FMC system. The attacker must have a valid CAC to initiate the access attempt. The vulnerability is due to incorrect session invalidation during CAC authentication. An attacker could exploit this vulnerability by performing a CAC-based authentication attempt to an affected system. A successful exploit could allow the attacker to access an affected system with the privileges of a CAC-authenticated user who is currently logged in. | ||||
CVE-2019-16028 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-26 | 9.8 Critical |
A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to gain administrative access to the web-based management interface of the affected device. | ||||
CVE-2016-6434 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-26 | N/A |
Cisco Firepower Management Center 6.0.1 has hardcoded database credentials, which allows local users to obtain sensitive information by leveraging CLI access, aka Bug ID CSCva30370. | ||||
CVE-2022-20918 | 1 Cisco | 2 Firepower Services Software For Asa, Secure Firewall Management Center | 2024-11-26 | 7.5 High |
A vulnerability in the Simple Network Management Protocol (SNMP) access controls for Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module, Cisco Firepower Management Center (FMC) Software, and Cisco Next-Generation Intrusion Prevention System (NGIPS) Software could allow an unauthenticated, remote attacker to perform an SNMP GET request using a default credential. This vulnerability is due to the presence of a default credential for SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2). An attacker could exploit this vulnerability by sending an SNMPv1 or SNMPv2 GET request to an affected device. A successful exploit could allow the attacker to retrieve sensitive information from the device using the default credential. This attack will only be successful if SNMP is configured, and the attacker can only perform SNMP GET requests; write access using SNMP is not allowed. | ||||
CVE-2024-45369 | 1 Myscada | 2 Mypro Manager, Mypro Runtime | 2024-11-26 | 8.1 High |
The web application uses a weak authentication mechanism to verify that a request is coming from an authenticated and authorized resource. | ||||
CVE-2018-0435 | 1 Cisco | 1 Umbrella | 2024-11-26 | N/A |
A vulnerability in the Cisco Umbrella API could allow an authenticated, remote attacker to view and modify data across their organization and other organizations. The vulnerability is due to insufficient authentication configurations for the API interface of Cisco Umbrella. An attacker could exploit this vulnerability to view and potentially modify data for their organization or other organizations. A successful exploit could allow the attacker to read or modify data across multiple organizations. | ||||
CVE-2018-15371 | 1 Cisco | 1 Ios Xe | 2024-11-26 | N/A |
A vulnerability in the shell access request mechanism of Cisco IOS XE Software could allow an authenticated, local attacker to bypass authentication and gain unrestricted access to the root shell of an affected device. The vulnerability exists because the affected software has insufficient authentication mechanisms for certain commands. An attacker could exploit this vulnerability by requesting access to the root shell of an affected device, after the shell access feature has been enabled. A successful exploit could allow the attacker to bypass authentication and gain unrestricted access to the root shell of the affected device. | ||||
CVE-2016-10394 | 2024-11-26 | 9.8 Critical | ||
Initial xbl_sec revision does not have all the debug policy features and critical checks. | ||||
CVE-2018-11952 | 2024-11-26 | 7.8 High | ||
An image with a version lower than the fuse version may potentially be booted lead to improper authentication. | ||||
CVE-2023-44324 | 2 Adobe, Microsoft | 2 Framemaker Publishing Server, Windows | 2024-11-26 | 9.8 Critical |
Adobe FrameMaker Publishing Server versions 2022 and earlier are affected by an Improper Authentication vulnerability that could result in a Security feature bypass. An unauthenticated attacker can abuse this vulnerability to access the API and leak default admin's password. Exploitation of this issue does not require user interaction. | ||||
CVE-2024-11671 | 2024-11-25 | 5.4 Medium | ||
Improper authentication in SQL data source MFA validation in Devolutions Remote Desktop Manager 2024.3.17 and earlier on Windows allows an authenticated user to bypass the MFA validation via data source switching. | ||||
CVE-2022-1101 | 1 Event Management System Project | 1 Event Management System | 2024-11-25 | 7.3 High |
A vulnerability was found in SourceCodester Royale Event Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /royal_event/userregister.php. The manipulation leads to improper authentication. The attack may be initiated remotely. The identifier VDB-195785 was assigned to this vulnerability. | ||||
CVE-2022-33862 | 1 Eaton | 1 Intelligent Power Protector | 2024-11-25 | 6.7 Medium |
IPP software prior to v1.71 is vulnerable to default credential vulnerability. This could lead attackers to identify and access vulnerable systems. | ||||
CVE-2024-7923 | 1 Redhat | 4 Satellite, Satellite Capsule, Satellite Maintenance and 1 more | 2024-11-24 | 9.8 Critical |
An authentication bypass vulnerability has been identified in Pulpcore when deployed with Gunicorn versions prior to 22.0, due to the puppet-pulpcore configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) which are using Pulpcore version 3.0+ and could potentially enable unauthorized users to gain administrative access. |