Total
3556 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-0353 | 1 Zyxel | 2 N300 Netusb Nbg-419n, N300 Netusb Nbg-419n Firmware | 2024-11-21 | 6.1 MEDIUM | N/A |
| The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allows remote attackers to bypass authentication by using %2F sequences in place of / (slash) characters. | |||||
| CVE-2014-0348 | 1 Ontariosystems | 4 Artiva Architect, Artiva Healthcare, Artiva Rm and 1 more | 2024-11-21 | 3.5 LOW | N/A |
| The Artiva Agency Single Sign-On (SSO) implementation in Artiva Workstation 1.3.x before 1.3.9, Artiva Rm 3.1 MR7, Artiva Healthcare 5.2 MR5, and Artiva Architect 3.2 MR5, when the domain-name option is enabled, allows remote attackers to login to arbitrary domain accounts by using the corresponding username on a Windows client machine. | |||||
| CVE-2014-0214 | 1 Moodle | 1 Moodle | 2024-11-21 | 6.8 MEDIUM | N/A |
| login/token.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 creates a MoodleMobile web-service token with an infinite lifetime, which makes it easier for remote attackers to hijack sessions via a brute-force attack. | |||||
| CVE-2014-0188 | 1 Redhat | 1 Openshift | 2024-11-21 | 7.5 HIGH | N/A |
| The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to a passthrough trigger. | |||||
| CVE-2014-0166 | 1 Wordpress | 1 Wordpress | 2024-11-21 | 6.4 MEDIUM | N/A |
| The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. | |||||
| CVE-2014-0138 | 2 Debian, Haxx | 3 Debian Linux, Curl, Libcurl | 2024-11-21 | 6.4 MEDIUM | N/A |
| The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015. | |||||
| CVE-2014-0132 | 1 Fedoraproject | 1 389 Directory Server | 2024-11-21 | 6.5 MEDIUM | N/A |
| The SASL authentication functionality in 389 Directory Server before 1.2.11.26 allows remote authenticated users to connect as an arbitrary user and gain privileges via the authzid parameter in a SASL/GSSAPI bind. | |||||
| CVE-2014-0121 | 2 Hawt, Redhat | 2 Hawtio, Jboss Fuse | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter. | |||||
| CVE-2014-0097 | 1 Vmware | 1 Spring Security | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password. | |||||
| CVE-2014-0090 | 1 Theforeman | 1 Foreman | 2024-11-21 | 6.8 MEDIUM | N/A |
| Session fixation vulnerability in Foreman before 1.4.2 allows remote attackers to hijack web sessions via the session id cookie. | |||||
| CVE-2014-0074 | 1 Apache | 1 Shiro | 2024-11-21 | 7.5 HIGH | N/A |
| Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password. | |||||
| CVE-2014-0056 | 2 Canonical, Openstack | 2 Ubuntu Linux, Neutron | 2024-11-21 | 2.1 LOW | N/A |
| The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command. | |||||
| CVE-2013-7465 | 1 Icecoldapps | 1 Servers Ultimate | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Ice Cold Apps Servers Ultimate 6.0.2(12) does not require authentication for TELNET, SSH, or FTP, which allows remote attackers to execute arbitrary code by uploading PHP scripts. | |||||
| CVE-2013-7379 | 1 Ucdok | 1 Tomato | 2024-11-21 | 6.8 MEDIUM | N/A |
| The admin API in the tomato module before 0.0.6 for Node.js does not properly check the access key when it is set to a string, which allows remote attackers to bypass authentication via a string in the access-key header that partially matches config.master.api.access_key. | |||||
| CVE-2013-7366 | 1 Sap | 1 Software Deployment Manager | 2024-11-21 | 5.0 MEDIUM | N/A |
| The SAP Software Deployment Manager (SDM), in certain unspecified conditions, allows remote attackers to cause a denial of service via vectors related to failed authentications. | |||||
| CVE-2013-7322 | 1 Nongnu | 1 Oath Toolkit | 2024-11-21 | 4.9 MEDIUM | N/A |
| usersfile.c in liboath in OATH Toolkit before 2.4.1 does not properly handle lines containing an invalid one-time-password (OTP) type and a user name in /etc/users.oath, which causes the wrong line to be updated when invalidating an OTP and allows context-dependent attackers to conduct replay attacks, as demonstrated by a commented out line when using libpam-oath. | |||||
| CVE-2013-7302 | 2 Drupal, Ubercart | 2 Drupal, Ubercart | 2024-11-21 | 6.8 MEDIUM | N/A |
| Session fixation vulnerability in the Ubercart module 6.x-2.x before 6.x-2.13 and 7.x-3.x before 7.x-3.6 for Drupal, when the "Log in new customers after checkout" option is enabled, allows remote attackers to hijack web sessions by leveraging knowledge of the original session ID. | |||||
| CVE-2013-7051 | 1 Dlink | 2 Dir-100, Dir-100 Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters | |||||
| CVE-2013-6806 | 1 Opentext | 1 Exceed Ondemand | 2024-11-21 | 6.8 MEDIUM | N/A |
| OpenText Exceed OnDemand (EoD) 8 allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information via a crafted string in a response, which triggers a downgrade to simple authentication that sends credentials in plaintext. | |||||
| CVE-2013-6788 | 1 Bitrix | 2 Bitrix E-store Module, Bitrix Site Manager | 2024-11-21 | 7.5 HIGH | N/A |
| The Bitrix e-Store module before 14.0.1 for Bitrix Site Manager uses sequential values for the BITRIX_SM_SALE_UID cookie, which makes it easier for remote attackers to guess the cookie value and bypass authentication via a brute force attack. | |||||