Total
3677 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-14698 | 1 Asus | 32 Dsl-ac51, Dsl-ac51 Firmware, Dsl-ac52u and 29 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| ASUS DSL-AC51, DSL-AC52U, DSL-AC55U, DSL-N55U C1, DSL-N55U D1, DSL-AC56U, DSL-N10_C1, DSL-N12U C1, DSL-N12E C1, DSL-N14U, DSL-N14U-B1, DSL-N16, DSL-N16U, DSL-N17U, DSL-N66U, and DSL-AC750 routers allow remote attackers to change passwords of arbitrary users via the http_passwd parameter to mod_login.asp. | |||||
| CVE-2017-14026 | 1 Iceqube | 2 Thermal Management Center, Thermal Management Center Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Ice Qube Thermal Management Center versions prior to version 4.13, the web application does not properly authenticate users which may allow an attacker to gain access to sensitive information. | |||||
| CVE-2017-13889 | 1 Apple | 1 Mac Os X | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan, a logic error existed in the validation of credentials. This was addressed with improved credential validation. | |||||
| CVE-2017-12778 | 1 Qbittorrent | 1 Qbittorrent | 2024-11-21 | 3.6 LOW | 7.1 HIGH |
| ** DISPUTED ** The UI Lock feature in qBittorrent version 3.3.15 is vulnerable to Authentication Bypass, which allows Attack to gain unauthorized access to qBittorrent functions by tampering the affected flag value of the config file at the C:\Users\<username>\Roaming\qBittorrent pathname. The attacker must change the value of the "locked" attribute to "false" within the "Locking" stanza. NOTE: This is an intended behavior. See https://github.com/qbittorrent/qBittorrent/wiki/I-forgot-my-UI-lock-password. | |||||
| CVE-2017-12712 | 1 Abbott | 14 Accent, Accent Firmware, Accent Mri and 11 more | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
| The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities. | |||||
| CVE-2017-12695 | 1 Gm | 1 Shanghai Onstar | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| An Improper Authentication issue was discovered in General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client 7.1. Successful exploitation of this vulnerability may allow an attacker to subvert security mechanisms and reset a user account password. | |||||
| CVE-2017-12610 | 1 Apache | 1 Kafka | 2024-11-21 | 4.9 MEDIUM | 6.8 MEDIUM |
| In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka. | |||||
| CVE-2017-12549 | 3 Hp, Linux, Microsoft | 3 System Management Homepage, Linux Kernel, Windows | 2024-11-21 | 5.5 MEDIUM | 5.6 MEDIUM |
| A local authentication bypass vulnerability in HPE System Management Homepage for Windows and Linux version prior to v7.6.1 was found. | |||||
| CVE-2017-11430 | 1 Omniauth | 1 Omniauth Saml | 2024-11-21 | 7.5 HIGH | 7.7 HIGH |
| OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers. | |||||
| CVE-2017-11429 | 1 Clever | 1 Saml2-js | 2024-11-21 | 7.5 HIGH | 7.7 HIGH |
| Clever saml2-js 2.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers. | |||||
| CVE-2017-11428 | 1 Onelogin | 1 Ruby-saml | 2024-11-21 | 7.5 HIGH | 7.7 HIGH |
| OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers. | |||||
| CVE-2017-11427 | 1 Onelogin | 1 Pythonsaml | 2024-11-21 | 7.5 HIGH | 7.7 HIGH |
| OneLogin PythonSAML 2.3.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers. | |||||
| CVE-2017-1000489 | 2 Acquia, Mautic | 2 Mautic, Mautic | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Mautic versions 2.0.0 - 2.11.0 with a SSO plugin installed could allow a disabled user to still login using email address | |||||
| CVE-2017-1000433 | 2 Debian, Pysaml2 Project | 2 Debian Linux, Pysaml2 | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password. | |||||
| CVE-2017-1000354 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance. | |||||
| CVE-2017-0911 | 1 Twitter | 1 Twitter Kit | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| Twitter Kit for iOS versions 3.0 to 3.2.1 is vulnerable to a callback verification flaw in the "Login with Twitter" component allowing an attacker to provide alternate credentials. In the final step of "Login with Twitter" authentication information is passed back to the application using the registered custom URL scheme (typically twitterkit-<consumer-key>) on iOS. Because the callback handler did not verify the authenticity of the response, this step is vulnerable to forgery, potentially allowing attacker to associate a Twitter account with a third-party service. | |||||
| CVE-2017-0356 | 2 Debian, Ikiwiki | 2 Debian Linux, Ikiwiki | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw, similar to to CVE-2016-9646, exists in ikiwiki before 3.20170111, in the passwordauth plugin's use of CGI::FormBuilder, allowing an attacker to bypass authentication via repeated parameters. | |||||
| CVE-2016-9880 | 1 Pivotal Software | 1 Gemfire For Pivotal Cloud Foundry | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The GemFire broker for Cloud Foundry 1.6.x before 1.6.5 and 1.7.x before 1.7.1 has multiple API endpoints which do not require authentication and could be used to gain access to the cluster managed by the broker. | |||||
| CVE-2016-9646 | 2 Debian, Ikiwiki | 2 Debian Linux, Ikiwiki | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| ikiwiki before 3.20161229 incorrectly called the CGI::FormBuilder->field method (similar to the CGI->param API that led to Bugzilla's CVE-2014-1572), which can be abused to lead to commit metadata forgery. | |||||
| CVE-2016-9497 | 1 Hughes | 8 Dw7000, Dw7000 Firmware, Hn7000s and 5 more | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
| Hughes high-performance broadband satellite modems, models HN7740S DW7000 HN7000S/SM, is vulnerable to an authentication bypass using an alternate path or channel. By default, port 1953 is accessible via telnet and does not require authentication. An unauthenticated remote user can access many administrative commands via this interface, including rebooting the modem. | |||||