| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| EMC RSA Authentication Agent for Web: Apache Web Server version 8.0 and RSA Authentication Agent for Web: Apache Web Server version 8.0.1 prior to Build 618 have a security vulnerability that could potentially lead to authentication bypass. |
| Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to conduct a "reflected file download" attack. |
| The extensions API in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android incorrectly permitted access to privileged plugins, which allowed a remote attacker to bypass site isolation via a crafted HTML page. |
| An Improper Authorization issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Several files and directories can be accessed without authentication, which may allow a remote attacker to perform sensitive functions including arbitrary file upload, file download, and device reboot. |
| An issue was discovered in certain Apple products. macOS High Sierra before Security Update 2017-001 is affected. The issue involves the "Directory Utility" component. It allows attackers to obtain administrator access without a password via certain interactions involving entry of the root user name. |
| A vulnerability in the mesh code of Cisco Wireless LAN Controller (WLC) software could allow an unauthenticated, remote attacker to impersonate a WLC in a meshed topology. The vulnerability is due to insufficient authentication of the parent access point in a mesh configuration. An attacker could exploit this vulnerability by forcing the target system to disconnect from the correct parent access point and reconnect to a rogue access point owned by the attacker. An exploit could allow the attacker to control the traffic flowing through the impacted access point or take full control of the target system. This vulnerability affects the following products running a vulnerable version of Wireless LAN Controller software and configured for meshed mode: Cisco 8500 Series Wireless Controller, Cisco 5500 Series Wireless Controller, Cisco 2500 Series Wireless Controller, Cisco Flex 7500 Series Wireless Controller, Cisco Virtual Wireless Controller, Wireless Services Module 2 (WiSM2). Note that additional configuration is needed in addition to upgrading to a fixed release. Cisco Bug IDs: CSCuc98992 CSCuu14804. |
| A vulnerability in the web-based GUI of Cisco Mobility Express 1800 Series Access Points could allow an unauthenticated, remote attacker to bypass authentication. The attacker could be granted full administrator privileges. The vulnerability is due to improper implementation of authentication for accessing certain web pages using the GUI interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web interface of the affected system. A successful exploit could allow the attacker to bypass authentication and perform unauthorized configuration changes or issue control commands to the affected device. This vulnerability affects Cisco Mobility Express 1800 Series Access Points running a software version prior to 8.2.110.0. Cisco Bug IDs: CSCuy68219. |
| Dataprobe iBootBar (with 2007-09-20 and possibly later beta firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCCOOKIE cookie. |
| Cybozu Garoon 3.0.0 to 4.2.2 allows remote authenticated attackers to bypass access restriction to alter or delete another user's private RSS settings via unspecified vectors. |
| Cybozu Garoon 3.0.0 to 4.2.2 allows remote authenticated attackers to bypass access restriction to delete other operational administrators' MultiReport filters via unspecified vectors. |
| A security vulnerability in cookie handling in the http stack implementation in NDSD in Novell eDirectory before 9.0.1 allows remote attackers to bypass intended access restrictions by leveraging predictable cookies. |
| An issue was discovered in OmniMetrix OmniView, Version 1.2. Insufficient password requirements for the OmniView web application may allow an attacker to gain access by brute forcing account passwords. |
| Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability to make use of any existing PodSecurityPolicy object. |
| SYN Flood or FIN Flood attack in ECos 1 and other versions embedded devices results in web Authentication Bypass. "eCos Embedded Web Servers used by Multiple Routers and Home devices, while sending SYN Flood or FIN Flood packets fails to validate and handle the packets and does not ask for any sign of authentication resulting in Authentication Bypass. An attacker can take complete advantage of this bug and take over the device remotely or locally. The bug has been successfully tested and reproduced in some versions of SOHO Routers manufactured by TOTOLINK, GREATEK and others." |
| Dataprobe iBootBar (with 2007-09-20 and possibly later released firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCRABBIT cookie. |
| A vulnerability in the implementation of Protected Extensible Authentication Protocol (PEAP) functionality for standalone configurations of Cisco Aironet 1800, 2800, and 3800 Series Access Points could allow an unauthenticated, adjacent attacker to bypass authentication and connect to an affected device. The vulnerability exists because the affected device uses an incorrect default configuration setting of fail open when running in standalone mode. An attacker could exploit this vulnerability by attempting to connect to an affected device. A successful exploit could allow the attacker to bypass authentication and connect to the affected device. This vulnerability affects Cisco Aironet 1800, 2800, and 3800 Series Access Points that are running a vulnerable software release and use WLAN configuration settings that include FlexConnect local switching and central authentication with MAC filtering. Cisco Bug IDs: CSCvd46314. |
| xrdp 0.9.1 calls the PAM function auth_start_session() in an incorrect location, leading to PAM session modules not being properly initialized, with a potential consequence of incorrect configurations or elevation of privileges, aka a pam_limits.so bypass. |
| Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0. |
| An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. No authentication is configured by default. An unauthorized user can access the device management portal and make configuration changes. |
| Improper authentication issue in PTW-WMS1 firmware version 2.000.012 allows remote attackers to log in to the device with root privileges and conduct arbitrary operations via unspecified vectors. |
