The libobby server in inc/server.hpp in libnet6 (aka net6) before 1.3.14 does not perform authentication before checking the user name, which allows remote attackers to obtain sensitive information such as server-usage patterns by a particular user and color preferences.
Max CVSS
5.0
EPSS Score
0.25%
Published
2014-02-10
Updated
2023-02-13
Red Hat JBoss Operations Network (JON) before 2.4.2 and 3.0.x before 3.0.1 allows remote attackers to hijack agent sessions via an agent registration request without a security token.
Max CVSS
5.8
EPSS Score
0.34%
Published
2014-02-14
Updated
2014-02-14
Red Hat JBoss Operations Network (JON) 3.0.x before 3.0.1, 2.4.2, and earlier, when LDAP authentication is enabled and the LDAP bind account credentials are invalid, allows remote attackers to login to LDAP-based accounts via an arbitrary password in a login request.
Max CVSS
5.8
EPSS Score
0.34%
Published
2014-02-14
Updated
2014-02-14
The ios-authproxy implementation in Cisco IOS before 15.1(1)SY3 allows remote attackers to cause a denial of service (webauth and HTTP service outage) via vectors that trigger incorrectly terminated HTTP sessions, aka Bug ID CSCtz99447.
Max CVSS
5.0
EPSS Score
0.26%
Published
2014-04-23
Updated
2014-04-23
The Flex-VPN load-balancing feature in the ipsec-ikev2 implementation in Cisco IOS before 15.1(1)SY3 does not require authentication, which allows remote attackers to trigger the forwarding of VPN traffic to an attacker-controlled destination, or the discarding of this traffic, by arranging for an arbitrary device to become a cluster member, aka Bug ID CSCub93641.
Max CVSS
6.4
EPSS Score
0.30%
Published
2014-04-23
Updated
2014-04-23
Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessions when the session secret has changed, which allows remote authenticated users to retain access via unspecified vectors.
Max CVSS
4.0
EPSS Score
0.09%
Published
2014-03-14
Updated
2019-07-10
Axway Secure Messenger before 6.5 Updated Release 7, as used in Axway Email Firewall, provides different responses to authentication requests depending on whether the user exists, which allows remote attackers to enumerate users via a series of requests.
Max CVSS
5.0
EPSS Score
0.33%
Published
2014-05-27
Updated
2017-08-29
libpam-pgsql (aka pam_pgsql) 0.7 does not properly handle a NULL value returned by the password search query, which allows remote attackers to bypass authentication via a crafted password.
Max CVSS
5.0
EPSS Score
0.75%
Published
2014-06-03
Updated
2017-08-29
The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.
Max CVSS
3.2
EPSS Score
0.09%
Published
2014-01-24
Updated
2017-03-24
Apache HBase 0.92.x before 0.92.3 and 0.94.x before 0.94.9, when the Kerberos features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information via unspecified vectors.
Max CVSS
4.3
EPSS Score
0.06%
Published
2014-05-29
Updated
2017-03-24
Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C allows remote attackers to bypass the console proxy authentication by leveraging knowledge of the source code.
Max CVSS
5.0
EPSS Score
0.20%
Published
2014-05-23
Updated
2017-08-29
The Sierra Wireless AirLink Raven X EV-DO gateway 4221_4.0.11.003 and 4228_4.0.11.003 allows remote attackers to reprogram the firmware via a replay attack using UDP ports 17336 and 17388.
Max CVSS
10.0
EPSS Score
0.52%
Published
2014-01-15
Updated
2014-01-16
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not send the HSTS Strict-Transport-Security header, which makes it easier for man-in-the-middle attackers to hijack sessions or obtain sensitive information by leveraging the presence of HTTP requests.
Max CVSS
4.3
EPSS Score
0.13%
Published
2014-05-26
Updated
2017-08-29
The Belkin N300 (F7D7301v1) router allows remote attackers to bypass authentication and gain privileges via vectors related to incorrect validation of the HTTP Authorization header.
Max CVSS
8.3
EPSS Score
0.41%
Published
2014-09-29
Updated
2014-10-01

CVE-2013-3977

Public exploit
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to determine which meeting rooms are owned by a user by leveraging knowledge of valid user names.
Max CVSS
4.3
EPSS Score
0.57%
Published
2014-05-26
Updated
2017-08-29
The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to obtain access by replaying the username, password, and one-time password (OTP).
Max CVSS
5.0
EPSS Score
0.38%
Published
2014-05-29
Updated
2014-05-30
The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 caches a valid CentralAuthUser object in the centralauth_User cookie even when a user has not successfully logged in, which allows remote attackers to bypass authentication without a password.
Max CVSS
7.5
EPSS Score
2.20%
Published
2014-01-26
Updated
2017-08-29
The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.
Max CVSS
5.5
EPSS Score
0.13%
Published
2014-05-14
Updated
2021-03-09
lib/Auth/Source/External.php in the drupalauth module before 1.2.2 for simpleSAMLphp allows remote attackers to authenticate as an arbitrary user via the user name (uid) in a cookie.
Max CVSS
7.5
EPSS Score
0.72%
Published
2014-05-13
Updated
2014-05-14
GitLab before 5.4.2, Community Edition before 6.2.4, and Enterprise Edition before 6.2.1, when using a MySQL backend, allows remote attackers to impersonate arbitrary users and bypass authentication via unspecified API calls.
Max CVSS
6.8
EPSS Score
0.71%
Published
2014-05-12
Updated
2016-05-18
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.
Max CVSS
4.3
EPSS Score
0.19%
Published
2014-10-25
Updated
2014-10-31
D-Link DIR-505L SharePort Mobile Companion 1.01 and DIR-826L Wireless N600 Cloud Router 1.02 allows remote attackers to bypass authentication via a direct request when an authorized session is active.
Max CVSS
9.3
EPSS Score
0.60%
Published
2014-05-12
Updated
2023-04-26
The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS before 6.0.4 does not require authentication, which allows remote attackers to execute arbitrary ASP.NET code via a crafted SOAP request.
Max CVSS
7.5
EPSS Score
0.60%
Published
2014-12-27
Updated
2014-12-30
The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console.
Max CVSS
6.4
EPSS Score
0.46%
Published
2014-03-09
Updated
2019-07-10
The Management Console in Symantec Endpoint Protection (SEP) 11.x before 11.0.7.4 and 12.x before 12.1.2 RU2 and Endpoint Protection Small Business Edition 12.x before 12.1.2 RU2 does not properly perform authentication, which allows remote authenticated users to gain privileges by leveraging access to a limited-admin account.
Max CVSS
7.4
EPSS Score
0.12%
Published
2014-01-10
Updated
2017-08-29
165 vulnerabilities found
1 2 3 4 5 6 7
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!