The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests.
Max CVSS
5.0
EPSS Score
0.34%
Published
2012-11-17
Updated
2017-08-29
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID.
Max CVSS
5.0
EPSS Score
0.34%
Published
2012-11-17
Updated
2017-08-29
The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and 2.1.0.0 through 2.1.0.2 does not require authentication for an unspecified interface, which allows remote attackers to cause a denial of service (process exit) via unknown vectors.
Max CVSS
7.8
EPSS Score
2.35%
Published
2012-11-23
Updated
2017-08-29
The default configuration of EMC Smarts Network Configuration Manager (NCM) before 9.1 does not require authentication for database access, which allows remote attackers to have an unspecified impact via a network session.
Max CVSS
9.3
EPSS Score
1.06%
Published
2012-11-27
Updated
2013-08-17
EMC RSA Data Protection Manager Appliance 2.7.x and 3.x before 3.2.1 does not properly restrict the number of authentication attempts by a user account, which makes it easier for local users to bypass intended access restrictions via a brute-force attack.
Max CVSS
6.9
EPSS Score
0.04%
Published
2012-11-16
Updated
2013-02-26
MosP kintai kanri before 4.1.0 does not properly perform authentication, which allows remote authenticated users to impersonate arbitrary user accounts, and consequently obtain sensitive information or modify settings, via unspecified vectors.
Max CVSS
5.5
EPSS Score
0.23%
Published
2012-11-08
Updated
2013-03-02
The Java servlets in the management console in IBM Tivoli Federated Identity Manager (TFIM) through 6.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) before 6.2.2 do not require authentication for all resource downloads, which allows remote attackers to bypass intended J2EE security constraints, and obtain sensitive information related to (1) federation metadata or (2) a web plugin configuration template, via a crafted request.
Max CVSS
5.0
EPSS Score
0.32%
Published
2012-11-08
Updated
2017-08-29
cookie_gen.php in ar web content manager (AWCM) 2.2 does not require authentication, which allows remote attackers to generate arbitrary cookies via the name parameter in conjunction with the content parameter.
Max CVSS
5.0
EPSS Score
4.57%
Published
2012-11-26
Updated
2017-08-29
JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast.
Max CVSS
3.3
EPSS Score
0.44%
Published
2012-11-23
Updated
2017-08-29
The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression.
Max CVSS
6.8
EPSS Score
2.24%
Published
2012-11-23
Updated
2023-02-13
10 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!