CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Related To CWE-287

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 CVE-2014-4725 287 Exec Code Bypass 2014-07-27 2014-07-28
7.5
None Remote Low Not required Partial Partial Partial
The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.
2 CVE-2014-4668 287 Bypass 2014-07-02 2014-07-02
6.8
None Remote Medium Not required Partial Partial Partial
The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attackers to bypass authentication via an empty password.
3 CVE-2014-4168 287 Bypass 2014-07-03 2014-07-07
5.0
None Remote Low Not required Partial None None
(1) iodined.c and (2) user.c in iodine before 0.7.0 allow remote attackers to bypass authentication by continuing execution after an error has been triggered.
4 CVE-2014-3945 287 Bypass 2014-06-03 2014-06-04
4.0
None Remote High Not required Partial Partial None
The Authentication component in TYPO3 before 6.2, when salting for password hashing is disabled, does not require knowledge of the cleartext password if the password hash is known, which allows remote attackers to bypass authentication and gain access to the backend by leveraging knowledge of a password hash.
5 CVE-2014-3944 287 Bypass 2014-06-03 2014-06-04
5.8
None Remote Medium Not required Partial Partial None
The Authentication component in TYPO3 6.2.0 before 6.2.3 does not properly invalidate timed out user sessions, which allows remote attackers to bypass authentication via unspecified vectors.
6 CVE-2014-3781 287 Bypass 2014-06-11 2014-06-12
5.8
None Remote Medium Not required Partial Partial None
The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request.
7 CVE-2014-3780 287 Bypass 2014-05-30 2014-06-24
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Citrix VDI-In-A-Box 5.3.x before 5.3.8 and 5.4.x before 5.4.4 allows remote attackers to bypass authentication via unspecified vectors, related to a Java servlet.
8 CVE-2014-3430 287 DoS 2014-05-14 2014-06-18
5.0
None Remote Low Not required None None Partial
Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 do not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection.
9 CVE-2014-3312 287 Exec Code 2014-07-09 2014-07-18
6.9
None Local Medium Not required Complete Complete Complete
The debug console interface on Cisco Small Business SPA300 and SPA500 phones does not properly perform authentication, which allows local users to execute arbitrary debug-shell commands, or read or modify data in memory or a filesystem, via direct access to this interface, aka Bug ID CSCun77435.
10 CVE-2014-3295 287 DoS Bypass 2014-06-14 2014-06-21
4.8
None Local Network Low Not required None Partial Partial
The HSRP implementation in Cisco NX-OS 6.2(2a) and earlier allows remote attackers to bypass authentication and cause a denial of service (group-member state modification and traffic blackholing) via malformed HSRP packets, aka Bug ID CSCup11309.
11 CVE-2014-3277 287 +Info 2014-05-29 2014-06-13
4.0
None Remote Low Single system Partial None None
The Administration GUI in the web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) 9.0(.1) and earlier does not properly implement access control, which allows remote authenticated users to obtain sensitive user and group information by leveraging Location Administrator privileges and entering a crafted URL, aka Bug ID CSCum77005.
12 CVE-2014-3139 287 1 Bypass 2014-05-02 2014-05-02
7.5
None Remote Low Not required Partial Partial Partial
recoveryconsole/bpl/snmpd.php in Unitrends Enterprise Backup 7.3.0 allows remote attackers to bypass authentication by setting the auth parameter to a certain string.
13 CVE-2014-3053 287 Bypass 2014-06-21 2014-07-17
8.0
None Local Network Low Not required Complete Partial Complete
The Local Management Interface (LMI) in IBM Security Access Manager (ISAM) for Mobile 8.0 with firmware 8.0.0.0 through 8.0.0.3 and IBM Security Access Manager for Web 7.0, and 8.0 with firmware 8.0.0.2 and 8.0.0.3, allows remote attackers to bypass authentication via a login action with invalid credentials.
14 CVE-2014-2955 287 Exec Code Bypass 2014-07-14 2014-07-15
10.0
None Remote Low Not required Complete Complete Complete
Raritan PX before 1.5.11 on DPXR20A-16 devices allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.
15 CVE-2014-2938 287 2014-05-22 2014-07-16
8.3
None Remote Medium Not required Partial Complete Partial
Hanvon FaceID before 1.007.110 does not require authentication, which allows remote attackers to modify access-control and attendance-tracking data via API commands.
16 CVE-2014-2828 287 DoS 2014-04-15 2014-04-16
5.0
None Remote Low Not required None None Partial
The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka "authentication chaining."
17 CVE-2014-2665 287 +Info CSRF 2014-04-19 2014-04-24
4.0
None Remote Low Single system Partial None None
includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to log in to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.
18 CVE-2014-2614 287 Bypass 2014-07-07 2014-07-07
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in HP SiteScope 11.1x through 11.13 and 11.2x through 11.24 allows remote attackers to bypass authentication via unknown vectors, aka ZDI-CAN-2140.
19 CVE-2014-2609 287 Exec Code 2014-06-19 2014-06-26
10.0
None Remote Low Not required Complete Complete Complete
The Java Glassfish Admin Console in HP Executive Scorecard 9.40 and 9.41 does not require authentication, which allows remote attackers to execute arbitrary code via a session on TCP port 10001, aka ZDI-CAN-2116.
20 CVE-2014-2341 287 1 2014-04-22 2014-04-22
6.8
None Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
21 CVE-2014-2338 287 Bypass 2014-04-16 2014-05-31
6.4
None Remote Low Not required Partial Partial None
IKEv2 in strongSwan 4.0.7 before 5.1.3 allows remote attackers to bypass authentication by rekeying an IKE_SA during (1) initiation or (2) re-authentication, which triggers the IKE_SA state to be set to established.
22 CVE-2014-2181 287 2014-05-07 2014-05-07
6.8
None Remote Low Single system Complete None None
Cisco Adaptive Security Appliance (ASA) Software allows remote authenticated users to read files by sending a crafted URL to the HTTP server, as demonstrated by reading the running configuration, aka Bug ID CSCun78551.
23 CVE-2014-2128 287 Bypass 2014-04-10 2014-04-10
5.0
None Remote Low Not required Partial None None
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47), 8.3 before 8.3(2.40), 8.4 before 8.4(7.3), 8.6 before 8.6(1.13), 9.0 before 9.0(3.8), and 9.1 before 9.1(3.2) allows remote attackers to bypass authentication via (1) a crafted cookie value within modified HTTP POST data or (2) a crafted URL, aka Bug ID CSCua85555.
24 CVE-2014-2075 287 Exec Code 2014-02-27 2014-02-27
10.0
None Remote Low Not required Complete Complete Complete
TIBCO Enterprise Administrator 1.0.0 and Enterprise Administrator SDK 1.0.0 do not properly enforce administrative authentication requirements, which allows remote attackers to execute arbitrary commands via unspecified vectors.
25 CVE-2014-2047 287 2014-03-14 2014-03-25
6.8
None Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in ownCloud before 6.0.2, when PHP is configured to accept session parameters through a GET request, allows remote attackers to hijack web sessions via unspecified vectors.
26 CVE-2014-2005 287 2014-06-25 2014-06-25
4.7
None Local Medium Not required Complete None None
Sophos Disk Encryption (SDE) 5.x in Sophos Enterprise Console (SEC) 5.x before 5.2.2 does not enforce intended authentication requirements for a resume action from sleep mode, which allows physically proximate attackers to obtain desktop access by leveraging the absence of a login screen.
27 CVE-2014-1984 287 2014-04-19 2014-04-21
6.8
None Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in the management screen in Cybozu Remote Service Manager through 2.3.0 and 3.x before 3.1.1 allows remote attackers to hijack web sessions via unspecified vectors.
28 CVE-2014-1982 287 1 Exec Code +Priv 2014-03-31 2014-03-31
10.0
None Remote Low Not required Complete Complete Complete
The administrative interface in Allied Telesis AT-RG634A ADSL Broadband router 3.3+, iMG624A firmware 3.5, iMG616LH firmware 2.4, and iMG646BD firmware 3.5 allows remote attackers to gain privileges and execute arbitrary commands via a direct request to cli.html.
29 CVE-2014-1911 287 2014-03-06 2014-03-07
7.8
None Remote Low Not required Complete None None
The Foscam FI8910W camera with firmware before 11.37.2.55 allows remote attackers to obtain sensitive video and image data via a blank username and password.
30 CVE-2014-1682 287 2014-05-08 2014-05-09
4.0
None Remote Low Single system None Partial None
The API in Zabbix before 1.8.20rc1, 2.0.x before 2.0.11rc1, and 2.2.x before 2.2.2rc1 allows remote authenticated users to spoof arbitrary users via the user name in a user.login request.
31 CVE-2014-1517 287 +Info CSRF 2014-04-19 2014-05-10
4.0
None Remote Low Single system Partial None None
The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to log in to the attacker's account and then submit a vulnerability report, related to a "login CSRF" issue.
32 CVE-2014-1295 287 +Info 2014-04-23 2014-04-23
6.8
None Remote Medium Not required Partial Partial Partial
Secure Transport in Apple iOS before 7.1.1, Apple OS X 10.8.x and 10.9.x through 10.9.2, and Apple TV before 6.1.1 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack."
33 CVE-2014-0769 287 2014-04-25 2014-04-25
9.3
None Remote Medium Not required Complete Complete Complete
The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion do not require authentication for connections to certain TCP ports, which allows remote attackers to (1) modify the configuration via a request to the debug service on port 4000 or (2) delete log entries via a request to the log service on port 4001.
34 CVE-2014-0760 287 DoS Exec Code 2014-04-25 2014-04-25
9.3
None Remote Medium Not required Complete Complete Complete
The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion provide an undocumented access method involving the FTP protocol, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.
35 CVE-2014-0743 287 Bypass 2014-02-26 2014-03-10
5.0
None Remote Low Not required None Partial None
The Certificate Authority Proxy Function (CAPF) component in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to bypass authentication and modify registered-device information via crafted data, aka Bug ID CSCum95468.
36 CVE-2014-0739 287 Bypass 2014-02-22 2014-03-05
4.3
None Remote Medium Not required None Partial None
Race condition in the Phone Proxy component in Cisco Adaptive Security Appliance (ASA) Software 9.1(.3) and earlier allows remote attackers to bypass sec_db authentication and provide certain pass-through services to untrusted devices via a crafted configuration-file TFTP request, aka Bug ID CSCuj66766.
37 CVE-2014-0738 287 Bypass 2014-02-22 2014-03-05
4.3
None Remote Medium Not required None Partial None
The Phone Proxy component in Cisco Adaptive Security Appliance (ASA) Software 9.1(.3) and earlier allows remote attackers to bypass authentication and change trust relationships by injecting a Certificate Trust List (CTL) file, aka Bug ID CSCuj66770.
38 CVE-2014-0737 287 Bypass 2014-02-22 2014-03-05
4.3
None Remote Medium Not required None Partial None
The Cisco Unified IP Phone 7960G 9.2(1) and earlier allows remote attackers to bypass authentication and change trust relationships by injecting a Certificate Trust List (CTL) file, aka Bug ID CSCuj66795.
39 CVE-2014-0733 287 2014-02-20 2014-02-20
5.0
None Remote Low Not required Partial None None
The Enterprise License Manager (ELM) component in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier does not properly enforce authentication requirements, which allows remote attackers to read ELM files via a direct request to a URL, aka Bug ID CSCum46494.
40 CVE-2014-0732 287 2014-02-20 2014-02-20
5.0
None Remote Low Not required Partial None None
The Real Time Monitoring Tool (RTMT) web application in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier does not properly enforce authentication requirements, which allows remote attackers to read application files via a direct request to a URL, aka Bug ID CSCum46495.
41 CVE-2014-0725 287 +Info 2014-02-13 2014-02-13
5.0
None Remote Low Not required Partial None None
Cisco Unified Communications Manager (UCM) does not require authentication for reading WAR files, which allows remote attackers to obtain sensitive information via unspecified access to a "file storage location," aka Bug ID CSCum05337.
42 CVE-2014-0722 287 DoS 2014-02-13 2014-02-13
5.0
None Remote Low Not required None None Partial
The log4jinit web application in Cisco Unified Communications Manager (UCM) does not properly validate authentication, which allows remote attackers to cause a denial of service (performance degradation) via unspecified use of this application, aka Bug ID CSCum05347.
43 CVE-2014-0674 287 DoS +Info 2014-01-23 2014-01-31
6.8
None Remote Medium Not required Partial Partial Partial
Cisco Video Surveillance Operations Manager (VSOM) does not require authentication for MySQL database connections, which allows remote attackers to obtain sensitive information, modify data, or cause a denial of service by leveraging network connectivity from a client system with a crafted host name, aka Bug ID CSCud10992.
44 CVE-2014-0643 287 Bypass 2014-05-16 2014-05-16
7.6
None Remote High Not required Complete Complete Complete
EMC RSA NetWitness before 9.8.5.19 and RSA Security Analytics before 10.2.4 and 10.3.x before 10.3.2, when Kerberos PAM is enabled, do not require a password, which allows remote attackers to bypass authentication by leveraging knowledge of a valid account name.
45 CVE-2014-0635 287 2014-04-01 2014-04-01
7.5
None Remote Medium Single system Complete Partial Partial
Session fixation vulnerability in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 allows remote attackers to hijack web sessions via unspecified vectors.
46 CVE-2014-0357 287 2014-04-15 2014-05-10
5.0
None Remote Low Not required Partial None None
Amtelco miSecureMessages allows remote attackers to read the messages of arbitrary users via an XML request containing a valid license key and a modified contactID value, as demonstrated by a request from the iOS or Android application.
47 CVE-2014-0353 287 Bypass 2014-04-15 2014-04-15
6.1
None Local Network Low Not required Complete None None
The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allows remote attackers to bypass authentication by using %2F sequences in place of / (slash) characters.
48 CVE-2014-0348 287 2014-04-15 2014-04-15
3.5
None Remote Medium Single system Partial None None
The Artiva Agency Single Sign-On (SSO) implementation in Artiva Workstation 1.3.x before 1.3.9, Artiva Rm 3.1 MR7, Artiva Healthcare 5.2 MR5, and Artiva Architect 3.2 MR5, when the domain-name option is enabled, allows remote attackers to log in to arbitrary domain accounts by using the corresponding username on a Windows client machine.
49 CVE-2014-0214 287 2014-05-26 2014-05-29
6.8
None Remote Medium Not required Partial Partial Partial
login/token.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 creates a MoodleMobile web-service token with an infinite lifetime, which makes it easier for remote attackers to hijack sessions via a brute-force attack.
50 CVE-2014-0188 287 Bypass 2014-04-24 2014-04-24
7.5
None Remote Low Not required Partial Partial Partial
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to a passthrough trigger.
Total number of vulnerabilities: 888. Page 1 of 18.