CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2013(Bypass)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2013-7093 287 Bypass 2013-12-13 2013-12-16
5.0
None Remote Low Not required None Partial None
SAP Network Interface Router (SAProuter) 39.3 SP4 allows remote attackers to bypass authentication and modify the configuration via unspecified vectors.
2 CVE-2013-7081 264 Bypass 2013-12-23 2014-01-13
4.9
None Remote Medium Single system Partial Partial None
The (old) Form Content Element component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated editors to generate arbitrary HMAC signatures and bypass intended access restrictions via unspecified vectors.
3 CVE-2013-7067 264 Bypass 2013-12-18 2013-12-19
5.8
None Remote Medium Not required Partial Partial None
The OG Features module 6.x-1.x before 6.x-1.4 for Drupal does not properly override pages that have an access callback set to false, which allows remote attackers to bypass intended access restrictions via a request.
4 CVE-2013-6986 310 Bypass +Info 2013-12-12 2013-12-19
2.1
None Local Low Not required Partial None None
The ZippyYum Subway CA Kiosk app 3.4 for iOS uses cleartext storage in SQLite cache databases, which allows attackers to obtain sensitive information by reading data elements, as demonstrated by password elements.
5 CVE-2013-6979 287 Bypass 2013-12-23 2014-01-03
5.4
None Remote High Not required Complete None None
The VTY authentication implementation in Cisco IOS XE 03.02.xxSE and 03.03.xxSE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.
6 CVE-2013-6972 200 Bypass +Info 2013-12-14 2014-01-13
5.0
None Remote Low Not required Partial None None
Cisco WebEx Training Center allows remote attackers to discover session numbers, and bypass host approval for audio-conference attendance, by reading HTML source code, aka Bug ID CSCul57126.
7 CVE-2013-6965 264 Bypass 2013-12-14 2014-01-13
5.0
None Remote Low Not required Partial None None
The registration component in Cisco WebEx Training Center provides the training-session URL before e-mail confirmation is completed, which allows remote attackers to bypass intended access restrictions and join an audio conference by entering credential fields from this URL, aka Bug ID CSCul36183.
8 CVE-2013-6964 264 Bypass 2013-12-14 2013-12-16
3.5
None Remote Medium Single system None Partial None
Cisco WebEx Meeting Center allows remote authenticated users to bypass access control and inject content from a different WebEx site via unspecified vectors, aka Bug ID CSCul36197.
9 CVE-2013-6945 264 Bypass 2013-12-04 2014-02-25
7.5
None Remote Low Not required Partial Partial Partial
The M2M Broker in OSEHRA VistA, as distributed before September 30, 2013, allows attackers to bypass authentication and authorization to perform doctor-only actions and read or modify patient records via unspecified vectors related to a "logic flaw."
10 CVE-2013-6926 264 Bypass 2013-12-16 2013-12-17
8.0
None Remote Low Single system Partial Partial Complete
The integrated HTTPS server in Siemens RuggedCom ROS before 3.12.2 allows remote authenticated users to bypass intended restrictions on administrative actions by leveraging access to a (1) guest or (2) operator account.
11 CVE-2013-6920 287 Bypass 2013-12-06 2013-12-09
10.0
None Remote Low Not required Complete Complete Complete
Siemens SINAMICS S/G controllers with firmware before 4.6.11 do not require authentication for FTP and TELNET sessions, which allows remote attackers to bypass intended access restrictions via TCP traffic to port (1) 21 or (2) 23.
12 CVE-2013-6918 264 Bypass 2013-11-30 2014-03-05
5.8
None Remote Medium Not required Partial Partial None
The web interface on the Satechi travel router 1.5, when Wi-Fi is used for WAN access, exposes the console without authentication on the WAN IP address regardless of the "Web Management via WAN" setting, which allows remote attackers to bypass intended access restrictions via HTTP requests.
13 CVE-2013-6828 287 Bypass 2013-11-20 2013-11-21
6.4
None Remote Low Not required Partial Partial None
admin/management.html in PineApp Mail-SeCure allows remote attackers to bypass authentication and perform a sys_usermng operation via the it parameter.
14 CVE-2013-6823 264 Bypass 2013-11-20 2013-11-20
6.4
None Remote Low Not required Partial Partial None
GRMGApp in SAP NetWeaver allows remote attackers to bypass intended access restrictions via unspecified vectors.
15 CVE-2013-6818 264 Bypass 2013-11-20 2013-11-20
6.4
None Remote Low Not required Partial Partial None
SAP NetWeaver Logviewer 6.30, when running on Windows, allows remote attackers to bypass intended access restrictions via unspecified vectors.
16 CVE-2013-6802 264 Bypass 2013-11-18 2013-12-13
5.8
None Remote Medium Not required Partial Partial None
Google Chrome before 31.0.1650.57 allows remote attackers to bypass intended sandbox restrictions by leveraging access to a renderer process, as demonstrated during a Mobile Pwn2Own competition at PacSec 2013, a different vulnerability than CVE-2013-6632.
17 CVE-2013-6798 264 Bypass 2013-11-17 2013-12-13
5.8
None Remote Medium Not required Partial Partial None
BlackBerry Link before 1.2.1.31 on Windows and before 1.1.1 build 39 on Mac OS X does not properly determine the user account for execution of Peer Manager in certain situations involving successive logins with different accounts, which allows context-dependent attackers to bypass intended restrictions on remote file-access folders via IPv6 WebDAV requests, a different vulnerability than CVE-2013-3694.
18 CVE-2013-6709 200 Bypass +Info 2013-12-14 2014-01-13
5.0
None Remote Low Not required Partial None None
The registration component in Cisco WebEx Training Center provides the training-session URL before payment is completed, which allows remote attackers to bypass intended access restrictions and join an audio conference by entering credential fields from this URL, aka Bug ID CSCul57111.
19 CVE-2013-6689 20 Bypass 2013-11-17 2013-11-19
6.9
None Local Medium Not required Complete Complete Complete
Cisco Unified Communications Manager (Unified CM) 9.1(1) and earlier allows local users to bypass file permissions, and read, modify, or create arbitrary files, via an "overload" of the command-line utility, aka Bug ID CSCui58229.
20 CVE-2013-6428 264 Bypass 2013-12-14 2014-03-05
4.0
None Remote Low Single system None Partial None
The ReST API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 allows remote authenticated users to bypass the tenant scoping restrictions via a modified tenant_id in the request path.
21 CVE-2013-6426 264 Bypass 2013-12-14 2014-03-05
4.0
None Remote Low Single system None Partial None
The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 does not properly enforce policy rules, which allows local in-instance users to bypass intended access restrictions and (1) create a stack via the CreateStack method or (2) update a stack via the UpdateStack method.
22 CVE-2013-6417 264 Bypass 2013-12-06 2014-04-01
6.4
None Remote Low Not required Partial Partial None
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
23 CVE-2013-6410 264 Bypass 2013-12-07 2013-12-09
7.5
None Remote Low Not required Partial Partial Partial
nbd-server in Network Block Device (nbd) before 3.5 does not properly check IP addresses, which might allow remote attackers to bypass intended access restrictions via an IP address that has a partial match in the authfile configuration file.
24 CVE-2013-6403 264 Bypass 2013-12-24 2013-12-26
6.8
None Remote Medium Not required Partial Partial Partial
The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB.
25 CVE-2013-6386 310 Bypass 2013-12-07 2014-01-13
6.8
None Remote Medium Not required Partial Partial Partial
Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack.
26 CVE-2013-6383 264 Bypass 2013-11-26 2014-03-26
6.9
None Local Medium Not required Complete Complete Complete
The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call.
27 CVE-2013-6271 264 Bypass 2013-12-14 2013-12-18
8.8
None Remote Medium Not required Complete Complete None
Android 4.0 through 4.3 allows attackers to bypass intended access restrictions and remove device locks via a crafted application that invokes the updateUnlockMethodAndFinish method in the com.android.settings.ChooseLockGeneric class with the PASSWORD_QUALITY_UNSPECIFIED option.
28 CVE-2013-6246 264 Bypass +Info 2013-10-23 2013-10-24
5.0
None Remote Low Not required Partial None None
The Dell Quest One Password Manager, possibly 5.0, allows remote attackers to bypass CAPTCHA protections and obtain sensitive information (user's full name) by sending a login request with a valid domain and username but without the CaptchaType, UseCaptchaEveryTime, and CaptchaResponse parameters.
29 CVE-2013-6230 264 Bypass 2013-11-07 2013-11-14
6.8
None Remote Medium Not required Partial Partial Partial
The Winsock WSAIoctl API in Microsoft Windows Server 2008, as used in ISC BIND 9.6-ESV before 9.6-ESV-R10-P1, 9.8 before 9.8.6-P1, 9.9 before 9.9.4-P1, 9.9.3-S1, 9.9.4-S1, and other products, does not properly support the SIO_GET_INTERFACE_LIST command for netmask 255.255.255.255, which allows remote attackers to bypass intended IP address restrictions by leveraging misinterpretation of this netmask as a 0.0.0.0 netmask.
30 CVE-2013-6180 264 Bypass 2013-12-09 2014-01-07
6.8
None Remote Medium Not required Partial Partial Partial
EMC RSA Security Analytics (SA) 10.x before 10.3, and RSA NetWitness NextGen 9.8, does not ensure that SA Core requests originate from the SA REST UI, which allows remote attackers to bypass intended access restrictions by sending a Core request from a web browser or other unintended user agent.
31 CVE-2013-6171 287 Bypass 2013-12-09 2013-12-11
5.8
None Remote Medium Not required Partial Partial None
checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server.
32 CVE-2013-6122 20 DoS Mem. Corr. Bypass 2013-11-12 2013-11-13
6.9
None Local Medium Not required Complete Complete Complete
goodix_tool.c in the Goodix gt915 touchscreen driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly synchronize updates to a global variable, which allows local users to bypass intended access restrictions or cause a denial of service (memory corruption) via crafted arguments to the procfs write handler.
33 CVE-2013-6077 264 Bypass 2013-11-05 2013-11-06
5.8
None Remote Medium Not required Partial Partial None
Citrix XenDesktop 7.0, when upgraded from XenDesktop 5.x, does not properly enforce policy rule permissions, which allows remote attackers to bypass intended restrictions.
34 CVE-2013-6075 119 DoS Overflow Bypass 2013-11-02 2013-11-21
5.0
None Remote Low Not required None None Partial
The compare_dn function in utils/identification.c in strongSwan 4.3.3 through 5.1.1 allows (1) remote attackers to cause a denial of service (out-of-bounds read, NULL pointer dereference, and daemon crash) or (2) remote authenticated users to impersonate arbitrary users and bypass access restrictions via a crafted ID_DER_ASN1_DN ID, related to an "insufficient length check" during identity comparison.
35 CVE-2013-6026 264 Bypass 2013-10-19 2013-10-21
10.0
None Remote Low Not required Complete Complete Complete
The web interface on D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers; Planex BRL-04R, BRL-04UR, and BRL-04CW routers; and Alpha Networks routers allows remote attackers to bypass authentication and modify settings via an xmlset_roodkcableoj28840ybtide User-Agent HTTP header, as exploited in the wild in October 2013.
36 CVE-2013-6012 287 Bypass 2013-10-28 2013-10-29
8.5
None Remote Medium Single system Complete Complete Complete
Juniper Junos 12.1X44 before 12.1.X44-D20 and 12.1X45 before 12.1X45-D15, when the no-validate option is enabled, does not properly handle configuration validation errors during the config commit phase of the boot-up sequence, which allows remote attackers to bypass authentication via unspecified vectors.
37 CVE-2013-6006 287 Bypass 2013-12-27 2013-12-30
5.8
None Remote Medium Not required Partial Partial None
Cybozu Garoon 3.5 through 3.7 SP2 allows remote attackers to bypass Keitai authentication via a modified user ID in a request.
38 CVE-2013-5960 310 Bypass 2013-09-30 2013-10-10
5.8
None Remote Medium Not required Partial Partial None
The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.
39 CVE-2013-5740 Exec Code Bypass 2013-09-12 2013-09-13
6.9
None Local Medium Not required Complete Complete Complete
Unspecified vulnerability in the Intel Trusted Execution Technology (TXT) SINIT Authenticated Code Modules (ACM) before 1.2, as used by the Intel QM77, QS77, Q77 Express, C216, Q67 Express, C202, C204, and C206 chipsets and Mobile Intel QM67 and QS67 chipsets, when the measured launch environment (MLE) is invoked, allows local users to bypass the Trusted Execution Technology protection mechanism and perform other unspecified SINIT ACM functions via unspecified vectors.
40 CVE-2013-5710 264 Bypass 2013-09-23 2013-10-23
3.7
None Local High Not required Partial Partial Partial
The nullfs implementation in sys/fs/nullfs/null_vnops.c in the kernel in FreeBSD 8.3 through 9.2 allows local users with certain permissions to bypass access restrictions via a hardlink in a nullfs instance to a file in a different instance.
41 CVE-2013-5679 310 Bypass 2013-09-30 2013-10-10
2.6
None Local High Not required Partial Partial None
The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length.
42 CVE-2013-5663 264 Bypass 2013-08-31 2013-09-30
4.3
None Remote Medium Not required None Partial None
The App-ID cache feature in Palo Alto Networks PAN-OS before 4.0.14, 4.1.x before 4.1.11, and 5.0.x before 5.0.2 allows remote attackers to bypass intended security policies via crafted requests that trigger invalid caching, as demonstrated by incorrect identification of HTTP traffic as SIP traffic, aka Ref ID 47195.
43 CVE-2013-5636 255 Bypass 2013-11-30 2013-12-02
3.3
None Local Medium Not required Partial Partial None
Unlock.exe in Media Encryption EPM Explorer in Check Point Endpoint Security through E80.50 does not associate password failures with a device ID, which makes it easier for physically proximate attackers to bypass the device-locking protection mechanism by overwriting DVREM.EPM with a copy of itself after each few password guesses.
44 CVE-2013-5635 255 Bypass 2013-11-30 2013-12-02
3.3
None Local Medium Not required Partial Partial None
Media Encryption EPM Explorer in Check Point Endpoint Security through E80.50 does not properly maintain the state of password failures, which makes it easier for physically proximate attackers to bypass the device-locking protection mechanism by entering password guesses within multiple Unlock.exe processes that are running simultaneously.
45 CVE-2013-5614 264 Bypass 2013-12-11 2014-01-30
4.3
None Remote Medium Not required None Partial None
Mozilla Firefox before 26.0 and SeaMonkey before 2.23 do not properly consider the sandbox attribute of an IFRAME element during processing of a contained OBJECT element, which allows remote attackers to bypass intended sandbox restrictions via a crafted web site.
46 CVE-2013-5606 264 Bypass 2013-11-18 2014-03-05
5.8
None Remote Medium Not required Partial Partial None
The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate.
47 CVE-2013-5576 20 1 Bypass 2013-10-09 2013-11-30
6.8
None Remote Medium Not required Partial Partial Partial
administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allows remote authenticated users or remote attackers to bypass intended access restrictions and upload files with dangerous extensions via a filename with a trailing . (dot), as exploited in the wild in August 2013.
48 CVE-2013-5561 20 Bypass 2013-11-04 2013-11-15
5.0
None Remote Low Not required Partial None None
The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622.
49 CVE-2013-5552 264 Bypass 2013-11-13 2013-11-14
6.4
None Remote Low Not required Partial Partial None
Cisco IOS 12.4(24)MDB9 and earlier on Content Services Gateway (CSG) devices does not properly implement the "parse error drop" feature, which allows remote attackers to bypass intended access restrictions via a crafted series of packets, aka Bug ID CSCug90143.
50 CVE-2013-5548 264 Bypass 2013-10-31 2013-11-21
4.3
None Remote Medium Not required None Partial None
The IKEv2 implementation in Cisco IOS, when AES-GCM or AES-GMAC is used, allows remote attackers to bypass certain IPsec anti-replay features via IPsec tunnel traffic, aka Bug ID CSCuj47795.
Total number of vulnerabilities : 350   Page : 1 (This Page)2 3 4 5 6 7
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.