Search Results (4210 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2007-1062 1 Cisco 4 Unified Ip Conference Station 7935, Unified Ip Conference Station 7935 Firmware, Unified Ip Conference Station 7936 and 1 more 2025-04-09 N/A
The Cisco Unified IP Conference Station 7935 3.2(15) and earlier, and Station 7936 3.3(12) and earlier does not properly handle administrator HTTP sessions, which allows remote attackers to bypass authentication controls via a direct URL request to the administrative HTTP interface for a limited time
CVE-2006-6783 1 Logahead 1 Logahead Unu 2025-04-09 N/A
logahead UNU 1.0 before 20061226 allows remote attackers to upload arbitrary files via unspecified vectors related to plugins/widged/_widged.php (aka the WidgEd plugin), possibly because of an authentication bypass. NOTE: some of these details are obtained from third party information.
CVE-2006-6705 1 Soumu 3 Koukyoumuke Soumu Workflow, Soumo Workflow, Soumu Workflow 2025-04-09 N/A
Multiple unspecified vulnerabilities in the template files in Soumu Workflow for Groupmax 01-00 through 01-01, Soumu Workflow 02-00 through 03-03, and Koukyoumuke Soumu Workflow 01-00 through 01-01 allow remote attackers to bypass authentication mechanisms on web pages via unknown vectors.
CVE-2007-4438 1 Ampache 1 Ampache 2025-04-09 N/A
Session fixation vulnerability in Ampache before 3.3.3.5 allows remote attackers to hijack web sessions via unspecified vectors.
CVE-2009-2505 1 Microsoft 2 Windows Server 2008, Windows Vista 2025-04-09 N/A
The Internet Authentication Service (IAS) in Microsoft Windows Vista SP2 and Server 2008 SP2 does not properly validate MS-CHAP v2 Protected Extensible Authentication Protocol (PEAP) authentication requests, which allows remote attackers to execute arbitrary code via crafted structures in a malformed request, aka "Internet Authentication Service Memory Corruption Vulnerability."
CVE-2009-2481 2 Six Apart, Sixapart 2 Movable Type, Movable Type 2025-04-09 N/A
mt-wizard.cgi in Six Apart Movable Type before 4.261, when global templates are not initialized, allows remote attackers to bypass access restrictions and (1) send e-mail to arbitrary addresses or (2) obtain sensitive information via unspecified vectors.
CVE-2009-2422 2 Apple, Rubyonrails 3 Mac Os X, Mac Os X Server, Ruby On Rails 2025-04-09 9.8 Critical
The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
CVE-2009-2410 1 Fedorahosted 1 Sssd 2025-04-09 N/A
The local_handler_callback function in server/responder/pam/pam_LOCAL_domain.c in sssd 0.4.1 does not properly handle blank-password accounts in the SSSD BE database, which allows context-dependent attackers to obtain access by sending the account's username, in conjunction with an arbitrary password, over an ssh connection.
CVE-2009-2382 1 Jay-jayx0r 1 Phpmyblockchecker 2025-04-09 9.8 Critical
admin.php in phpMyBlockchecker 1.0.0055 allows remote attackers to bypass authentication and gain administrative access by setting the PHPMYBCAdmin cookie to LOGGEDIN.
CVE-2009-1826 1 Collector 1 Mygesuad 2025-04-09 N/A
modules/admuser.php in myGesuad 0.9.14 (aka 0.9) does not require administrative authentication, which allows remote authenticated users to list user accounts via a Find action.
CVE-2009-1825 1 Collector 1 Mycolex 2025-04-09 N/A
modules/admuser.php in myColex 1.4.2 does not require administrative authentication, which allows remote authenticated users to list user accounts via a Find action.
CVE-2009-1754 1 Google 1 Android 2025-04-09 N/A
The PackageManagerService class in services/java/com/android/server/PackageManagerService.java in Android 1.5 through 1.5 CRB42 does not properly check developer certificates during processing of sharedUserId requests at an application's installation time, which allows remote user-assisted attackers to access application data by creating a package that specifies a shared user ID with an arbitrary application.
CVE-2009-1670 1 Tcpdb 1 Tcpdb 2025-04-09 N/A
user/index.php in TCPDB 3.8 does not require administrative authentication, which allows remote attackers to add admin accounts via unspecified vectors. NOTE: some of these details are obtained from third party information.
CVE-2009-1664 1 Easy-scripts 1 Answer And Question Script 2025-04-09 N/A
myaccount.php in Easy Scripts Answer and Question Script does not verify the original password before changing passwords, which allows remote attackers to change the password of other users and gain privileges via modified userid, txtpassword, and txtRpassword parameters.
CVE-2009-1638 1 T-dreams 1 Job Career Package 2025-04-09 N/A
Techno Dreams Job Career Package 3.0 allows remote attackers to bypass authentication and obtain administrative access by setting the JobCareerAdmin cookie to Login.
CVE-2009-1629 1 Antony Lesuisse 1 Ajaxterm 2025-04-09 N/A
ajaxterm.js in AjaxTerm 0.10 and earlier generates session IDs with predictable random numbers based on certain JavaScript functions, which makes it easier for remote attackers to (1) hijack a session or (2) cause a denial of service (session ID exhaustion) via a brute-force attack.
CVE-2009-1619 1 Teraway 1 Filestream 2025-04-09 N/A
Teraway FileStream 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the twFSadmin cookie to 1.
CVE-2009-1618 1 Teraway 1 Livehelp 2025-04-09 N/A
Teraway LiveHelp 2.0 allows remote attackers to bypass authentication and gain administrative access via a pwd=&lvl=1&usr=&alias=admin&userid=1 value for the TWLHadmin cookie.
CVE-2009-1617 1 Teraway 1 Linktracker 2025-04-09 N/A
Teraway LinkTracker 1.0 allows remote attackers to bypass authentication and gain administrative access via a userid=1&lvl=1 value for the twLTadmin cookie.
CVE-2009-1596 1 Igniterealtime 1 Openfire 2025-04-09 6.5 Medium
Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet.