Total
3717 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-3176 | 1 Saltstack | 1 Salt | 2025-04-20 | 4.3 MEDIUM | 5.6 MEDIUM |
| Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient. | |||||
| CVE-2017-12337 | 1 Cisco | 11 Emergency Responder, Finesse, Hosted Collaboration Solution and 8 more | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device. The vulnerability occurs when a refresh upgrade (RU) or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password. If the vulnerable device is subsequently upgraded using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product, this vulnerability is remediated by that action. Note: Engineering Special Releases that are installed as COP files, as opposed to the standard upgrade method, do not remediate this vulnerability. An attacker who can access an affected device over SFTP while it is in a vulnerable state could gain root access to the device. This access could allow the attacker to compromise the affected system completely. Cisco Bug IDs: CSCvg22923, CSCvg55112, CSCvg55128, CSCvg55145, CSCvg58619, CSCvg64453, CSCvg64456, CSCvg64464, CSCvg64475, CSCvg68797. | |||||
| CVE-2017-2767 | 1 Emc | 1 Smarts Network Configuration Manager | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| EMC Network Configuration Manager (NCM) 9.3.x, EMC Network Configuration Manager (NCM) 9.4.0.x, EMC Network Configuration Manager (NCM) 9.4.1.x, EMC Network Configuration Manager (NCM) 9.4.2.x contains a Java RMI Remote Code Execution vulnerability that could potentially be exploited by malicious users to compromise the affected system. | |||||
| CVE-2016-9361 | 1 Moxa | 51 Nport 5100 Series Firmware, Nport 5100a Series Firmware, Nport 5110 and 48 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4. Administration passwords can be retried without authenticating. | |||||
| CVE-2017-14243 | 1 Utstar | 2 Wa3002g4, Wa3002g4 Firmware | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| An authentication bypass vulnerability on UTStar WA3002G4 ADSL Broadband Modem WA3002G4-0021.01 devices allows attackers to directly access administrative settings and obtain cleartext credentials from HTML source, as demonstrated by info.cgi, upload.cgi, backupsettings.cgi, pppoe.cgi, resetrouter.cgi, and password.cgi. | |||||
| CVE-2017-16953 | 1 Zte | 2 Zxdsl 831cii, Zxdsl 831cii Firmware | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic Authentication, which allows remote attackers to modify the PPPoE configuration or set up a malicious configuration via a GET request. | |||||
| CVE-2016-7836 | 1 Skygroup | 1 Skysea Client View | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| SKYSEA Client View Ver.11.221.03 and earlier allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program. | |||||
| CVE-2017-15295 | 1 Sap | 1 Point Of Sale Xpress Server | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064. | |||||
| CVE-2017-15293 | 1 Sap | 1 Point Of Sale Xpress Server | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064. | |||||
| CVE-2017-1000020 | 3 Ecos, Greatek, Totolink | 3 Embedded Web Servers, Soho, Soho | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| SYN Flood or FIN Flood attack in ECos 1 and other versions embedded devices results in web Authentication Bypass. "eCos Embedded Web Servers used by Multiple Routers and Home devices, while sending SYN Flood or FIN Flood packets fails to validate and handle the packets and does not ask for any sign of authentication resulting in Authentication Bypass. An attacker can take complete advantage of this bug and take over the device remotely or locally. The bug has been successfully tested and reproduced in some versions of SOHO Routers manufactured by TOTOLINK, GREATEK and others." | |||||
| CVE-2015-6237 | 1 Tripwire | 1 Ip360 | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The RPC service in Tripwire (formerly nCircle) IP360 VnE Manager 7.2.2 before 7.2.6 allows remote attackers to bypass authentication and (1) enumerate users, (2) reset passwords, or (3) manipulate IP filter restrictions via crafted "privileged commands." | |||||
| CVE-2016-9124 | 1 Revive-adserver | 1 Revive Adserver | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL |
| Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a countermeasure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively allow the valid users to log in to the adserver, even while an attack is in progress. | |||||
| CVE-2017-8151 | 1 Huawei | 2 Honor 5s, Honor 5s Firmware | 2025-04-20 | 7.2 HIGH | 6.8 MEDIUM |
| Huawei Honor 5S smart phones with software the versions before TAG-TL00C01B173 have an authentication bypass vulnerability due to the improper design of some components. An attacker can get a user's smart phone and install malicious apps in the mobile phone, allowing the attacker to reset the password and fingerprint of the phone without authentication. | |||||
| CVE-2017-9860 | 1 Sma | 78 Sunny Boy 1.5, Sunny Boy 1.5 Firmware, Sunny Boy 2.5 and 75 more | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in SMA Solar Technology products. An attacker can use Sunny Explorer or the SMAdata2+ network protocol to update the device firmware without ever having to authenticate. If an attacker is able to create a custom firmware version that is accepted by the inverter, the inverter is compromised completely. This allows the attacker to do nearly anything: for example, giving access to the local OS, creating a botnet, using the inverters as a stepping stone into companies, etc. NOTE: the vendor reports that this attack has always been blocked by "a final integrity and compatibility check." Also, only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected | |||||
| CVE-2016-4460 | 1 Apache | 1 Pony Mail | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Pony Mail 0.6c through 0.8b allows remote attackers to bypass authentication. | |||||
| CVE-2016-1502 | 1 Netapp | 1 Snapcenter Server | 2025-04-20 | 7.5 HIGH | 7.3 HIGH |
| NetApp SnapCenter Server 1.0 and 1.0P1 allows remote attackers to partially bypass authentication and then list and delete backups via unspecified vectors. | |||||
| CVE-2014-9624 | 1 Mantisbt | 1 Mantisbt | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| CAPTCHA bypass vulnerability in MantisBT before 1.2.19. | |||||
| CVE-2017-2329 | 1 Juniper | 1 Northstar Controller | 2025-04-20 | 2.1 LOW | 6.2 MEDIUM |
| An insufficient authentication vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unprivileged, authenticated, user to execute certain specific unprivileged system files capable of causing widespread denials of system services. | |||||
| CVE-2017-14080 | 1 Trendmicro | 1 Mobile Security | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Authentication bypass vulnerability in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allows attackers to access a specific part of the console using a blank password. | |||||
| CVE-2017-12160 | 1 Redhat | 1 Keycloak | 2025-04-20 | 6.5 MEDIUM | 7.2 HIGH |
| It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. | |||||