Asterisk Open Source 1.2.x before 1.2.26 and 1.4.x before 1.4.16, and Business Edition B.x.x before B.2.3.6 and C.x.x before C.1.0-beta8, when using database-based registrations ("realtime") and host-based authentication, does not check the IP address when the username is correct and there is no password, which allows remote attackers to bypass authentication using a valid username.
Max CVSS
4.3
EPSS Score
0.65%
Published
2007-12-20
Updated
2018-10-15
Flat PHP Board 1.2 and earlier allows remote attackers to bypass authentication and obtain limited access to an arbitrary user account via the fpb_username cookie.
Max CVSS
5.0
EPSS Score
0.32%
Published
2007-12-17
Updated
2018-10-15
The proxy server in Kerio WinRoute Firewall before 6.4.1 does not properly enforce authentication for HTTPS pages, which has unknown impact and attack vectors. NOTE: it is not clear whether this issue crosses privilege boundaries.
Max CVSS
2.1
EPSS Score
0.06%
Published
2007-12-15
Updated
2017-08-08
Unspecified vulnerability in the Image Converter functionality in BEA WebLogic Mobility Server 3.3, 3.5, and 3.6 through 3.6 SP1 allows remote attackers to obtain application file and resource access via unspecified vectors.
Max CVSS
7.5
EPSS Score
2.06%
Published
2007-12-15
Updated
2017-08-08
cp.php in DeluxeBB 1.09 does not verify that the membercookie parameter corresponds to the authenticated member during a profile update, which allows remote authenticated users to change the e-mail addresses of arbitrary accounts via a modified membercookie parameter, a different vector than CVE-2006-4078. NOTE: this can be leveraged for administrative access by requesting password-reset e-mail through a lostpw action to misc.php.
Max CVSS
9.0
EPSS Score
0.89%
Published
2007-12-04
Updated
2018-10-15
index.php in FTP Admin 0.1.0 allows remote attackers to bypass authentication and obtain administrative access via a loggedin parameter with a value of true, as demonstrated by adding a user account.
Max CVSS
10.0
EPSS Score
0.76%
Published
2007-12-04
Updated
2017-09-29
The American Power Conversion (APC) AP7932 0u 30amp Switched Rack Power Distribution Unit (PDU), with rpdu 3.5.5 and aos 3.5.6, allows remote attackers to bypass authentication and obtain login access by making a login attempt while a different client is logged in, and then resubmitting the login attempt once the other client exits.
Max CVSS
7.1
EPSS Score
1.26%
Published
2007-12-04
Updated
2018-10-15
Unspecified vulnerability in Hitachi JP1/File Transmission Server/FTP 01-00 through 08-10-01 allows remote attackers to bypass authentication and "view files" via unspecified vectors.
Max CVSS
5.0
EPSS Score
0.48%
Published
2007-11-27
Updated
2017-07-29
gnump3d 2.9final does not apply password protection to its plugins, which might allow remote attackers to bypass intended access restrictions.
Max CVSS
5.0
EPSS Score
0.64%
Published
2007-11-26
Updated
2011-03-08
Unspecified vulnerability in main.php of BugHotel Reservation System before 4.9.9 P3 allows remote attackers to bypass authentication and gain administrative access via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Max CVSS
10.0
EPSS Score
0.31%
Published
2007-11-16
Updated
2008-09-05
TestLink before 1.7.1 does not enforce an unspecified authorization mechanism, which has unknown impact and attack vectors.
Max CVSS
10.0
EPSS Score
0.34%
Published
2007-11-15
Updated
2008-11-15
blocks/shoutbox_block.php in BtiTracker 1.4.4 does not verify user accounts, which allows remote attackers to post shoutbox entries as arbitrary users via a modified nick field.
Max CVSS
7.5
EPSS Score
1.28%
Published
2007-11-15
Updated
2017-07-29
details.php in BtiTracker before 1.4.5, when torrent viewing is disabled for guests, allows remote attackers to bypass protection mechanisms via a direct request, as demonstrated by (1) reading the details of an arbitrary torrent and (2) modifying a torrent owned by a guest.
Max CVSS
6.8
EPSS Score
1.28%
Published
2007-11-15
Updated
2017-07-29
dirsys/modules/auth.php in JBC Explorer 7.20 RC1 and earlier does not require authentication, which allows remote attackers to (1) delete auth.inc.php via the suppr parameter, and (2) re-create the auth.inc.php file with contents that specify a new account name and password for JBC Explorer via the login and password parameters.
Max CVSS
6.8
EPSS Score
1.93%
Published
2007-11-10
Updated
2018-10-15
Java in Mac OS X 10.4 through 10.4.11 allows remote attackers to bypass Keychain access controls and add or delete arbitrary Keychain items via a crafted Java applet.
Max CVSS
9.4
EPSS Score
2.09%
Published
2007-12-18
Updated
2011-03-08
Mail in Apple Mac OS X 10.4.11 and 10.5.1, when an SMTP account has been set up using Account Assistant, can use plaintext authentication even when MD5 Challenge-Response authentication is available, which makes it easier for remote attackers to sniff account activity.
Max CVSS
6.4
EPSS Score
0.74%
Published
2007-12-19
Updated
2017-07-29
SQLLoginModule in Apache Geronimo 2.0 through 2.1 does not throw an exception for a nonexistent username, which allows remote attackers to bypass authentication via a login attempt with any username not contained in the database.
Max CVSS
7.5
EPSS Score
0.62%
Published
2007-11-03
Updated
2011-03-08
The Vonage Motorola Phone Adapter VT 2142-VD does not properly verify that a SIP INVITE message originated from a legitimate server, which allows remote attackers to send spoofed INVITE messages, as demonstrated by a flood of messages triggering a denial of service, and by phone calls with malicious content.
Max CVSS
10.0
EPSS Score
3.56%
Published
2007-11-01
Updated
2017-07-29
The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162.
Max CVSS
5.0
EPSS Score
0.60%
Published
2007-11-14
Updated
2017-09-29
adduser.php in PHP-AGTC Membership (AGTC-Membership) System 1.1a does not require authentication, which allows remote attackers to create accounts via a modified form, as demonstrated by an account with admin (userlevel 4) privileges.
Max CVSS
7.5
EPSS Score
4.68%
Published
2007-10-31
Updated
2018-10-15
The Gentoo ebuild of MLDonkey before 2.9.0-r3 has a p2p user account with an empty default password and valid login shell, which might allow remote attackers to obtain login access and execute arbitrary code.
Max CVSS
6.8
EPSS Score
0.60%
Published
2007-10-30
Updated
2008-09-05
Basic Analysis and Security Engine (BASE) before 1.3.8 sends a redirect to the web browser but does not exit, which allows remote attackers to bypass authentication via (1) base_main.php, (2) base_qry_alert.php, and possibly other vectors.
Max CVSS
7.5
EPSS Score
1.98%
Published
2007-10-18
Updated
2017-07-29
Unspecified vulnerability in HP Select Identity 4.01 through 4.01.010 and 4.10 through 4.13.001 allows remote attackers to obtain unspecified access via unknown vectors.
Max CVSS
10.0
EPSS Score
2.67%
Published
2007-10-12
Updated
2011-03-08
The Thomson/Alcatel SpeedTouch 7G router, as used for the BT Home Hub 6.2.6.B and earlier, allows remote attackers on an intranet to bypass authentication and gain administrative access via vectors including a '/' (slash) character at the end of the PATH_INFO to cgi/b, aka "double-slash auth bypass." NOTE: remote attackers outside the intranet can exploit this by leveraging a separate CSRF vulnerability. NOTE: SpeedTouch 780 might also be affected by some of these issues.
Max CVSS
10.0
EPSS Score
2.32%
Published
2007-10-12
Updated
2018-10-15
cp_memberedit.php in LightBlog 8.4.1.1 does not check for administrative credentials when processing an admin action, which allows remote authenticated users to increase the privileges of any account.
Max CVSS
6.5
EPSS Score
0.89%
Published
2007-10-11
Updated
2017-09-29
69 vulnerabilities found
1 2 3
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!