CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-287

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-5804 287 Bypass 2016-07-15 2016-07-19
5.0
None Remote Low Not required Partial None None
Moxa MGate MB3180 before 1.8, MGate MB3280 before 2.7, MGate MB3480 before 2.6, MGate MB3170 before 2.5, and MGate MB3270 before 2.7 use weak encryption, which allows remote attackers to bypass authentication via a brute-force series of guesses for a parameter value.
2 CVE-2016-5133 287 2016-07-23 2016-07-28
4.3
None Remote Medium Not required None Partial None
Google Chrome before 52.0.2743.82 mishandles origin information during proxy authentication, which allows man-in-the-middle attackers to spoof a proxy-authentication login prompt or trigger incorrect credential storage by modifying the client-server data stream.
3 CVE-2016-4510 287 Bypass 2016-06-09 2016-06-10
6.4
None Remote Low Not required Partial Partial None
The WAP interface in Trihedral VTScada (formerly VTS) 8.x through 11.x before 11.2.02 allows remote attackers to bypass authentication and read arbitrary files via unspecified vectors.
4 CVE-2016-4503 287 Bypass 2016-07-11 2016-07-12
5.0
None Remote Low Not required Partial None None
Moxa Device Server Web Console 5232-N allows remote attackers to bypass authentication, and consequently modify settings and data, via vectors related to reading a cookie parameter containing a UserId value.
5 CVE-2016-4432 287 Bypass 2016-06-01 2016-06-15
5.0
None Remote Low Not required None Partial None
The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging.
6 CVE-2016-4422 287 +Priv Bypass 2016-05-06 2016-05-10
10.0
None Remote Low Not required Complete Complete Complete
The pam_sm_authenticate function in pam_sshauth.c in libpam-sshauth might allow context-dependent attackers to bypass authentication or gain privileges via a system user account.
7 CVE-2016-3085 287 Bypass 2016-06-10 2016-06-14
5.8
None Remote Medium Not required Partial Partial None
Apache CloudStack 4.5.x before 4.5.2.1, 4.6.x before 4.6.2.1, 4.7.x before 4.7.1.1, and 4.8.x before 4.8.0.1, when SAML-based authentication is enabled and used, allow remote attackers to bypass authentication and access the user interface via vectors related to the SAML plugin.
8 CVE-2016-2300 287 Bypass 2016-04-21 2016-04-27
6.4
None Remote Low Not required Partial Partial None
Ecava IntegraXor before 5.0 build 4522 allows remote attackers to bypass authentication and access unspecified web pages via unknown vectors.
9 CVE-2016-2286 287 2016-05-30 2016-06-01
5.0
None Remote Low Not required Partial None None
Moxa MiiNePort_E1_4641 devices with firmware 1.1.10 Build 09120714, MiiNePort_E1_7080 devices with firmware 1.1.10 Build 09120714, MiiNePort_E2_1242 devices with firmware 1.1 Build 10080614, MiiNePort_E2_4561 devices with firmware 1.1 Build 10080614, and MiiNePort E3 devices with firmware 1.0 Build 11071409 have a blank default password, which allows remote attackers to obtain access via unspecified vectors.
10 CVE-2016-2245 287 Bypass 2016-03-19 2016-03-22
10.0
None Remote Low Not required Complete Complete Complete
HP Support Assistant before 8.1.52.1 allows remote attackers to bypass authentication via unspecified vectors.
11 CVE-2016-2076 287 2016-04-15 2016-08-03
6.8
None Remote Medium Not required Partial Partial Partial
Client Integration Plugin (CIP) in VMware vCenter Server 5.5 U3a, U3b, and U3c and 6.0 before U2; vCloud Director 5.5.5; and vRealize Automation Identity Appliance 6.2.4 before 6.2.4.1 mishandles session content, which allows remote attackers to hijack sessions via a crafted web site.
12 CVE-2016-2012 287 Bypass 2016-05-07 2016-08-23
7.5
None Remote Low Not required Partial Partial Partial
HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 10.01 allows remote attackers to bypass authentication via unspecified vectors.
13 CVE-2016-1427 287 +Info 2016-06-17 2016-06-20
5.0
None Remote Low Not required Partial None None
The System Configuration Protocol (SCP) core messaging interface in Cisco Prime Network Registrar 8.2 before 8.2.3.1 and 8.3 before 8.3.2 allows remote attackers to obtain sensitive information via crafted SCP messages, aka Bug ID CSCuv35694.
14 CVE-2016-1387 287 Exec Code 2016-05-05 2016-05-06
9.0
None Remote Low Not required Partial Partial Complete
The XML API in TelePresence Codec (TC) 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, and 7.3.5 and Collaboration Endpoint (CE) 8.0.0, 8.0.1, and 8.1.0 in Cisco TelePresence Software mishandles authentication, which allows remote attackers to execute control commands or make configuration changes via an API request, aka Bug ID CSCuz26935.
15 CVE-2016-1356 287 2016-03-03 2016-03-04
4.3
None Remote Medium Not required Partial None None
Cisco FireSIGHT System Software 6.1.0 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to enumerate valid usernames by measuring timing differences, aka Bug ID CSCuy41615.
16 CVE-2016-1329 287 2016-03-03 2016-03-18
10.0
None Remote Low Not required Complete Complete Complete
Cisco NX-OS 6.0(2)U6(1) through 6.0(2)U6(5) on Nexus 3000 devices and 6.0(2)A6(1) through 6.0(2)A6(5) and 6.0(2)A7(1) on Nexus 3500 devices has hardcoded credentials, which allows remote attackers to obtain root privileges via a (1) TELNET or (2) SSH session, aka Bug ID CSCuy25800.
17 CVE-2016-1307 287 2016-02-07 2016-02-24
5.5
None Remote Low Single system Partial Partial None
The Openfire server in Cisco Finesse Desktop 10.5(1) and 11.0(1) and Unified Contact Center Express 10.6(1) has a hardcoded account, which makes it easier for remote attackers to obtain access via an XMPP session, aka Bug ID CSCuw79085.
18 CVE-2016-1278 287 +Priv 2016-08-05 2016-08-12
6.9
None Local Medium Not required Complete Complete Complete
Juniper Junos OS before 12.1X46-D50 on SRX Series devices reverts to "safe mode" authentication and allows root CLI logins without a password after a failed upgrade to 12.1X46, which might allow local users to gain privileges by leveraging use of the "request system software" command with the "partition" option.
19 CVE-2016-0916 287 Exec Code 2016-06-09 2016-06-24
10.0
None Remote Low Not required Complete Complete Complete
EMC NetWorker 8.2.1.x and 8.2.2.x before 8.2.2.6 and 9.x before 9.0.0.6 mishandles authentication, which allows remote attackers to execute arbitrary commands by leveraging access to a different NetWorker instance.
20 CVE-2016-0755 287 2016-01-29 2016-02-17
5.0
None Remote Low Not required None Partial None
The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
21 CVE-2016-0733 287 Bypass 2016-04-12 2016-04-18
7.5
None Remote Low Not required Partial Partial Partial
The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which allows remote attackers to bypass authentication by leveraging knowledge of a valid username.
22 CVE-2015-8269 287 +Info 2016-02-04 2016-02-24
6.5
None Remote Low Single system Partial Partial Partial
The API on Fisher-Price Smart Toy Bear devices allows remote attackers to obtain sensitive information or modify data by leveraging presence in an 802.11 network's coverage area and entering an account number.
23 CVE-2015-7938 287 Bypass 2016-01-08 2016-01-18
10.0
None Remote Low Not required Complete Complete Complete
Advantech EKI-132x devices with firmware before 2015-12-31 allow remote attackers to bypass authentication via unspecified vectors.
24 CVE-2015-7914 287 Bypass 2016-02-06 2016-02-23
9.3
None Remote Medium Not required Complete Complete Complete
Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 allows remote attackers to bypass authentication by leveraging knowledge of a password hash without knowledge of the associated password.
25 CVE-2015-7755 287 2015-12-19 2015-12-21
10.0
None Remote Low Not required Complete Complete Complete
Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before 6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b, 6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20 before 6.3.0r21 allows remote attackers to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session.
26 CVE-2015-7521 287 Bypass 2016-01-29 2016-02-29
7.5
None Remote Low Not required Partial Partial Partial
The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0 and 1.2.1, on clusters protected by Ranger and SqlStdHiveAuthorization, allows attackers to bypass intended parent table access restrictions via unspecified partition-level operations.
27 CVE-2015-7285 287 Bypass 2015-11-24 2015-11-25
5.8
None Remote Medium Not required Partial Partial None
CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 do not require authentication from Alarm Receiving Center (ARC) servers, which allows man-in-the-middle attackers to bypass intended access restrictions via a spoofed HSxx response.
28 CVE-2015-6480 287 2015-12-21 2015-12-21
7.5
None Remote Low Not required Partial Partial Partial
The MessageBrokerServlet servlet in Moxa OnCell Central Manager before 2.2 does not require authentication, which allows remote attackers to obtain administrative access via a command, as demonstrated by the addUserAndGroup action.
29 CVE-2015-6401 287 Bypass 2015-12-13 2015-12-14
7.5
None Remote Low Not required Partial Partial Partial
Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allow remote attackers to bypass an intended authentication requirement and execute unspecified administrative functions via a crafted HTTP request, aka Bug ID CSCux24941.
30 CVE-2015-6397 287 2016-08-07 2016-08-11
9.0
None Remote Low Single system Complete Complete Complete
Cisco RV110W, RV130W, and RV215W devices have an incorrect RBAC configuration for the default account, which allows remote authenticated users to obtain root access via a login session with that account, aka Bug IDs CSCuv90139, CSCux58175, and CSCux73557.
31 CVE-2015-6389 287 2015-12-12 2015-12-14
9.0
None Remote Low Not required Partial Partial Complete
Cisco Prime Collaboration Assurance before 11.0 has a hardcoded cmuser account, which allows remote attackers to obtain access by establishing an SSH session and leveraging knowledge of this account's password, aka Bug ID CSCus62707.
32 CVE-2015-6314 287 2016-01-14 2016-01-20
10.0
None Remote Low Not required Complete Complete Complete
Cisco Wireless LAN Controller (WLC) devices with software 7.6.x, 8.0 before 8.0.121.0, and 8.1 before 8.1.131.0 allow remote attackers to change configuration settings via unspecified vectors, aka Bug ID CSCuw06153.
33 CVE-2015-6280 287 2015-09-27 2015-09-28
9.3
None Remote Medium Not required Complete Complete Complete
The SSHv2 functionality in Cisco IOS 15.2, 15.3, 15.4, and 15.5 and IOS XE 3.6E before 3.6.3E, 3.7E before 3.7.1E, 3.10S before 3.10.6S, 3.11S before 3.11.4S, 3.12S before 3.12.3S, 3.13S before 3.13.3S, and 3.14S before 3.14.1S does not properly implement RSA authentication, which allows remote attackers to obtain login access by leveraging knowledge of a username and the associated public key, aka Bug ID CSCus73013.
34 CVE-2015-6266 287 +Info 2015-08-28 2015-08-31
5.0
None Remote Low Not required Partial None None
The guest portal in Cisco Identity Services Engine (ISE) 3300 1.2(0.899) does not restrict access to uploaded HTML documents, which allows remote attackers to obtain sensitive information from customized documents via a direct request, aka Bug ID CSCuo78045.
35 CVE-2015-5998 287 Exec Code 2015-09-14 2015-09-16
10.0
None Remote Low Not required Complete Complete Complete
Impero Education Pro before 5105 relies on the -1|AUTHENTICATE\x02PASSWORD string for authentication, which allows remote attackers to execute arbitrary programs via an encrypted command.
36 CVE-2015-5649 287 Bypass +Info 2015-10-08 2015-10-09
7.0
None Remote Medium Single system Complete Partial None
Cybozu Garoon 3.x through 3.7.5 and 4.x through 4.0.3 mishandles authentication requests, which allows remote authenticated users to conduct LDAP injection attacks, and consequently bypass intended login restrictions or obtain sensitive information, by leveraging certain group-administration privileges.
37 CVE-2015-5372 287 2015-09-28 2015-09-29
5.0
None Remote Low Not required None Partial None
The SAML 2.0 implementation in AdNovum nevisAuth 4.13.0.0 before 4.18.3.1, when using SAML POST-Binding, does not match all attributes of the X.509 certificate embedded in the assertion against the certificate from the identity provider (IdP), which allows remote attackers to inject arbitrary SAML assertions via a crafted certificate.
38 CVE-2015-4453 287 Bypass +Info 2015-07-04 2015-07-09
5.0
None Remote Low Not required Partial None None
The web interface in OpenEMR 2.x, 3.x, and 4.x before 4.2.0 patch 2 allows remote attackers to bypass authentication and obtain sensitive information via unspecified vectors.
39 CVE-2015-3775 287 2015-08-16 2015-08-19
7.2
None Local Low Not required Complete Complete Complete
Apple OS X before 10.10.5 does not properly implement authentication, which allows local users to obtain admin privileges via unspecified vectors.
40 CVE-2015-3457 287 Bypass 2015-04-29 2016-05-26
5.0
None Remote Low Not required None Partial None
Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allow remote attackers to bypass authentication via the forwarded parameter.
41 CVE-2015-2978 287 Bypass 2015-07-29 2015-07-29
5.0
None Remote Low Not required None Partial None
Webservice-DIC yoyaku_v41 allows remote attackers to bypass authentication and complete a conference-room reservation via unspecified vectors, as demonstrated by an "unintentional reservation."
42 CVE-2015-2823 287 2015-04-08 2015-04-09
6.8
None Remote Medium Not required Partial Partial Partial
Siemens SIMATIC HMI Basic Panels 2nd Generation before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC HMI Comfort Panels before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC WinCC Runtime Advanced before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC WinCC Runtime Professional before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC HMI Basic Panels 1st Generation (WinCC TIA Portal), SIMATIC HMI Mobile Panel 277 (WinCC TIA Portal), SIMATIC HMI Multi Panels (WinCC TIA Portal), and SIMATIC WinCC 7.x before 7.3 Upd4 allow remote attackers to complete authentication by leveraging knowledge of a password hash without knowledge of the associated password.
43 CVE-2015-2117 287 Exec Code 2015-04-27 2016-04-01
7.5
None Remote Low Not required Partial Partial Partial
HP TippingPoint Security Management System (SMS) and TippingPoint Virtual Security Management System (vSMS) before 4.1 patch 3 and 4.2 before patch 1 do not require authentication for JBoss RMI requests, which allows remote attackers to execute arbitrary code by (1) uploading this code within an archive or (2) instantiating a class.
44 CVE-2015-2047 287 Bypass 2015-02-23 2015-11-16
2.6
None Remote High Not required None Partial None
The rsaauth extension in TYPO3 4.3.0 through 4.3.14, 4.4.0 through 4.4.15, 4.5.0 through 4.5.39, and 4.6.0 through 4.6.18, when configured for the frontend, allows remote attackers to bypass authentication via a password that is casted to an empty value.
45 CVE-2015-2033 287 Exec Code 2015-02-20 2015-02-20
10.0
None Remote Low Not required Complete Complete Complete
Anyterm Daemon in Infoblox Network Automation NetMRI before NETMRI-23483 allows remote attackers to execute arbitrary commands with root privileges via a crafted terminal/anyterm-module request.
46 CVE-2015-1772 287 Bypass 2015-12-21 2015-12-22
4.3
None Remote Medium Not required None Partial None
The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.
47 CVE-2015-1486 287 Bypass 2015-07-31 2015-08-03
7.5
None Remote Low Not required Partial Partial Partial
The management console in Symantec Endpoint Protection Manager (SEPM) 12.1 before 12.1-RU6-MP1 allows remote attackers to bypass authentication via a crafted password-reset action that triggers a new administrative session.
48 CVE-2015-1330 287 2015-07-01 2015-07-02
6.8
None Remote Medium Not required Partial Partial Partial
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vectors.
49 CVE-2015-0670 287 2015-03-20 2015-10-22
6.4
None Remote Low Not required Partial Partial None
The default configuration of Cisco Small Business IP phones SPA 300 7.5.5 and SPA 500 7.5.5 does not properly support authentication, which allows remote attackers to read audio-stream data or originate telephone calls via a crafted XML request, aka Bug ID CSCuo52482.
50 CVE-2015-0653 287 Bypass 2015-03-12 2015-09-11
10.0
None Remote Low Not required Complete Complete Complete
The management interface in Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway before X7.2.4, X8 before X8.1.2, and X8.2 before X8.2.2 and Cisco TelePresence Conductor before X2.3.1 and XC2.4 before XC2.4.1 allows remote attackers to bypass authentication via crafted login parameters, aka Bug IDs CSCur02680 and CSCur05556.
Total number of vulnerabilities : 997   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.