CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-287

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-7938 287 Bypass 2016-01-08 2016-01-18
10.0
None Remote Low Not required Complete Complete Complete
Advantech EKI-132x devices with firmware before 2015-12-31 allow remote attackers to bypass authentication via unspecified vectors.
2 CVE-2015-7755 287 2015-12-19 2015-12-21
10.0
None Remote Low Not required Complete Complete Complete
Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before 6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b, 6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20 before 6.3.0r21 allows remote attackers to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session.
3 CVE-2015-7285 287 Bypass 2015-11-24 2015-11-25
5.8
None Remote Medium Not required Partial Partial None
CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 do not require authentication from Alarm Receiving Center (ARC) servers, which allows man-in-the-middle attackers to bypass intended access restrictions via a spoofed HSxx response.
4 CVE-2015-6480 287 2015-12-21 2015-12-21
7.5
None Remote Low Not required Partial Partial Partial
The MessageBrokerServlet servlet in Moxa OnCell Central Manager before 2.2 does not require authentication, which allows remote attackers to obtain administrative access via a command, as demonstrated by the addUserAndGroup action.
5 CVE-2015-6401 287 Bypass 2015-12-13 2015-12-14
7.5
None Remote Low Not required Partial Partial Partial
Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allow remote attackers to bypass an intended authentication requirement and execute unspecified administrative functions via a crafted HTTP request, aka Bug ID CSCux24941.
6 CVE-2015-6389 287 2015-12-12 2015-12-14
9.0
None Remote Low Not required Partial Partial Complete
Cisco Prime Collaboration Assurance before 11.0 has a hardcoded cmuser account, which allows remote attackers to obtain access by establishing an SSH session and leveraging knowledge of this account's password, aka Bug ID CSCus62707.
7 CVE-2015-6314 287 2016-01-14 2016-01-20
10.0
None Remote Low Not required Complete Complete Complete
Cisco Wireless LAN Controller (WLC) devices with software 7.6.x, 8.0 before 8.0.121.0, and 8.1 before 8.1.131.0 allow remote attackers to change configuration settings via unspecified vectors, aka Bug ID CSCuw06153.
8 CVE-2015-6280 287 2015-09-27 2015-09-28
9.3
None Remote Medium Not required Complete Complete Complete
The SSHv2 functionality in Cisco IOS 15.2, 15.3, 15.4, and 15.5 and IOS XE 3.6E before 3.6.3E, 3.7E before 3.7.1E, 3.10S before 3.10.6S, 3.11S before 3.11.4S, 3.12S before 3.12.3S, 3.13S before 3.13.3S, and 3.14S before 3.14.1S does not properly implement RSA authentication, which allows remote attackers to obtain login access by leveraging knowledge of a username and the associated public key, aka Bug ID CSCus73013.
9 CVE-2015-6266 287 +Info 2015-08-28 2015-08-31
5.0
None Remote Low Not required Partial None None
The guest portal in Cisco Identity Services Engine (ISE) 3300 1.2(0.899) does not restrict access to uploaded HTML documents, which allows remote attackers to obtain sensitive information from customized documents via a direct request, aka Bug ID CSCuo78045.
10 CVE-2015-5998 287 Exec Code 2015-09-14 2015-09-16
10.0
None Remote Low Not required Complete Complete Complete
Impero Education Pro before 5105 relies on the -1|AUTHENTICATE\x02PASSWORD string for authentication, which allows remote attackers to execute arbitrary programs via an encrypted command.
11 CVE-2015-5649 287 Bypass +Info 2015-10-08 2015-10-09
7.0
None Remote Medium Single system Complete Partial None
Cybozu Garoon 3.x through 3.7.5 and 4.x through 4.0.3 mishandles authentication requests, which allows remote authenticated users to conduct LDAP injection attacks, and consequently bypass intended login restrictions or obtain sensitive information, by leveraging certain group-administration privileges.
12 CVE-2015-5372 287 2015-09-28 2015-09-29
5.0
None Remote Low Not required None Partial None
The SAML 2.0 implementation in AdNovum nevisAuth 4.13.0.0 before 4.18.3.1, when using SAML POST-Binding, does not match all attributes of the X.509 certificate embedded in the assertion against the certificate from the identity provider (IdP), which allows remote attackers to inject arbitrary SAML assertions via a crafted certificate.
13 CVE-2015-4453 287 Bypass +Info 2015-07-04 2015-07-09
5.0
None Remote Low Not required Partial None None
The web interface in OpenEMR 2.x, 3.x, and 4.x before 4.2.0 patch 2 allows remote attackers to bypass authentication and obtain sensitive information via unspecified vectors.
14 CVE-2015-3775 287 2015-08-16 2015-08-19
7.2
None Local Low Not required Complete Complete Complete
Apple OS X before 10.10.5 does not properly implement authentication, which allows local users to obtain admin privileges via unspecified vectors.
15 CVE-2015-3457 287 Bypass 2015-04-29 2015-05-14
5.0
None Remote Low Not required None Partial None
Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote attackers to bypass authentication via the forwarded parameter.
16 CVE-2015-2978 287 Bypass 2015-07-29 2015-07-29
5.0
None Remote Low Not required None Partial None
Webservice-DIC yoyaku_v41 allows remote attackers to bypass authentication and complete a conference-room reservation via unspecified vectors, as demonstrated by an "unintentional reservation."
17 CVE-2015-2823 287 2015-04-08 2015-04-09
6.8
None Remote Medium Not required Partial Partial Partial
Siemens SIMATIC HMI Basic Panels 2nd Generation before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC HMI Comfort Panels before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC WinCC Runtime Advanced before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC WinCC Runtime Professional before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC HMI Basic Panels 1st Generation (WinCC TIA Portal), SIMATIC HMI Mobile Panel 277 (WinCC TIA Portal), SIMATIC HMI Multi Panels (WinCC TIA Portal), and SIMATIC WinCC 7.x before 7.3 Upd4 allow remote attackers to complete authentication by leveraging knowledge of a password hash without knowledge of the associated password.
18 CVE-2015-2117 287 Exec Code 2015-04-27 2015-05-11
7.5
None Remote Low Not required Partial Partial Partial
HP TippingPoint Security Management System (SMS) and TippingPoint Virtual Security Management System (vSMS) before 4.1 patch 3 and 4.2 before patch 1 do not require authentication for JBoss RMI requests, which allows remote attackers to execute arbitrary code by (1) uploading this code within an archive or (2) instantiating a class.
19 CVE-2015-2047 287 Bypass 2015-02-23 2015-11-16
2.6
None Remote High Not required None Partial None
The rsaauth extension in TYPO3 4.3.0 through 4.3.14, 4.4.0 through 4.4.15, 4.5.0 through 4.5.39, and 4.6.0 through 4.6.18, when configured for the frontend, allows remote attackers to bypass authentication via a password that is casted to an empty value.
20 CVE-2015-2033 287 Exec Code 2015-02-20 2015-02-20
10.0
None Remote Low Not required Complete Complete Complete
Anyterm Daemon in Infoblox Network Automation NetMRI before NETMRI-23483 allows remote attackers to execute arbitrary commands with root privileges via a crafted terminal/anyterm-module request.
21 CVE-2015-1772 287 Bypass 2015-12-21 2015-12-22
4.3
None Remote Medium Not required None Partial None
The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.
22 CVE-2015-1486 287 Bypass 2015-07-31 2015-08-03
7.5
None Remote Low Not required Partial Partial Partial
The management console in Symantec Endpoint Protection Manager (SEPM) 12.1 before 12.1-RU6-MP1 allows remote attackers to bypass authentication via a crafted password-reset action that triggers a new administrative session.
23 CVE-2015-1330 287 2015-07-01 2015-07-02
6.8
None Remote Medium Not required Partial Partial Partial
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vectors.
24 CVE-2015-0670 287 2015-03-20 2015-10-22
6.4
None Remote Low Not required Partial Partial None
The default configuration of Cisco Small Business IP phones SPA 300 7.5.5 and SPA 500 7.5.5 does not properly support authentication, which allows remote attackers to read audio-stream data or originate telephone calls via a crafted XML request, aka Bug ID CSCuo52482.
25 CVE-2015-0653 287 Bypass 2015-03-12 2015-09-11
10.0
None Remote Low Not required Complete Complete Complete
The management interface in Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway before X7.2.4, X8 before X8.1.2, and X8.2 before X8.2.2 and Cisco TelePresence Conductor before X2.3.1 and XC2.4 before XC2.4.1 allows remote attackers to bypass authentication via crafted login parameters, aka Bug IDs CSCur02680 and CSCur05556.
26 CVE-2015-0607 287 Bypass 2015-03-05 2015-03-06
4.3
None Remote Medium Not required Partial None None
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connection attempt with a blank password, aka Bug IDs CSCuo09400 and CSCun16016.
27 CVE-2015-0198 287 Bypass 2015-03-23 2015-03-24
10.0
Admin Remote Low Not required Complete Complete Complete
IBM General Parallel File System (GPFS) 3.4 before 3.4.0.32, 3.5 before 3.5.0.24, and 4.1 before 4.1.0.7 in certain cipherList configurations allows remote attackers to bypass authentication and execute arbitrary programs as root via unspecified vectors.
28 CVE-2014-9605 287 Sql Bypass 2015-09-04 2015-09-04
9.4
None Remote Low Not required Complete None Complete
WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) character in the login and password parameters to webupgrade/webupgrade.php. NOTE: this was originally reported as an SQL injection vulnerability, but this may be inaccurate.
29 CVE-2014-9578 287 2015-01-08 2015-01-08
5.0
None Remote Low Not required None Partial None
VDG Security SENSE (formerly DIVA) 2.3.13 performs authentication with a password hash instead of a password, which allows remote attackers to gain login access by leveraging knowledge of password hash.
30 CVE-2014-9278 287 Bypass 2014-12-06 2015-03-17
4.0
None Remote Low Single system None Partial None
The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.
31 CVE-2014-9217 287 Bypass 2014-12-08 2014-12-08
5.0
None Remote Low Not required None Partial None
Graylog2 before 0.92 allows remote attackers to bypass LDAP authentication via crafted wildcards.
32 CVE-2014-9184 287 Bypass 2014-12-02 2014-12-03
5.0
None Remote Low Not required None Partial None
ZTE ZXDSL 831CII allows remote attackers to bypass authentication via a direct request to (1) main.cgi, (2) adminpasswd.cgi, (3) userpasswd.cgi, (4) upload.cgi, (5) conprocess.cgi, or (6) connect.cgi.
33 CVE-2014-9045 287 Bypass 2015-02-04 2015-02-05
5.0
None Remote Low Not required None Partial None
The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password.
34 CVE-2014-9043 287 Bypass 2015-02-04 2015-02-05
5.0
None Remote Low Not required None Partial None
The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind.
35 CVE-2014-8896 287 +Priv 2014-12-22 2014-12-22
4.0
None Remote Low Single system None Partial None
The Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 allows remote authenticated users to modify the administrator's credentials and consequently gain privileges via unspecified vectors.
36 CVE-2014-8764 287 Bypass 2014-10-22 2015-04-02
5.0
None Remote Low Not required None Partial None
DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind.
37 CVE-2014-8763 287 Bypass 2014-10-22 2015-04-02
5.0
None Remote Low Not required None Partial None
DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind.
38 CVE-2014-8522 287 2014-10-29 2014-10-30
7.5
None Remote Low Not required Partial Partial Partial
The MySQL database in McAfee Network Data Loss Prevention (NDLP) before 9.3 does not require a password, which makes it easier for remote attackers to obtain access.
39 CVE-2014-8472 287 Bypass 2014-11-04 2015-11-20
6.8
None Remote Medium Not required Partial Partial Partial
CA Cloud Service Management (CSM) before Summer 2014 does not properly verify authentication tokens from an Identity Provider, which allows user-assisted remote attackers to bypass intended access restrictions via unspecified vectors.
40 CVE-2014-8424 287 Bypass 2014-11-28 2014-11-28
7.8
None Remote Low Not required Complete None None
ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.
41 CVE-2014-8329 287 +Info 2014-10-20 2014-10-22
10.0
None Remote Low Not required Complete Complete Complete
Schrack Technik microControl with firmware before 1.7.0 (937) stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain access data for the ftp and telnet services via a direct request for ZTPUsrDtls.txt.
42 CVE-2014-8088 287 Bypass 2014-10-22 2014-10-23
5.0
None Remote Low Not required None Partial None
The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.
43 CVE-2014-8033 287 2015-01-08 2015-11-02
5.0
None Remote Low Not required None Partial None
The play/modules component in Cisco WebEx Meetings Server allows remote attackers to obtain administrator access via crafted API requests, aka Bug ID CSCuj40421.
44 CVE-2014-8006 287 Bypass 2014-12-16 2014-12-17
4.3
None Remote Medium Not required None Partial None
The Disaster Recovery (DRA) feature on the Cisco ISB8320-E High-Definition IP-Only DVR allows remote attackers to bypass authentication by establishing a TELNET session during a recovery boot, aka Bug ID CSCup85422.
45 CVE-2014-7879 287 Exec Code Bypass 2014-12-10 2014-12-11
8.5
None Remote Medium Single system Complete Complete Complete
HP HP-UX B.11.11, B.11.23, and B.11.31, when the PAM configuration includes libpam_updbe, allows remote authenticated users to bypass authentication, and consequently execute arbitrary code, via unspecified vectors.
46 CVE-2014-7807 287 Bypass 2014-12-10 2014-12-10
5.0
None Remote Low Not required None Partial None
Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypass authentication via a login request without a password, which triggers an unauthenticated bind.
47 CVE-2014-6632 287 Bypass 2014-10-08 2014-10-09
7.5
None Remote Low Not required Partial Partial Partial
Joomla! 2.5.x before 2.5.25, 3.x before 3.2.4, and 3.3.x before 3.3.4 allows remote attackers to authenticate and bypass intended access restrictions via vectors involving LDAP authentication.
48 CVE-2014-6387 287 Bypass 2014-10-22 2014-10-23
5.0
None Remote Low Not required None Partial None
gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authenticated via a password starting will a null byte, which triggers an unauthenticated bind.
49 CVE-2014-6379 287 Bypass 2014-10-14 2014-10-24
7.5
None Remote Low Not required Partial Partial Partial
Juniper Junos 11.4 before R12, 12.1 before R10, 12.1X44 before D35, 12.1X45 before D25, 12.1X46 before D20, 12.1X47 before D10, 12.2 before R8, 12.2X50 before D70, 12.3 before R6, 13.1 before R4-S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R4, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R2, and 14.1 before R1, when a RADIUS accounting server is configured as [system accounting destination radius], creates an entry in /var/etc/pam_radius.conf, which might allow remote attackers to bypass authentication via unspecified vectors.
50 CVE-2014-6318 287 Bypass 2014-11-11 2014-11-12
5.0
None Remote Low Not required None Partial None
The audit logon feature in Remote Desktop Protocol (RDP) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly log unauthorized login attempts supplying valid credentials, which makes it easier for remote attackers to bypass intended access restrictions via a series of attempts, aka "Remote Desktop Protocol (RDP) Failure to Audit Vulnerability."
Total number of vulnerabilities : 971   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.