CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (Bypass)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-5206 264 Bypass 2014-08-18 2014-08-18
7.2
None Local Low Not required Complete Complete Complete
The do_remount function in fs/namespace.c in the Linux kernel through 3.16.1 does not maintain the MNT_LOCK_READONLY bit across a remount of a bind mount, which allows local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms via a "mount -o remount" command within a user namespace.
2 CVE-2014-5205 352 Bypass CSRF 2014-08-18 2014-08-18
6.8
None Remote Medium Not required Partial Partial Partial
wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.
3 CVE-2014-5204 352 Bypass CSRF 2014-08-18 2014-08-18
6.8
None Remote Medium Not required Partial Partial Partial
wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.
4 CVE-2014-5195 362 Bypass 2014-08-07 2014-08-07
7.2
None Local Low Not required Complete Complete Complete
Unity before 7.2.3 and 7.3.x before 7.3.1, as used in Ubuntu, does not properly take focus of the keyboard when switching to the lock screen, which allows physically proximate attackers to bypass the lock screen by (1) leveraging a machine that had text selected when locking or (2) resuming from a suspension.
5 CVE-2014-5175 287 Bypass 2014-07-31 2014-08-01
7.5
None Remote Low Not required Partial Partial Partial
The License Measurement servlet in SAP Solution Manager 7.1 allows remote attackers to bypass authentication via unspecified vectors, related to a verb tampering attack and SAP_JTECHS.
6 CVE-2014-5173 264 Bypass 2014-07-31 2014-08-01
5.0
None Remote Low Not required Partial None None
SAP HANA Extend Application Services (XS) allows remote attackers to bypass access restrictions via a request to a private IU5 SDK application that was once public.
7 CVE-2014-5033 362 Bypass 2014-08-19 2014-08-20
6.9
None Local Medium Not required Complete Complete Complete
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
8 CVE-2014-5020 264 Bypass 2014-07-22 2014-07-22
4.9
None Remote Medium Single system Partial Partial None
The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file field.
9 CVE-2014-5015 264 Bypass 2014-07-24 2014-07-25
5.0
None Remote Low Not required Partial None None
bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path.
10 CVE-2014-4987 264 Bypass 2014-07-20 2014-07-22
4.0
None Remote Low Single system Partial None None
server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x before 4.2.6 allows remote authenticated users to bypass intended access restrictions and read the MySQL user list via a viewUsers request.
11 CVE-2014-4757 264 Bypass 2014-08-11 2014-08-12
2.1
None Local Low Not required Partial None None
The Outlook Extension in IBM Content Collector 4.0.0.x before 4.0.0.0-ICC-OE-IF004 allows local users to bypass the intended Reviewer privilege requirement and read e-mail messages from an arbitrary mailbox by invoking the Search function.
12 CVE-2014-4725 287 Exec Code Bypass 2014-07-27 2014-07-28
7.5
None Remote Low Not required Partial Partial Partial
The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.
13 CVE-2014-4668 287 Bypass 2014-07-02 2014-07-02
6.8
None Remote Medium Not required Partial Partial Partial
The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attackers to bypass authentication via an empty password.
14 CVE-2014-4655 189 DoS Overflow Bypass 2014-07-03 2014-08-01
4.9
None Local Low Not required None None Complete
The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls.
15 CVE-2014-4338 264 Bypass 2014-06-22 2014-06-23
4.0
None Remote High Not required Partial Partial None
cups-browsed in cups-filters before 1.0.53 allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging a malformed cups-browsed.conf BrowseAllow directive that is interpreted as granting browse access to all IP addresses.
16 CVE-2014-4168 287 Bypass 2014-07-03 2014-07-07
5.0
None Remote Low Not required Partial None None
(1) iodined.c and (2) user.c in iodine before 0.7.0 allows remote attackers to bypass authentication by continuing execution after an error has been triggering.
17 CVE-2014-4157 264 Bypass 2014-06-23 2014-06-25
4.6
None Local Low Not required Partial Partial Partial
arch/mips/include/asm/thread_info.h in the Linux kernel before 3.14.8 on the MIPS platform does not configure _TIF_SECCOMP checks on the fast system-call path, which allows local users to bypass intended PR_SET_SECCOMP restrictions by executing a crafted application without invoking a trace or audit subsystem.
18 CVE-2014-4014 264 Bypass 2014-06-23 2014-07-11
6.2
None Local High Not required Complete Complete Complete
The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.
19 CVE-2014-3945 287 Bypass 2014-06-03 2014-06-04
4.0
None Remote High Not required Partial Partial None
The Authentication component in TYPO3 before 6.2, when salting for password hashing is disabled, does not require knowledge of the cleartext password if the password hash is known, which allows remote attackers to bypass authentication and gain access to the backend by leveraging knowledge of a password hash.
20 CVE-2014-3944 287 Bypass 2014-06-03 2014-06-04
5.8
None Remote Medium Not required Partial Partial None
The Authentication component in TYPO3 6.2.0 before 6.2.3 does not properly invalidate timed out user sessions, which allows remote attackers to bypass authentication via unspecified vectors.
21 CVE-2014-3895 287 Bypass 2014-07-29 2014-07-30
6.4
None Remote Low Not required Partial Partial None
The I-O DATA TS-WLCAM camera with firmware 1.06 and earlier, TS-WLCAM/V camera with firmware 1.06 and earlier, TS-WPTCAM camera with firmware 1.08 and earlier, TS-PTCAM camera with firmware 1.08 and earlier, TS-PTCAM/POE camera with firmware 1.08 and earlier, and TS-WLC2 camera with firmware 1.02 and earlier allow remote attackers to bypass authentication, and consequently obtain sensitive credential and configuration data, via unspecified vectors.
22 CVE-2014-3781 287 Bypass 2014-06-11 2014-06-12
5.8
None Remote Medium Not required Partial Partial None
The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request.
23 CVE-2014-3780 287 Bypass 2014-05-30 2014-06-24
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Citrix VDI-In-A-Box 5.3.x before 5.3.8 and 5.4.x before 5.4.4 allows remote attackers to bypass authentication via unspecified vectors, related to a Java servlet.
24 CVE-2014-3772 264 Bypass 2014-08-07 2014-08-07
7.5
None Remote Low Not required Partial Partial Partial
TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via a request to index.php followed by a direct request to a file that calls the session_start function before checking the CPM key, as demonstrated by a request to sources/upload/upload.files.php.
25 CVE-2014-3771 264 Bypass 2014-08-07 2014-08-07
7.5
None Remote Low Not required Partial Partial Partial
TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via the language file path in a (1) request to index.php or (2) "change_user_language" request to sources/main.queries.php.
26 CVE-2014-3553 264 Bypass 2014-07-29 2014-07-29
4.9
None Remote Medium Single system Partial Partial None
mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships.
27 CVE-2014-3514 264 Bypass 2014-08-20 2014-08-20
7.5
None Remote Low Not required Partial Partial Partial
activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.
28 CVE-2014-3472 264 Bypass 2014-08-19 2014-08-20
4.9
None Remote Medium Single system Partial Partial None
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.
29 CVE-2014-3431 264 Bypass 2014-06-21 2014-06-23
4.3
None Local Low Single system Partial Partial Partial
Symantec PGP Desktop 10.x, and Encryption Desktop Professional 10.3.x before 10.3.2 MP2, on OS X uses world-writable permissions for temporary files, which allows local users to bypass intended restrictions on file reading, modification, creation, and permission changes via unspecified vectors.
30 CVE-2014-3330 264 Bypass 2014-08-11 2014-08-12
5.0
None Remote Low Not required Partial None None
Cisco NX-OS 6.1(2)I2(1) on Nexus 9000 switches does not properly process packet-drop policy checks for logged packets, which allows remote attackers to bypass intended access restrictions via a flood of packets matching a policy that contains the log keyword, aka Bug ID CSCuo02489.
31 CVE-2014-3316 20 Bypass 2014-07-10 2014-07-18
4.0
None Remote Low Single system None Partial None
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.
32 CVE-2014-3309 264 Bypass 2014-07-09 2014-07-18
5.0
None Remote Low Not required Partial None None
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.
33 CVE-2014-3295 287 DoS Bypass 2014-06-14 2014-06-21
4.8
None Local Network Low Not required None Partial Partial
The HSRP implementation in Cisco NX-OS 6.2(2a) and earlier allows remote attackers to bypass authentication and cause a denial of service (group-member state modification and traffic blackholing) via malformed HSRP packets, aka Bug ID CSCup11309.
34 CVE-2014-3204 264 Exec Code Bypass 2014-05-06 2014-05-07
4.4
None Local Medium Not required Partial Partial Partial
Unity before 7.2.1, as used in Ubuntu 14.04, does not properly handle keyboard shortcuts, which allows physically proximate attackers to bypass the lock screen and execute arbitrary commands, as demonstrated by right-clicking on the indicator bar and then pressing the ALT and F2 keys.
35 CVE-2014-3203 264 Exec Code Bypass 2014-05-06 2014-05-07
4.4
None Local Medium Not required Partial Partial Partial
Unity before 7.2.1, as used in Ubuntu 14.04, does not properly restrict access to the Dash when the lock screen is active, which allows physically proximate attackers to bypass the lock screen and execute arbitrary commands, as demonstrated by pressing the SUPER key before the screen auto-locks.
36 CVE-2014-3202 264 Bypass 2014-05-06 2014-05-07
4.4
None Local Medium Not required Partial Partial Partial
Unity before 7.2.1 does not properly handle entry activation, which allows physically proximate attackers to bypass the lock screen by holding the ENTER key, which triggers the process to crash.
37 CVE-2014-3161 264 Bypass 2014-07-20 2014-07-21
7.5
None Remote Low Not required Partial Partial Partial
The WebMediaPlayerAndroid::load function in content/renderer/media/android/webmediaplayer_android.cc in Google Chrome before 36.0.1985.122 on Android does not properly interact with redirects, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that hosts a video stream.
38 CVE-2014-3160 264 Bypass 2014-07-20 2014-08-04
6.8
None Remote Medium Not required Partial Partial Partial
The ResourceFetcher::canRequest function in core/fetch/ResourceFetcher.cpp in Blink, as used in Google Chrome before 36.0.1985.125, does not properly restrict subresource requests associated with SVG files, which allows remote attackers to bypass the Same Origin Policy via a crafted file.
39 CVE-2014-3139 287 1 Bypass 2014-05-02 2014-05-02
7.5
None Remote Low Not required Partial Partial Partial
recoveryconsole/bpl/snmpd.php in Unitrends Enterprise Backup 7.3.0 allows remote attackers to bypass authentication by setting the auth parameter to a certain string.
40 CVE-2014-3100 119 Exec Code Overflow Bypass +Info 2014-07-02 2014-07-02
5.1
None Remote High Not required Partial Partial Partial
Stack-based buffer overflow in the encode_key function in /system/bin/keystore in the KeyStore service in Android 4.3 allows attackers to execute arbitrary code, and consequently obtain sensitive key information or bypass intended restrictions on cryptographic operations, via a long key name.
41 CVE-2014-3088 264 Bypass 2014-07-01 2014-07-02
5.5
None Remote Low Single system Partial Partial None
stconf.nsf in IBM Sametime Meeting Server 8.5.1 relies on the client to validate the file format used in wAttach?OpenForm multipart/form-data POST requests, which allows remote authenticated users to bypass intended upload restrictions by modifying the Content-Type header and file extension, as demonstrated by replacing a text/plain .txt upload with an application/octet-stream .exe upload.
42 CVE-2014-3053 287 Bypass 2014-06-21 2014-07-17
8.0
None Local Network Low Not required Complete Partial Complete
The Local Management Interface (LMI) in IBM Security Access Manager (ISAM) for Mobile 8.0 with firmware 8.0.0.0 through 8.0.0.3 and IBM Security Access Manager for Web 7.0, and 8.0 with firmware 8.0.0.2 and 8.0.0.3, allows remote attackers to bypass authentication via a login action with invalid credentials.
43 CVE-2014-3038 264 Bypass 2014-06-08 2014-06-18
3.6
None Local Low Not required Partial Partial None
IBM SPSS Modeler 16.0 before 16.0.0.1 on UNIX does not properly drop group privileges, which allows local users to bypass intended file-access restrictions by leveraging (1) gid 0 or (2) root's group memberships.
44 CVE-2014-3036 Bypass +Info 2014-06-08 2014-06-18
4.3
None Remote Medium Not required Partial None None
Unspecified vulnerability in IBM API Management 3.0.0.0, when basic authentication is used for APIs, allows remote attackers to bypass intended restrictions on topology access, and obtain sensitive information, via unknown vectors.
45 CVE-2014-3001 Bypass 2014-05-02 2014-05-02
0.0
None ??? ??? ??? ??? ??? ???
The device file system (aka devfs) in FreeBSD 10.0 before p2 does not load default rulesets when booting, which allows context-dependent attackers to bypass intended restrictions by leveraging a jailed device node process.
46 CVE-2014-2966 264 XSS Bypass 2014-07-26 2014-07-28
5.0
None Remote Low Not required None Partial None
The ISO-8859-1 encoder in Resin Pro before 4.0.40 does not properly perform Unicode transformations, which allows remote attackers to bypass intended text restrictions via crafted characters, as demonstrated by bypassing an XSS protection mechanism.
47 CVE-2014-2955 287 Exec Code Bypass 2014-07-14 2014-07-15
10.0
None Remote Low Not required Complete Complete Complete
Raritan PX before 1.5.11 on DPXR20A-16 devices allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.
48 CVE-2014-2865 264 Bypass 2014-04-15 2014-04-16
7.5
None Remote Low Not required Partial Partial Partial
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to bypass intended access restrictions via a '\0' character, as demonstrated by using this character within a pathname on the drive containing the web root directory of a ColdFusion installation.
49 CVE-2014-2861 XSS Bypass 2014-04-15 2014-04-16
4.3
None Remote Medium Not required None Partial None
Incomplete blacklist vulnerability in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string, as demonstrated by bypassing a protection mechanism that removes only the "alert" string.
50 CVE-2014-2859 264 Bypass 2014-04-15 2014-04-16
7.5
None Remote Low Not required Partial Partial Partial
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to bypass intended access restrictions via a direct request.
Total number of vulnerabilities : 3378   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.