CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (Bypass)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-2047 287 Bypass 2015-02-23 2015-02-26
2.6
None Remote High Not required None Partial None
The rsaauth extension in TYPO3 4.3.0 through 4.3.14, 4.4.0 through 4.4.15, 4.5.0 through 4.5.39, and 4.6.0 through 4.6.18, when configured for the frontend, allows remote attackers to bypass authentication via a password that is casted to an empty value.
2 CVE-2015-1482 200 1 Bypass +Info 2015-02-04 2015-02-05
5.0
None Remote Low Not required Partial None None
Ansible Tower (aka Ansible UI) before 2.0.5 allows remote attackers to bypass authentication and obtain sensitive information via a websocket connection to socket.io/1/.
3 CVE-2015-1458 264 +Priv Bypass 2015-02-03 2015-02-04
6.9
None Local Medium Not required Complete Complete Complete
Fortinet FortiAuthenticator 3.0.0 allows local users to bypass intended restrictions and gain privileges by creating /tmp/privexec/dbgcore_enable_shell_access and executing the "shell" command.
4 CVE-2015-1448 264 Bypass 2015-02-02 2015-02-04
10.0
None Remote Low Not required Complete Complete Complete
The integrated management service on Siemens Ruggedcom WIN51xx devices with firmware before SS4.4.4624.35, WIN52xx devices with firmware before SS4.4.4624.35, WIN70xx devices with firmware before BS4.4.4621.32, and WIN72xx devices with firmware before BS4.4.4621.32 allows remote attackers to bypass authentication and perform administrative actions via unspecified vectors.
5 CVE-2015-1427 284 Exec Code Bypass 2015-02-17 2015-02-18
7.5
None Remote Low Not required Partial Partial Partial
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
6 CVE-2015-1419 Bypass 2015-01-28 2015-01-28
5.0
None Remote Low Not required None Partial None
Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
7 CVE-2015-1210 264 Bypass 2015-02-06 2015-02-20
5.0
None Remote Low Not required None Partial None
The V8ThrowException::createDOMException function in bindings/core/v8/V8ThrowException.cpp in the V8 bindings in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, does not properly consider frame access restrictions during the throwing of an exception, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
8 CVE-2015-1200 362 Bypass 2015-01-23 2015-01-26
2.1
None Local Low Not required None Partial None
Race condition in pxz 4.999.99 Beta 3 uses weak file permissions for the output file when compressing a file before changing the permission to match the original file, which allows local users to bypass the intended access restrictions.
9 CVE-2015-1169 74 Bypass 2015-02-10 2015-02-11
7.5
None Remote Low Not required Partial Partial Partial
Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP injection attacks via a crafted username, as demonstrated by using a wildcard and a valid password to bypass LDAP authentication.
10 CVE-2015-0929 284 Bypass 2015-02-03 2015-02-04
10.0
None Remote Low Not required Complete Complete Complete
time.htm in the web interface on SerVision HVG Video Gateway devices with firmware before 2.2.26a78 allows remote attackers to bypass authentication and obtain administrative access by leveraging a cookie received in an HTTP response.
11 CVE-2015-0890 Bypass 2015-03-03 2015-03-03
5.0
None Remote Low Not required None Partial None
The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.
12 CVE-2015-0832 254 Bypass 2015-02-25 2015-03-02
5.0
None Remote Low Not required None Partial None
Mozilla Firefox before 36.0 does not properly recognize the equivalence of domain names with and without a trailing . (dot) character, which allows man-in-the-middle attackers to bypass the HPKP and HSTS protection mechanisms by constructing a URL with this character and leveraging access to an X.509 certificate for a domain with this character.
13 CVE-2015-0820 284 Bypass 2015-02-25 2015-03-02
2.6
None Remote High Not required None Partial None
Mozilla Firefox before 36.0 does not properly restrict transitions of JavaScript objects from a non-extensible state to an extensible state, which allows remote attackers to bypass a Caja Compiler sandbox protection mechanism or a Secure EcmaScript sandbox protection mechanism via a crafted web site.
14 CVE-2015-0633 20 Bypass 2015-02-25 2015-03-02
6.8
None Local Network Low Not required None Partial Complete
The Integrated Management Controller (IMC) in Cisco Unified Computing System (UCS) 1.4(7h) and earlier on C-Series servers allows remote attackers to bypass intended access restrictions by sending crafted DHCP response packets on the local network, aka Bug ID CSCuf52876.
15 CVE-2015-0628 200 Bypass +Info 2015-02-19 2015-02-20
5.0
None Remote Low Not required Partial None None
The proxy engine on Cisco Web Security Appliance (WSA) devices allows remote attackers to bypass intended proxying restrictions via a malformed HTTP method, aka Bug ID CSCus79174.
16 CVE-2015-0610 362 Bypass 2015-02-11 2015-02-18
4.3
None Remote Medium Not required None Partial None
Race condition in the object-group ACL feature in Cisco IOS 15.5(2)T and earlier allows remote attackers to bypass intended access restrictions via crafted network traffic that triggers improper handling of the timing of process switching and Cisco Express Forwarding (CEF) switching, aka Bug ID CSCun21071.
17 CVE-2015-0605 264 Bypass 2015-02-06 2015-02-19
4.3
None Remote Medium Not required None Partial None
The uuencode inspection engine in Cisco AsyncOS on Cisco Email Security Appliance (ESA) devices 8.5 and earlier allows remote attackers to bypass intended content restrictions via a crafted e-mail attachment with uuencode encoding, aka Bug ID CSCzv54343.
18 CVE-2015-0310 264 Bypass 2015-01-23 2015-02-13
10.0
None Remote Low Not required Complete Complete Complete
Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism on Windows, and have an unspecified impact on other platforms, via unknown vectors, as exploited in the wild in January 2015.
19 CVE-2015-0227 264 Bypass 2015-02-12 2015-02-18
5.0
None Remote Low Not required None Partial None
Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks."
20 CVE-2015-0223 264 Bypass 2015-02-02 2015-02-04
5.0
None Remote Low Not required None Partial None
Unspecified vulnerability in Apache Qpid 0.30 and earlier allows remote attackers to bypass access restrictions on qpidd via unknown vectors, related to 0-10 connection handling.
21 CVE-2015-0072 79 XSS Bypass 2015-02-07 2015-02-13
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 10 and 11 allows remote attackers to bypass the Same Origin Policy and inject arbitrary web script or HTML via vectors involving an IFRAME element that triggers a redirect, a second IFRAME element that does not trigger a redirect, and an eval of a WindowProxy object, aka "Universal XSS (UXSS)."
22 CVE-2015-0071 264 Bypass 2015-02-10 2015-02-18
4.3
None Remote Medium Not required Partial None None
Microsoft Internet Explorer 9 through 11 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability."
23 CVE-2015-0069 264 Bypass 2015-02-10 2015-02-18
4.3
None Remote Medium Not required Partial None None
Microsoft Internet Explorer 10 and 11 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability."
24 CVE-2015-0051 264 Bypass 2015-02-10 2015-02-18
4.3
None Remote Medium Not required Partial None None
Microsoft Internet Explorer 8 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability."
25 CVE-2015-0011 264 Bypass 2015-01-13 2015-01-14
4.7
None Local Medium Not required None Complete None
mrxdav.sys (aka the WebDAV driver) in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to bypass an impersonation protection mechanism, and obtain privileges for redirection of WebDAV requests, via a crafted application, aka "WebDAV Elevation of Privilege Vulnerability."
26 CVE-2015-0010 200 Bypass +Info 2015-02-10 2015-02-18
1.9
None Local Medium Not required Partial None None
The CryptProtectMemory function in cng.sys (aka the Cryptography Next Generation driver) in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, when the CRYPTPROTECTMEMORY_SAME_LOGON option is used, does not check an impersonation token's level, which allows local users to bypass intended decryption restrictions by leveraging a service that (1) has a named-pipe planting vulnerability or (2) uses world-readable shared memory for encrypted data, aka "CNG Security Feature Bypass Vulnerability" or MSRC ID 20707.
27 CVE-2015-0009 254 Bypass 2015-02-10 2015-02-18
3.3
None Local Network Low Not required None Partial None
The Group Policy Security Configuration policy implementation in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows man-in-the-middle attackers to disable a signing requirement and trigger a revert-to-default action by spoofing domain-controller responses, aka "Group Policy Security Feature Bypass Vulnerability."
28 CVE-2015-0006 264 Bypass 2015-01-13 2015-01-14
6.1
None Local Network Low Not required None Complete None
The Network Location Awareness (NLA) service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not perform mutual authentication to determine a domain connection, which allows remote attackers to trigger an unintended permissive configuration by spoofing DNS and LDAP responses on a local network, aka "NLA Security Feature Bypass Vulnerability."
29 CVE-2015-0001 264 Bypass 2015-01-13 2015-01-14
1.9
None Local Medium Not required Partial None None
The Windows Error Reporting (WER) component in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to bypass the Protected Process Light protection mechanism and read the contents of arbitrary process-memory locations by leveraging administrative privileges, aka "Windows Error Reporting Security Feature Bypass Vulnerability."
30 CVE-2014-10026 200 Bypass +Info 2015-01-13 2015-01-13
5.0
None Remote Low Not required Partial None None
index.cgi in D-Link DAP-1360 with firmware 2.5.4 and earlier allows remote attackers to bypass authentication and obtain sensitive information by setting the client_login cookie to admin.
31 CVE-2014-9675 264 Bypass 2015-02-08 2015-02-27
5.0
None Remote Low Not required Partial None None
bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font.
32 CVE-2014-9623 399 DoS Bypass 2015-01-23 2015-02-05
4.0
None Remote Low Single system None None Partial
OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting an image in the saving state.
33 CVE-2014-9585 264 Bypass 2015-01-09 2015-01-12
2.1
None Local Low Not required None Partial None
The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD.
34 CVE-2014-9583 264 1 Exec Code Bypass 2015-01-08 2015-01-09
10.0
None Remote Low Not required Complete Complete Complete
common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass authentication and execute arbitrary commands via a NET_CMD_ID_MANU_CMD packet to UDP port 9999. NOTE: this issue was incorrectly mapped to CVE-2014-10000, but that ID is invalid due to its use as an example of the 2014 CVE ID syntax change.
35 CVE-2014-9575 264 Bypass 2015-01-08 2015-01-08
6.4
None Remote Low Not required Partial Partial None
VDG Security SENSE (formerly DIVA) before 2.3.15 allows remote attackers to bypass authentication, and consequently read and modify arbitrary plugin settings, via an encoded : (colon) character in the Authorization HTTP header.
36 CVE-2014-9494 264 Bypass 2015-01-20 2015-01-22
5.0
None Remote Low Not required None Partial None
RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header.
37 CVE-2014-9476 264 Bypass 2015-01-16 2015-02-05
5.0
None Remote Low Not required None Partial None
MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/."
38 CVE-2014-9422 284 Bypass 2015-02-19 2015-02-19
6.1
None Remote High Single system Partial Partial Complete
The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal.
39 CVE-2014-9419 200 Bypass +Info 2014-12-25 2014-12-29
2.1
None Local Low Not required Partial None None
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address.
40 CVE-2014-9304 264 Bypass 2014-12-07 2014-12-08
7.5
None Remote Low Not required Partial Partial Partial
Plex Media Server before 0.9.9.3 allows remote attackers to bypass the web server whitelist, conduct SSRF attacks, and execute arbitrary administrative actions via multiple crafted X-Plex-Url headers to system/proxy, which are inconsistently processed by the request handler in the backend web server.
41 CVE-2014-9283 Bypass 2015-03-03 2015-03-03
5.0
None Remote Low Not required None Partial None
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.
42 CVE-2014-9278 287 Bypass 2014-12-06 2014-12-23
4.0
None Remote Low Single system None Partial None
The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.
43 CVE-2014-9226 264 Bypass 2015-01-21 2015-01-22
7.2
None Local Low Not required Complete Complete Complete
The management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows local users to bypass intended Protection Policies via unspecified vectors.
44 CVE-2014-9217 287 Bypass 2014-12-08 2014-12-08
5.0
None Remote Low Not required None Partial None
Graylog2 before 0.92 allows remote attackers to bypass LDAP authentication via crafted wildcards.
45 CVE-2014-9184 287 Bypass 2014-12-02 2014-12-03
5.0
None Remote Low Not required None Partial None
ZTE ZXDSL 831CII allows remote attackers to bypass authentication via a direct request to (1) main.cgi, (2) adminpasswd.cgi, (3) userpasswd.cgi, (4) upload.cgi, (5) conprocess.cgi, or (6) connect.cgi.
46 CVE-2014-9150 362 Bypass 2014-11-29 2014-12-17
6.4
None Remote Low Not required None Partial Partial
Race condition in the MoveFileEx call hook feature in Adobe Reader and Acrobat 11.x before 11.0.09 on Windows allows attackers to bypass a sandbox protection mechanism, and consequently write to files in arbitrary locations, via an NTFS junction attack, a similar issue to CVE-2014-0568.
47 CVE-2014-9135 264 Bypass 2014-12-19 2014-12-22
4.3
None Remote Medium Not required None Partial None
The PackageInstaller module in Huawei P7-L10 smartphones before V100R001C00B136 allows remote attackers to spoof the origin website and bypass the website whitelist protection mechanism via a crafted package.
48 CVE-2014-9117 284 Bypass 2014-12-06 2015-01-10
5.0
None Remote Low Not required None Partial None
MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as demonstrated by E4652 for the public_key value 0.
49 CVE-2014-9048 264 Bypass 2015-02-04 2015-02-05
5.0
None Remote Low Not required None Partial None
The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-protection for shared files via the API.
50 CVE-2014-9045 287 Bypass 2015-02-04 2015-02-05
5.0
None Remote Low Not required None Partial None
The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password.
Total number of vulnerabilities : 3610   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.