CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (Bypass)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-6364 200 Bypass +Info 2016-08-22 2016-08-23
5.0
None Remote Low Not required Partial None None
The User Data Services (UDS) API implementation in Cisco Unified Communications Manager 11.5 allows remote attackers to bypass intended access restrictions and obtain sensitive information via unspecified API calls, aka Bug ID CSCux67855.
2 CVE-2016-6150 284 Bypass 2016-08-05 2016-08-10
7.5
None Remote Low Not required Partial Partial Partial
The multi-tenant database container feature in SAP HANA does not properly encrypt communications, which allows remote attackers to bypass intended access restrictions and possibly have unspecified other impact via unknown vectors, aka SAP Security Note 2233550.
3 CVE-2016-6144 284 Bypass 2016-08-05 2016-08-05
4.3
None Remote Medium Not required Partial None None
The SQL interface in SAP HANA before Revision 102 does not limit the number of login attempts for the SYSTEM user when the password_lock_for_system_user is not supported or is configured as "False," which makes it easier for remote attackers to bypass authentication via a brute force attack, aka SAP Security Note 2216869.
4 CVE-2016-6136 362 Bypass 2016-08-06 2016-08-10
1.9
None Local Medium Not required None Partial None
Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string, aka a "double fetch" vulnerability.
5 CVE-2016-5839 Bypass 2016-06-29 2016-07-29
5.0
None Remote Low Not required None Partial None
WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors.
6 CVE-2016-5838 255 Bypass 2016-06-29 2016-07-29
5.0
None Remote Low Not required None Partial None
WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie.
7 CVE-2016-5837 Bypass 2016-06-29 2016-08-01
5.0
None Remote Low Not required None Partial None
WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors.
8 CVE-2016-5832 Bypass 2016-06-29 2016-08-02
5.0
None Remote Low Not required None Partial None
The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors.
9 CVE-2016-5807 284 Bypass 2016-07-15 2016-07-18
5.5
None Remote Low Single system Partial Partial None
Tollgrade LightHouse SMS before 5.1 patch 3 allows remote authenticated users to bypass an intended administrative-authentication requirement, and read or change parameter values, via a direct request.
10 CVE-2016-5804 287 Bypass 2016-07-15 2016-07-19
5.0
None Remote Low Not required Partial None None
Moxa MGate MB3180 before 1.8, MGate MB3280 before 2.7, MGate MB3480 before 2.6, MGate MB3170 before 2.5, and MGate MB3270 before 2.7 use weak encryption, which allows remote attackers to bypass authentication via a brute-force series of guesses for a parameter value.
11 CVE-2016-5790 Bypass 2016-07-15 2016-07-18
5.0
None Remote Low Not required None None Partial
Tollgrade LightHouse SMS before 5.1 patch 3 allows remote attackers to bypass authentication and restart the software via unspecified vectors.
12 CVE-2016-5668 Bypass 2016-08-02 2016-08-15
7.5
None Remote Low Not required Partial Partial Partial
Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.3039.00040 allow remote attackers to bypass authentication and change settings via a JSON API call.
13 CVE-2016-5667 Bypass 2016-08-02 2016-08-15
7.5
None Remote Low Not required Partial Partial Partial
Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.3039.00040 allow remote attackers to bypass authentication via a direct request to a page other than index.html.
14 CVE-2016-5637 119 DoS Exec Code Overflow Bypass 2016-07-15 2016-07-18
6.8
None Remote Medium Not required Partial Partial Partial
The restore_tqb_pixels function in libbpg 0.9.5 through 0.9.7 mishandles the transquant_bypass_enable_flag value, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via a crafted BPG image, related to a "type confusion" issue.
15 CVE-2016-5419 310 Bypass 2016-08-10 2016-08-12
5.0
None Remote Low Not required Partial None None
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
16 CVE-2016-5363 254 DoS Bypass 2016-06-17 2016-06-20
6.4
None Remote Low Not required Partial None Partial
The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an intended MAC-spoofing protection mechanism and consequently cause a denial of service or intercept network traffic via (1) a crafted DHCP discovery message or (2) crafted non-IP traffic.
17 CVE-2016-5362 254 DoS Bypass 2016-06-17 2016-06-21
6.4
None Remote Low Not required Partial None Partial
The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an intended DHCP-spoofing protection mechanism and consequently cause a denial of service or intercept network traffic via a crafted DHCP discovery message.
18 CVE-2016-5340 20 Bypass 2016-08-07 2016-08-11
7.2
None Local Low Not required Complete Complete Complete
The is_ashmem_file function in drivers/staging/android/ashmem.c in a certain Qualcomm Innovation Center (QuIC) Android patch for the Linux kernel 3.x mishandles pointer validation within the KGSL Linux Graphics Module, which allows attackers to bypass intended access restrictions by using the /ashmem string as the dentry name.
19 CVE-2016-5265 200 XSS Bypass +Info 2016-08-04 2016-08-05
4.0
None Remote High Not required Partial Partial None
Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow user-assisted remote attackers to bypass the Same Origin Policy, and conduct Universal XSS (UXSS) attacks or read arbitrary files, by arranging for the presence of a crafted HTML document and a crafted shortcut file in the same local directory.
20 CVE-2016-5145 254 Bypass 2016-08-07 2016-08-10
6.8
None Remote Medium Not required Partial Partial Partial
Blink, as used in Google Chrome before 52.0.2743.116, does not ensure that a taint property is preserved after a structure-clone operation on an ImageBitmap object derived from a cross-origin image, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code.
21 CVE-2016-5144 284 Bypass 2016-08-07 2016-08-10
7.5
None Remote Low Not required Partial Partial Partial
The Developer Tools (aka DevTools) subsystem in Blink, as used in Google Chrome before 52.0.2743.116, mishandles the script-path hostname, remoteBase parameter, and remoteFrontendUrl parameter, which allows remote attackers to bypass intended access restrictions via a crafted URL, a different vulnerability than CVE-2016-5143.
22 CVE-2016-5143 264 Bypass 2016-08-07 2016-08-10
7.5
None Remote Low Not required Partial Partial Partial
The Developer Tools (aka DevTools) subsystem in Blink, as used in Google Chrome before 52.0.2743.116, mishandles the script-path hostname, remoteBase parameter, and remoteFrontendUrl parameter, which allows remote attackers to bypass intended access restrictions via a crafted URL, a different vulnerability than CVE-2016-5144.
23 CVE-2016-5135 20 Bypass 2016-07-23 2016-07-27
4.3
None Remote Medium Not required None Partial None
WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp in Blink, as used in Google Chrome before 52.0.2743.82, does not consider referrer-policy information inside an HTML document during a preload request, which allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via a crafted web site, as demonstrated by a "Content-Security-Policy: referrer origin-when-cross-origin" header that overrides a "<META name='referrer' content='no-referrer'>" element.
24 CVE-2016-5132 254 Bypass 2016-07-23 2016-07-27
6.8
None Remote Medium Not required Partial Partial Partial
The Service Workers subsystem in Google Chrome before 52.0.2743.82 does not properly implement the Secure Contexts specification during decisions about whether to control a subframe, which allows remote attackers to bypass the Same Origin Policy via an https IFRAME element inside an http IFRAME element.
25 CVE-2016-5128 254 Bypass 2016-07-23 2016-07-28
6.8
None Remote Medium Not required Partial Partial Partial
objects.cc in Google V8 before 5.2.361.27, as used in Google Chrome before 52.0.2743.82, does not prevent API interceptors from modifying a store target without setting a property, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
26 CVE-2016-5109 284 Bypass 2016-07-13 2016-07-14
2.1
None Local Low Not required None Partial None
Citrix Worx Home for iOS before 10.3.6 and XenMobile MDX Toolkit for iOS before 10.3.6 might allow physically proximate attackers to bypass in-application Apple Touch ID authentication via unspecified vectors, related to an application requiring re-authentication.
27 CVE-2016-5104 284 Bypass 2016-06-13 2016-07-14
5.0
None Remote Low Not required None Partial None
The socket_create function in common/socket.c in libimobiledevice and libusbmuxd allows remote attackers to bypass intended access restrictions and communicate with services on iOS devices by connecting to an IPv4 TCP socket.
28 CVE-2016-5008 284 Bypass 2016-07-13 2016-07-14
4.3
None Remote Medium Not required None Partial None
libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers to bypass authentication and establish a VNC session by connecting to the server.
29 CVE-2016-4979 284 Bypass 2016-07-06 2016-07-08
5.0
None Remote Low Not required None Partial None
The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.
30 CVE-2016-4911 284 Bypass 2016-06-13 2016-06-15
4.0
None Remote Low Single system None Partial None
The Fernet Token Provider in OpenStack Identity (Keystone) 9.0.x before 9.0.1 (mitaka) allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token.
31 CVE-2016-4603 254 Bypass +Info 2016-07-21 2016-07-27
4.3
None Remote Medium Not required Partial None None
Web Media in Apple iOS before 9.3.3 allows attackers to bypass the Private Browsing protection mechanism and obtain sensitive video URL information by leveraging Safari View Controller misbehavior.
32 CVE-2016-4590 20 Bypass 2016-07-21 2016-07-26
4.3
None Remote Medium Not required None Partial None
WebKit in Apple iOS before 9.3.3 and Safari before 9.1.2 mishandles about: URLs, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
33 CVE-2016-4583 362 Bypass 2016-07-21 2016-07-26
4.3
None Remote Medium Not required Partial None None
WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to bypass the Same Origin Policy and obtain image date from an unintended web site via a timing attack involving an SVG document.
34 CVE-2016-4554 345 Bypass 2016-05-10 2016-06-21
5.0
None Remote Low Not required None Partial None
mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attacks via a crafted HTTP Host header, aka a "header smuggling" issue.
35 CVE-2016-4534 264 Bypass 2016-05-05 2016-05-09
3.0
None Local Medium Single system None Partial Partial
The McAfee VirusScan Console (mcconsol.exe) in McAfee VirusScan Enterprise 8.8.0 before Hotfix 1123565 (8.8.0.1546) on Windows allows local administrators to bypass intended self-protection rules and unlock the console window by closing registry handles.
36 CVE-2016-4510 287 Bypass 2016-06-09 2016-06-10
6.4
None Remote Low Not required Partial Partial None
The WAP interface in Trihedral VTScada (formerly VTS) 8.x through 11.x before 11.2.02 allows remote attackers to bypass authentication and read arbitrary files via unspecified vectors.
37 CVE-2016-4503 287 Bypass 2016-07-11 2016-07-12
5.0
None Remote Low Not required Partial None None
Moxa Device Server Web Console 5232-N allows remote attackers to bypass authentication, and consequently modify settings and data, via vectors related to reading a cookie parameter containing a UserId value.
38 CVE-2016-4502 284 Bypass 2016-05-30 2016-06-07
5.0
None Remote Low Not required Partial None None
Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and earlier allows remote attackers to bypass intended access restrictions and execute arbitrary functions via a modified parameter.
39 CVE-2016-4501 284 Bypass 2016-05-30 2016-06-07
6.4
None Remote Low Not required Partial Partial None
Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and earlier mishandles sessions, which allows remote attackers to bypass authentication and make arbitrary configuration changes via unspecified vectors.
40 CVE-2016-4495 284 Bypass 2016-06-09 2016-06-14
5.0
None Remote Low Not required Partial None None
KMC Controls BAC-5051E devices with firmware before E0.2.0.2 allow remote attackers to bypass intended access restrictions and read a configuration file via unspecified vectors.
41 CVE-2016-4475 254 Bypass 2016-08-19 2016-08-22
6.5
None Remote Low Single system Partial Partial Partial
The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors.
42 CVE-2016-4451 254 Bypass 2016-08-19 2016-08-22
6.0
None Remote Medium Single system Partial Partial Partial
The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization.
43 CVE-2016-4437 284 Exec Code Bypass 2016-06-07 2016-06-09
6.8
None Remote Medium Not required Partial Partial Partial
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
44 CVE-2016-4433 20 Bypass 2016-07-04 2016-07-06
5.0
None Remote Low Not required None Partial None
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.
45 CVE-2016-4432 287 Bypass 2016-06-01 2016-06-15
5.0
None Remote Low Not required None Partial None
The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging.
46 CVE-2016-4431 20 Bypass 2016-07-04 2016-07-06
5.0
None Remote Low Not required None Partial None
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.
47 CVE-2016-4422 287 +Priv Bypass 2016-05-06 2016-05-10
10.0
None Remote Low Not required Complete Complete Complete
The pam_sm_authenticate function in pam_sshauth.c in libpam-sshauth might allow context-dependent attackers to bypass authentication or gain privileges via a system user account.
48 CVE-2016-4215 284 Bypass 2016-07-12 2016-07-19
10.0
None Remote Low Not required Complete Complete Complete
Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC Classic before 15.006.30198, and Acrobat and Acrobat Reader DC Continuous before 15.017.20050 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors.
49 CVE-2016-4178 200 Bypass +Info 2016-07-12 2016-07-14
5.0
None Remote Low Not required Partial None None
Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0.0.209 on Windows and OS X and before 11.2.202.632 on Linux allows attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors.
50 CVE-2016-4029 285 Bypass 2016-08-07 2016-08-10
5.0
None Remote Low Not required None Partial None
WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address.
Total number of vulnerabilities : 4432   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.