CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Debian : Security Vulnerabilities (Bypass)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-7401 254 Bypass CSRF 2016-10-03 2016-10-04
5.0
None Remote Low Not required None Partial None
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
2 CVE-2016-5419 310 Bypass 2016-08-10 2016-11-28
5.0
None Remote Low Not required Partial None None
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
3 CVE-2016-5008 284 Bypass 2016-07-13 2016-11-28
4.3
None Remote Medium Not required None Partial None
libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers to bypass authentication and establish a VNC session by connecting to the server.
4 CVE-2016-4422 287 +Priv Bypass 2016-05-06 2016-05-10
10.0
None Remote Low Not required Complete Complete Complete
The pam_sm_authenticate function in pam_sshauth.c in libpam-sshauth might allow context-dependent attackers to bypass authentication or gain privileges via a system user account.
5 CVE-2016-3162 284 Bypass 2016-04-12 2016-04-22
6.5
None Remote Low Single system Partial Partial Partial
The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.
6 CVE-2016-2860 284 Bypass 2016-05-13 2016-05-19
4.0
None Remote Low Single system None Partial None
The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups as administrators by leveraging mishandling of the creator ID.
7 CVE-2016-2381 20 Bypass 2016-04-08 2016-11-28
5.0
None Remote Low Not required None Partial None
Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.
8 CVE-2016-1699 284 Bypass 2016-06-05 2016-07-29
4.3
None Remote Medium Not required None Partial None
WebKit/Source/devtools/front_end/devtools.js in the Developer Tools (aka DevTools) subsystem in Blink, as used in Google Chrome before 51.0.2704.79, does not ensure that the remoteFrontendUrl parameter is associated with a chrome-devtools-frontend.appspot.com URL, which allows remote attackers to bypass intended access restrictions via a crafted URL.
9 CVE-2016-1697 284 Bypass 2016-06-05 2016-07-29
6.8
None Remote Medium Not required Partial Partial Partial
The FrameLoader::startLoad function in WebKit/Source/core/loader/FrameLoader.cpp in Blink, as used in Google Chrome before 51.0.2704.79, does not prevent frame navigations during DocumentLoader detach operations, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code.
10 CVE-2016-1696 284 Bypass 2016-06-05 2016-07-29
6.8
None Remote Medium Not required Partial Partial Partial
The extensions subsystem in Google Chrome before 51.0.2704.79 does not properly restrict bindings access, which allows remote attackers to bypass the Same Origin Policy via unspecified vectors.
11 CVE-2016-1692 284 Bypass 2016-06-05 2016-11-28
4.3
None Remote Medium Not required None Partial None
WebKit/Source/core/css/StyleSheetContents.cpp in Blink, as used in Google Chrome before 51.0.2704.63, permits cross-origin loading of CSS stylesheets by a ServiceWorker even when the stylesheet download has an incorrect MIME type, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
12 CVE-2016-1682 284 Bypass 2016-06-05 2016-11-28
4.3
None Remote Medium Not required None Partial None
The ServiceWorkerContainer::registerServiceWorkerImpl function in WebKit/Source/modules/serviceworkers/ServiceWorkerContainer.cpp in Blink, as used in Google Chrome before 51.0.2704.63, allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via a ServiceWorker registration.
13 CVE-2016-1676 284 Bypass 2016-06-05 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
extensions/renderer/resources/binding.js in the extension bindings in Google Chrome before 51.0.2704.63 does not properly use prototypes, which allows remote attackers to bypass the Same Origin Policy via unspecified vectors.
14 CVE-2016-1675 284 Bypass 2016-06-05 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
Blink, as used in Google Chrome before 51.0.2704.63, allows remote attackers to bypass the Same Origin Policy by leveraging the mishandling of Document reattachment during destruction, related to FrameLoader.cpp and LocalFrame.cpp.
15 CVE-2016-1674 Bypass 2016-06-05 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
The extensions subsystem in Google Chrome before 51.0.2704.63 allows remote attackers to bypass the Same Origin Policy via unspecified vectors.
16 CVE-2016-1673 Bypass 2016-06-05 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
Blink, as used in Google Chrome before 51.0.2704.63, allows remote attackers to bypass the Same Origin Policy via unspecified vectors.
17 CVE-2016-1672 284 Bypass 2016-06-05 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
The ModuleSystem::RequireForJsInner function in extensions/renderer/module_system.cc in the extension bindings in Google Chrome before 51.0.2704.63 mishandles properties, which allows remote attackers to conduct bindings-interception attacks and bypass the Same Origin Policy via unspecified vectors.
18 CVE-2016-1668 284 Bypass 2016-05-14 2016-11-30
6.8
None Remote Medium Not required Partial Partial Partial
The forEachForBinding function in WebKit/Source/bindings/core/v8/Iterable.h in the V8 bindings in Blink, as used in Google Chrome before 50.0.2661.102, uses an improper creation context, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
19 CVE-2016-1667 284 Bypass 2016-05-14 2016-11-30
6.8
None Remote Medium Not required Partial Partial Partial
The TreeScope::adoptIfNeeded function in WebKit/Source/core/dom/TreeScope.cpp in the DOM implementation in Blink, as used in Google Chrome before 50.0.2661.102, does not prevent script execution during node-adoption operations, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
20 CVE-2016-1658 284 Bypass +Info 2016-04-18 2016-11-30
4.3
None Remote Medium Not required Partial None None
The Extensions subsystem in Google Chrome before 50.0.2661.75 incorrectly relies on GetOrigin method calls for origin comparisons, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted extension.
21 CVE-2016-1629 264 Bypass 2016-02-21 2016-11-28
10.0
None Remote Low Not required Complete Complete Complete
Google Chrome before 48.0.2564.116 allows remote attackers to bypass the Blink Same Origin Policy and a sandbox protection mechanism via unspecified vectors.
22 CVE-2016-1627 264 Bypass 2016-02-13 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
The Developer Tools (aka DevTools) subsystem in Google Chrome before 48.0.2564.109 does not validate URL schemes and ensure that the remoteBase parameter is associated with a chrome-devtools-frontend.appspot.com URL, which allows remote attackers to bypass intended access restrictions via a crafted URL, related to browser/devtools/devtools_ui_bindings.cc and WebKit/Source/devtools/front_end/Runtime.js.
23 CVE-2016-1625 264 Bypass 2016-02-13 2016-11-28
4.3
None Remote Medium Not required Partial None None
The Chrome Instant feature in Google Chrome before 48.0.2564.109 does not ensure that a New Tab Page (NTP) navigation target is on the most-visited or suggestions list, which allows remote attackers to bypass intended restrictions via unspecified vectors, related to instant_service.cc and search_tab_helper.cc.
24 CVE-2016-1623 264 Bypass 2016-02-13 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
The DOM implementation in Google Chrome before 48.0.2564.109 does not properly restrict frame-attach operations from occurring during or after frame-detach operations, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, related to FrameLoader.cpp, HTMLFrameOwnerElement.h, LocalFrame.cpp, and WebLocalFrameImpl.cpp.
25 CVE-2016-1622 264 Bypass 2016-02-13 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
The Extensions subsystem in Google Chrome before 48.0.2564.109 does not prevent use of the Object.defineProperty method to override intended extension behavior, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code.
26 CVE-2016-0763 264 DoS Bypass 2016-02-24 2016-11-29
6.5
None Remote Low Single system Partial Partial Partial
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.
27 CVE-2016-0714 264 Exec Code Bypass 2016-02-24 2016-11-29
6.5
None Remote Low Single system Partial Partial Partial
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
28 CVE-2016-0706 200 Bypass +Info 2016-02-24 2016-11-29
4.0
None Remote Low Single system Partial None None
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
29 CVE-2015-8607 20 Bypass 2016-01-13 2016-08-23
7.5
None Remote Low Not required Partial Partial Partial
The canonpath function in the File::Spec module in PathTools before 3.62, as used in Perl, does not properly preserve the taint attribute of data, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.
30 CVE-2015-8080 189 DoS Overflow Mem. Corr. Bypass 2016-04-13 2016-11-30
5.0
None Remote Low Not required None None Partial
Integer overflow in the getnum function in lua_struct.c in Redis 2.8.x before 2.8.24 and 3.0.x before 3.0.6 allows context-dependent attackers with permission to run Lua code in a Redis session to cause a denial of service (memory corruption and application crash) or possibly bypass intended sandbox restrictions via a large number, which triggers a stack-based buffer overflow.
31 CVE-2015-5623 284 Bypass 2015-08-03 2016-11-28
4.0
None Remote Low Single system None Partial None
WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php.
32 CVE-2015-5400 264 Bypass 2015-09-28 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
Squid before 3.5.6 does not properly handle CONNECT method peer responses when configured with cache_peer, which allows remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request.
33 CVE-2015-5351 352 Bypass CSRF 2016-02-24 2016-11-29
6.8
None Remote Medium Not required Partial Partial Partial
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
34 CVE-2015-5174 22 Dir. Trav. Bypass 2016-02-24 2016-11-28
4.0
None Remote Low Single system Partial None None
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
35 CVE-2015-2830 264 Bypass 2015-05-27 2016-10-11
1.9
None Local Medium Not required None Partial None
arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrated by an attack against seccomp before 3.16.
36 CVE-2015-2047 287 Bypass 2015-02-23 2016-11-29
2.6
None Remote High Not required None Partial None
The rsaauth extension in TYPO3 4.3.0 through 4.3.14, 4.4.0 through 4.4.15, 4.5.0 through 4.5.39, and 4.6.0 through 4.6.18, when configured for the frontend, allows remote attackers to bypass authentication via a password that is casted to an empty value.
37 CVE-2015-1420 362 Bypass 2015-03-16 2016-11-28
1.9
None Local Medium Not required Partial None None
Race condition in the handle_to_path function in fs/fhandle.c in the Linux kernel through 3.19.1 allows local users to bypass intended size restrictions and trigger read operations on additional memory locations by changing the handle_bytes value of a file handle during the execution of this function.
38 CVE-2015-1287 17 Bypass 2015-07-22 2016-11-28
4.3
None Remote Medium Not required Partial None None
Blink, as used in Google Chrome before 44.0.2403.89, enables a quirks-mode exception that limits the cases in which a Cascading Style Sheets (CSS) document is required to have the text/css content type, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, related to core/fetch/CSSStyleSheetResource.cpp.
39 CVE-2015-1281 254 Bypass 2015-07-22 2016-11-28
4.3
None Remote Medium Not required None Partial None
core/loader/ImageLoader.cpp in Blink, as used in Google Chrome before 44.0.2403.89, does not properly determine the V8 context of a microtask, which allows remote attackers to bypass Content Security Policy (CSP) restrictions by providing an image from an unintended source.
40 CVE-2015-1254 264 Bypass 2015-05-20 2016-03-31
5.0
None Remote Low Not required None Partial None
core/dom/Document.cpp in Blink, as used in Google Chrome before 43.0.2357.65, enables the inheritance of the designMode attribute, which allows remote attackers to bypass the Same Origin Policy by leveraging the availability of editing.
41 CVE-2015-1253 284 Exec Code Bypass 2015-05-20 2016-03-31
7.5
None Remote Low Not required Partial Partial Partial
core/html/parser/HTMLConstructionSite.cpp in the DOM implementation in Blink, as used in Google Chrome before 43.0.2357.65, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code that appends a child to a SCRIPT element, related to the insert and executeReparentTask functions.
42 CVE-2015-1252 119 DoS Overflow Bypass 2015-05-20 2016-04-01
7.5
None Remote Low Not required Partial Partial Partial
common/partial_circular_buffer.cc in Google Chrome before 43.0.2357.65 does not properly handle wraps, which allows remote attackers to bypass a sandbox protection mechanism or cause a denial of service (out-of-bounds write) via vectors that trigger a write operation with a large amount of data, related to the PartialCircularBuffer::Write and PartialCircularBuffer::DoWrite functions.
43 CVE-2015-1248 264 Bypass 2015-04-19 2015-10-23
4.3
None Remote Medium Not required None Partial None
The FileSystem API in Google Chrome before 40.0.2214.91 allows remote attackers to bypass the SafeBrowsing for Executable Files protection mechanism by creating a .exe file in a temporary filesystem and then referencing this file with a filesystem:http: URL.
44 CVE-2015-1236 264 Bypass 2015-04-19 2016-06-28
4.3
None Remote Medium Not required Partial None None
The MediaElementAudioSourceNode::process function in modules/webaudio/MediaElementAudioSourceNode.cpp in the Web Audio API implementation in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy and obtain sensitive audio sample values via a crafted web site containing a media element.
45 CVE-2015-1235 264 Bypass 2015-04-19 2016-06-28
5.0
None Remote Low Not required None Partial None
The ContainerNode::parserRemoveChild function in core/dom/ContainerNode.cpp in the HTML parser in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy via a crafted HTML document with an IFRAME element.
46 CVE-2015-0861 264 Bypass 2016-04-13 2016-04-19
4.0
None Remote Low Single system None Partial None
model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records.
47 CVE-2015-0840 284 Bypass 2015-04-13 2015-04-14
4.3
None Remote Medium Not required None Partial None
The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control file (.dsc).
48 CVE-2014-9675 264 Bypass 2015-02-08 2016-11-28
5.0
None Remote Low Not required Partial None None
bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font.
49 CVE-2014-7810 284 Bypass 2015-06-07 2016-11-28
5.0
None Remote Low Not required None Partial None
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
50 CVE-2014-5204 352 Bypass CSRF 2014-08-18 2015-11-25
6.8
None Remote Medium Not required Partial Partial Partial
wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.
Total number of vulnerabilities : 68   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.