CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2014(Bypass)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-9024 264 Bypass 2014-11-20 2014-11-20
7.5
None Remote Low Not required Partial Partial Partial
The Protected Pages module 7.x-2.x before 7.x-2.4 for Drupal allows remote attackers to bypass the password protection via a crafted path.
2 CVE-2014-9022 264 Bypass 2014-11-20 2014-11-20
6.4
None Remote Low Not required None Partial Partial
The Webform Component Roles module 6.x-1.x before 6.x-1.8 and 7.x-1.x before 7.x-1.8 for Drupal allows remote attackers to bypass the "disabled" restriction and modify read-only components via a crafted form.
3 CVE-2014-8988 264 Bypass 2014-11-24 2014-11-24
4.0
None Remote Low Single system Partial None None
MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL.
4 CVE-2014-8764 287 Bypass 2014-10-22 2014-11-13
5.0
None Remote Low Not required None Partial None
DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind.
5 CVE-2014-8763 287 Bypass 2014-10-22 2014-11-13
5.0
None Remote Low Not required None Partial None
DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind.
6 CVE-2014-8736 200 Bypass +Info 2014-11-12 2014-11-13
5.0
None Remote Low Not required Partial None None
The Open Atrium Core module for Drupal before 7.x-2.22 allows remote attackers to bypass access restrictions and read file attachments that have been removed from a node by leveraging a previous revision of the node.
7 CVE-2014-8655 264 1 Bypass +Info 2014-11-06 2014-11-06
5.0
None Remote Low Not required Partial None None
The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows remote attackers to bypass authentication and obtain sensitive information via an (a) admin or a (b) root value in the userData cookie in a request to (1) CmgwWirelessSecurity.xml, (2) DocsisConfigFile.xml, or (3) CmgwBasicSetup.xml in xml/ or (4) basicDDNS.html, (5) basicLanUsers.html, or (6) rootDesc.xml.
8 CVE-2014-8558 Bypass 2014-11-25 2014-11-25
0.0
None ??? ??? ??? ??? ??? ???
JExperts Channel Platform 5.0.33_CCB allows remote authenticated users to bypass access restrictions via crafted action and key parameters.
9 CVE-2014-8535 Bypass 2014-10-29 2014-10-30
4.6
None Local Low Not required Partial Partial Partial
McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to bypass intended restriction on unspecified functionality via unknown vectors.
10 CVE-2014-8472 287 Bypass 2014-11-04 2014-11-20
6.8
None Remote Medium Not required Partial Partial Partial
CA Cloud Service Management (CSM) before Summer 2014 does not properly verify authentication tokens from an Identity Provider, which allows user-assisted remote attackers to bypass intended access restrictions via unspecified vectors.
11 CVE-2014-8413 264 Bypass 2014-11-24 2014-11-25
7.5
None Remote Low Not required Partial Partial Partial
The res_pjsip_acl module in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 does properly create and load ACLs defined in pjsip.conf at startup, which allows remote attackers to bypass intended PJSIP ACL rules.
12 CVE-2014-8412 264 Bypass 2014-11-24 2014-11-25
5.0
None Remote Low Not required None Partial None
The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1, 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8.28 before 1.8.28-cert3 and 11.6 before 11.6-cert8 allows remote attackers to bypass the ACL restrictions via a packet with a source IP that does not share the address family as the first ACL entry.
13 CVE-2014-8350 94 Exec Code Bypass 2014-11-03 2014-11-04
7.5
None Remote Low Not required Partial Partial Partial
Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}<{/literal}script language=php>" in a template.
14 CVE-2014-8088 287 Bypass 2014-10-22 2014-10-23
5.0
None Remote Low Not required None Partial None
The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.
15 CVE-2014-7984 264 Bypass 2014-10-08 2014-10-09
7.5
None Remote Low Not required Partial Partial Partial
Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote attackers to authenticate and bypass intended restrictions via vectors involving GMail authentication.
16 CVE-2014-7960 399 Bypass 2014-10-17 2014-10-23
4.0
None Remote Low Single system None Partial None
OpenStack Object Storage (Swift) before 2.2.0 allows remote authenticated users to bypass the max_meta_count and other metadata constraints via multiple crafted requests which exceed the limit when combined.
17 CVE-2014-7905 284 Bypass 2014-11-19 2014-11-19
5.0
None Remote Low Not required None Partial None
Google Chrome before 39.0.2171.65 on Android does not prevent navigation to a URL in cases where an intent for the URL lacks CATEGORY_BROWSABLE, which allows remote attackers to bypass intended access restrictions via a crafted web site.
18 CVE-2014-7846 264 Bypass 2014-11-24 2014-11-24
4.0
None Remote Low Single system Partial None None
tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request.
19 CVE-2014-7832 264 Bypass 2014-11-24 2014-11-24
4.0
None Remote Low Single system Partial None None
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.
20 CVE-2014-7828 264 Bypass 2014-11-19 2014-11-19
3.5
None Remote Medium Single system None Partial None
FreeIPA 4.0.x before 4.0.5 and 4.1.x before 4.1.1, when 2FA is enabled, allows remote attackers to bypass the password requirement of the two-factor authentication leveraging an enabled OTP token, which triggers an anonymous bind.
21 CVE-2014-7825 119 DoS Overflow Bypass 2014-11-10 2014-11-10
4.9
None Local Low Not required None None Complete
kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application.
22 CVE-2014-7299 Bypass +Info 2014-10-07 2014-10-08
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in administrative interfaces in ArubaOS 6.3.1.11, 6.3.1.11-FIPS, 6.4.2.1, and 6.4.2.1-FIPS on Aruba controllers allows remote attackers to bypass authentication, and obtain potentially sensitive information or add guest accounts, via an SSH session.
23 CVE-2014-7237 264 Exec Code Bypass 2014-10-15 2014-10-22
6.8
None Remote Medium Not required Partial Partial Partial
lib/TWiki/Sandbox.pm in TWiki 6.0.0 and earlier, when running on Windows, allows remote attackers to bypass intended access restrictions and upload files with restricted names via a null byte (%00) in a filename to bin/upload.cgi, as demonstrated using .htaccess to execute arbitrary code.
24 CVE-2014-7228 310 Exec Code Bypass 2014-11-03 2014-11-04
7.5
None Remote Low Not required Partial Partial Partial
Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for Joomla! Professional 3.0.0 through 4.0.2; Backup Professional for WordPress 1.0.b1 through 1.1.3; Solo 1.0.b1 through 1.1.2; Admin Tools Core and Professional 2.0.0 through 2.4.4; and CMS Update 1.0.a1 through 1.0.1, when performing a backup or update for an archive, does not delete parameters from $_GET and $_POST when it is cleansing $_REQUEST, but later accesses $_GET and $_POST using the getQueryParam function, which allows remote attackers to bypass encryption and execute arbitrary code via a command message that extracts a crafted archive.
25 CVE-2014-6632 287 Bypass 2014-10-08 2014-10-09
7.5
None Remote Low Not required Partial Partial Partial
Joomla! 2.5.x before 2.5.25, 3.x before 3.2.4, and 3.3.x before 3.3.4 allows remote attackers to authenticate and bypass intended access restrictions via vectors involving LDAP authentication.
26 CVE-2014-6626 284 Bypass 2014-11-19 2014-11-19
10.0
Admin Remote Low Not required Complete Complete Complete
Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 does not properly restrict access to unspecified administrative functions, which allows remote attackers to bypass authentication and execute administrative actions via unknown vectors.
27 CVE-2014-6603 399 DoS Bypass 2014-10-07 2014-10-08
5.0
None Remote Low Not required None None Partial
The SSHParseBanner function in SSH parser (app-layer-ssh.c) in Suricata before 2.0.4 allows remote attackers to bypass SSH rules, cause a denial of service (crash), or possibly have unspecified other impact via a crafted banner, which triggers a large memory allocation or an out-of-bounds write.
28 CVE-2014-6602 264 Bypass 2014-09-21 2014-09-22
6.6
None Local Low Not required Complete Complete None
Microsoft Asha OS on the Microsoft Mobile Nokia Asha 501 phone 14.0.4 allows physically proximate attackers to bypass the lock-screen protection mechanism, and read or modify contact information or dial arbitrary telephone numbers, by tapping the SOS Option and then tapping the Green Call Option.
29 CVE-2014-6387 287 Bypass 2014-10-22 2014-10-23
5.0
None Remote Low Not required None Partial None
gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authenticated via a password starting will a null byte, which triggers an unauthenticated bind.
30 CVE-2014-6379 287 Bypass 2014-10-14 2014-10-24
7.5
None Remote Low Not required Partial Partial Partial
Juniper Junos 11.4 before R12, 12.1 before R10, 12.1X44 before D35, 12.1X45 before D25, 12.1X46 before D20, 12.1X47 before D10, 12.2 before R8, 12.2X50 before D70, 12.3 before R6, 13.1 before R4-S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R4, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R2, and 14.1 before R1, when a RADIUS accounting server is configured as [system accounting destination radius], creates an entry in /var/etc/pam_radius.conf, which might allow remote attackers to bypass authentication via unspecified vectors.
31 CVE-2014-6339 264 Bypass 2014-11-11 2014-11-12
5.0
None Remote Low Not required None Partial None
Microsoft Internet Explorer 8 and 9 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability."
32 CVE-2014-6318 287 Bypass 2014-11-11 2014-11-12
5.0
None Remote Low Not required None Partial None
The audit logon feature in Remote Desktop Protocol (RDP) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly log unauthorized login attempts supplying valid credentials, which makes it easier for remote attackers to bypass intended access restrictions via a series of attempts, aka "Remote Desktop Protocol (RDP) Failure to Audit Vulnerability."
33 CVE-2014-6289 264 Bypass 2014-10-03 2014-10-06
7.5
None Remote Low Not required Partial Partial Partial
The Ajax dispatcher for Extbase in the Yet Another Gallery (yag) extension before 3.0.1 and Tools for Extbase development (pt_extbase) extension before 1.5.1 allows remote attackers to bypass access restrictions and execute arbitrary controller actions via unspecified vectors.
34 CVE-2014-6288 264 Bypass 2014-10-03 2014-10-10
7.5
None Remote Low Not required Partial Partial Partial
The powermail extension 2.x before 2.0.11 for TYPO3 allows remote attackers to bypass the CAPTCHA protection mechanism via unspecified vectors.
35 CVE-2014-6230 20 Bypass 2014-10-24 2014-10-27
4.3
None Remote Medium Not required Partial None None
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.
36 CVE-2014-6116 287 Bypass 2014-10-18 2014-10-28
4.3
None Remote Medium Not required None Partial None
The Telemetry Component in WebSphere MQ 8.0.0.1 before p000-001-L140910 allows remote attackers to bypass authentication by setting the JAASConfig property in an MQTT client configuration.
37 CVE-2014-6041 264 Bypass 2014-09-02 2014-09-19
5.8
None Remote Medium Not required Partial Partial None
The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser.
38 CVE-2014-5318 264 Bypass 2014-09-26 2014-09-26
5.8
None Remote Medium Not required Partial Partial None
The jigbrowser+ application 1.8.1 and earlier for iOS allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code.
39 CVE-2014-5300 287 1 Exec Code Bypass 2014-10-08 2014-10-09
5.0
None Remote Low Not required None Partial None
Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0 allows remote attackers to bypass the signature check, impersonate arbitrary users, and execute commands via a message without a signature.
40 CVE-2014-5298 264 Bypass 2014-10-09 2014-10-10
5.0
None Remote Low Not required None None Partial
FileUploadsFilter.php in X2Engine 4.1.7 and earlier, when running on case-insensitive file systems, allows remote attackers to bypass the upload blacklist and conduct unrestricted file upload attacks by uploading a file with an executable extension that contains uppercase letters, as demonstrated using a PHP program.
41 CVE-2014-5269 264 Bypass +Info 2014-09-04 2014-09-08
5.0
None Remote Low Not required Partial None None
Plack::App::File in Plack before 1.0031 removes trailing slash characters from paths, which allows remote attackers to bypass the whitelist of generated files and obtain sensitive information via a crafted path, related to Plack::Middleware::Static.
42 CVE-2014-5252 255 Bypass 2014-08-25 2014-10-10
4.9
None Remote Medium Single system Partial Partial None
The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.
43 CVE-2014-5246 264 1 Bypass 2014-08-22 2014-08-27
10.0
None Remote Low Not required Complete Complete Complete
The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication and gain administrator access by setting the admin:language cookie to zh-cn.
44 CVE-2014-5206 264 Bypass 2014-08-18 2014-11-13
7.2
None Local Low Not required Complete Complete Complete
The do_remount function in fs/namespace.c in the Linux kernel through 3.16.1 does not maintain the MNT_LOCK_READONLY bit across a remount of a bind mount, which allows local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms via a "mount -o remount" command within a user namespace.
45 CVE-2014-5205 352 Bypass CSRF 2014-08-18 2014-11-13
6.8
None Remote Medium Not required Partial Partial Partial
wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.
46 CVE-2014-5204 352 Bypass CSRF 2014-08-18 2014-11-13
6.8
None Remote Medium Not required Partial Partial Partial
wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.
47 CVE-2014-5195 362 Bypass 2014-08-07 2014-08-22
7.2
None Local Low Not required Complete Complete Complete
Unity before 7.2.3 and 7.3.x before 7.3.1, as used in Ubuntu, does not properly take focus of the keyboard when switching to the lock screen, which allows physically proximate attackers to bypass the lock screen by (1) leveraging a machine that had text selected when locking or (2) resuming from a suspension.
48 CVE-2014-5175 287 Bypass 2014-07-31 2014-08-27
7.5
None Remote Low Not required Partial Partial Partial
The License Measurement servlet in SAP Solution Manager 7.1 allows remote attackers to bypass authentication via unspecified vectors, related to a verb tampering attack and SAP_JTECHS.
49 CVE-2014-5173 264 Bypass 2014-07-31 2014-08-01
5.0
None Remote Low Not required Partial None None
SAP HANA Extend Application Services (XS) allows remote attackers to bypass access restrictions via a request to a private IU5 SDK application that was once public.
50 CVE-2014-5033 362 Bypass 2014-08-19 2014-10-16
6.9
None Local Medium Not required Complete Complete Complete
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
Total number of vulnerabilities : 418   Page : 1 (This Page)2 3 4 5 6 7 8 9
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.