CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2019(Bypass)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
51 CVE-2019-15805 255 Bypass 2019-08-29 2019-09-05
7.5
None Remote Low Not required Partial Partial Partial
CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 are vulnerable to an authentication bypass to the administrative interface because they include the current base64 encoded password within http://192.168.1.1/login.html. Any user connected to the Wi-Fi can exploit this.
52 CVE-2019-15732 200 Bypass +Info 2019-09-16 2019-09-18
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 12.2 through 12.2.1. The project import API could be used to bypass project visibility restrictions.
53 CVE-2019-15730 918 Bypass 2019-09-16 2019-09-18
5.0
None Remote Low Not required None Partial None
An issue was discovered in GitLab Community and Enterprise Edition 8.14 through 12.2.1. The Jira integration contains a SSRF vulnerability as a result of a bypass of the current protection mechanisms against this type of attack, which would allow sending requests to any resources accessible in the local network by the GitLab server.
54 CVE-2019-15723 732 Bypass 2019-09-16 2019-09-18
5.0
None Remote Low Not required None Partial None
An issue was discovered in GitLab Community and Enterprise Edition 11.9.x and 11.10.x before 11.10.1. Merge requests created by email could be used to bypass push rules in certain situations.
55 CVE-2019-15272 444 Bypass 2019-10-02 2019-10-09
6.4
None Remote Low Not required Partial Partial None
A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to bypass security restrictions. The vulnerability is due to improper handling of malformed HTTP methods. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected system. A successful exploit could allow the attacker to gain unauthorized access to the system.
56 CVE-2019-15136 275 Bypass 2019-08-18 2019-08-29
5.0
None Remote Low Not required None Partial None
The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not check partition permissions from remote participant connections, which can lead to policy bypass for a secure Data Distribution Service (DDS) partition.
57 CVE-2019-15106 264 Exec Code Bypass 2019-08-15 2019-08-27
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is [email protected]
58 CVE-2019-15088 704 Bypass 2019-09-20 2019-09-20
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in PRiSE adAS 1.7.0. Password hashes are compared using the equality operator. Thus, under specific circumstances, it is possible to bypass login authentication.
59 CVE-2019-15069 287 +Priv Bypass 2019-09-25 2019-09-26
7.5
None Remote Low Not required Partial Partial Partial
An unsafe authentication interface was discovered in Smart Battery A4, a multifunctional portable charger, firmware version ?<= r1.7.9 . An attacker can bypass authentication without modifying device file and gain web page management privilege.
60 CVE-2019-15067 287 +Priv Bypass 2019-09-25 2019-10-01
10.0
None Remote Low Not required Complete Complete Complete
An authentication bypass vulnerability discovered in Smart Battery A2-25DE, a multifunctional portable charger, firmware version ?<= SECFS-2013-10-16-13:42:58-629c30ee-60c68be6. An attacker can bypass authentication and gain privilege by modifying the login page.
61 CVE-2019-15062 352 Bypass CSRF 2019-08-14 2019-08-28
6.0
None Remote Medium Single system Partial Partial Partial
An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)
62 CVE-2019-15053 79 XSS Bypass 2019-08-14 2019-08-21
6.0
None Remote Medium Single system Partial Partial Partial
The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element.
63 CVE-2019-14998 352 Bypass CSRF 2019-09-11 2019-09-16
4.3
None Remote Medium Not required None Partial None
The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance.
64 CVE-2019-14845 Bypass 2019-10-08 2019-10-08
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability was found in OpenShift builds, versions 4.1 up to 4.3. Builds that extract source from a container image, bypass the TLS hostname verification. An attacker can take advantage of this flaw by launching a man-in-the-middle attack and injecting malicious content.
65 CVE-2019-14817 264 Exec Code Bypass 2019-09-03 2019-09-09
6.8
None Remote Medium Not required Partial Partial Partial
A flaw was found in, ghostscript versions prior to 9.28, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
66 CVE-2019-14813 264 Exec Code Bypass 2019-09-06 2019-09-09
7.5
None Remote Low Not required Partial Partial Partial
A flaw was found in ghostscript, versions 9.x before 9.28, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
67 CVE-2019-14811 264 Exec Code Bypass 2019-09-03 2019-09-09
6.8
None Remote Medium Not required Partial Partial Partial
A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
68 CVE-2019-14809 20 Bypass 2019-08-13 2019-08-24
7.5
None Remote Low Not required Partial Partial Partial
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
69 CVE-2019-14664 326 Bypass 2019-08-05 2019-08-13
4.3
None Remote Medium Not required Partial None None
In Enigmail below 2.1, an attacker in possession of PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, he unknowingly leaks the plaintext of the encrypted message part(s) back to the attacker. This attack variant bypasses protection mechanisms implemented after the "EFAIL" attacks.
70 CVE-2019-14537 287 Bypass 2019-08-07 2019-08-14
7.5
None Remote Low Not required Partial Partial Partial
YOURLS through 1.7.3 is affected by a type juggling vulnerability in the api component that can result in login bypass.
71 CVE-2019-14526 352 Bypass CSRF 2019-08-14 2019-08-27
5.8
None Remote Medium Not required Partial Partial None
An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03. The web-interface Cross-Site Request Forgery token is stored in a dynamically generated JavaScript file, and therefore can be embedded in third party pages, and re-used against the Nighthawk web interface. This entirely bypasses the intended security benefits of the use of a CSRF-protection token.
72 CVE-2019-14253 863 Bypass 2019-09-18 2019-09-18
6.4
None Remote Low Not required Partial Partial None
An issue was discovered in servletcontroller in the secure portal in Publisure 2.1.2. One can bypass authentication and perform a query on PHP forms within the /AdminDir folder that should be restricted.
73 CVE-2019-13953 287 Bypass 2019-09-06 2019-09-06
8.3
None Local Network Low Not required Complete Complete Complete
An exploitable authentication bypass vulnerability exists in the Bluetooth Low Energy (BLE) authentication module of YI M1 Mirrorless Camera V3.2-cn. An attacker can send a set of BLE commands to trigger this vulnerability, resulting in sensitive data leakage (e.g., personal photos). An attacker can also control the camera to record or take a picture after bypassing authentication.
74 CVE-2019-13605 287 Bypass 2019-07-16 2019-07-18
6.5
None Remote Low Single system Partial Partial Partial
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.838 to 0.9.8.846, remote attackers can bypass authentication in the login process by leveraging the knowledge of a valid username. The attacker must defeat an encoding that is not equivalent to base64, and thus this is different from CVE-2019-13360.
75 CVE-2019-13526 287 Exec Code Bypass 2019-08-30 2019-10-09
6.5
None Remote Low Single system Partial Partial Partial
Datalogic AV7000 Linear barcode scanner all versions prior to 4.6.0.0 is vulnerable to authentication bypass, which may allow an attacker to remotely execute arbitrary code.
76 CVE-2019-13483 345 Bypass 2019-07-25 2019-07-31
7.5
None Remote Low Not required Partial Partial Partial
Auth0 Passport-SharePoint before 0.4.0 does not validate the JWT signature of an Access Token before processing. This allows attackers to forge tokens and bypass authentication and authorization mechanisms.
77 CVE-2019-13464 434 Bypass 2019-07-09 2019-07-15
5.0
None Remote Low Not required None Partial None
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid.
78 CVE-2019-13372 287 Exec Code Bypass 2019-07-06 2019-07-12
7.5
None Remote Low Not required Partial Partial Partial
/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.
79 CVE-2019-13360 287 Bypass 2019-07-16 2019-07-18
7.5
None Remote Low Not required Partial Partial Partial
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username.
80 CVE-2019-13344 287 Bypass 2019-07-05 2019-07-31
5.0
None Remote Low Not required None Partial None
An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter.
81 CVE-2019-13337 287 Bypass 2019-07-09 2019-07-16
5.0
None Remote Low Not required None Partial None
In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is required.
82 CVE-2019-13190 287 Bypass 2019-09-05 2019-09-06
5.0
None Remote Low Not required None None Partial
In Knowage through 6.1.1, the sign up page does not invalidate a valid CAPTCHA token. This allows for CAPTCHA bypass in the signup page.
83 CVE-2019-13188 284 Bypass 2019-09-05 2019-09-05
5.0
None Remote Low Not required Partial None None
In Knowage through 6.1.1, an unauthenticated user can bypass access controls and access the entire application.
84 CVE-2019-13164 254 Bypass 2019-07-03 2019-08-26
4.6
None Local Low Not required Partial Partial Partial
qemu-bridge-helper.c in QEMU 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass.
85 CVE-2019-13054 74 Bypass 2019-06-29 2019-07-08
3.3
None Local Network Low Not required None Partial None
The Logitech R500 presentation clicker allows attackers to determine the AES key, leading to keystroke injection. On Windows, any text may be injected by using ALT+NUMPAD input to bypass the restriction on the characters A through Z.
86 CVE-2019-13053 74 Bypass 2019-06-29 2019-07-08
3.3
None Local Network Low Not required None Partial None
Logitech Unifying devices allow keystroke injection, bypassing encryption. The attacker must press a "magic" key combination while sniffing cryptographic data from a Radio Frequency transmission. NOTE: this issue exists because of an incomplete fix for CVE-2016-10761.
87 CVE-2019-12970 79 XSS Bypass 2019-07-01 2019-07-30
4.3
None Remote Medium Not required None Partial None
XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of (for example) a NOEMBED, NOFRAMES, NOSCRIPT, or TEXTAREA element.
88 CVE-2019-12923 352 Bypass CSRF 2019-07-08 2019-07-16
4.3
None Remote Medium Not required None Partial None
In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter from the request. This could allow an attacker to manipulate a user into unwittingly performing actions within the application (such as sending email, adding contacts, or changing settings) on behalf of the attacker.
89 CVE-2019-12866 285 Bypass 2019-07-03 2019-07-10
7.5
None Remote Low Not required Partial Partial Partial
An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack. The issue was fixed in 2018.4.49168.
90 CVE-2019-12799 502 Exec Code Bypass 2019-06-13 2019-10-09
6.5
None Remote Low Single system Partial Partial Partial
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.
91 CVE-2019-12782 285 Bypass 2019-07-09 2019-07-19
5.5
None Remote Low Single system None Partial Partial
An authorization bypass vulnerability in pinboard updates in ThoughtSpot 4.4.1 through 5.1.1 (before 5.1.2) allows a low-privilege user with write access to at least one pinboard to corrupt pinboards of another user in the application by spoofing GUIDs in pinboard update requests, effectively deleting them.
92 CVE-2019-12754 79 XSS Bypass 2019-08-30 2019-09-03
3.5
None Remote Medium Single system None Partial None
Symantec My VIP portal, previous version which has already been auto updated, was susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users or potentially bypass access controls such as the same-origin policy.
93 CVE-2019-12749 287 Bypass 2019-06-11 2019-06-14
3.6
None Local Low Not required Partial Partial None
dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.
94 CVE-2019-12706 20 Bypass 2019-10-02 2019-10-10
5.0
None Remote Low Not required None Partial None
A vulnerability in the Sender Policy Framework (SPF) functionality of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the configured user filters on an affected device. The vulnerability exists because the affected software insufficiently validates certain incoming SPF messages. An attacker could exploit this vulnerability by sending a custom SPF packet to an affected device. A successful exploit could allow the attacker to bypass the configured header filters, which could allow malicious content to pass through the device.
95 CVE-2019-12701 20 Bypass 2019-10-02 2019-10-10
5.0
None Remote Low Not required None Partial None
A vulnerability in the file and malware inspection feature of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass the file and malware inspection policies on an affected system. The vulnerability exists because the affected software insufficiently validates incoming traffic. An attacker could exploit this vulnerability by sending a crafted HTTP request through an affected device. A successful exploit could allow the attacker to bypass the file and malware inspection policies and send malicious traffic through the affected device.
96 CVE-2019-12697 20 Bypass 2019-10-02 2019-10-10
5.0
None Remote Low Not required None Partial None
Multiple vulnerabilities in the Cisco Firepower System Software Detection Engine could allow an unauthenticated, remote attacker to bypass configured Malware and File Policies for RTF and RAR file types. For more information about these vulnerabilities, see the Details section of this advisory.
97 CVE-2019-12696 20 Bypass 2019-10-02 2019-10-10
5.0
None Remote Low Not required None Partial None
Multiple vulnerabilities in the Cisco Firepower System Software Detection Engine could allow an unauthenticated, remote attacker to bypass configured Malware and File Policies for RTF and RAR file types. For more information about these vulnerabilities, see the Details section of this advisory.
98 CVE-2019-12691 22 Dir. Trav. Bypass 2019-10-02 2019-10-10
4.0
None Remote Low Single system Partial None None
A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to perform a directory traversal attack on an affected device. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to bypass Cisco FMC Software security restrictions and gain access to the underlying filesystem of the affected device.
99 CVE-2019-12662 347 Exec Code Bypass 2019-09-25 2019-10-09
7.2
None Local Low Not required Complete Complete Complete
A vulnerability in Cisco NX-OS Software and Cisco IOS XE Software could allow an authenticated, local attacker with valid administrator or privilege level 15 credentials to load a virtual service image and bypass signature verification on an affected device. The vulnerability is due to improper signature verification during the installation of an Open Virtual Appliance (OVA) image. An authenticated, local attacker could exploit this vulnerability and load a malicious, unsigned OVA image on an affected device. A successful exploit could allow an attacker to perform code execution on a crafted software OVA image.
100 CVE-2019-12643 287 Exec Code Bypass +Info 2019-08-28 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
A vulnerability in the Cisco REST API virtual service container for Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass authentication on the managed Cisco IOS XE device. The vulnerability is due to an improper check performed by the area of code that manages the REST API authentication service. An attacker could exploit this vulnerability by submitting malicious HTTP requests to the targeted device. A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device. The REST API interface is not enabled by default and must be installed and activated separately on IOS XE devices. See the Details section for more information.
Total number of vulnerabilities : 495   Page : 1 2 (This Page)3 4 5 6 7 8 9 10
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.