CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2014(Bypass)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
401 CVE-2013-5704 264 Bypass 2014-04-15 2017-01-06
5.0
None Remote Low Not required None Partial None
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."
402 CVE-2013-5464 264 Bypass 2014-05-26 2017-08-28
6.0
None Remote Medium Single system Partial Partial Partial
IBM Maximo Asset Management 7.5.x before 7.5.0.3 IFIX027, 7.5.0.4 before IFIX011, and 7.5.0.5 before IFIX006 and SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2 allow remote authenticated users to bypass intended access restrictions, and modify physical counts associated with restricted storerooms, via unspecified vectors.
403 CVE-2013-5460 264 Bypass 2014-05-26 2017-08-28
3.5
None Remote Medium Single system Partial None None
IBM Maximo Asset Management 7.x before 7.5.0.6 and SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2 allow remote authenticated users to bypass intended access restrictions, and read communication logs associated with unrelated records, via unspecified vectors.
404 CVE-2013-5400 255 Bypass 2014-02-14 2017-08-28
10.0
None Remote Low Not required Complete Complete Complete
An unspecified servlet in IBM Platform Symphony Developer Edition (DE) 5.2 and 6.1.x through 6.1.1 has hardcoded credentials, which allows remote attackers to bypass authentication and obtain "local environment" access via unknown vectors.
405 CVE-2013-5371 264 Bypass 2014-01-23 2017-08-28
2.1
None Local Low Not required Partial None None
The client in IBM Tivoli Storage Manager (TSM) 6.3.1 and 6.4.0 on Windows does not preserve permissions of Resilient File System (ReFS) files across backup and restore operations, which allows local users to bypass intended access restrictions via standard filesystem operations.
406 CVE-2013-5356 264 Bypass 2014-06-13 2017-08-28
7.5
None Remote Low Not required Partial Partial Partial
Sharetronix 3.1.1.3, 3.1.1, and earlier does not properly restrict access to unspecified AJAX functionality, which allows remote attackers to bypass authentication via unknown vectors.
407 CVE-2013-5016 264 Bypass 2014-05-08 2014-05-08
7.6
None Remote High Not required Complete Complete Complete
Symantec Critical System Protection (SCSP) before 5.2.9, when installed on an unpatched Windows Server 2003 R2 platform, allows remote attackers to bypass policy settings via unspecified vectors.
408 CVE-2013-5010 264 Bypass 2014-01-10 2017-08-28
4.6
None Local Low Not required Partial Partial Partial
The Application/Device Control (ADC) component in the client in Symantec Endpoint Protection (SEP) 11.x before 11.0.7.4 and 12.x before 12.1.2 RU2 and Endpoint Protection Small Business Edition 12.x before 12.1.2 RU2 does not properly handle custom polices, which allows local users to bypass intended policy restrictions and access files or directories via unspecified vectors.
409 CVE-2013-4772 287 Bypass 2014-05-12 2014-05-12
9.3
None Remote Medium Not required Complete Complete Complete
D-Link DIR-505L SharePort Mobile Companion 1.01 and DIR-826L Wireless N600 Cloud Router 1.02 allows remote attackers to bypass authentication via a direct request when an authorized session is active.
410 CVE-2013-4737 264 Bypass 2014-02-15 2014-02-18
9.3
None Remote Medium Not required Complete Complete Complete
The CONFIG_STRICT_MEMORY_RWX implementation for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly consider certain memory sections, which makes it easier for attackers to bypass intended access restrictions by leveraging the presence of RWX memory at a fixed location.
411 CVE-2013-4662 89 Sql Bypass 2014-01-29 2014-02-21
6.5
None Remote Low Single system Partial Partial Partial
The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.getquick.
412 CVE-2013-4661 264 Bypass 2014-01-29 2014-02-21
4.9
None Remote Medium Single system Partial Partial None
CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly enforce role-based access control (RBAC) restrictions for default custom searches, which allows remote authenticated users with the "access CiviCRM" permission to bypass intended access restrictions, as demonstrated by accessing custom contribution data without having the "access CiviContribute" permission.
413 CVE-2013-4596 264 Bypass 2014-06-02 2014-06-03
5.8
None Remote Medium Not required Partial Partial None
The Node Access Keys module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permissions, which allows remote attackers to bypass access restrictions via a node listing.
414 CVE-2013-4580 287 Bypass 2014-05-12 2016-05-18
6.8
None Remote Medium Not required Partial Partial Partial
GitLab before 5.4.2, Community Edition before 6.2.4, and Enterprise Edition before 6.2.1, when using a MySQL backend, allows remote attackers to impersonate arbitrary users and bypass authentication via unspecified API calls.
415 CVE-2013-4570 DoS Bypass 2014-05-12 2014-05-12
5.0
None Remote Low Not required None None Partial
The zend_inline_hash_func function in php-luasandbox in the Scribuntu extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to converting Lua data structures to PHP, as demonstrated by passing { [{}] = 1 } to a module function.
416 CVE-2013-4426 Bypass 2014-05-19 2014-05-19
3.6
None Local Low Not required Partial None Partial
pyxtrlock before 0.1 uses an incorrect variable name, which allows physically proximate attackers to bypass the lock screen via multiple failed authentication attempts, which trigger a crash.
417 CVE-2013-4304 287 Bypass 2014-01-26 2017-08-28
7.5
None Remote Low Not required Partial Partial Partial
The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 caches a valid CentralAuthUser object in the centralauth_User cookie even when a user has not successfully logged in, which allows remote attackers to bypass authentication without a password.
418 CVE-2013-4200 264 Bypass 2014-01-21 2018-10-09
5.8
None Remote Medium Not required Partial Partial None
The isURLInPortal method in the URLTool class in in_portal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allow_external_login_sites filtering property, redirect users to arbitrary web sites, and conduct phishing attacks via a space before a URL in the "next" parameter to acl_users/credentials_cookie_auth/require_login.
419 CVE-2013-4198 264 Bypass 2014-03-11 2014-03-11
4.0
None Remote Low Single system None Partial None
mail_password.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to bypass the prohibition on password changes via the forgotten password email functionality.
420 CVE-2013-4177 264 Bypass 2014-05-29 2014-05-30
5.0
None Remote Low Not required None Partial None
The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal does not properly identify user account names, which might allow remote attackers to bypass the two-factor authentication requirement via unspecified vectors.
421 CVE-2013-4143 Bypass 2014-05-30 2014-06-26
2.1
None Local Low Not required None None Partial
The (1) checkPasswd and (2) checkGroupXlockPasswds functions in xlockmore before 5.43 do not properly handle when a NULL value is returned upon an error by the crypt or dispcrypt function as implemented in glibc 2.17 and later, which allows attackers to bypass the screen lock via vectors related to invalid salts.
422 CVE-2013-3993 264 Bypass 2014-07-07 2017-08-28
3.5
None Remote Medium Single system Partial None None
IBM InfoSphere BigInsights before 2.1.0.3 allows remote authenticated users to bypass intended file and directory restrictions, or access untrusted data or code, via crafted parameters in unspecified API calls.
423 CVE-2013-3092 287 +Priv Bypass 2014-09-29 2014-09-30
8.3
None Local Network Low Not required Complete Complete Complete
The Belkin N300 (F7D7301v1) router allows remote attackers to bypass authentication and gain privileges via vectors related to incorrect validation of the HTTP Authorization header.
424 CVE-2013-2974 264 Sql Bypass 2014-01-29 2017-08-28
7.5
None Remote Low Not required Partial Partial Partial
The BIRT viewer in IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.2.1.x before 7.2.1.5 allows remote authenticated users to bypass authorization checks and obtain report-administration privileges, and consequently create or delete reports or conduct SQL injection attacks, via crafted parameters to the BIRT reporting URL.
425 CVE-2013-2826 264 Bypass 2014-01-15 2014-01-16
6.4
None Remote Low Not required Partial Partial None
WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.
426 CVE-2013-2756 287 Bypass 2014-05-23 2017-08-28
5.0
None Remote Low Not required None Partial None
Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C allows remote attackers to bypass the console proxy authentication by leveraging knowledge of the source code.
427 CVE-2013-2747 264 Exec Code Bypass 2014-01-29 2014-02-21
6.5
None Remote Low Single system Partial Partial Partial
The password reset feature in Courion Access Risk Management Suite Version 8 Update 9 allows remote authenticated users to bypass intended Internet Explorer usage restrictions and execute arbitrary commands by using keyboard shortcuts to navigate the file system and open a command prompt.
428 CVE-2013-2182 264 Bypass 2014-06-13 2014-06-13
5.8
None Remote Medium Not required Partial Partial None
The Mandril security plugin in Monkey HTTP Daemon (monkeyd) before 1.5.0 allows remote attackers to bypass access restrictions via a crafted URI, as demonstrated by an encoded forward slash.
429 CVE-2013-1841 264 Bypass 2014-06-13 2017-08-28
4.3
None Remote Medium Not required None Partial None
Net-Server, when the reverse-lookups option is enabled, does not check if the hostname resolves to the source IP address, which might allow remote attackers to bypass ACL restrictions via the hostname parameter.
430 CVE-2013-0296 264 Bypass 2014-04-27 2014-04-28
4.4
None Local Medium Not required Partial Partial Partial
Race condition in pigz before 2.2.5 uses permissions derived from the umask when compressing a file before setting that file's permissions to match those of the original file, which might allow local users to bypass intended access permissions while compression is occurring.
431 CVE-2013-0191 287 Bypass 2014-06-03 2017-08-28
5.0
None Remote Low Not required None Partial None
libpam-pgsql (aka pam_pgsql) 0.7 does not properly handle a NULL value returned by the password search query, which allows remote attackers to bypass authentication via a crafted password.
432 CVE-2012-6637 20 Bypass 2014-03-02 2014-03-03
7.5
None Remote Low Not required Partial Partial Partial
Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier do not anchor the end of domain-name regular expressions, which allows remote attackers to bypass a whitelist protection mechanism via a domain name that contains an acceptable name as an initial substring.
433 CVE-2012-6634 264 Bypass +Info 2014-01-20 2014-02-24
6.4
None Remote Low Not required Partial Partial None
wp-admin/media-upload.php in WordPress before 3.3.3 allows remote attackers to obtain sensitive information or bypass intended media-attachment restrictions via a post_id value.
434 CVE-2012-5498 264 DoS Bypass 2014-09-30 2015-11-17
5.0
None Remote Low Not required None None Partial
queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection.
435 CVE-2012-5493 94 Exec Code Bypass 2014-09-30 2014-10-01
8.5
None Remote Medium Single system Complete Complete Complete
gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors.
436 CVE-2012-5487 264 Exec Code Bypass 2014-09-30 2014-10-01
8.5
None Remote Medium Single system Complete Complete Complete
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.
437 CVE-2012-3946 264 Bypass 2014-04-24 2014-04-24
5.0
None Remote Low Not required Partial None None
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.
438 CVE-2012-3406 264 DoS Exec Code Bypass 2014-02-10 2019-04-22
6.8
None Remote Medium Not required Partial Partial Partial
The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405.
439 CVE-2012-3405 189 DoS Bypass 2014-02-10 2019-04-22
5.0
None Remote Low Not required None None Partial
The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Library (aka glibc) 2.14 and other versions does not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (segmentation fault and crash) via a format string with a large number of format specifiers that triggers "desynchronization within the buffer size handling," a different vulnerability than CVE-2012-3404.
440 CVE-2012-3404 189 DoS Bypass 2014-02-10 2019-04-22
5.0
None Remote Low Not required None None Partial
The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Library (aka glibc) 2.12 and other versions does not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (stack corruption and crash) via a format string that uses positional parameters and many format specifiers.
441 CVE-2012-2899 79 XSS Bypass 2014-01-05 2014-01-06
4.3
None Remote Medium Not required None Partial None
Google Chrome before 21.0.1180.82 on iOS makes certain incorrect calls to WebView methods that trigger use of an applewebdata: URL, which allows remote attackers to bypass the Same Origin Policy and conduct Universal XSS (UXSS) attacks via vectors involving the document.write method.
442 CVE-2012-2663 20 Bypass 2014-02-15 2014-02-18
7.5
None Remote Low Not required Partial Partial Partial
extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.
443 CVE-2012-1171 200 Bypass +Info 2014-02-15 2014-02-18
5.0
None Remote Low Not required Partial None None
The libxml RSHUTDOWN function in PHP 5.x allows remote attackers to bypass the open_basedir protection mechanism and read arbitrary files via vectors involving a stream_close method call during use of a custom stream wrapper.
444 CVE-2012-0064 264 Bypass 2014-02-10 2014-02-11
4.6
None Local Low Not required Partial Partial Partial
xkeyboard-config before 2.5 in X.Org before 7.6 enables certain XKB debugging functions by default, which allows physically proximate attackers to bypass an X screen lock via keyboard combinations that break the input grab.
445 CVE-2011-4613 264 Bypass 2014-02-05 2014-02-24
4.6
None Local Low Not required Partial Partial Partial
The X.Org X wrapper (xserver-wrapper.c) in Debian GNU/Linux and Ubuntu Linux does not properly verify the TTY of a user who is starting X, which allows local users to bypass intended access restrictions by associating stdin with a file that is misinterpreted as the console TTY.
446 CVE-2011-4099 264 Bypass 2014-02-07 2014-02-10
4.6
None Local Low Not required Partial Partial Partial
The capsh program in libcap before 2.22 does not change the current working directory when the --chroot option is specified, which allows local users to bypass the chroot restrictions via unspecified vectors.
447 CVE-2011-3377 264 Bypass 2014-02-05 2018-10-30
4.3
None Remote Medium Not required None Partial None
The web browser plug-in in IcedTea-Web 1.0.x before 1.0.6 and 1.1.x before 1.1.4 allows remote attackers to bypass the Same Origin Policy (SOP) and execute arbitrary script or establish network connections to unintended hosts via an applet whose origin has the same second-level domain, but a different sub-domain than the targeted domain.
448 CVE-2011-3152 310 Dir. Trav. Bypass 2014-04-27 2017-08-28
6.4
None Remote Low Not required Partial Partial None
DistUpgrade/DistUpgradeFetcherCore.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 on Ubuntu 8.04 through 11.10 does not verify the GPG signature before extracting an upgrade tarball, which allows man-in-the-middle attackers to (1) create or overwrite arbitrary files via a directory traversal attack using a crafted tar file, or (2) bypass authentication via a crafted meta-release file.
449 CVE-2011-1836 264 Bypass 2014-02-15 2014-03-07
4.6
None Local Low Not required Partial Partial Partial
utils/ecryptfs-recover-private in ecryptfs-utils before 90 does not establish a subdirectory with safe permissions, which might allow local users to bypass intended access restrictions via standard filesystem operations during the recovery process.
450 CVE-2011-1835 255 Bypass 2014-02-15 2014-03-07
4.4
None Local Medium Not required Partial Partial Partial
The encrypted private-directory setup process in utils/ecryptfs-setup-private in ecryptfs-utils before 90 does not properly ensure that the passphrase file is created, which might allow local users to bypass intended access restrictions at a certain time in the new-user creation steps.
Total number of vulnerabilities : 457   Page : 1 2 3 4 5 6 7 8 9 (This Page)10
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.