CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Related To CWE-287

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 CVE-2019-0246 287 2019-01-08 2019-01-17
7.5
None Remote Low Not required Partial Partial Partial
SAP Cloud Connector, before version 2.11.3, does not perform any authentication checks for functionalities that require user identity.
2 CVE-2018-1999045 287 2018-08-23 2018-10-29
5.5
None Remote Low Single system Partial Partial None
An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.
3 CVE-2018-1000875 287 Bypass 2018-12-20 2019-01-09
7.5
None Remote Low Not required Partial Partial Partial
Berkeley Open Infrastructure for Network Computing BOINC Server and Website Code version 0.9-1.0.2 contains a CWE-302: Authentication Bypass by Assumed-Immutable Data vulnerability in Website Terms of Service Acceptance Page that can result in access to any user account. This attack appears to be exploitable via a specially crafted URL. This vulnerability appears to have been fixed in 1.0.3.
4 CVE-2018-19458 287 2018-11-22 2018-12-18
5.0
None Remote Low Not required Partial None None
In PHP Proxy 3.0.3, any user can read files from the server without authentication due to an index.php?q=file:/// LFI URI, a different vulnerability than CVE-2018-19246.
5 CVE-2018-19076 287 2018-11-07 2018-12-11
5.0
None Remote Low Not required Partial None None
An issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The FTP and RTSP services make it easier for attackers to conduct brute-force authentication attacks, because failed-authentication limits apply only to HTTP (not FTP or RTSP).
6 CVE-2018-18891 287 2018-10-31 2018-12-03
6.4
None Remote Low Not required None Partial Partial
MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs too late.
7 CVE-2018-18561 287 Exec Code 2018-11-20 2018-12-28
7.7
None Local Network Low Single system Complete Complete Complete
An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Insecure permissions in a service interface may allow authenticated attackers in the adjacent network to execute arbitrary commands on the operating system.
8 CVE-2018-18389 287 2018-10-16 2019-01-18
7.5
None Remote Low Not required Partial Partial Partial
Due to incorrect access control in Neo4j Enterprise Database Server 3.4.x before 3.4.9, the setting of LDAP for authentication with STARTTLS, and System Account for authorization, allows an attacker to log into the server by sending any valid username with an arbitrary password.
9 CVE-2018-18061 287 2018-10-10 2018-11-28
6.4
None Remote Low Not required None Partial Partial
An issue was discovered in dialog.php in tecrail Responsive FileManager 9.8.1. Attackers can access the file manager interface that provides them with the ability to upload and delete files.
10 CVE-2018-17923 287 2018-10-24 2019-01-22
6.9
None Local Medium Not required Complete Complete Complete
SAGA1-L8B with any firmware version prior to A0.10 is vulnerable to an attack in which an attacker with physical access to the product may be able to reprogram it.
11 CVE-2018-17918 287 Bypass 2018-11-02 2018-12-12
7.5
None Remote Low Not required Partial Partial Partial
In Circontrol CirCarLife, all versions prior to 4.3.1, authentication to the device can be bypassed by entering the URL of a specific page.
12 CVE-2018-17341 287 Bypass 2018-09-23 2018-11-21
6.8
None Remote Medium Not required Partial Partial Partial
BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a ..\ substring, as demonstrated by a launch.php?bigtree_htaccess_url=admin/images/..\ URI.
13 CVE-2018-17176 287 2018-09-18 2018-12-07
5.0
None Remote Low Not required None Partial None
A replay issue was discovered on Neato Botvac Connected 2.2.0 devices. Manual control mode requires authentication, but once recorded, the authentication (always transmitted in cleartext) can be replayed to /bin/webserver on port 8081. There are no nonces, and timestamps are not checked at all.
14 CVE-2018-17153 287 +Priv Bypass 2018-09-18 2018-12-18
10.0
None Remote Low Not required Complete Complete Complete
It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie.
15 CVE-2018-16738 287 2018-10-10 2019-01-03
4.3
None Remote Medium Not required None Partial None
tinc 1.0.30 through 1.0.34 has a broken authentication protocol, although there is a partial mitigation. This is fixed in 1.1.
16 CVE-2018-16737 287 2018-10-10 2019-01-03
5.0
None Remote Low Not required None Partial None
tinc before 1.0.30 has a broken authentication protocol, without even a partial mitigation.
17 CVE-2018-16670 287 2018-09-18 2018-11-07
5.0
None Remote Low Not required Partial None None
An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is PLC status disclosure due to lack of authentication for /html/devstat.html.
18 CVE-2018-16590 287 2018-09-06 2018-11-14
10.0
None Remote Low Not required Complete Complete Complete
FURUNO FELCOM 250 and 500 devices use only client-side JavaScript in login.js for authentication.
19 CVE-2018-16467 287 2018-10-30 2019-01-11
5.0
None Remote Low Not required Partial None None
A missing check in Nextcloud Server prior to 14.0.0 could give unauthorized access to the previews of single file password protected shares.
20 CVE-2018-16465 287 2018-10-30 2019-01-24
4.3
None Remote Medium Not required None Partial None
Missing state in Nextcloud Server prior to 14.0.0 would not enforce the use of a second factor at login if the provider of the second factor failed to load.
21 CVE-2018-16464 287 2018-10-30 2019-01-17
3.5
None Remote Medium Single system Partial None None
A missing access check in Nextcloud Server prior to 14.0.0 could lead to continued access to password protected link shares when the owner had changed the password.
22 CVE-2018-16286 287 Bypass 2018-09-14 2018-11-07
5.0
None Remote Low Not required Partial None None
LG SuperSign CMS allows authentication bypass because the CAPTCHA requirement is skipped if a captcha:pass cookie is sent, and because the PIN is limited to four digits.
23 CVE-2018-16225 287 Bypass 2018-09-18 2018-12-07
6.1
None Local Network Low Not required None None Complete
The QBee MultiSensor Camera through 4.16.4 accepts unencrypted network traffic from clients (such as the QBee Cam application through 1.0.5 for Android and the Swisscom Home application up to 10.7.2 for Android), which results in an attacker being able to reuse cookies to bypass authentication and disable the camera.
24 CVE-2018-16160 287 Bypass 2018-11-15 2018-12-20
4.6
None Local Low Not required Partial Partial Partial
SecureCore Standard Edition Version 2.x allows an attacker to bypass the product's authentication to log in to a Windows PC.
25 CVE-2018-15727 287 Bypass 2018-08-29 2019-01-04
7.5
None Remote Low Not required Partial Partial Partial
Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.
26 CVE-2018-15598 287 2018-08-20 2018-10-15
5.0
None Remote Low Not required Partial None None
Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.
27 CVE-2018-15543 287 Bypass 2018-10-09 2018-11-23
4.6
None Local Low Not required Partial Partial Partial
** DISPUTED ** An issue was discovered in the org.telegram.messenger application 4.8.11 for Android. The FingerprintManager class for Biometric validation allows authentication bypass through the callback method from onAuthenticationFailed to onAuthenticationSucceeded with null, because the fingerprint API in conjunction with the Android keyGenerator class is not implemented. In other words, an attacker could authenticate with an arbitrary fingerprint. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred.
28 CVE-2018-15542 287 Bypass 2018-10-09 2018-11-26
4.4
None Local Medium Not required Partial Partial Partial
** DISPUTED ** An issue was discovered in the org.telegram.messenger application 4.8.11 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method's return value to true. In other words, an attacker could authenticate with an arbitrary passcode. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred.
29 CVE-2018-15485 287 2018-09-07 2018-11-13
6.4
None Remote Low Not required Partial Partial None
An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. FTP does not require authentication or authorization, aka KONE-03.
30 CVE-2018-15479 287 2018-08-30 2018-11-09
6.4
None Remote Low Not required Partial Partial None
An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. Devices did not authenticate themselves to the cloud in device to cloud communication. This lack of device authentication allowed an attacker to impersonate any device by guessing or learning their MAC address.
31 CVE-2018-15152 287 Bypass 2018-08-15 2018-10-23
6.4
None Remote Low Not required Partial Partial None
Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_results.php, (6) portal/get_medications.php, (7) portal/get_patient_documents.php, (8) portal/get_problems.php, (9) portal/get_profile.php, (10) portal/portal_payment.php, (11) portal/messaging/messages.php, (12) portal/messaging/secure_chat.php, (13) portal/report/pat_ledger.php, (14) portal/report/portal_custom_report.php, or (15) portal/report/portal_patient_report.php without authenticating as a patient.
32 CVE-2018-14847 287 Dir. Trav. 2018-08-02 2018-11-16
5.0
None Remote Low Not required Partial None None
MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.
33 CVE-2018-14805 287 2018-08-29 2018-11-05
7.5
None Remote Low Not required Partial Partial Partial
ABB eSOMS version 6.0.2 may allow unauthorized access to the system when LDAP is set to allow anonymous authentication, and specific key values within the eSOMS web.config file are present. Both conditions are required to exploit this vulnerability.
34 CVE-2018-14782 287 2018-08-10 2018-10-06
5.0
None Remote Low Not required Partial None None
The NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior allows access to configuration files and profiles without authenticating the user.
35 CVE-2018-14781 287 2018-08-13 2018-10-26
2.9
None Local Network Medium Not required None Partial None
Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G. The models identified above, when paired with a remote controller and having the "easy bolus" and "remote bolus" options enabled (non-default), are vulnerable to a capture-replay attack. An attacker can capture the wireless transmissions between the remote controller and the pump and replay them to cause an insulin (bolus) delivery.
36 CVE-2018-14709 287 Bypass 2018-12-03 2018-12-21
5.0
None Remote Low Not required Partial None None
Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation.
37 CVE-2018-14643 287 Exec Code Bypass 2018-09-21 2018-12-13
10.0
None Remote Low Not required Complete Complete Complete
An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context.
38 CVE-2018-14080 287 Bypass 2018-10-09 2019-01-10
5.0
None Remote Low Not required Partial None None
An issue was discovered on D-Link DIR-809 A1 through 1.09, A2 through 1.11, and Guest Zone through 1.09 devices. One can bypass authentication mechanisms to download the configuration file.
39 CVE-2018-13821 287 2018-08-30 2018-11-05
7.5
None Remote Low Not required Partial Partial Partial
A lack of authentication, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows remote attackers to conduct a variety of attacks, including file reading/writing.
40 CVE-2018-13446 287 Bypass 2018-08-16 2018-11-08
4.4
None Local Medium Not required Partial Partial Partial
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.1 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method's return value to true. In other words, an attacker could authenticate with an arbitrary passcode. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred.
41 CVE-2018-13435 287 Bypass 2018-08-16 2018-11-08
4.4
None Local Medium Not required Partial Partial Partial
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method to disable passcode authentication. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes iOS devices on which a jailbreak has occurred.
42 CVE-2018-13434 287 Bypass 2018-08-16 2018-11-08
4.4
None Local Medium Not required Partial Partial Partial
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The LAContext class for Biometric (TouchID) validation allows authentication bypass by overriding the LAContext return Boolean value to be "true" because the kSecAccessControlUserPresence protection mechanism is not used. In other words, an attacker could authenticate with an arbitrary fingerprint. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes iOS devices on which a jailbreak has occurred.
43 CVE-2018-12984 287 Bypass 2018-06-29 2018-08-20
7.5
None Remote Low Not required Partial Partial Partial
Hycus CMS 1.0.4 allows Authentication Bypass via "'=' 'OR'" credentials.
44 CVE-2018-12804 287 Bypass 2018-07-20 2018-09-17
7.5
None Remote Low Not required Partial Partial Partial
Adobe Connect versions 9.7.5 and earlier have an Authentication Bypass vulnerability. Successful exploitation could lead to session hijacking.
45 CVE-2018-12613 287 Exec Code Bypass 2018-06-21 2018-08-21
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
46 CVE-2018-12575 287 Bypass 2018-07-02 2018-09-04
7.5
None Remote Low Not required Partial Partial Partial
On TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 171019 Rel.55346n devices, all actions in the web interface are affected by bypass of authentication via an HTTP request.
47 CVE-2018-12472 287 2018-10-04 2018-11-27
6.4
None Remote Low Not required Partial Partial None
Improper authentication using the HOST header in SUSE Linux SMT allows remote attackers to spoof a sibling server. Affected releases are SUSE Linux SMT: versions prior to 3.0.37.
48 CVE-2018-12455 287 2018-10-10 2018-11-28
9.3
None Remote Medium Not required Complete Complete Complete
Intelbras NPLUG 1.0.0.14 wireless repeater devices have a critical vulnerability that allows an attacker to authenticate in the web interface just by using "admin:" as the name of a cookie.
49 CVE-2018-12446 287 Bypass 2018-06-20 2018-08-23
3.3
None Local Medium Not required Partial Partial None
** DISPUTED ** An issue was discovered in the com.dropbox.android application 98.2.2 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method's return value to true. In other words, an attacker could authenticate with an arbitrary passcode. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred.
50 CVE-2018-12445 287 Bypass 2018-06-20 2018-08-23
3.3
None Local Medium Not required Partial Partial None
** DISPUTED ** An issue was discovered in the com.dropbox.android application 98.2.2 for Android. The FingerprintManager class for Biometric validation allows authentication bypass through the callback method from onAuthenticationFailed to onAuthenticationSucceeded with null, because the fingerprint API in conjunction with the Android keyGenerator class is not implemented. In other words, an attacker could authenticate with an arbitrary fingerprint. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred.
Total number of vulnerabilities: 1436 (page 1 of 29)