A improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.
Max CVSS
5.5
EPSS Score
0.05%
Published
2018-08-23
Updated
2019-05-08
Berkeley Open Infrastructure for Network Computing BOINC Server and Website Code version 0.9-1.0.2 contains a CWE-302: Authentication Bypass by Assumed-Immutable Data vulnerability in Website Terms of Service Acceptance Page that can result in Access to any user account. This attack appear to be exploitable via Specially crafted URL. This vulnerability appears to have been fixed in 1.0.3.
Max CVSS
9.8
EPSS Score
0.17%
Published
2018-12-20
Updated
2019-01-09
Battelle V2I Hub 2.5.1 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to the API key file. An attacker could exploit this vulnerability to obtain the current API key to gain unauthorized access to the system.
Max CVSS
9.8
EPSS Score
0.60%
Published
2018-12-28
Updated
2019-10-03
Battelle V2I Hub 2.5.1 could allow a remote attacker to bypass security restrictions, caused by the lack of requirement to change the default API key. An attacker could exploit this vulnerability using all available API functions containing an unchanged API key to gain unauthorized access to the system.
Max CVSS
9.8
EPSS Score
0.58%
Published
2018-12-28
Updated
2019-10-03
Battelle V2I Hub 2.5.1 contains hard-coded credentials for the administrative account. An attacker could exploit this vulnerability to log in as an admin on any installation and gain unauthorized access to the system.
Max CVSS
10.0
EPSS Score
0.21%
Published
2018-12-28
Updated
2019-01-11
OpenFlow version 1.0 onwards contains a Denial of Service and Improper authorization vulnerability in OpenFlow handshake: The DPID (DataPath IDentifier) in the features_reply message are inherently trusted by the controller. that can result in Denial of Service, Unauthorized Access, Network Instability. This attack appear to be exploitable via Network connectivity: the attacker must first establish a transport connection with the OpenFlow controller and then initiate the OpenFlow handshake.
Max CVSS
9.8
EPSS Score
0.22%
Published
2018-05-24
Updated
2019-10-03
I, Librarian version 4.9 and earlier contains an Incorrect Access Control vulnerability in ajaxdiscussion.php that can result in any users gaining unauthorized access (read, write and delete) to project discussions.
Max CVSS
9.1
EPSS Score
0.14%
Published
2018-03-23
Updated
2019-10-03
Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attackers to bypass authentication by leveraging a non-empty #wechat#common_member_wechatmp to gain login access to an account via a plugin.php ac=wxregister request (the attacker does not have control over which account will be accessed).
Max CVSS
8.1
EPSS Score
0.46%
Published
2018-12-24
Updated
2019-10-03
The Floureon IP Camera SP012 provides a root terminal on a UART serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges.
Max CVSS
7.2
EPSS Score
0.08%
Published
2018-12-21
Updated
2019-10-03
A local, authenticated attacker can bypass the passcode in the VideoLAN VLC media player app before 3.1.5 for iOS by opening a URL and turning the phone.
Max CVSS
6.6
EPSS Score
0.04%
Published
2018-12-31
Updated
2019-10-03
An issue was discovered in Rockwell Automation Allen-Bradley PowerMonitor 1000. An unauthenticated user can add/edit/remove administrators because access control is implemented on the client side via a disabled attribute for a BUTTON element.
Max CVSS
8.1
EPSS Score
2.16%
Published
2018-12-26
Updated
2020-08-24
In PHP Proxy 3.0.3, any user can read files from the server without authentication due to an index.php?q=file:/// LFI URI, a different vulnerability than CVE-2018-19246.
Max CVSS
7.5
EPSS Score
3.53%
Published
2018-11-22
Updated
2018-12-18
An issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The FTP and RTSP services make it easier for attackers to conduct brute-force authentication attacks, because failed-authentication limits apply only to HTTP (not FTP or RTSP).
Max CVSS
9.8
EPSS Score
0.66%
Published
2018-11-07
Updated
2018-12-11
MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete&delete= because the authentication check occurs too late.
Max CVSS
7.5
EPSS Score
0.08%
Published
2018-11-01
Updated
2018-12-03
Due to incorrect access control in Neo4j Enterprise Database Server 3.4.x before 3.4.9, the setting of LDAP for authentication with STARTTLS, and System Account for authorization, allows an attacker to log into the server by sending any valid username with an arbitrary password.
Max CVSS
9.8
EPSS Score
0.22%
Published
2018-10-16
Updated
2019-01-18
An issue was discovered in dialog.php in tecrail Responsive FileManager 9.8.1. Attackers can access the file manager interface that provides them with the ability to upload and delete files.
Max CVSS
7.5
EPSS Score
0.10%
Published
2018-10-10
Updated
2018-11-28
** DISPUTED *** Lack of authentication in Citrix Xen Mobile through 10.8 allows low-privileged local users to execute system commands as root by making requests to private services listening on ports 8000, 30000 and 30001. NOTE: the vendor disputes that this is a vulnerability, stating it is "already mitigated by the internal firewall that limits access to configuration services to localhost."
Max CVSS
7.8
EPSS Score
0.04%
Published
2018-10-24
Updated
2019-10-03
The YaST2 RMT module for configuring the SUSE Repository Mirroring Tool (RMT) before 1.1.2 exposed MySQL database passwords on process commandline, allowing local attackers to access or corrupt the RMT database.
Max CVSS
7.8
EPSS Score
0.04%
Published
2018-12-26
Updated
2019-10-09
A incorrect variable in a SUSE specific patch for pam_access rule matching in PAM 1.3.0 in openSUSE Leap 15.0 and SUSE Linux Enterprise 15 could lead to pam_access rules not being applied (fail open).
Max CVSS
9.3
EPSS Score
0.22%
Published
2018-11-27
Updated
2019-10-09
VGo Robot (Versions 3.0.3.52164 and 3.0.3.53662. Prior versions may also be affected) connected to the VGo XAMPP. User accounts may be able to execute commands that are outside the scope of their privileges and within the scope of an admin account. If an attacker has access to VGo XAMPP Client credentials, they may be able to execute admin commands on the connected robot.
Max CVSS
8.8
EPSS Score
0.10%
Published
2018-10-30
Updated
2019-10-09
If an attacker has physical access to the VGo Robot (Versions 3.0.3.52164 and 3.0.3.53662. Prior versions may also be affected) they may be able to alter scripts, which may allow code execution with root privileges.
Max CVSS
7.2
EPSS Score
0.08%
Published
2018-10-30
Updated
2019-10-09
SAGA1-L8B with any firmware versions prior to A0.10 are vulnerable to an attack that an attacker with physical access to the product may able to reprogram it.
Max CVSS
6.9
EPSS Score
0.05%
Published
2018-10-24
Updated
2019-10-09
SAGA1-L8B with any firmware versions prior to A0.10 are vulnerable to an attack that may allow an attacker to force-pair the device without human interaction.
Max CVSS
8.8
EPSS Score
0.15%
Published
2018-10-24
Updated
2020-09-18
Circontrol CirCarLife all versions prior to 4.3.1, authentication to the device can be bypassed by entering the URL of a specific page.
Max CVSS
9.8
EPSS Score
0.26%
Published
2018-11-02
Updated
2019-10-09
WebAccess Versions 8.3.2 and prior. During installation, the application installer disables user access control and does not re-enable it after the installation is complete. This could allow an attacker to run elevated arbitrary code.
Max CVSS
7.8
EPSS Score
0.06%
Published
2018-10-29
Updated
2019-10-09
666 vulnerabilities found
1 2 3 4 5 6 ...... 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!