| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| An Improper Authentication issue was discovered in Siemens SIMATIC CP 44x-1 RNA, all versions prior to 1.4.1. An unauthenticated remote attacker may be able to perform administrative actions on the Communication Process (CP) of the RNA series module, if network access to Port 102/TCP is available and the configuration file for the CP is stored on the RNA's CPU. |
| A vulnerability was discovered in Siemens ViewPort for Web Office Portal before revision number 1453 that could allow an unauthenticated remote user to upload arbitrary code and execute it with the permissions of the operating-system user running the web server by sending specially crafted network packets to port 443/TCP or port 80/TCP. |
| In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect. |
| On the TP-Link TL-SG108E 1.0, the upgrade process can be requested remotely without authentication (httpupg.cgi with a parameter called cmd). This affects the 1.1.2 Build 20141017 Rel.50749 firmware. |
| Huawei Honor 5S smart phones with software the versions before TAG-TL00C01B173 have an authentication bypass vulnerability due to the improper design of some components. An attacker can get a user's smart phone and install malicious apps in the mobile phone, allowing the attacker to reset the password and fingerprint of the phone without authentication. |
| An issue was discovered in Advantech WebAccess Version 8.1. By accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to access pages unrestricted (AUTHENTICATION BYPASS). |
| Jenkins Favorite Plugin 2.1.4 and older does not perform permission checks when changing favorite status, allowing any user to set any other user's favorites |
| The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name. |
| A vulnerability in the web-based GUI of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication and execute actions with administrator privileges. The vulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication. An exploit could allow the attacker to perform any actions in Cisco Prime Home with administrator privileges. This vulnerability affects Cisco Prime Home versions from 6.3.0.0 to the first fixed release 6.5.0.1. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Cisco Bug IDs: CSCvb49837. |
| In Lenovo XClarity Administrator (LXCA) before 1.3.0, if service data is downloaded from LXCA, a non-administrative user may have access to password information for users that have previously authenticated to the LXCA's internal LDAP server, including administrative accounts and service accounts with administrative privileges. This is an issue only for users who have used local authentication with LXCA and not remote authentication against external LDAP or ADFS servers. |
| An exploitable vulnerability exists in the generation of authentication token functionality of Circle with Disney. Specially crafted network packets can cause a valid authentication token to be returned to the attacker resulting in authentication bypass. An attacker can send a series of packets to trigger this vulnerability. |
| Improper authentication issue in PTW-WMS1 firmware version 2.000.012 allows remote attackers to log in to the device with root privileges and conduct arbitrary operations via unspecified vectors. |
| The FusionSphere OpenStack V100R006C00SPC102(NFV) has an improper authentication vulnerability. Due to improper authentication on one port, an authenticated, remote attacker may exploit the vulnerability to execute more operations by send a crafted rest message. |
| NetComm Wireless 4GT101W routers with Hardware: 0.01 / Software: V1.1.8.8 / Bootloader: 1.1.3 do not require authentication for logfile.html, status.html, or system_config.html. |
| IBM Security Guardium 10.0 and 10.1 does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM X-Force ID: 124685 |
| In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services. |
| In Moodle 2.x and 3.x, the question engine allows access to files that should not be available. |
| The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter. |
| A write protection and execution bypass vulnerability in McAfee (now Intel Security) Application Control (MAC) 6.1.0 for Linux and earlier allows authenticated users to change binaries that are part of the Application Control whitelist and allows execution of binaries via specific conditions. |
| EMC Network Configuration Manager (NCM) 9.3.x, EMC Network Configuration Manager (NCM) 9.4.0.x, EMC Network Configuration Manager (NCM) 9.4.1.x, EMC Network Configuration Manager (NCM) 9.4.2.x contains an Improper Authentication vulnerability that could potentially be exploited by malicious users to compromise the affected system. |
