Vulnerabilities (CVE)

Filtered by CWE-287
Total 3633 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2008-6118 1 Goople Cms 1 Goople Cms 2025-04-09 7.5 HIGH N/A
win/content/upload.php in Goople CMS 1.7 allows remote attackers to bypass authentication and gain administrative access by setting the loggedin cookie to 1.
CVE-2008-1971 1 Phphq 1 Phshoutbox Final 2025-04-09 7.5 HIGH N/A
phShoutBox Final 1.5 and earlier only checks passwords when specified in $_POST, which allows remote attackers to gain privileges by setting the (1) phadmin cookie to admin.php, or (2) in 1.4 and earlier, the ssbadmin cookie to shoutadmin.php.
CVE-2009-1384 2 Eyrie, Redhat 2 Pam-krb5, Enterprise Linux 2025-04-09 5.0 MEDIUM N/A
pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.
CVE-2009-1390 3 Gnu, Mutt, Openssl 3 Gnutls, Mutt, Openssl 2025-04-09 6.8 MEDIUM N/A
Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTLS (mutt_ssl_gnutls.c), allows connections when only one TLS certificate in the chain is accepted instead of verifying the entire chain, which allows remote attackers to spoof trusted servers via a man-in-the-middle attack.
CVE-2008-5880 1 Gobbl 1 Gobbl Cms 2025-04-09 7.5 HIGH N/A
admin/auth.php in Gobbl CMS 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the auth cookie to "ok".
CVE-2008-3729 1 Microworld Technologies 1 Mailscan 2025-04-09 7.5 HIGH N/A
Web Based Administration in MicroWorld Technologies MailScan 5.6.a espatch 1 allows remote attackers to bypass authentication and obtain administrative access via a direct request with (1) an IsAdmin=true cookie value or (2) no cookie.
CVE-2009-1754 1 Google 1 Android 2025-04-09 4.3 MEDIUM N/A
The PackageManagerService class in services/java/com/android/server/PackageManagerService.java in Android 1.5 through 1.5 CRB42 does not properly check developer certificates during processing of sharedUserId requests at an application's installation time, which allows remote user-assisted attackers to access application data by creating a package that specifies a shared user ID with an arbitrary application.
CVE-2008-3411 1 Axesstel 1 Akw-d800 2025-04-09 10.0 HIGH N/A
The Axesstel AXW-D800 modem with D2_ETH_109_01_VEBR Jun-14-2006 software does not require authentication for (1) etc/config/System.html, (2) etc/config/Network.html, (3) etc/config/Security.html, (4) cgi-bin/sysconf.cgi, and (5) cgi-bin/route.cgi, which allows remote attackers to change the modem's configuration via direct requests.
CVE-2008-4783 1 Easy-script 1 Tlads 2025-04-09 7.5 HIGH N/A
tlAds 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the tlAds_login cookie to "admin."
CVE-2009-2410 1 Fedorahosted 1 Sssd 2025-04-09 7.5 HIGH N/A
The local_handler_callback function in server/responder/pam/pam_LOCAL_domain.c in sssd 0.4.1 does not properly handle blank-password accounts in the SSSD BE database, which allows context-dependent attackers to obtain access by sending the account's username, in conjunction with an arbitrary password, over an ssh connection.
CVE-2009-2072 1 Apple 1 Safari 2025-04-09 5.4 MEDIUM N/A
Apple Safari does not require a cached certificate before displaying a lock icon for an https web site, which allows man-in-the-middle attackers to spoof an arbitrary https site by sending the browser a crafted (1) 4xx or (2) 5xx CONNECT response page for an https request sent through a proxy server.
CVE-2008-1528 1 Zyxel 3 Prestige 660, Prestige 661, Zynos 2025-04-09 4.0 MEDIUM N/A
ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(AGD.2) through 3.40(AHQ.3), allow remote authenticated users to obtain authentication data by making direct HTTP requests and then reading the HTML source, as demonstrated by a request for (1) RemMagSNMP.html, which discloses SNMP communities; or (2) WLAN.html, which discloses WEP keys.
CVE-2009-2068 1 Opera 1 Opera 2025-04-09 5.8 MEDIUM N/A
Google Chrome detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying an http page to include an https iframe that references a script file on an http site, related to "HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages."
CVE-2008-0403 1 Belkin 1 F5d9230-4 2025-04-09 5.5 MEDIUM N/A
The web server in Belkin Wireless G Plus MIMO Router F5D9230-4 does not require authentication for SaveCfgFile.cgi, which allows remote attackers to read and modify configuration via a direct request to SaveCfgFile.cgi.
CVE-2007-4747 1 Cisco 3 Video Surveillance Ip Gateway Encoder Decoder, Video Surveillance Sp Isp, Video Surveillance Sp Isp Decoder Software 2025-04-09 10.0 HIGH N/A
The telnet service in Cisco Video Surveillance IP Gateway Encoder/Decoder (Standalone and Module) firmware 1.8.1 and earlier, Video Surveillance SP/ISP Decoder Software firmware 1.11.0 and earlier, and the Video Surveillance SP/ISP firmware 1.23.7 and earlier does not require authentication, which allows remote attackers to perform administrative actions, aka CSCsj31729.
CVE-2009-2066 1 Apple 1 Safari 2025-04-09 6.8 MEDIUM N/A
Apple Safari detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying an http page to include an https iframe that references a script file on an http site, related to "HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages."
CVE-2008-7179 1 Otmanager 1 Otmanager Cms 2025-04-09 7.5 HIGH N/A
OTManager CMS 2.4 allows remote attackers to bypass authentication and gain administrator privileges by setting the ADMIN_Hora, ADMIN_Logado, and ADMIN_Nome cookies to certain values, as reachable in Admin/index.php.
CVE-2008-4784 1 Aflog 1 Aflog 2025-04-09 7.5 HIGH N/A
aflog 1.01 allows remote attackers to bypass authentication and gain administrative access by setting the aflog_auth_a cookie to "A" or "O" in (1) edit_delete.php, (2) edit_cat.php, (3) edit_lock.php, and (4) edit_form.php.
CVE-2008-6707 1 Avaya 2 Communication Manager, Sip Enablement Services 2025-04-09 6.4 MEDIUM N/A
The Web management interface in Avaya SIP Enablement Services (SES) 3.x and 4.0, as used with Avaya Communication Manager 3.1.x, does not perform authentication for certain functionality, which allows remote attackers to obtain sensitive information and access restricted functionality via (1) the certificate installation utility, (2) unspecified scripts in the objects folder, (3) an "unnecessary default application," (4) unspecified scripts in the states folder, (5) an unspecified "default application" that lists server configuration, and (6) "full system help."
CVE-2008-6719 1 Uochm 1 Justlistit 2025-04-09 7.5 HIGH N/A
U&M Software Event Lister (aka JustListIt) 1.0 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) start.php, (2) aktivitet.php, (3) prop_aktivitet.php, (4) kategorier.php, (5) konfig.php, (6) security.php, (7) manual.php, and possibly (8) index.php.