Total
3657 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2009-0412 | 1 Interspire | 1 Shopping Cart | 2025-04-09 | 7.5 HIGH | N/A |
The ProcessLogin function in class.auth.php in Interspire Shopping Cart (ISC) 4.0.1 Ultimate edition allows remote attackers to bypass authentication and obtain administrative access by reusing the RememberToken cookie after a failed admin login attempt. | |||||
CVE-2008-6854 | 1 Xigla | 1 Absolute Faq Manager .net | 2025-04-09 | 7.5 HIGH | N/A |
Xigla Software Absolute FAQ Manager.NET 6.0 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value. | |||||
CVE-2008-6816 | 1 Eaton | 1 Network Shutdown Module | 2025-04-09 | 10.0 HIGH | N/A |
Eaton MGEOPS Network Shutdown Module before 3.10 Build 13 allows remote attackers to execute arbitrary code by adding a custom action to the MGE frontend via pane_actionbutton.php, and then executing this action via exec_action.php. | |||||
CVE-2007-5797 | 1 Apache | 1 Geronimo | 2025-04-09 | 7.5 HIGH | N/A |
SQLLoginModule in Apache Geronimo 2.0 through 2.1 does not throw an exception for a nonexistent username, which allows remote attackers to bypass authentication via a login attempt with any username not contained in the database. | |||||
CVE-2007-5162 | 1 Ruby-lang | 1 Ruby | 2025-04-09 | 4.3 MEDIUM | N/A |
The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site. | |||||
CVE-2009-4367 | 1 Sitecore | 1 Staging Module | 2025-04-09 | 6.8 MEDIUM | N/A |
The Staging Webservice ("sitecore modules/staging/service/api.asmx") in Sitecore Staging Module 5.4.0 rev.080625 and earlier allows remote attackers to bypass authentication and (1) upload files, (2) download files, (3) list directories, and (4) clear the server cache via crafted SOAP requests with arbitrary Username and Password values, possibly related to a direct request. | |||||
CVE-2008-3033 | 1 Rss Aggregator | 1 Rss Aggregator | 2025-04-09 | 9.3 HIGH | N/A |
RSS-aggregator 1.0 does not require administrative authentication for the admin/fonctions/ directory, which allows remote attackers to access admin functions and have unspecified other impact, as demonstrated by (1) an IdFlux request to supprimer_flux.php and (2) a TpsRafraich request to modifier_tps_rafraich.php. | |||||
CVE-2008-1262 | 1 Airspan | 1 Wimax Prost | 2025-04-09 | 10.0 HIGH | N/A |
The administration panel on the Airspan WiMax ProST 4.1 antenna with 6.5.38.0 software does not verify authentication credentials, which allows remote attackers to (1) upload malformed firmware or (2) bind the antenna to a different WiMAX base station via unspecified requests to forms under process_adv/. | |||||
CVE-2009-2071 | 1 Google | 1 Chrome | 2025-04-09 | 6.8 MEDIUM | N/A |
Google Chrome before 1.0.154.53 displays a cached certificate for a (1) 4xx or (2) 5xx CONNECT response page returned by a proxy server, which allows man-in-the-middle attackers to spoof an arbitrary https site by letting a browser obtain a valid certificate from this site during one request, and then sending the browser a crafted 502 response page upon a subsequent request. | |||||
CVE-2008-4032 | 1 Microsoft | 2 Office Sharepoint Server, Search Server | 2025-04-09 | 7.5 HIGH | N/A |
Microsoft Office SharePoint Server 2007 Gold and SP1 and Microsoft Search Server 2008 do not properly perform authentication and authorization for administrative functions, which allows remote attackers to cause a denial of service (server load), obtain sensitive information, and "create scripts that would run in the context of the site" via requests to administrative URIs, aka "Access Control Vulnerability." | |||||
CVE-2008-6523 | 1 Cale Dunlap | 1 Openinvoice | 2025-04-09 | 7.5 HIGH | N/A |
auth.php in openInvoice 0.90 beta and earlier allows remote attackers to bypass authentication and gain privileges by setting the oiauth cookie. NOTE: this can be leveraged with a separate vulnerability in resetpass.php to modify passwords for arbitrary users. | |||||
CVE-2008-6718 | 1 Uochm | 1 Justbookit | 2025-04-09 | 7.5 HIGH | N/A |
U&M Software JustBookIt 1.0 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) user_manual.php, (2) user_config.php, (3) user_kundnamn.php, (4) user_kundlista.php, (5) user_aktiva_kunder.php, (6) database.php, and possibly (7) index.php. | |||||
CVE-2009-1670 | 1 Tcpdb | 1 Tcpdb | 2025-04-09 | 7.5 HIGH | N/A |
user/index.php in TCPDB 3.8 does not require administrative authentication, which allows remote attackers to add admin accounts via unspecified vectors. NOTE: some of these details are obtained from third party information. | |||||
CVE-2009-3966 | 1 Arcadetradescript | 1 Arcade Trade Script | 2025-04-09 | 7.5 HIGH | N/A |
Arcade Trade Script 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the adminLoggedIn cookie to true. | |||||
CVE-2008-4146 | 1 Addalink | 1 Addalink | 2025-04-09 | 5.0 MEDIUM | N/A |
Addalink 1.0 beta 4 and earlier allows remote attackers to (1) approve web-site additions via a modified approved field and (2) change the visit-counter value via a modified counter field. | |||||
CVE-2008-6739 | 1 Toddwoolums | 1 Asp Download | 2025-04-09 | 7.5 HIGH | N/A |
Todd Woolums ASP Download management script 1.03 does not require authentication for setupdownload.asp, which allows remote attackers to gain administrator privileges via a direct request. | |||||
CVE-2008-7081 | 1 Raidsonic | 1 Icy Box Nas | 2025-04-09 | 10.0 HIGH | N/A |
userHandler.cgi in RaidSonic ICY BOX NAS firmware 2.3.2.IB.2.RS.1 allows remote attackers to bypass authentication and gain administrator privileges by setting the login parameter to admin. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
CVE-2009-2085 | 1 Ibm | 1 Websphere Application Server | 2025-04-09 | 7.5 HIGH | N/A |
The Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5 does not properly handle use of Identity Assertion with CSIv2 Security, which allows remote attackers to bypass intended CSIv2 access restrictions via vectors involving Enterprise JavaBeans (EJB). | |||||
CVE-2007-4438 | 1 Ampache | 1 Ampache | 2025-04-09 | 6.8 MEDIUM | N/A |
Session fixation vulnerability in Ampache before 3.3.3.5 allows remote attackers to hijack web sessions via unspecified vectors. | |||||
CVE-2008-0408 | 1 Hfs | 1 Http File Server | 2025-04-09 | 6.4 MEDIUM | N/A |
HTTP File Server (HFS) before 2.2c allows remote attackers to append arbitrary text to the log file by using the base64 representation of this text during HTTP Basic Authentication. |