Vulnerabilities (CVE)

Filtered by CWE-287
Total 3657 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2009-0412 1 Interspire 1 Shopping Cart 2025-04-09 7.5 HIGH N/A
The ProcessLogin function in class.auth.php in Interspire Shopping Cart (ISC) 4.0.1 Ultimate edition allows remote attackers to bypass authentication and obtain administrative access by reusing the RememberToken cookie after a failed admin login attempt.
CVE-2008-6854 1 Xigla 1 Absolute Faq Manager .net 2025-04-09 7.5 HIGH N/A
Xigla Software Absolute FAQ Manager.NET 6.0 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value.
CVE-2008-6816 1 Eaton 1 Network Shutdown Module 2025-04-09 10.0 HIGH N/A
Eaton MGEOPS Network Shutdown Module before 3.10 Build 13 allows remote attackers to execute arbitrary code by adding a custom action to the MGE frontend via pane_actionbutton.php, and then executing this action via exec_action.php.
CVE-2007-5797 1 Apache 1 Geronimo 2025-04-09 7.5 HIGH N/A
SQLLoginModule in Apache Geronimo 2.0 through 2.1 does not throw an exception for a nonexistent username, which allows remote attackers to bypass authentication via a login attempt with any username not contained in the database.
CVE-2007-5162 1 Ruby-lang 1 Ruby 2025-04-09 4.3 MEDIUM N/A
The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.
CVE-2009-4367 1 Sitecore 1 Staging Module 2025-04-09 6.8 MEDIUM N/A
The Staging Webservice ("sitecore modules/staging/service/api.asmx") in Sitecore Staging Module 5.4.0 rev.080625 and earlier allows remote attackers to bypass authentication and (1) upload files, (2) download files, (3) list directories, and (4) clear the server cache via crafted SOAP requests with arbitrary Username and Password values, possibly related to a direct request.
CVE-2008-3033 1 Rss Aggregator 1 Rss Aggregator 2025-04-09 9.3 HIGH N/A
RSS-aggregator 1.0 does not require administrative authentication for the admin/fonctions/ directory, which allows remote attackers to access admin functions and have unspecified other impact, as demonstrated by (1) an IdFlux request to supprimer_flux.php and (2) a TpsRafraich request to modifier_tps_rafraich.php.
CVE-2008-1262 1 Airspan 1 Wimax Prost 2025-04-09 10.0 HIGH N/A
The administration panel on the Airspan WiMax ProST 4.1 antenna with 6.5.38.0 software does not verify authentication credentials, which allows remote attackers to (1) upload malformed firmware or (2) bind the antenna to a different WiMAX base station via unspecified requests to forms under process_adv/.
CVE-2009-2071 1 Google 1 Chrome 2025-04-09 6.8 MEDIUM N/A
Google Chrome before 1.0.154.53 displays a cached certificate for a (1) 4xx or (2) 5xx CONNECT response page returned by a proxy server, which allows man-in-the-middle attackers to spoof an arbitrary https site by letting a browser obtain a valid certificate from this site during one request, and then sending the browser a crafted 502 response page upon a subsequent request.
CVE-2008-4032 1 Microsoft 2 Office Sharepoint Server, Search Server 2025-04-09 7.5 HIGH N/A
Microsoft Office SharePoint Server 2007 Gold and SP1 and Microsoft Search Server 2008 do not properly perform authentication and authorization for administrative functions, which allows remote attackers to cause a denial of service (server load), obtain sensitive information, and "create scripts that would run in the context of the site" via requests to administrative URIs, aka "Access Control Vulnerability."
CVE-2008-6523 1 Cale Dunlap 1 Openinvoice 2025-04-09 7.5 HIGH N/A
auth.php in openInvoice 0.90 beta and earlier allows remote attackers to bypass authentication and gain privileges by setting the oiauth cookie. NOTE: this can be leveraged with a separate vulnerability in resetpass.php to modify passwords for arbitrary users.
CVE-2008-6718 1 Uochm 1 Justbookit 2025-04-09 7.5 HIGH N/A
U&M Software JustBookIt 1.0 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) user_manual.php, (2) user_config.php, (3) user_kundnamn.php, (4) user_kundlista.php, (5) user_aktiva_kunder.php, (6) database.php, and possibly (7) index.php.
CVE-2009-1670 1 Tcpdb 1 Tcpdb 2025-04-09 7.5 HIGH N/A
user/index.php in TCPDB 3.8 does not require administrative authentication, which allows remote attackers to add admin accounts via unspecified vectors. NOTE: some of these details are obtained from third party information.
CVE-2009-3966 1 Arcadetradescript 1 Arcade Trade Script 2025-04-09 7.5 HIGH N/A
Arcade Trade Script 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the adminLoggedIn cookie to true.
CVE-2008-4146 1 Addalink 1 Addalink 2025-04-09 5.0 MEDIUM N/A
Addalink 1.0 beta 4 and earlier allows remote attackers to (1) approve web-site additions via a modified approved field and (2) change the visit-counter value via a modified counter field.
CVE-2008-6739 1 Toddwoolums 1 Asp Download 2025-04-09 7.5 HIGH N/A
Todd Woolums ASP Download management script 1.03 does not require authentication for setupdownload.asp, which allows remote attackers to gain administrator privileges via a direct request.
CVE-2008-7081 1 Raidsonic 1 Icy Box Nas 2025-04-09 10.0 HIGH N/A
userHandler.cgi in RaidSonic ICY BOX NAS firmware 2.3.2.IB.2.RS.1 allows remote attackers to bypass authentication and gain administrator privileges by setting the login parameter to admin. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2009-2085 1 Ibm 1 Websphere Application Server 2025-04-09 7.5 HIGH N/A
The Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5 does not properly handle use of Identity Assertion with CSIv2 Security, which allows remote attackers to bypass intended CSIv2 access restrictions via vectors involving Enterprise JavaBeans (EJB).
CVE-2007-4438 1 Ampache 1 Ampache 2025-04-09 6.8 MEDIUM N/A
Session fixation vulnerability in Ampache before 3.3.3.5 allows remote attackers to hijack web sessions via unspecified vectors.
CVE-2008-0408 1 Hfs 1 Http File Server 2025-04-09 6.4 MEDIUM N/A
HTTP File Server (HFS) before 2.2c allows remote attackers to append arbitrary text to the log file by using the base64 representation of this text during HTTP Basic Authentication.