Search Results (4519 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-9803 1 Apache 1 Solr 2025-04-20 N/A
Apache Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using SecurityAwareZkACLProvider type of ACL provider e.g. SaslZkACLProvider). Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose/modify private data and/or disrupt operations in the Solr cluster. The vulnerability is fixed from Apache Solr 6.6.1 onwards.
CVE-2017-7546 3 Debian, Postgresql, Redhat 4 Debian Linux, Postgresql, Enterprise Linux and 1 more 2025-04-20 N/A
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password.
CVE-2017-15295 1 Sap 1 Point Of Sale Xpress Server 2025-04-20 N/A
Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064.
CVE-2017-6617 1 Cisco 1 Integrated Management Controller Supervisor 2025-04-20 N/A
A vulnerability in the session identification management functionality of the web-based GUI of Cisco Integrated Management Controller (IMC) 3.0(1c) could allow an unauthenticated, remote attacker to hijack a valid user session on an affected system. The vulnerability exists because the affected software does not assign a new session identifier to a user session when a user authenticates to the web-based GUI. An attacker could exploit this vulnerability by using a hijacked session identifier to connect to the software through the web-based GUI. A successful exploit could allow the attacker to hijack an authenticated user's browser session on the affected system. Cisco Bug IDs: CSCvd14583.
CVE-2017-7588 1 Brother 33 Ads-1000w, Ads-1500w, Ads-2500w and 30 more 2025-04-20 N/A
On certain Brother devices, authorization is mishandled by including a valid AuthCookie cookie in the HTTP response to a failed login attempt. Affected models are: MFC-J6973CDW MFC-J4420DW MFC-8710DW MFC-J4620DW MFC-L8850CDW MFC-J3720 MFC-J6520DW MFC-L2740DW MFC-J5910DW MFC-J6920DW MFC-L2700DW MFC-9130CW MFC-9330CDW MFC-9340CDW MFC-J5620DW MFC-J6720DW MFC-L8600CDW MFC-L9550CDW MFC-L2720DW DCP-L2540DW DCP-L2520DW HL-3140CW HL-3170CDW HL-3180CDW HL-L8350CDW HL-L2380DW ADS-2500W ADS-1000W ADS-1500W.
CVE-2016-4460 1 Apache 1 Pony Mail 2025-04-20 N/A
Apache Pony Mail 0.6c through 0.8b allows remote attackers to bypass authentication.
CVE-2023-31292 1 Sesami 1 Cash Point \& Transport Optimizer 2025-04-17 5.5 Medium
An issue was discovered in Sesami Cash Point & Transport Optimizer (CPTO) 6.3.8.6 (#718), allows local attackers to obtain sensitive information and bypass authentication via "Back Button Refresh" attack.
CVE-2021-35252 1 Solarwinds 1 Serv-u 2025-04-17 7.5 High
Common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this an encrypted value that is exposed to an attacker can be simply recovered to plaintext.
CVE-2022-47209 1 Netgear 2 Rax30, Rax30 Firmware 2025-04-17 8.8 High
A support user exists on the device and appears to be a backdoor for Technical Support staff. The default password for this account is “support” and cannot be changed by a user via any normally accessible means.
CVE-2020-14504 1 Rockwellautomation 4 1734-aentr Point I\/o Dual Port Network Adaptor Series B, 1734-aentr Point I\/o Dual Port Network Adaptor Series B Firmware, 1734-aentr Point I\/o Dual Port Network Adaptor Series C and 1 more 2025-04-17 5.3 Medium
The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings.
CVE-2022-46400 1 Microchip 18 Bm70, Bm70 Firmware, Bm71 and 15 more 2025-04-17 5.4 Medium
The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) allows attackers to bypass passkey entry in legacy pairing.
CVE-2022-42453 1 Hcltech 1 Bigfix Platform 2025-04-17 6.9 Medium
There are insufficient warnings when a Fixlet is imported by a user. The warning message currently assumes the owner of the script is the logged in user, with insufficient warnings when attempting to run the script.
CVE-2022-40494 1 Ehang-io 1 Nps 2025-04-17 9.8 Critical
NPS before v0.26.10 was discovered to contain an authentication bypass vulnerability via constantly generating and sending the Auth key and Timestamp parameters.
CVE-2022-46316 1 Huawei 1 Harmonyos 2025-04-17 9.8 Critical
A thread security vulnerability exists in the authentication process. Successful exploitation of this vulnerability may affect data integrity, confidentiality, and availability.
CVE-2022-46313 1 Huawei 1 Harmonyos 2025-04-17 5.3 Medium
The sensor privacy module has an authentication vulnerability. Successful exploitation of this vulnerability may cause unavailability of the smartphone's camera and microphone.
CVE-2022-41590 1 Huawei 1 Harmonyos 2025-04-16 5.5 Medium
Some smartphones have authentication-related (including session management) vulnerabilities as the setup wizard is bypassed. Successful exploitation of this vulnerability affects the smartphone availability.
CVE-2022-2662 1 Sequi 2 Portbloque S, Portbloque S Firmware 2025-04-16 9.6 Critical
Sequi PortBloque S has a improper authentication issues which may allow an attacker to bypass the authentication process and gain user-level access to the device.
CVE-2021-23196 1 Fresenius-kabi 8 Agilia Connect, Agilia Connect Firmware, Agilia Partner Maintenance Software and 5 more 2025-04-16 7.3 High
The web application on Agilia Link+ version 3.0 implements authentication and session management mechanisms exclusively on the client-side and does not protect authentication attributes sufficiently.
CVE-2021-43355 1 Fresenius-kabi 8 Agilia Connect, Agilia Connect Firmware, Agilia Partner Maintenance Software and 5 more 2025-04-16 7.3 High
Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 allows user input to be validated on the client side without authentication by the server. The server should not rely on the correctness of the data because users might not support or block JavaScript or intentionally bypass the client-side checks. An attacker with knowledge of the service user could circumvent the client-side control and login with service privileges.
CVE-2022-21196 1 Airspan 9 A5x, A5x Firmware, C5c and 6 more 2025-04-16 10 Critical
MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perform proper authorization and authentication checks on multiple API routes. An attacker may gain access to these API routes and achieve remote code execution, create a denial-of-service condition, and obtain sensitive information.