| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| SQLLoginModule in Apache Geronimo 2.0 through 2.1 does not throw an exception for a nonexistent username, which allows remote attackers to bypass authentication via a login attempt with any username not contained in the database. |
| modules/admuser.php in myColex 1.4.2 does not require administrative authentication, which allows remote authenticated users to list user accounts via a Find action. |
| admin/index.php in Maian Search 1.1 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary search_cookie cookie. |
| Session fixation vulnerability in phpFreeChat 1.1 allows remote authenticated users to hijack web sessions by setting the session_id parameter to match the victim's nickid parameter. |
| phpLinkat 0.1 allows remote attackers to bypass authentication and access unspecified pages under admin/ by sending a login=right cookie. |
| The Staging Webservice ("sitecore modules/staging/service/api.asmx") in Sitecore Staging Module 5.4.0 rev.080625 and earlier allows remote attackers to bypass authentication and (1) upload files, (2) download files, (3) list directories, and (4) clear the server cache via crafted SOAP requests with arbitrary Username and Password values, possibly related to a direct request. |
| Lenovo Veriface III allows physically proximate attackers to login to a Windows account by presenting a "plain image" of the authorized user. |
| admin/sauvBase.php in Blog Pixel Motion (aka Blog PixelMotion) does not require authentication, which allows remote attackers to trigger a database backup dump, and obtain the resulting blogPM.sql file that contains sensitive information. |
| BEA WebLogic Server and WebLogic Express 6.1 through 10.0 allows remote attackers to bypass authentication for application servlets via crafted request headers. |
| Unspecified vulnerability in Trend Micro ServerProtect 5.7 and 5.58 allows remote attackers to execute arbitrary code via vectors related to obtaining "administrative access to the RPC interface." |
| MicroNews allows remote attackers to bypass authentication and gain administrative privileges via a direct request to admin.php. |
| Microsoft Office SharePoint Server 2007 Gold and SP1 and Microsoft Search Server 2008 do not properly perform authentication and authorization for administrative functions, which allows remote attackers to cause a denial of service (server load), obtain sensitive information, and "create scripts that would run in the context of the site" via requests to administrative URIs, aka "Access Control Vulnerability." |
| Session fixation vulnerability in Pro Clan Manager 0.4.2 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter. |
| KnowledgeQuest 2.5 and 2.6 does not require authentication for access to admincheck.php, which allows remote attackers to create arbitrary admin accounts. |
| The Axesstel AXW-D800 modem with D2_ETH_109_01_VEBR Jun-14-2006 software does not require authentication for (1) etc/config/System.html, (2) etc/config/Network.html, (3) etc/config/Security.html, (4) cgi-bin/sysconf.cgi, and (5) cgi-bin/route.cgi, which allows remote attackers to change the modem's configuration via direct requests. |
| Maian Greetings 2.1 allows remote attackers to bypass authentication and gain administrative privileges by setting the mecard_admin_cookie cookie to admin. |
| tlAds 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the tlAds_login cookie to "admin." |
| The Vonage Motorola Phone Adapter VT 2142-VD does not properly verify that a SIP INVITE message originated from a legitimate server, which allows remote attackers to send spoofed INVITE messages, as demonstrated by a flood of messages triggering a denial of service, and by phone calls with malicious content. |
| Unspecified vulnerability in a cryptographic feature in MailEnable Standard Edition before 1.93, Professional Edition before 1.73, and Enterprise Edition before 1.21 leads to "weakened authentication security" with unknown impact and attack vectors. NOTE: due to lack of details, it is not clear whether this is the same as CVE-2006-1792. |
| The WebDAV extension in Microsoft Internet Information Services (IIS) 5.0 on Windows 2000 SP4 does not properly decode URLs, which allows remote attackers to bypass authentication, and possibly read or create files, via a crafted HTTP request, aka "IIS 5.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1535. |