Export limit exceeded: 335114 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 10670 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10670 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-1000433 | 2 Debian, Pysaml2 Project | 2 Debian Linux, Pysaml2 | 2024-11-21 | 8.1 High |
| pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password. | ||||
| CVE-2017-1000354 | 1 Jenkins | 1 Jenkins | 2024-11-21 | N/A |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance. | ||||
| CVE-2017-0927 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A |
| Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the deployment keys component resulting in unauthorized use of deployment keys by guest users. | ||||
| CVE-2017-0926 | 2 Debian, Gitlab | 2 Debian Linux, Gitlab | 2024-11-21 | N/A |
| Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login. | ||||
| CVE-2017-0911 | 1 Twitter | 1 Twitter Kit | 2024-11-21 | N/A |
| Twitter Kit for iOS versions 3.0 to 3.2.1 is vulnerable to a callback verification flaw in the "Login with Twitter" component allowing an attacker to provide alternate credentials. In the final step of "Login with Twitter" authentication information is passed back to the application using the registered custom URL scheme (typically twitterkit-<consumer-key>) on iOS. Because the callback handler did not verify the authenticity of the response, this step is vulnerable to forgery, potentially allowing attacker to associate a Twitter account with a third-party service. | ||||
| CVE-2017-0369 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-11-21 | N/A |
| Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw, allowing a sysops to undelete pages, although the page is protected against it. | ||||
| CVE-2017-0362 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-11-21 | N/A |
| Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token. | ||||
| CVE-2017-0356 | 2 Debian, Ikiwiki | 2 Debian Linux, Ikiwiki | 2024-11-21 | N/A |
| A flaw, similar to to CVE-2016-9646, exists in ikiwiki before 3.20170111, in the passwordauth plugin's use of CGI::FormBuilder, allowing an attacker to bypass authentication via repeated parameters. | ||||
| CVE-2016-9880 | 1 Pivotal Software | 1 Gemfire For Pivotal Cloud Foundry | 2024-11-21 | N/A |
| The GemFire broker for Cloud Foundry 1.6.x before 1.6.5 and 1.7.x before 1.7.1 has multiple API endpoints which do not require authentication and could be used to gain access to the cluster managed by the broker. | ||||
| CVE-2016-9722 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2024-11-21 | N/A |
| IBM QRadar 7.2 and 7.3 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 119737. | ||||
| CVE-2016-9646 | 2 Debian, Ikiwiki | 2 Debian Linux, Ikiwiki | 2024-11-21 | N/A |
| ikiwiki before 3.20161229 incorrectly called the CGI::FormBuilder->field method (similar to the CGI->param API that led to Bugzilla's CVE-2014-1572), which can be abused to lead to commit metadata forgery. | ||||
| CVE-2016-9645 | 1 Ikiwiki | 1 Ikiwiki | 2024-11-21 | N/A |
| The fix for ikiwiki for CVE-2016-10026 was incomplete resulting in editing restriction bypass for git revert when using git versions older than 2.8.0. This has been fixed in 3.20161229. | ||||
| CVE-2016-9599 | 2 Openstack, Redhat | 2 Puppet-tripleo, Openstack | 2024-11-21 | N/A |
| puppet-tripleo before versions 5.5.0, 6.2.0 is vulnerable to an access-control flaw in the IPtables rules management, which allowed the creation of TCP/UDP rules with empty port values. If SSL is enabled, a malicious user could use these open ports to gain access to unauthorized resources. | ||||
| CVE-2016-9575 | 2 Freeipa, Redhat | 2 Freeipa, Enterprise Linux | 2024-11-21 | N/A |
| Ipa versions 4.2.x, 4.3.x before 4.3.3 and 4.4.x before 4.4.3 did not properly check the user's permissions while modifying certificate profiles in IdM's certprofile-mod command. An authenticated, unprivileged attacker could use this flaw to modify profiles to issue certificates with arbitrary naming or key usage information and subsequently use such certificates for other attacks. | ||||
| CVE-2016-9497 | 1 Hughes | 8 Dw7000, Dw7000 Firmware, Hn7000s and 5 more | 2024-11-21 | N/A |
| Hughes high-performance broadband satellite modems, models HN7740S DW7000 HN7000S/SM, is vulnerable to an authentication bypass using an alternate path or channel. By default, port 1953 is accessible via telnet and does not require authentication. An unauthenticated remote user can access many administrative commands via this interface, including rebooting the modem. | ||||
| CVE-2016-9482 | 1 Jqueryform | 1 Php Formmail Generator | 2024-11-21 | N/A |
| Code generated by PHP FormMail Generator may allow a remote unauthenticated user to bypass authentication in the to access the administrator panel by navigating directly to /admin.php?mod=admin&func=panel | ||||
| CVE-2016-8656 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2024-11-21 | N/A |
| Jboss jbossas before versions 5.2.0-23, 6.4.13, 7.0.5 is vulnerable to an unsafe file handling in the jboss init script which could result in local privilege escalation. | ||||
| CVE-2016-8629 | 1 Redhat | 5 Enterprise Linux Server, Jboss Single Sign On, Keycloak and 2 more | 2024-11-21 | N/A |
| Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm. | ||||
| CVE-2016-8616 | 2 Haxx, Redhat | 3 Curl, Jboss Core Services, Rhel Software Collections | 2024-11-21 | N/A |
| A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password. | ||||
| CVE-2016-8609 | 1 Redhat | 2 Jboss Single Sign On, Keycloak | 2024-11-21 | N/A |
| It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session. This could lead to information disclosure, or permit further possible attacks. | ||||