| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid username and password pairs, which allows remote authenticated users to login to a target account via any of its username and password pairs. |
| The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation specification. |
| main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API in Apache allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods. |
| Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Product / Instrument Search). Supported versions that are affected are 2.0.1, 2.2.0 and 12.0.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Private Banking. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Private Banking accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Private Banking accessible data. CVSS v3.0 Base Score 5.4 (Confidentiality and Integrity impacts). |
| Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: GUI). Supported versions that are affected are VirtualBox prior to 5.0.32 and prior to 5.1.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS v3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). |
| discovery-debug in Foreman before 6.2 when the ssh service has been enabled on discovered nodes displays the root password in plaintext in the system journal when used to log in, which allows local users with access to the system journal to obtain the root password by reading the system journal, or by clicking Logs on the console. |
| ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie. |
| An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "SpringBoard" component, which allows physically proximate attackers to bypass the passcode attempt counter and unlock a device via unspecified vectors. |
| A remote unauthenticated network based attacker with access to Junos Space may execute arbitrary code on Junos Space or gain access to devices managed by Junos Space using cross site request forgery (CSRF), default authentication credentials, information leak and command injection attack vectors. All versions of Juniper Networks Junos Space prior to 15.1R3 are affected. |
| ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP's deployment of these devices). |
| In all Android releases from CAF using the Linux kernel, some regions of memory were not protected during boot. |
| In all Android releases from CAF using the Linux kernel, stack protection was not enabled for secure applications. |
| An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. The issue involves the "Security" component. It allows local users to discover lengths of arbitrary passwords by reading a log. |
| reseed seeds random numbers from an insecure HTTP request to random.org during installation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a man-in-the-middle attack. |
| SeaWell Networks Spectrum SDC 02.05.00 has a default password of "admin" for the "admin" account. |
| Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by making a prediction of tvsu_tmp_xxxxxXXXXX account credentials that requires knowledge of the time that this account was created, aka a "temporary administrator account vulnerability." |
| The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote registered Consumers to use another Consumer's credentials by leveraging knowledge of the credentials. |
| The ntpq saveconfig command in NTP 4.1.2, 4.2.x before 4.2.8p6, 4.3, 4.3.25, 4.3.70, and 4.3.77 does not properly filter special characters, which allows attackers to cause unspecified impact via a crafted filename. |
| Huawei UAP2105 before V300R012C00SPC160(BootRom) does not require authentication to the serial port or the VxWorks shell. |
| The LDAP Authentication functionality in Foreman might allow remote attackers with knowledge of old passwords to gain access via vectors involving the password lifetime period in Active Directory. |
