1245 matches found
CVE-2019-12527
An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length isn't greater than the buffer, leading to a heap-based buffer overflow with user...
CVE-2019-12529
An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checki...
UBUNTU-CVE-2019-12529
An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checki...
CVE-2019-13337
In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter accesstoken this is the parameter used by the API. No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is...
Authentication flaw
In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter accesstoken this is the parameter used by the API. No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is...
CVE-2019-13337
WESEEK GROWI prior to 3.5.0 is affected. A flaw in site-wide basic authentication allows bypass by supplying the URL parameter access_token (the API parameter). No valid token is validated by the backend, enabling the website to be browsed as if authentication were not required. The core issue is...
Ewon Flexy IoT Router. A Deep dive
First off I would like to thank the techs at PTP for their insights and help during this process. I know what I know, and I don't know what I don’t know, so I asked for help sometimes. I've learned a lot from this project e.g. how XOR works, and how to use IDA to analyse ARM binaries better, so I...
CVE-2019-11367
An issue was discovered in AUO Solar Data Recorder before 1.3.0. The web portal uses HTTP Basic Authentication and provides the account and password in the WWW-Authenticate attribute. By using this account and password, anyone can login successfully...
Hardcoded credentials
An issue was discovered in AUO Solar Data Recorder before 1.3.0. The web portal uses HTTP Basic Authentication and provides the account and password in the WWW-Authenticate attribute. By using this account and password, anyone can login successfully...
CVE-2019-11367
An issue was discovered in AUO Solar Data Recorder before 1.3.0. The web portal uses HTTP Basic Authentication and provides the account and password in the WWW-Authenticate attribute. By using this account and password, anyone can login successfully...
Sql injection
A SQL Injection vulnerability exists in Ivanti LANDESK Management Suite LDMS, aka Endpoint Manager 10.0.1.168 Service Update 5 due to improper username sanitization in the Basic Authentication implementation in core/provisioning.secure/ProvisioningSecure.asmx in Provisioning.Secure.dll...
CVE-2019-12374
A SQL Injection vulnerability exists in Ivanti LANDESK Management Suite LDMS, aka Endpoint Manager 10.0.1.168 Service Update 5 due to improper username sanitization in the Basic Authentication implementation in core/provisioning.secure/ProvisioningSecure.asmx in Provisioning.Secure.dll...
CVE-2019-11367
An issue was discovered in AUO Solar Data Recorder before 1.3.0. The web portal uses HTTP Basic Authentication and provides the account and password in the WWW-Authenticate attribute. By using this account and password, anyone can login successfully...
CVE-2019-12374
A SQL Injection vulnerability exists in Ivanti LANDESK Management Suite LDMS, aka Endpoint Manager 10.0.1.168 Service Update 5 due to improper username sanitization in the Basic Authentication implementation in core/provisioning.secure/ProvisioningSecure.asmx in Provisioning.Secure.dll...
Basic Authentication Without HTTPS
The remote web server contains web pages that are protected by 'Basic' authentication over cleartext. An attacker eavesdropping the traffic might obtain logins and passwords of valid users. No source data...
AUO Solar Data Recorder Incorrect Access Control
Exploit Title: AUO Solar Data Recorder - Incorrect Access Control Date: 2019-04-16 Exploit Author: Luca.Chiou Vendor Homepage: https://www.auo.com/zh-TW Version: AUO Solar Data Recorder all versions prior to v1.3.0 Tested on: It is a proprietary devices:...
AUO Solar Data Recorder < 1.3.0 - Incorrect Access Control
Exploit Title: AUO Solar Data Recorder - Incorrect Access Control Date: 2019-04-16 Exploit Author: Luca.Chiou Vendor Homepage: https://www.auo.com/zh-TW Version: AUO Solar Data Recorder all versions prior to v1.3.0 Tested on: It is a proprietary devices:...
Security Bulletin: User passwords might be obtained by a brute force attack on IBM® Intelligent Operations Center (CVE-2019-4067)
Summary If your IBM® Intelligent Operations Center system is configured to use a Lightweight Directory Access Protocol LDAP user registry, user passwords might be obtained by a brute force attack that uses HTTP basic authentication requests to IBM Intelligent Operations Center. Vulnerability...
The vulnerability of the implementation of the Security Assertion Markup Language (SAML) in Cisco Adaptive Security Appliances and Cisco Firepower Threat Defense allows a perpetrator to bypass the authentication process.
The vulnerability of the Security Assertion Markup Language SAML implementation in Cisco Adaptive Security Appliances and Cisco Firepower Threat Defense is related to authentication errors when using NT LAN Manager NTLM or basic authentication. Exploiting this vulnerability allows a malicious act...
CVE-2019-1714
A vulnerability in the implementation of Security Assertion Markup Language SAML 2.0 Single Sign-On SSO for Clientless SSL VPN WebVPN and AnyConnect Remote Access VPN in Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an unauthenticated,...