Login Bypass Vulnerability in Yunye CMS

Yunye CMS is an enterprise website building system developed by Luoyang Yunye Information Technology Co. A login bypass vulnerability exists in Yunye CMS. An attacker can use the vulnerability to bypass the account password authentication and directly log into the user account...

Authentication flaw

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication e.g., GitHub or Google SSO in an organization that also allows password authentication could have their personal API key stolen by an...

CVE-2019-18933

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication e.g., GitHub or Google SSO in an organization that also allows password authentication could have their personal API key stolen by an...

CVE-2019-18199

An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Because of the lack of proper encryption of 2.4 GHz communication, and because of password-based authentication, they are vulnerable to replay attacks...

CVE-2019-17216

An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. Password authentication uses MD5 to hash passwords. Cracking is possible with minimal effort...

Code injection

An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. There is no bruteforce protection e.g., lockout established. An attacker might be able to bruteforce the password to authenticate on the device...

Default credentials

An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. Password authentication uses MD5 to hash passwords. Cracking is possible with minimal effort...

CVE-2019-17216

CVE-2019-17216 affects the V-Zug Combi-Steam MSLQ family (before Ethernet R07 and WLAN R05). The root issue is that password authentication uses MD5 to hash passwords, which enables cracking with minimal effort. This leads to a high-severity, network-remote risk affecting authentication confident...

Authentication flaw

An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044update05032019-482. They allow high-privileged root access by www-data via sudo without requiring appropriate access control. Furthermore, the user account that controls the web...

CVE-2019-1859

A vulnerability in the Secure Shell SSH authentication process of Cisco Small Business Switches software could allow an attacker to bypass client-side certificate authentication and revert to password authentication. The vulnerability exists because OpenSSH mishandles the authentication process. ...

CVE-2019-1859

A vulnerability in the Secure Shell SSH authentication process of Cisco Small Business Switches software could allow an attacker to bypass client-side certificate authentication and revert to password authentication. The vulnerability exists because OpenSSH mishandles the authentication process. ...

Design/Logic Flaw

A vulnerability in the Secure Shell SSH authentication process of Cisco Small Business Switches software could allow an attacker to bypass client-side certificate authentication and revert to password authentication. The vulnerability exists because OpenSSH mishandles the authentication process. ...

CVE-2019-1859 Cisco Small Business Switches Secure Shell Certificate Authentication Bypass Vulnerability

A vulnerability in the Secure Shell SSH authentication process of Cisco Small Business Switches software could allow an attacker to bypass client-side certificate authentication and revert to password authentication. The vulnerability exists because OpenSSH mishandles the authentication process. ...

SUSE-SU-2019:1088-1 Security update for wpa_supplicant

This update for wpasupplicant fixes the following issues: This security issue was fixed: - CVE-2018-14526: Under certain conditions, the integrity of EAPOL-Key messages was not checked, leading to a decryption oracle. An attacker within range of the Access Point and client could have abused the...

DEBIAN-CVE-2019-9498

The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication,...

Unprotected OSSEC/Wazuh ossec-authd (authd Protocol)

The remote OSSEC/Wazuh ossec-authd service is not protected by password authentication or client certificate verification. SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders...

Nextcloud: Password authentication at newsletter.nextcloud.com discloses username list

summary: A vulnerability classified as problematic has been found in OpenSSH 7.2p2. check INFO.pngAffected is an unknown function of the component Authentication. The manipulation of the argument Password with an unknown input leads to a information disclosure vulnerability Username. CWE is...

SUSE-SU-2018:3480-1 Security update for wpa_supplicant

This update for wpasupplicant provides the following fixes: This security issues was fixe: - CVE-2018-14526: Under certain conditions, the integrity of EAPOL-Key messages was not checked, leading to a decryption oracle. An attacker within range of the Access Point and client could have abused the...

Java JMX Agent Insecure Configuration

A Java JMX agent running on the remote host is configured without SSL client and password authentication. An unauthenticated, remote attacker can connect to the JMX agent and monitor and manage the Java application that has enabled the agent. Moreover, this insecure configuration could allow the...

CVE-2018-5399

The Auto-Maskin DCU 210E firmware contains an undocumented Dropbear SSH server, v2015.55, configured to listen on Port 22 while the DCU is running. The Dropbear server is configured with a hard-coded user name and password combination of root / amroot. The server is configured to use password onl...