In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).
An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn't sanitized, and no input validation is performed, before the exporting of the user data. This can lead to (at least) CSV injection if a crafted Excel document is uploaded.
Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable application.
Auth0 Passport-SharePoint before 0.4.0 does not validate the JWT signature of an Access Token before processing. This allows attackers to forge tokens and bypass authentication and authorization mechanisms.
passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This can be done by adding attributes to the response. Users are affected specifically when the service provider is using `passport-wsfed-saml2` and a valid SAML Response signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.
Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected.
passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by crafting a SAMLResponse. This can be done by using a valid SAML object that was signed by the configured IdP. Users are affected specifically when the service provider is using passport-wsfed-saml2 and a valid SAML document signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.
Passport-wsfed-saml2 is a ws-federation protocol and SAML2 tokens authentication provider for Passport. In versions prior to 4.6.3, a remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP signed assertion. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. This issue is patched in version 4.6.3. Use of SAML2 authentication instead of WSFed is a workaround.
jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.
In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.
Auth0 auth0.net before 6.5.4 has Incorrect Access Control because IdentityTokenValidator can be accidentally used to validate untrusted ID tokens.
omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply: 1. You are using `omniauth-auth0`. 2. You are using `JWTValidator.verify` method directly OR you are not authenticating using the SDK’s default Authorization Code Flow. The issue is patched in version 2.4.1.
The authenticate function in LDAPUserFolder/LDAPUserFolder.py in zope-ldapuserfolder 2.9-1 does not verify the password for the emergency account, which allows remote attackers to gain privileges.
The check_password function in html/admin/login.php in PacketFence before 3.0.2 allows remote attackers to bypass authentication via an empty password.
A vulnerability has been found in Kehua Charging Pile Cloud Platform 1.0 and classified as critical. This vulnerability affects unknown code of the file /home. The manipulation leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Apache Pony Mail 0.6c through 0.8b allows remote attackers to bypass authentication.
Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Versions of Geyser prior to 1.4.2-SNAPSHOT allow anyone that can connect to the server to forge a LoginPacket with manipulated JWT token allowing impersonation as any user. Version 1.4.2-SNAPSHOT contains a patch for the issue. There are no known workarounds aside from upgrading.
A flaw in the authentication mechanism in the Login Panel of router D-Link DSL-3782 (A1_WI_20170303 || SWVer="V100R001B012" FWVer="3.10.0.24" FirmVer="TT_77616E6771696F6E67") allows unauthenticated attackers to perform arbitrary modification (read, write) to passwords and configurations meanwhile an administrator is logged into the web panel.
Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 has improper configuration options for authentication plugins associated with logins that use the single sign-on (SSO) functionality, which allows remote attackers to bypass authentication via an empty password. NOTE: some of these details are obtained from third party information.
BMC BladeLogic Server Automation (BSA) before 8.7 Patch 3 allows remote attackers to bypass authentication and consequently read arbitrary files or possibly have unspecified other impact by leveraging a "logic flaw" in the authentication process.
In some cases, Service Pack 4 for Windows NT 4.0 can allow access to network shares using a blank password, through a problem with a null NT hash value.
The server components in Objectivity/DB 10.0 do not require authentication for administrative commands, which allows remote attackers to modify data, obtain sensitive information, or cause a denial of service by sending requests over TCP to (1) the Lock Server or (2) the Advanced Multithreaded Server, as demonstrated by commands that are ordinarily sent by the (a) ookillls and (b) oostopams applications. NOTE: some of these details are obtained from third party information.
Milesight IP security cameras through 2016-11-14 allow remote attackers to bypass authentication and access a protected resource by simultaneously making a request for the unprotected vb.htm resource.
Western Digital WD My Cloud v04.05.00-320 devices embed the session token (aka PHPSESSID) in filenames, which makes it easier for attackers to bypass authentication by listing a directory. NOTE: this can be exploited in conjunction with CVE-2018-7171 for remote authentication bypass within a product that uses My Cloud.
A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). An attacker with network access to the device could potentially circumvent the authentication mechanism if he/she is able to obtain certain knowledge specific to the attacked device.
A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin implemented a page redraw AJAX function accessible to anyone without any authentication. WordPress shortcode markup in the "shortcode" parameters would be evaluated. Normally unauthenticated users can't evaluate shortcodes as they are often sensitive.
Aruba ClearPass, all versions of 6.6.x prior to 6.6.9 are affected by an authentication bypass vulnerability, an attacker can leverage this vulnerability to gain administrator privileges on the system. The vulnerability is exposed only on ClearPass web interfaces, including administrative, guest captive portal, and API. Customers who do not expose ClearPass web interfaces to untrusted users are impacted to a lesser extent.
The TYPO3 Security - Salted user password hashes (t3sec_saltedpw) extension before 0.2.13 for TYPO3 allows remote attackers to bypass authentication via unspecified vectors.
Authentication Bypass vulnerability in the administrative user interface in McAfee Web Gateway 7.8.1.0 through 7.8.1.5 allows remote attackers to execute arbitrary code via Java management extensions (JMX).
The HTTP Authentication implementation in Geo++ GNCASTER 1.4.0.7 and earlier uses the same nonce for all authentication, which allows remote attackers to hijack web sessions or bypass authentication via a replay attack.
Cisco TelePresence Recording Server devices with software 1.6.x do not require authentication for an XML-RPC interface, which allows remote attackers to perform unspecified actions via a session on TCP port 8080, aka Bug ID CSCtg35833.
The GMP Plugin in strongSwan 4.2.0 through 4.6.3 allows remote attackers to bypass authentication via a (1) empty or (2) zeroed RSA signature, aka "RSA signature verification vulnerability."
Joomla! 2.5.x before 2.5.25, 3.x before 3.2.4, and 3.3.x before 3.3.4 allows remote attackers to authenticate and bypass intended access restrictions via vectors involving LDAP authentication.
An authorization bypass vulnerability exists in Schneider Electric's Modicon M340, Modicon Premium, Modicon Quantum PLC, BMXNOR0200. Requests to CGI functions allow malicious users to bypass authorization.
Cisco TelePresence Manager 1.2.x through 1.6.x allows remote attackers to bypass authentication and invoke arbitrary methods via a malformed SOAP request, aka Bug ID CSCtc59562.
ToutVirtual VirtualIQ Pro before 3.5 build 8691 does not require administrative authentication for JBoss console access, which allows remote attackers to execute arbitrary commands via requests to (1) the JMX Management Console or (2) the Web Console.
An authentication bypass vulnerability has been identified in Pulpcore when deployed with Gunicorn versions prior to 22.0, due to the puppet-pulpcore configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) which are using Pulpcore version 3.0+ and could potentially enable unauthorized users to gain administrative access.
admin/header.php in Scripteen Free Image Hosting Script 2.3 allows remote attackers to bypass authentication and gain administrative access by setting the cookgid cookie value to 1, a different vector than CVE-2008-3211.
admin/save_user.asp in Digital Interchange Document Library 1.0.1 does not require administrative authentication, which allows remote attackers to read or modify the administrator's credentials via unspecified vectors. NOTE: some of these details are obtained from third party information.
WB News 2.1.2 allows remote attackers to bypass authentication and gain administrative access via a modified WBNEWS cookie, as demonstrated by setting this cookie to 1.
admin/manage_users.php in TotalCalendar 2.4 does not require administrative authentication, which allows remote attackers to change arbitrary passwords via the newPW1 and newPW2 parameters.
admin.php in dB Masters Multimedia Links Directory 3.1.3 allows remote attackers to bypass authentication and gain administrative access via a certain value of the admin_log cookie.
Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.
A vulnerability has been found in TOTOLINK T10 4.1.8cu.5241_B20210927. Affected is an unknown function of the file /formLoginAuth.htm. The manipulation of the argument authCode with the input 1 leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CRE Loaded before 6.2.14 allows remote attackers to bypass authentication and gain administrator privileges via vectors related to a modified PHP_SELF variable, which is not properly handled by (1) includes/application_top.php and (2) admin/includes/application_top.php.
Properly formatted POST requests to multiple resources on the HTTP and HTTPS web servers of the Digi PortServer TS 16 Rack device do not require authentication or authentication tokens. This vulnerability could allow an attacker to enable the SNMP service and manipulate the community strings to achieve further control in.
admin/delitem.php in RoomPHPlanning 1.6 does not require authentication, which allows remote attackers to (1) delete arbitrary users via the user parameter or (2) delete arbitrary rooms via the room parameter.
A vulnerability has been found in WinterChenS my-site up to 1f7525f15934d9d6a278de967f6ec9f1757738d8. This vulnerability affects the function preHandle of the file /admin/ of the component Backend Interface. The manipulation of the argument uri leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The code maintainer responded to the issue that "[he] tried it, and using this link automatically redirects to the login page."
The administrator package for Xerver 4.32 does not require authentication, which allows remote attackers to alter application settings by connecting to the application on port 32123, as demonstrated by setting the action option to wizardStep1.
The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server.