Common Weakness Enumeration
CWE-305
AllowedAuthentication Bypass by Primary Weakness
Abstraction: Base · Status: Draft
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
281 vulnerabilities reference this CWE, most recent first.
CVE-2024-5957 (GCVE-0-2024-5957)
Vulnerability from cvelistv5 – Published: 2024-09-05 10:49 – Updated: 2024-09-05 13:11
VLAI
EPSS
VEX
Summary
This vulnerability allows unauthenticated remote attackers to bypass authentication and gain APIs access of the Manager.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Trellix | Intrusion Prevention System (IPS) Manager |
Affected:
11.1.7.97
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5957",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T13:10:58.158237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T13:11:11.676Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Intrusion Prevention System (IPS) Manager",
"vendor": "Trellix",
"versions": [
{
"status": "affected",
"version": "11.1.7.97"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kentaro Kawane"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis vulnerability allows unauthenticated remote attackers to bypass authentication and gain APIs access of the Manager.\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e"
}
],
"value": "This vulnerability allows unauthenticated remote attackers to bypass authentication and gain APIs access of the Manager."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305: Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T10:49:38.276Z",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"url": "https://thrive.trellix.com/s/article/000013870"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2024-5957",
"datePublished": "2024-09-05T10:49:38.276Z",
"dateReserved": "2024-06-13T06:47:31.425Z",
"dateUpdated": "2024-09-05T13:11:11.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5956 (GCVE-0-2024-5956)
Vulnerability from cvelistv5 – Published: 2024-09-05 10:42 – Updated: 2024-09-05 13:13
VLAI
EPSS
VEX
Summary
This vulnerability allows unauthenticated remote attackers to bypass authentication and gain partial data access to the vulnerable Trellix IPS Manager with garbage data in response mostly
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Trellix | Intrusion Prevention System (IPS) Manager |
Affected:
11.1.7.97
|
|
| trellix | intrusion_prevention_system_manager |
Affected:
11.1.7.97
cpe:2.3:a:trellix:intrusion_prevention_system_manager:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:trellix:intrusion_prevention_system_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "intrusion_prevention_system_manager",
"vendor": "trellix",
"versions": [
{
"status": "affected",
"version": "11.1.7.97"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5956",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T13:11:38.274777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T13:13:04.061Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"11.1.7.97"
],
"product": "Intrusion Prevention System (IPS) Manager",
"vendor": "Trellix",
"versions": [
{
"status": "affected",
"version": "11.1.7.97"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kentaro Kawane"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis vulnerability allows unauthenticated remote attackers to bypass authentication and gain partial data access to the vulnerable Trellix IPS Manager with garbage data in response mostly\u003c/span\u003e\u003c/b\u003e"
}
],
"value": "This vulnerability allows unauthenticated remote attackers to bypass authentication and gain partial data access to the vulnerable Trellix IPS Manager with garbage data in response mostly"
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305: Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T10:50:14.273Z",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"url": "https://thrive.trellix.com/s/article/000013870"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2024-5956",
"datePublished": "2024-09-05T10:42:09.315Z",
"dateReserved": "2024-06-13T06:47:29.265Z",
"dateUpdated": "2024-09-05T13:13:04.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4784 (GCVE-0-2024-4784)
Vulnerability from cvelistv5 – Published: 2024-08-08 10:02 – Updated: 2024-08-29 15:04
VLAI
EPSS
VEX
Title
Authentication Bypass by Primary Weakness in GitLab
Summary
An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy.
Severity
4.2 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/461248 | issue-trackingpermissions-required |
| https://hackerone.com/reports/2486223 | technical-descriptionexploitpermissions-required |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4784",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T14:12:19.684074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T14:12:32.637Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "GitLab",
"repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
"vendor": "GitLab",
"versions": [
{
"lessThan": "17.0.6",
"status": "affected",
"version": "16.7",
"versionType": "semver"
},
{
"lessThan": "17.1.4",
"status": "affected",
"version": "17.1",
"versionType": "semver"
},
{
"lessThan": "17.2.2",
"status": "affected",
"version": "17.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks [vexin](https://hackerone.com/vexin) for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305: Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T15:04:58.457Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #461248",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/461248"
},
{
"name": "HackerOne Bug Bounty Report #2486223",
"tags": [
"technical-description",
"exploit",
"permissions-required"
],
"url": "https://hackerone.com/reports/2486223"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to versions 17.2.2, 17.1.4, 17.0.6 or above."
}
],
"title": "Authentication Bypass by Primary Weakness in GitLab"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2024-4784",
"datePublished": "2024-08-08T10:02:19.809Z",
"dateReserved": "2024-05-10T19:01:57.438Z",
"dateUpdated": "2024-08-29T15:04:58.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1403 (GCVE-0-2024-1403)
Vulnerability from cvelistv5 – Published: 2024-02-27 15:39 – Updated: 2024-08-12 19:27
VLAI
EPSS
VEX
Title
Authentication Bypass in OpenEdge Authentication Gateway and AdminServer
Summary
In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The
vulnerability is a bypass to authentication based on a failure to properly
handle username and password. Certain unexpected
content passed into the credentials can lead to unauthorized access without proper
authentication.
Severity
10 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.progress.com/openedge | product |
| https://community.progress.com/s/article/Importan… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Progress | OpenEdge |
Affected:
11.7.0 , < 11.7.19
(semver)
Affected: 12.2.0 , < 12.2.14 (semver) Affected: 12.8.0 , < 12.8.1 (semver) |
|
| progress | openedge |
Affected:
11.7.0 , < 11.7.19
(semver)
Affected: 12.2.0 , < 12.2.14 (semver) Affected: 12.8.0 , < 12.8.1 (semver) cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:21.248Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/openedge"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "openedge",
"vendor": "progress",
"versions": [
{
"lessThan": "11.7.19",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThan": "12.2.14",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.8.1",
"status": "affected",
"version": "12.8.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1403",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-16T04:00:49.775339Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T19:27:43.016Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"OpenEdge Authentication Gateway",
"AdminServer"
],
"platforms": [
"Windows",
"Linux",
"x86",
"64 bit",
"32 bit"
],
"product": "OpenEdge",
"vendor": "Progress",
"versions": [
{
"lessThan": "11.7.19",
"status": "affected",
"version": "11.7.0",
"versionType": "semver"
},
{
"lessThan": "12.2.14",
"status": "affected",
"version": "12.2.0",
"versionType": "semver"
},
{
"lessThan": "12.8.1",
"status": "affected",
"version": "12.8.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\u0026nbsp; The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication. \u0026nbsp; \n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.\u00a0 The\nvulnerability is a bypass to authentication based on a failure to properly\nhandle username and password. Certain unexpected\ncontent passed into the credentials can lead to unauthorized access without proper\nauthentication. \u00a0 \n\n\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305: Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T15:39:54.850Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/openedge"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass in OpenEdge Authentication Gateway and AdminServer",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-1403",
"datePublished": "2024-02-27T15:39:54.850Z",
"dateReserved": "2024-02-09T15:46:27.472Z",
"dateUpdated": "2024-08-12T19:27:43.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1202 (GCVE-0-2024-1202)
Vulnerability from cvelistv5 – Published: 2024-03-05 14:41 – Updated: 2026-06-03 14:25 Unsupported When Assigned
VLAI
EPSS
VEX
Title
Authentication Bypass in XPodas' Octopod
Summary
Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass.
This issue affects Octopod: before v1.
NOTE: The vendor was contacted and it was learned that the product is not supported.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.usom.gov.tr/bildirim/tr-24-0174 | government-resourcebroken-link |
| https://siberguvenlik.gov.tr/guvenlik-bildirimler… | government-resource |
Impacted products
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xpodas:octoped:1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "octoped",
"vendor": "xpodas",
"versions": [
{
"lessThan": "1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-15T15:43:55.908419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T13:09:42.039Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:33:24.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.usom.gov.tr/bildirim/tr-24-0174"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Octopod",
"vendor": "XPodas",
"versions": [
{
"lessThan": "v1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Efe \u00d6zel"
},
{
"lang": "en",
"type": "analyst",
"user": "00000000-0000-4000-9000-000000000000",
"value": "\u00d6mer Y\u0131lmaz"
},
{
"lang": "en",
"type": "analyst",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Cemil Sefa \u00d6zcan"
},
{
"lang": "en",
"type": "sponsor",
"user": "00000000-0000-4000-9000-000000000000",
"value": "fordefence.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass.\u003cp\u003eThis issue affects Octopod: before v1.\u0026nbsp;\n\nNOTE:\u0026nbsp;The vendor was contacted and it was learned that the product is not supported.\u003c/p\u003e"
}
],
"value": "Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass.\n\nThis issue affects Octopod: before v1.\u00a0\n\nNOTE:\u00a0The vendor was contacted and it was learned that the product is not supported."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T14:25:47.350Z",
"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"shortName": "TR-CERT"
},
"references": [
{
"tags": [
"government-resource",
"broken-link"
],
"url": "https://www.usom.gov.tr/bildirim/tr-24-0174"
},
{
"tags": [
"government-resource"
],
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0174"
}
],
"source": {
"advisory": "TR-24-0174",
"defect": [
"TR-24-0174"
],
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Authentication Bypass in XPodas\u0027 Octopod",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"assignerShortName": "TR-CERT",
"cveId": "CVE-2024-1202",
"datePublished": "2024-03-05T14:41:40.624Z",
"dateReserved": "2024-02-02T14:14:34.081Z",
"dateUpdated": "2026-06-03T14:25:47.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46611 (GCVE-0-2023-46611)
Vulnerability from cvelistv5 – Published: 2025-01-02 12:00 – Updated: 2026-04-28 16:08
VLAI
EPSS
VEX
Title
WordPress YOP Poll plugin <= 6.5.28 - Vote Manipulation Due to Broken Captcha Control Vulnerability
Summary
Authentication Bypass by Primary Weakness vulnerability in yourownprogrammer YOP Poll allows Authentication Bypass.This issue affects YOP Poll: from n/a through 6.5.28.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| yourownprogrammer | YOP Poll |
Affected:
n/a , ≤ 6.5.28
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46611",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-02T17:17:51.330023Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-02T17:17:59.853Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yop-poll",
"product": "YOP Poll",
"vendor": "yourownprogrammer",
"versions": [
{
"changes": [
{
"at": "6.5.29",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.5.28",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "qilin_99 (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAuthentication Bypass by Primary Weakness vulnerability in yourownprogrammer YOP Poll allows Authentication Bypass.\u003c/p\u003e\u003cp\u003eThis issue affects YOP Poll: from n/a through 6.5.28.\u003c/p\u003e"
}
],
"value": "Authentication Bypass by Primary Weakness vulnerability in yourownprogrammer YOP Poll allows Authentication Bypass.This issue affects YOP Poll: from n/a through 6.5.28."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:47.059Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/yop-poll/vulnerability/wordpress-yop-poll-plugin-6-5-28-vote-manipulation-due-to-broken-captcha-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress YOP Poll plugin to the latest available version (at least 6.5.29)."
}
],
"value": "Update the WordPress YOP Poll plugin to the latest available version (at least 6.5.29)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress YOP Poll plugin \u003c= 6.5.28 - Vote Manipulation Due to Broken Captcha Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-46611",
"datePublished": "2025-01-02T12:00:22.156Z",
"dateReserved": "2023-10-24T13:09:53.768Z",
"dateUpdated": "2026-04-28T16:08:47.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-41920 (GCVE-0-2023-41920)
Vulnerability from cvelistv5 – Published: 2024-07-02 07:42 – Updated: 2024-08-02 19:09
VLAI
EPSS
VEX
Title
Authentication Bypass by Primary Weakness in Kiloview P1/P2 devices
Summary
The vulnerability allows attackers access to the root account without having to authenticate. Specifically, if the device is configured with the IP address of 10.10.10.10, the root user is automatically logged in.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Kiloview | P1/P2 |
Affected:
All , ≤ 4.8.2605
(custom)
|
|
| kiloview | p1_4g_video_encoder_firmware |
Affected:
0 , ≤ *
(custom)
cpe:2.3:o:kiloview:p1_4g_video_encoder_firmware:-:*:*:*:*:*:*:* |
|
| kiloview | p2_4g_video_encoder_firmware |
Affected:
0 , ≤ *
(custom)
cpe:2.3:o:kiloview:p2_4g_video_encoder_firmware:-:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:kiloview:p1_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p1_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:kiloview:p2_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p2_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41920",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T10:52:36.148784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T10:52:42.017Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.386Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "P1/P2",
"vendor": "Kiloview",
"versions": [
{
"lessThanOrEqual": "4.8.2605",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe vulnerability allows attackers access to the root account without having to authenticate. \u003c/span\u003e\u003cspan style=\"background-color: rgba(255, 255, 255, 0.7);\"\u003eSpecifically, if the device is configured with the IP address of 10.10.10.10, the root user is automatically logged in.\u003c/span\u003e\n\n"
}
],
"value": "The vulnerability allows attackers access to the root account without having to authenticate. Specifically, if the device is configured with the IP address of 10.10.10.10, the root user is automatically logged in."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T08:20:30.865Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass by Primary Weakness in Kiloview P1/P2 devices"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2023-41920",
"datePublished": "2024-07-02T07:42:24.484Z",
"dateReserved": "2023-09-05T10:14:50.216Z",
"dateUpdated": "2024-08-02T19:09:49.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36497 (GCVE-0-2023-36497)
Vulnerability from cvelistv5 – Published: 2023-09-11 19:36 – Updated: 2025-01-16 21:29
VLAI
EPSS
VEX
Title
Dover Fueling Solutions MAGLINK LX Web Console Authentication Bypass by Primary Weakness
Summary
Dover Fueling Solutions MAGLINK LX Web Console Configuration versions 2.5.1, 2.5.2, 2.5.3, 2.6.1, 2.11, 3.0, 3.2, and 3.3
could allow a guest user to elevate to admin privileges.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Dover Fueling Solutions | MAGLINK LX Web Console Configuration |
Affected:
2.5.1
Affected: 2.5.2 Affected: 2.5.3 Affected: 2.6.1 Affected: 2.11 Affected: 3.0 Affected: 3.2 Affected: 3.3 |
Date Public
2023-09-07 18:38
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:45:57.209Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-01"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36497",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T21:20:25.054838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T21:29:58.801Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MAGLINK LX Web Console Configuration",
"vendor": "Dover Fueling Solutions",
"versions": [
{
"status": "affected",
"version": "2.5.1"
},
{
"status": "affected",
"version": "2.5.2"
},
{
"status": "affected",
"version": "2.5.3"
},
{
"status": "affected",
"version": "2.6.1"
},
{
"status": "affected",
"version": "2.11"
},
{
"status": "affected",
"version": "3.0"
},
{
"status": "affected",
"version": "3.2"
},
{
"status": "affected",
"version": "3.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Soufian El Yadmani of Darktrace / CSIRT.global reported these vulnerabilities"
}
],
"datePublic": "2023-09-07T18:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dover Fueling Solutions MAGLINK LX Web Console Configuration versions 2.5.1, 2.5.2, 2.5.3, 2.6.1, 2.11, 3.0, 3.2, and 3.3 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould allow a guest user to elevate to admin privileges\u003c/span\u003e."
}
],
"value": "Dover Fueling Solutions MAGLINK LX Web Console Configuration versions 2.5.1, 2.5.2, 2.5.3, 2.6.1, 2.11, 3.0, 3.2, and 3.3 \n\ncould allow a guest user to elevate to admin privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305: Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T16:31:42.756Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In 2023, Dover Fueling Solutions announced end-of-life for MAGLINK LX 3 and released MAGLINK LX 4. However, MAGLINK LX 3 version 3.4.2.2.6 and MAGLINK LX 4 fixes these vulnerabilities.\u003cbr\u003e"
}
],
"value": "In 2023, Dover Fueling Solutions announced end-of-life for MAGLINK LX 3 and released MAGLINK LX 4. However, MAGLINK LX 3 version 3.4.2.2.6 and MAGLINK LX 4 fixes these vulnerabilities."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Dover Fueling Solutions MAGLINK LX Web Console Authentication Bypass by Primary Weakness",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-36497",
"datePublished": "2023-09-11T19:36:26.795Z",
"dateReserved": "2023-09-01T20:57:37.407Z",
"dateUpdated": "2025-01-16T21:29:58.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34137 (GCVE-0-2023-34137)
Vulnerability from cvelistv5 – Published: 2023-07-13 02:43 – Updated: 2024-10-30 18:49
VLAI
EPSS
VEX
Summary
SonicWall GMS and Analytics CAS Web Services application use static values for authentication without proper checks leading to authentication bypass vulnerability. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://psirt.global.sonicwall.com/vuln-detail/SN… | vendor-advisory |
| https://www.sonicwall.com/support/notices/2307101… | related |
Impacted products
Date Public
2023-07-13 02:43
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:01:53.617Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0010"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://www.sonicwall.com/support/notices/230710150218060"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34137",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T18:49:13.419958Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T18:49:22.304Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "GMS",
"vendor": "SonicWall",
"versions": [
{
"status": "affected",
"version": "9.3.2-SP1 and earlier versions"
}
]
},
{
"defaultStatus": "unknown",
"product": "Analytics",
"vendor": "SonicWall",
"versions": [
{
"status": "affected",
"version": "2.5.0.4-R7 and earlier versions"
}
]
}
],
"datePublic": "2023-07-13T02:43:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SonicWall GMS and Analytics CAS Web Services application use static values for authentication without proper checks leading to authentication bypass vulnerability. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.\u003cp\u003e\u003c/p\u003e"
}
],
"value": "SonicWall GMS and Analytics CAS Web Services application use static values for authentication without proper checks leading to authentication bypass vulnerability. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305: Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-13T02:43:08.405Z",
"orgId": "44b2ff79-1416-4492-88bb-ed0da00c7315",
"shortName": "sonicwall"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0010"
},
{
"tags": [
"related"
],
"url": "https://www.sonicwall.com/support/notices/230710150218060"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "44b2ff79-1416-4492-88bb-ed0da00c7315",
"assignerShortName": "sonicwall",
"cveId": "CVE-2023-34137",
"datePublished": "2023-07-13T02:43:08.405Z",
"dateReserved": "2023-05-25T22:45:46.852Z",
"dateUpdated": "2024-10-30T18:49:22.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34124 (GCVE-0-2023-34124)
Vulnerability from cvelistv5 – Published: 2023-07-13 00:14 – Updated: 2025-04-08 15:23
VLAI
EPSS
VEX
Summary
The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
3 references
Impacted products
Date Public
2023-07-12 23:07
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:01:53.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0010"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://www.sonicwall.com/support/notices/230710150218060"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/174571/Sonicwall-GMS-9.9.9320-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-34124",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T18:53:33.391833Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T15:23:32.589Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "GMS",
"vendor": "SonicWall",
"versions": [
{
"status": "affected",
"version": "9.3.2-SP1 and earlier versions"
}
]
},
{
"defaultStatus": "unknown",
"product": "Analytics",
"vendor": "SonicWall",
"versions": [
{
"status": "affected",
"version": "2.5.0.4-R7 and earlier versions"
}
]
}
],
"datePublic": "2023-07-12T23:07:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.\u003cp\u003e\u003c/p\u003e"
}
],
"value": "The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-08T22:06:25.270Z",
"orgId": "44b2ff79-1416-4492-88bb-ed0da00c7315",
"shortName": "sonicwall"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0010"
},
{
"tags": [
"related"
],
"url": "https://www.sonicwall.com/support/notices/230710150218060"
},
{
"url": "http://packetstormsecurity.com/files/174571/Sonicwall-GMS-9.9.9320-Remote-Code-Execution.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "44b2ff79-1416-4492-88bb-ed0da00c7315",
"assignerShortName": "sonicwall",
"cveId": "CVE-2023-34124",
"datePublished": "2023-07-13T00:14:16.861Z",
"dateReserved": "2023-05-25T22:45:46.851Z",
"dateUpdated": "2025-04-08T15:23:32.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.