CVE-2018-10847

HIGH Year: 2018
CVSS v3 Score
8.8
High
CVSS v2 Score
6.5
Medium
Weakness Type
CWE-592
View all →

Vulnerability Description

prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.

Related Vulnerabilities

CVE-2017-2684

CRITICAL
CVSS:9.0(Critical)

Siemens SIMATIC Logon prior to V1.5 SP3 Update 2 could allow an attacker with knowledge of a valid user name, and physical or network access to the affected system, to bypass the application-level aut...

CWE-5922017

CVE-2018-10933

CRITICAL
CVSS:9.1(Critical)

A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthor...

CWE-5922018

CVE-2017-2650

HIGH
CVSS:8.5(High)

It was found that the use of Pipeline: Classpath Step Jenkins plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permissi...

CWE-5922017

CVE-2019-10201

HIGH
CVSS:8.1(High)

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message i...

CWE-5922019

CVE-2014-5432

CRITICAL
CVSS:9.8(Critical)

Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 is remotely accessible via Port 22/SSH without authentication. A remote attacker may b...

CWE-5922014

CVE-2018-1085

CRITICAL
CVSS:9.8(Critical)

openshift-ansible before versions 3.9.23, 3.7.46 deploys a misconfigured etcd file that causes the SSL client certificate authentication to be disabled. Quotations around the values of ETCD_CLIENT_CER...

CWE-5922018