OpenVPN Access Server

20 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2023-46850
>= 2.11.0 and <= 2.11.3
Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavior, leaking memory buffers or remote execution when s
9.8 CRITICAL
CVE-2023-46849
>= 2.11.0 and <= 2.11.3
Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide
7.5 HIGH
CVE-2021-4234
< 2.11.0
OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent f
7.5 HIGH
CVE-2022-33738
< 2.11.0
OpenVPN Access Server before 2.11 uses a weak random generator used to create user session token for the web portal
7.5 HIGH
CVE-2022-33737
>= 2.10.0 and < 2.11.0
The OpenVPN Access Server installer creates a log file readable for everyone, which from version 2.10.0 and before 2.11.0 may cont
7.5 HIGH
CVE-2021-3824
>= 2.9.0 and <= 2.9.4
OpenVPN Access Server 2.9.0 through 2.9.4 allow remote attackers to inject arbitrary web script or HTML via the web login page URL
6.1 MEDIUM
CVE-2020-36382
>= 2.7.3 and <= 2.8.7
OpenVPN Access Server 2.7.3 to 2.8.7 allows remote attackers to trigger an assert during the user authentication phase via incorre
7.5 HIGH
CVE-2020-15077
<= 2.8.7
OpenVPN Access Server 2.8.7 and earlier versions allow remote attackers to bypass authentication and access control channel dat
5.3 MEDIUM
CVE-2020-15074
< 2.8.4
OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiti
7.5 HIGH
CVE-2020-11462
< 2.7.0
An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enable
7.5 HIGH
CVE-2020-8953
>= 2.8.0 and < 2.8.1
OpenVPN Access Server 2.8.x before 2.8.1 allows LDAP authentication bypass (except when a user is enrolled in two-factor authentic
9.8 CRITICAL
CVE-2017-5868
all versions
CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP
6.1 MEDIUM
CVE-2014-8104
all versions
OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial o
CVE-2014-9104
<= 1.5.6
Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1.5.6
CVE-2013-2692
<= 1.8.4
Cross-site request forgery (CSRF) vulnerability in the Admin web interface in OpenVPN Access Server before 1.8.5 allows remote att
CVE-2013-2061
all versions
The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain
CVE-2006-2229
all versions
OpenVPN 2.0.7 and earlier, when configured to use the --management option with an IP that is not 127.0.0.1, uses a cleartext passw
CVE-2006-1629
all versions
OpenVPN 2.0 through 2.0.5 allows remote malicious servers to execute arbitrary code on the client by using setenv with the LD_PREL
CVE-2005-3409
all versions
OpenVPN 2.x before 2.0.4, when running in TCP mode, allows remote attackers to cause a denial of service (segmentation fault) by f
CVE-2005-3393
all versions
Format string vulnerability in the foreign_option function in options.c for OpenVPN 2.0.x allows remote clients to execute arbitra
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin