CWE-1390
Weak Authentication
ClassIncomplete
Description
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
Hierarchy (View 1000)
CVEs mapped to this weakness (21)
page 1 of 2| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-6886 | Cri | 0.64 | 9.8 | 0.00 | Apr 23, 2026 | Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a Authentication Bypass vulnerability, allowing unauthenticated remote attackers to log into the system as any user. | |
| CVE-2025-39596 | Cri | 0.64 | 9.8 | 0.00 | Apr 17, 2025 | Weak Authentication vulnerability in Quentn.com GmbH Quentn WP quentn-wp allows Privilege Escalation.This issue affects Quentn WP: from n/a through <= 1.2.8. | |
| CVE-2024-54092 | Cri | 0.64 | 9.8 | 0.00 | Apr 8, 2025 | A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial Edge Device Kit - arm64 V1.19 (All versions), Industrial Edge Device Kit - arm64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - arm64 V1.21 (All versions < V1.21.1-1), Industrial Edge Device Kit - x86-64 V1.17 (All versions), Industrial Edge Device Kit - x86-64 V1.18 (All versions), Industrial Edge Device Kit - x86-64 V1.19 (All versions), Industrial Edge Device Kit - x86-64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - x86-64 V1.21 (All versions < V1.21.1-1), Industrial Edge Own Device (IEOD) (All versions < V1.21.1-1-a), Industrial Edge Virtual Device (All versions < V1.21.1-1-a), SCALANCE LPE9413 (6GK5998-3GS01-2AC2) (All versions < V2.1), SIMATIC IPC BX-39A Industrial Edge Device (All versions < V3.0), SIMATIC IPC BX-59A Industrial Edge Device (All versions < V3.0), SIMATIC IPC127E Industrial Edge Device (All versions < V3.0), SIMATIC IPC227E Industrial Edge Device (All versions < V3.0), SIMATIC IPC427E Industrial Edge Device (All versions < V3.0), SIMATIC IPC847E Industrial Edge Device (All versions < V3.0). Affected devices do not properly enforce user authentication on specific API endpoints when identity federation is used. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that identity federation is currently or has previously been used and the attacker has learned the identity of a legitimate user. | |
| CVE-2023-49340 | Cri | 0.64 | 9.8 | 0.00 | Mar 9, 2024 | An issue was discovered in Newland Nquire 1000 Interactive Kiosk version NQ1000-II_G_V1.00.011, allows remote attackers to escalate privileges and bypass authentication via incorrect access control in the web management portal. | |
| CVE-2024-45367 | Cri | 0.59 | 9.1 | 0.00 | Oct 3, 2024 | The web server for ONS-S8 - Spectra Aggregation Switch includes an incomplete authentication process, which can lead to an attacker authenticating without a password. | |
| CVE-2024-39848 | Cri | 0.59 | 9.1 | 0.00 | Jun 29, 2024 | Internet2 Grouper before 5.6 allows authentication bypass when LDAP authentication is used in certain ways. This is related to internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication and the use of the UyY29r password for the M3vwHr account. This also affects "Grouper for Web Services" before 4.13.1. | |
| CVE-2025-5484 | Hig | 0.54 | 8.3 | 0.00 | Jun 12, 2025 | A username and password are required to authenticate to the central SinoTrack device management interface. The username for all devices is an identifier printed on the receiver. The default password is well-known and common to all devices. Modification of the default password is not enforced during device setup. A malicious actor can retrieve device identifiers with either physical access or by capturing identifiers from pictures of the devices posted on publicly accessible websites such as eBay. | |
| CVE-2026-4924 | Hig | 0.53 | 8.2 | 0.00 | Apr 1, 2026 | Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session token. | |
| CVE-2026-4828 | Hig | 0.53 | 8.2 | 0.00 | Apr 1, 2026 | Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request. | |
| CVE-2025-1727 | Hig | 0.53 | 8.1 | 0.00 | Jul 10, 2025 | The protocol used for remote linking over RF for End-of-Train and Head-of-Train (also known as a FRED) relies on a BCH checksum for packet creation. It is possible to create these EoT and HoT packets with a software defined radio and issue brake control commands to the EoT device, disrupting operations or potentially overwhelming the brake systems. | |
| CVE-2025-29994 | Hig | 0.53 | — | 0.01 | Mar 13, 2025 | This vulnerability exists in the CAP back office application due to improper authentication check at the API endpoint. An unauthenticated remote attacker with a valid login ID could exploit this vulnerability by manipulating API input parameters through API request URL/payload leading to unauthorized access to other user accounts. | |
| CVE-2026-0204 | Hig | 0.52 | 8.0 | 0.00 | Apr 29, 2026 | A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions. | |
| CVE-2025-11084 | Hig | 0.49 | — | 0.00 | Nov 11, 2025 | A security issue exists within DataMosaix™ Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the users password. This vulnerability occurs when MFA is enabled but not completed within a 7-day period. | |
| CVE-2024-47397 | Hig | 0.49 | 7.5 | 0.00 | Dec 18, 2024 | Weak authentication issue exists in AE1021 firmware versions 2.0.10 and earlier and AE1021PE firmware versions 2.0.10 and earlier. If this vulnerability is exploited, the authentication may be bypassed with an undocumented specific string. | |
| CVE-2025-70994 | Hig | 0.47 | 7.3 | 0.00 | Apr 23, 2026 | Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack. | |
| CVE-2025-7326 | Hig | 0.46 | 7.0 | 0.01 | Jul 8, 2025 | Weak authentication in EOL ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry. | |
| CVE-2025-62844 | Med | 0.36 | 5.5 | 0.00 | Mar 20, 2026 | A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later | |
| CVE-2026-32497 | Med | 0.34 | 5.3 | 0.00 | Mar 25, 2026 | Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through <= 2.0.45. | |
| CVE-2025-47479 | Med | 0.34 | 5.3 | 0.00 | Jul 4, 2025 | Weak Authentication vulnerability in AresIT WP Compress wp-compress-image-optimizer allows Authentication Abuse.This issue affects WP Compress: from n/a through <= 6.30.30. | |
| CVE-2023-41862 | Med | 0.34 | 5.3 | 0.00 | Dec 13, 2024 | Weak Authentication vulnerability in Guido VS Contact Form allows Authentication Abuse.This issue affects VS Contact Form: from n/a through 14.0. |