VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 105 of 121
  • CVE-2009-5083Aug 12, 2011
    risk 0.00cvss epss 0.01

    IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2, when configured as an OpenID relying party, does not perform the expected login rejection upon receiving an OP-Identifier from an OpenID provider, which allows remote attackers to bypass authentication via…

  • CVE-2011-2701Aug 4, 2011
    risk 0.00cvss epss 0.02

    The ocsp_check function in rlm_eap_tls.c in FreeRADIUS 2.1.11, when OCSP is enabled, does not properly parse replies from OCSP responders, which allows remote attackers to bypass authentication by using the EAP-TLS protocol with a revoked X.509 client certificate.

  • CVE-2011-2361Aug 3, 2011
    risk 0.00cvss epss 0.01

    The Basic Authentication dialog implementation in Google Chrome before 13.0.782.107 does not properly handle strings, which might make it easier for remote attackers to capture credentials via a crafted web site.

  • CVE-2011-2758Jul 17, 2011
    risk 0.00cvss epss 0.02

    IDSWebApp in the Web Administration Tool in IBM Tivoli Directory Server (TDS) 6.2 before 6.2.0.3-TIV-ITDS-IF0004 does not require authentication for access to LDAP Server log files, which allows remote attackers to obtain sensitive information via a crafted URL.

  • CVE-2011-2756Jul 17, 2011
    risk 0.00cvss epss 0.02

    FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0 before Build 8012 does not require authentication, which allows remote attackers to read files from a specific directory via unspecified vectors.

  • CVE-2011-1409Jun 24, 2011
    risk 0.00cvss epss 0.02

    Frams's Fast File EXchange (F*EX, aka fex) 20100208, and possibly other versions before 20110610, allows remote attackers to bypass authentication and upload arbitrary files via a request that lacks an authentication ID.

  • CVE-2009-5077Jun 8, 2011
    risk 0.00cvss epss 0.01

    CRE Loaded before 6.2.14 allows remote attackers to bypass authentication and gain administrator privileges via vectors related to a modified PHP_SELF variable, which is not properly handled by (1) includes/application_top.php and (2) admin/includes/application_top.php.

  • CVE-2009-5076Jun 8, 2011
    risk 0.00cvss epss 0.01

    CRE Loaded before 6.2.14, and possibly other versions before 6.3.x, allows remote attackers to bypass authentication and gain administrator privileges via a request with (1) login.php or (2) password_forgotten.php appended as the PATH_INFO, which bypasses a check that uses…

  • CVE-2011-1758May 26, 2011
    risk 0.00cvss epss 0.00

    The krb5_save_ccname_done function in providers/krb5/krb5_auth.c in System Security Services Daemon (SSSD) 1.5.x before 1.5.7, when automatic ticket renewal and offline authentication are configured, uses a pathname string as a password, which allows local users to bypass…

  • CVE-2011-1766May 23, 2011
    risk 0.00cvss epss 0.02

    includes/User.php in MediaWiki before 1.16.5, when wgBlockDisablesLogin is enabled, does not clear certain cached data after verification of an auth token fails, which allows remote attackers to bypass authentication by creating crafted wikiUserID and wikiUserName cookies, or by…

  • CVE-2011-2155May 20, 2011
    risk 0.00cvss epss 0.04

    Login.aspx in the SmarterTools SmarterStats 6.0 web server generates a ctl00$MPH$txtPassword password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation.

  • CVE-2011-1901May 5, 2011
    risk 0.00cvss epss 0.02

    The mail-filter web interface in Proofpoint Messaging Security Gateway 6.2.0.263:6.2.0.237 and earlier in Proofpoint Protection Server 5.5.3, 5.5.4, 5.5.5, 6.0.2, 6.1.1, and 6.2.0 allows remote attackers to bypass authentication via unspecified vectors.

  • CVE-2011-1674Apr 10, 2011
    risk 0.00cvss epss 0.03

    The NetGear ProSafe WNAP210 with firmware 2.0.12 allows remote attackers to bypass authentication and obtain access to the configuration page by visiting recreate.php and then visiting index.php.

  • CVE-2011-1561Apr 5, 2011
    risk 0.00cvss epss 0.02

    The LDAP login feature in bos.rte.security 6.1.6.4 in IBM AIX 6.1, when ldap_auth is enabled in ldap.cfg, allows remote attackers to bypass authentication via a login attempt with an arbitrary password.

  • CVE-2011-1472Mar 29, 2011
    risk 0.00cvss epss 0.00

    The Nokia E75 phone with firmware before 211.12.01 allows physically proximate attackers to bypass the Device Lock code by entering an unspecified button sequence at boot time.

  • CVE-2011-1520Mar 25, 2011
    risk 0.00cvss epss 0.00

    The default configuration of the server console in IBM Lotus Domino does not require a password (aka Server_Console_Password), which allows physically proximate attackers to perform administrative changes or obtain sensitive information via a (1) Load, (2) Tell, or (3) Set…

  • CVE-2011-1025Mar 20, 2011
    risk 0.00cvss epss 0.04

    bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require authentication for the root Distinguished Name (DN), which allows remote attackers to bypass intended access restrictions via an arbitrary password.

  • CVE-2011-0438Mar 15, 2011
    risk 0.00cvss epss 0.02

    nslcd/pam.c in the nss-pam-ldapd 0.8.0 PAM module returns a success code when a user is not found in LDAP, which allows remote attackers to bypass authentication.

  • CVE-2011-0435Mar 7, 2011
    risk 0.00cvss epss 0.02

    Domain Technologie Control (DTC) before 0.32.9 does not require authentication for (1) admin/bw_per_month.php and (2) client/bw_per_month.php, which allows remote attackers to obtain potentially sensitive bandwidth information via a direct request.

  • CVE-2011-0279Mar 7, 2011
    risk 0.00cvss epss 0.01

    HP Multifunction Peripheral (MFP) Digital Sending Software (DSS) 4.91.00 does not properly configure authentication settings of managed devices within device templates, which allows attackers to access these devices via actions that were intended to require authentication.