CWE-287

Improper Authentication

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

Page 117 of 121
  • CVE-2008-0823 (Feb 19, 2008)
    risk 0.00 · cvss · epss 0.02

    Unspecified vulnerability in the Header Image Module before 5.x-1.1 for Drupal allows remote attackers to access the administration pages via unknown attack vectors.

  • CVE-2008-0640 (Feb 8, 2008)
    risk 0.00 · cvss · epss 0.03

    Symantec Ghost Solution Suite 1.1 before 1.1 patch 2, 2.0.0, and 2.0.1 does not authenticate connections between the console and the Ghost Management Agent, which allows remote attackers to execute arbitrary commands via unspecified RPC requests in conjunction with ARP spoofing.

  • CVE-2008-0476 (Jan 29, 2008)
    risk 0.00 · cvss · epss 0.01

    ManageEngine Applications Manager 8.1 build 8100 does not check authentication for monitorType.do and unspecified other pages, which allows remote attackers to obtain sensitive information and change settings via unspecified vectors. NOTE: the provenance of this information is…

  • CVE-2008-0407 (Jan 29, 2008)
    risk 0.00 · cvss · epss 0.02

    HTTP File Server (HFS) before 2.2c tags HTTP request log entries with the username sent during HTTP Basic Authentication, regardless of whether authentication succeeded, which might make it more difficult for an administrator to determine who made a remote request.

  • CVE-2008-0410 (Jan 29, 2008)
    risk 0.00 · cvss · epss 0.02

    HTTP File Server (HFS) before 2.2c allows remote attackers to obtain configuration and usage details by using an id element such as %version% in HTTP Basic Authentication instead of a username and password, as demonstrated by placing this id element in the userinfo…

  • CVE-2008-0408 (Jan 29, 2008)
    risk 0.00 · cvss · epss 0.02

    HTTP File Server (HFS) before 2.2c allows remote attackers to append arbitrary text to the log file by using the base64 representation of this text during HTTP Basic Authentication.

  • CVE-2008-0377 (Jan 22, 2008)
    risk 0.00 · cvss · epss 0.03

    MicroNews allows remote attackers to bypass authentication and gain administrative privileges via a direct request to admin.php.

  • CVE-2008-0330 (Jan 17, 2008)
    risk 0.00 · cvss · epss 0.02

    Open System Consultants (OSC) Radiator before 4.0 allows remote attackers to cause a denial of service (daemon crash) via malformed RADIUS requests, as demonstrated by packets sent by nmap.

  • CVE-2008-0229 (Jan 10, 2008)
    risk 0.00 · cvss · epss 0.03

    The telnet service in LevelOne WBR-3460 4-Port ADSL 2/2+ Wireless Modem Router with firmware 1.00.11 and 1.00.12 does not require authentication, which allows remote attackers on the local or wireless network to obtain administrative access.

  • CVE-2007-6601 (Jan 9, 2008)
    risk 0.00 · cvss · epss 0.02

    The DBLink module in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3 before 7.3.21, when local trust or ident authentication is used, allows remote attackers to gain privileges via unspecified vectors. NOTE: this issue exists…

  • CVE-2008-0150 (Jan 9, 2008)
    risk 0.00 · cvss · epss 0.01

    Unspecified vulnerability in the LDAP authentication feature in Aruba Mobility Controller 2.3.6.15, 2.5.2.11, 2.5.4.25, 2.5.5.7, 3.1.1.3, and 2.4.8.11-FIPS or earlier allows remote attackers to bypass authentication mechanisms and obtain management or VPN interface access.

  • CVE-2007-6430 (Dec 20, 2007)
    risk 0.00 · cvss · epss 0.02

    Asterisk Open Source 1.2.x before 1.2.26 and 1.4.x before 1.4.16, and Business Edition B.x.x before B.2.3.6 and C.x.x before C.1.0-beta8, when using database-based registrations ("realtime") and host-based authentication, does not check the IP address when the username is…

  • CVE-2007-5855 (Dec 19, 2007)
    risk 0.00 · cvss · epss 0.02

    Mail in Apple Mac OS X 10.4.11 and 10.5.1, when an SMTP account has been set up using Account Assistant, can use plaintext authentication even when MD5 Challenge-Response authentication is available, which makes it easier for remote attackers to sniff account activity.

  • CVE-2007-5862 (Dec 18, 2007)
    risk 0.00 · cvss · epss 0.03

    Java in Mac OS X 10.4 through 10.4.11 allows remote attackers to bypass Keychain access controls and add or delete arbitrary Keychain items via a crafted Java applet.

  • CVE-2007-6385 (Dec 15, 2007)
    risk 0.00 · cvss · epss 0.00

    The proxy server in Kerio WinRoute Firewall before 6.4.1 does not properly enforce authentication for HTTPS pages, which has unknown impact and attack vectors. NOTE: it is not clear whether this issue crosses privilege boundaries.

  • CVE-2007-6384 (Dec 15, 2007)
    risk 0.00 · cvss · epss 0.02

    Unspecified vulnerability in the Image Converter functionality in BEA WebLogic Mobility Server 3.3, 3.5, and 3.6 through 3.6 SP1 allows remote attackers to obtain application file and resource access via unspecified vectors.

  • CVE-2007-5614 (Dec 5, 2007)
    risk 0.00 · cvss · epss 0.04

    Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors.

  • CVE-2007-6226 (Dec 4, 2007)
    risk 0.00 · cvss · epss 0.02

    The American Power Conversion (APC) AP7932 0u 30amp Switched Rack Power Distribution Unit (PDU), with rpdu 3.5.5 and aos 3.5.6, allows remote attackers to bypass authentication and obtain login access by making a login attempt while a different client is logged in, and then…

  • CVE-2007-6145 (Nov 27, 2007)
    risk 0.00 · cvss · epss 0.02

    Unspecified vulnerability in Hitachi JP1/File Transmission Server/FTP 01-00 through 08-10-01 allows remote attackers to bypass authentication and "view files" via unspecified vectors.

  • CVE-2007-6130 (Nov 26, 2007)
    risk 0.00 · cvss · epss 0.01

    gnump3d 2.9final does not apply password protection to its plugins, which might allow remote attackers to bypass intended access restrictions.