CWE-287
Improper Authentication
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (2,419)
page 13 of 121| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-15295 | Cri | 0.64 | 9.8 | 0.02 | Oct 16, 2017 | Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064. | ||
| CVE-2017-15293 | Cri | 0.64 | 9.8 | 0.04 | Oct 16, 2017 | Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064. | ||
| CVE-2017-10622 | Cri | 0.64 | 9.8 | 0.05 | Oct 13, 2017 | An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote unauthenticated network based attacker to login as any privileged user. This issue only affects Junos Space Network Management Platform 17.1R1 without Patch v1… | ||
| CVE-2016-5791 | Cri | 0.64 | 9.8 | 0.02 | Oct 13, 2017 | An Improper Authentication issue was discovered in JanTek JTC-200, all versions. The improper authentication could provide an undocumented BusyBox Linux shell accessible over the TELNET service without any authentication. | ||
| CVE-2017-14003 | Cri | 0.64 | 9.8 | 0.03 | Oct 11, 2017 | An Authentication Bypass by Spoofing issue was discovered in LAVA Ether-Serial Link (ESL) running firmware versions 6.01.00/29.03.2007 and prior versions. An improper authentication vulnerability has been identified, which, if exploited, would allow an attacker with the same IP… | ||
| CVE-2016-8937 | Cri | 0.64 | 9.8 | 0.02 | Oct 5, 2017 | The IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) default authentication protocol is vulnerable to a brute force attack due to disclosing too much information during authentication. An attacker could gain user or administrative access to the TSM server. IBM… | ||
| CVE-2017-12819 | Cri | 0.64 | 9.8 | 0.01 | Oct 4, 2017 | Remote manipulations with language pack updater lead to NTLM-relay attack for system user in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55. | ||
| CVE-2017-13983 | Cri | 0.64 | 9.8 | 0.06 | Sep 30, 2017 | An authentication vulnerability in HPE BSM Platform Application Performance Management System Health product versions 9.26, 9.30 and 9.40, allows remote users to bypass authentication. | ||
| CVE-2017-12236 | Cri | 0.64 | 9.8 | 0.03 | Sep 29, 2017 | A vulnerability in the implementation of the Locator/ID Separation Protocol (LISP) in Cisco IOS XE 3.2 through 16.5 could allow an unauthenticated, remote attacker using an x tunnel router to bypass authentication checks performed when registering an Endpoint Identifier (EID) to… | ||
| CVE-2017-12229 | Cri | 0.64 | 9.8 | 0.05 | Sep 29, 2017 | A vulnerability in the REST API of the web-based user interface (web UI) of Cisco IOS XE 3.1 through 16.5 could allow an unauthenticated, remote attacker to bypass authentication to the REST API of the web UI of the affected software. The vulnerability is due to insufficient… | ||
| CVE-2017-14080 | Cri | 0.64 | 9.8 | 0.03 | Sep 22, 2017 | Authentication bypass vulnerability in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allows attackers to access a specific part of the console using a blank password. | ||
| CVE-2017-7649 | Cri | 0.64 | 9.8 | 0.02 | Sep 11, 2017 | The network enabled distribution of Kura before 2.1.0 takes control over the device's firewall setup but does not allow IPv6 firewall rules to be configured. Still the Equinox console port 5002 is left open, allowing to log into Kura without any user credentials over unencrypted… | ||
| CVE-2015-3442 | Cri | 0.64 | 9.8 | 0.03 | Sep 7, 2017 | Soreco Xpert.Line 3.0 allows local users to spoof users and consequently gain privileges by intercepting a Windows API call. | ||
| CVE-2015-7746 | Cri | 0.64 | 9.8 | 0.02 | Sep 1, 2017 | NetApp Data ONTAP before 8.2.4, when operating in 7-Mode, allows remote attackers to bypass authentication and (1) obtain sensitive information from or (2) modify volumes via vectors related to UTF-8 in the volume language. | ||
| CVE-2017-12698 | Cri | 0.64 | 9.8 | 0.05 | Aug 30, 2017 | An Improper Authentication issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. Specially crafted requests allow a possible authentication bypass that could allow remote code execution. | ||
| CVE-2015-1401 | Cri | 0.64 | 9.8 | 0.03 | Aug 28, 2017 | Improper Authentication vulnerability in the "LDAP / SSO Authentication" (ig_ldap_sso_auth) extension 2.0.0 for TYPO3. | ||
| CVE-2016-4460 | Cri | 0.64 | 9.8 | 0.06 | Aug 22, 2017 | Apache Pony Mail 0.6c through 0.8b allows remote attackers to bypass authentication. | ||
| CVE-2017-7420 | Cri | 0.64 | 9.8 | 0.02 | Aug 21, 2017 | An Authentication Bypass (CWE-287) vulnerability in ESMAC (aka Enterprise Server Monitor and Control) in Micro Focus Enterprise Developer and Enterprise Server 2.3 and earlier, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allows remote unauthenticated attackers… | ||
| CVE-2015-4464 | Cri | 0.64 | 9.8 | 0.05 | Aug 18, 2017 | Kguard Digital Video Recorder 104, 108, v2 does not have any authorization or authentication between an ActiveX client and the application server. | ||
| CVE-2015-6816 | Cri | 0.64 | 9.8 | 0.04 | Aug 9, 2017 | ganglia-web before 3.7.1 allows remote attackers to bypass authentication. |
- risk 0.64cvss 9.8epss 0.02
Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064.
- risk 0.64cvss 9.8epss 0.04
Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064.
- risk 0.64cvss 9.8epss 0.05
An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote unauthenticated network based attacker to login as any privileged user. This issue only affects Junos Space Network Management Platform 17.1R1 without Patch v1…
- risk 0.64cvss 9.8epss 0.02
An Improper Authentication issue was discovered in JanTek JTC-200, all versions. The improper authentication could provide an undocumented BusyBox Linux shell accessible over the TELNET service without any authentication.
- risk 0.64cvss 9.8epss 0.03
An Authentication Bypass by Spoofing issue was discovered in LAVA Ether-Serial Link (ESL) running firmware versions 6.01.00/29.03.2007 and prior versions. An improper authentication vulnerability has been identified, which, if exploited, would allow an attacker with the same IP…
- risk 0.64cvss 9.8epss 0.02
The IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) default authentication protocol is vulnerable to a brute force attack due to disclosing too much information during authentication. An attacker could gain user or administrative access to the TSM server. IBM…
- risk 0.64cvss 9.8epss 0.01
Remote manipulations with language pack updater lead to NTLM-relay attack for system user in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55.
- risk 0.64cvss 9.8epss 0.06
An authentication vulnerability in HPE BSM Platform Application Performance Management System Health product versions 9.26, 9.30 and 9.40, allows remote users to bypass authentication.
- risk 0.64cvss 9.8epss 0.03
A vulnerability in the implementation of the Locator/ID Separation Protocol (LISP) in Cisco IOS XE 3.2 through 16.5 could allow an unauthenticated, remote attacker using an x tunnel router to bypass authentication checks performed when registering an Endpoint Identifier (EID) to…
- risk 0.64cvss 9.8epss 0.05
A vulnerability in the REST API of the web-based user interface (web UI) of Cisco IOS XE 3.1 through 16.5 could allow an unauthenticated, remote attacker to bypass authentication to the REST API of the web UI of the affected software. The vulnerability is due to insufficient…
- risk 0.64cvss 9.8epss 0.03
Authentication bypass vulnerability in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allows attackers to access a specific part of the console using a blank password.
- risk 0.64cvss 9.8epss 0.02
The network enabled distribution of Kura before 2.1.0 takes control over the device's firewall setup but does not allow IPv6 firewall rules to be configured. Still the Equinox console port 5002 is left open, allowing to log into Kura without any user credentials over unencrypted…
- risk 0.64cvss 9.8epss 0.03
Soreco Xpert.Line 3.0 allows local users to spoof users and consequently gain privileges by intercepting a Windows API call.
- risk 0.64cvss 9.8epss 0.02
NetApp Data ONTAP before 8.2.4, when operating in 7-Mode, allows remote attackers to bypass authentication and (1) obtain sensitive information from or (2) modify volumes via vectors related to UTF-8 in the volume language.
- risk 0.64cvss 9.8epss 0.05
An Improper Authentication issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. Specially crafted requests allow a possible authentication bypass that could allow remote code execution.
- risk 0.64cvss 9.8epss 0.03
Improper Authentication vulnerability in the "LDAP / SSO Authentication" (ig_ldap_sso_auth) extension 2.0.0 for TYPO3.
- risk 0.64cvss 9.8epss 0.06
Apache Pony Mail 0.6c through 0.8b allows remote attackers to bypass authentication.
- risk 0.64cvss 9.8epss 0.02
An Authentication Bypass (CWE-287) vulnerability in ESMAC (aka Enterprise Server Monitor and Control) in Micro Focus Enterprise Developer and Enterprise Server 2.3 and earlier, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allows remote unauthenticated attackers…
- risk 0.64cvss 9.8epss 0.05
Kguard Digital Video Recorder 104, 108, v2 does not have any authorization or authentication between an ActiveX client and the application server.
- risk 0.64cvss 9.8epss 0.04
ganglia-web before 3.7.1 allows remote attackers to bypass authentication.