VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 15 of 121
  • CVE-2017-9148CriMay 29, 2017
    risk 0.64cvss 9.8epss 0.04

    The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before 3.0.14, 3.1.x before 2017-02-04, and 4.0.x before 2017-02-04 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass…

  • CVE-2017-9100HigMay 21, 2017
    risk 0.64cvss 8.8epss 0.85

    login.cgi on D-Link DIR-600M devices with firmware 3.04 allows remote attackers to bypass authentication by entering more than 20 blank spaces in the password field during an admin login attempt.

  • CVE-2017-7909CriMay 6, 2017
    risk 0.64cvss 9.8epss 0.03

    A Use of Client-Side Authentication issue was discovered in Advantech B+B SmartWorx MESR901 firmware versions 1.5.2 and prior. The web interface uses JavaScript to check client authentication and redirect unauthorized users. Attackers may intercept requests and bypass…

  • CVE-2016-1219CriApr 20, 2017
    risk 0.64cvss 9.8epss 0.03

    Cybozu Garoon before 4.2.2 allows remote attackers to bypass login authentication via vectors related to API use.

  • CVE-2016-5068CriApr 10, 2017
    risk 0.64cvss 9.8epss 0.02

    Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 do not require authentication for Embedded_Ace_Get_Task.cgi requests.

  • CVE-2007-6760CriApr 7, 2017
    risk 0.64cvss 9.8epss 0.02

    Dataprobe iBootBar (with 2007-09-20 and possibly later beta firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCCOOKIE cookie.

  • CVE-2007-6759CriApr 7, 2017
    risk 0.64cvss 9.8epss 0.02

    Dataprobe iBootBar (with 2007-09-20 and possibly later released firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCRABBIT cookie.

  • CVE-2017-7450CriApr 5, 2017
    risk 0.64cvss 9.8epss 0.01

    AIRTAME HDMI dongle with firmware before 2.2.0 allows unauthenticated access to a big part of the management interface. It is possible to extract all information including the Wi-Fi password, reboot, or force a software update at an arbitrary time.

  • CVE-2016-10309CriMar 30, 2017
    risk 0.64cvss 9.8epss 0.02

    In the GUI of Ceragon FibeAir IP-10 (before 7.2.0) devices, a remote attacker can bypass authentication by adding an ALBATROSS cookie with the value 0-4-11 to their browser.

  • CVE-2016-9124CriMar 28, 2017
    risk 0.64cvss 9.8epss 0.02

    Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to…

  • CVE-2016-4926CriMar 20, 2017
    risk 0.64cvss 9.8epss 0.02

    Insufficient authentication vulnerability in Junos Space before 15.2R2 allows remote network based users with access to Junos Space web interface to perform certain administrative tasks without authentication.

  • CVE-2017-3831CriMar 15, 2017
    risk 0.64cvss 9.8epss 0.05

    A vulnerability in the web-based GUI of Cisco Mobility Express 1800 Series Access Points could allow an unauthenticated, remote attacker to bypass authentication. The attacker could be granted full administrator privileges. The vulnerability is due to improper implementation of…

  • CVE-2017-5619CriMar 13, 2017
    risk 0.64cvss 9.8epss 0.02

    An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Attackers can login with the hashed password itself (e.g., from the DB) instead of the valid password string.

  • CVE-2016-7145CriMar 7, 2017
    risk 0.64cvss 9.8epss 0.01

    The m_authenticate function in ircd/m_authenticate.c in nefarious2 allows remote attackers to spoof certificate fingerprints and consequently log in as another user via a crafted AUTHENTICATE parameter.

  • CVE-2016-9369CriFeb 13, 2017
    risk 0.64cvss 9.8epss 0.07

    An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions…

  • CVE-2016-8347CriFeb 13, 2017
    risk 0.64cvss 9.8epss 0.02

    An issue was discovered in Kabona AB WebDatorCentral (WDC) application prior to Version 3.4.0. WDC does not limit authentication attempts that may allow a brute force attack method.

  • CVE-2017-2765CriFeb 8, 2017
    risk 0.64cvss 9.8epss 0.03

    EMC Isilon InsightIQ 4.1.0, 4.0.1, 4.0.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0, 3.0.1, 3.0.0 is affected by an authentication bypass vulnerability that could potentially be exploited by attackers to compromise the affected system.

  • CVE-2016-2403CriFeb 7, 2017
    risk 0.64cvss 9.8epss 0.03

    Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.

  • CVE-2017-2768CriFeb 3, 2017
    risk 0.64cvss 9.8epss 0.04

    EMC Network Configuration Manager (NCM) 9.3.x, EMC Network Configuration Manager (NCM) 9.4.0.x, EMC Network Configuration Manager (NCM) 9.4.1.x, EMC Network Configuration Manager (NCM) 9.4.2.x contains an Improper Authentication vulnerability that could potentially be exploited…

  • CVE-2017-2767CriFeb 3, 2017
    risk 0.64cvss 9.8epss 0.06

    EMC Network Configuration Manager (NCM) 9.3.x, EMC Network Configuration Manager (NCM) 9.4.0.x, EMC Network Configuration Manager (NCM) 9.4.1.x, EMC Network Configuration Manager (NCM) 9.4.2.x contains a Java RMI Remote Code Execution vulnerability that could potentially be…