VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 17 of 121
  • CVE-2015-7938CriJan 9, 2016
    risk 0.64cvss 9.8epss 0.04

    Advantech EKI-132x devices with firmware before 2015-12-31 allow remote attackers to bypass authentication via unspecified vectors.

  • CVE-2012-6437CriJan 24, 2013
    risk 0.64cvss 9.8epss 0.10

    The device does not properly authenticate users and the potential exists for a remote user to upload a new firmware image to the Ethernet card, whether it is a corrupt or legitimate firmware image. Successful exploitation of this vulnerability could cause loss of availability,…

  • CVE-2012-0931CriJan 28, 2012
    risk 0.64cvss 9.8epss 0.05

    Schneider Electric Modicon Quantum PLC does not perform authentication between the Unity software and PLC, which allows remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors.

  • CVE-2010-4478CriDec 6, 2010
    risk 0.64cvss 9.8epss 0.04

    OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round…

  • CVE-2009-2422CriJul 10, 2009
    risk 0.64cvss 9.8epss 0.03

    The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers…

  • CVE-2007-4043CriJul 27, 2007
    risk 0.64cvss 9.8epss 0.02

    file.cgi in Secure Computing SecurityReporter (aka Network Security Analyzer) before 4.6.3 allows remote attackers to bypass authentication via a name parameter ending with a "%00.gif" sequence. NOTE: a separate traversal vulnerability could be leveraged to download arbitrary…

  • CVE-2024-22245CriFeb 20, 2024
    risk 0.63cvss 9.6epss 0.01

    Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) could allow a malicious actor that could trick a target domain user with EAP installed in their web browser into requesting and relaying service…

  • CVE-2026-1568CriFeb 3, 2026
    risk 0.62cvss 9.6epss 0.00

    Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Console" installations, resulting in full…

  • CVE-2025-62376CriOct 14, 2025
    risk 0.62cvss epss 0.01

    pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit 467db0b9ea0d9a929dc89b41f6eb59f7cfc68bef, the /workspace endpoint contains an improper authentication vulnerability that allows an attacker to access any active Windows VM without proper…

  • CVE-2025-3621CriJul 15, 2025
    risk 0.62cvss 9.6epss 0.01

    Vulnerabilities* in ActADUR local server product, developed and maintained by ProTNS, allows Remote Code Inclusion on host systems.  * vulnerabilities: * Improper Neutralization of Special Elements used in a Command ('Command Injection') * Use of Hard-coded…

  • CVE-2024-45347CriJun 23, 2025
    risk 0.62cvss 9.6epss 0.00

    An unauthorized access vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to Unauthorized access to the victim’s device.

  • CVE-2025-23116CriMar 1, 2025
    risk 0.62cvss 9.6epss 0.01

    An Authentication Bypass vulnerability on UniFi Protect Application with Auto-Adopt Bridge Devices enabled could allow a malicious actor with access to UniFi Protect Cameras adjacent network to take control of UniFi Protect Cameras.

  • CVE-2018-7750CriMar 13, 2018
    risk 0.62cvss 9.8epss 0.27

    transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing…

  • CVE-2025-3659CriMay 12, 2025
    risk 0.61cvss epss 0.00

    Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families: * Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022 * Digi One SP/Digi One SP IA/Digi One IA - prior to and including…

  • CVE-2024-43240CriAug 19, 2024
    risk 0.61cvss 9.4epss 0.01

    Improper Authentication vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro: from n/a through <= 12.7.

  • CVE-2024-7395CriAug 5, 2024
    risk 0.61cvss epss 0.01

    An authentication bypass vulnerability in Korenix JetPort 5601v3 allows an attacker to access functionality on the device without specifying a password.This issue affects JetPort 5601v3: through 1.2.

  • CVE-2021-43116HigJul 5, 2022
    risk 0.61cvss 8.8epss 0.07

    An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login.

  • CVE-2018-14786CriAug 23, 2018
    risk 0.61cvss 9.4epss 0.03

    Becton, Dickinson and Company (BD) Alaris Plus medical syringe pumps (models Alaris GS, Alaris GH, Alaris CC, and Alaris TIVA) versions 2.3.6 and prior are affected by an improper authentication vulnerability where the software does not perform authentication for functionality…

  • CVE-2017-14000CriOct 5, 2017
    risk 0.61cvss 9.4epss 0.02

    An Improper Authentication issue was discovered in Ctek SkyRouter Series 4200 and 4400, all versions prior to V6.00.11. By accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to access the application without authenticating.

  • CVE-2017-9630CriAug 7, 2017
    risk 0.61cvss 9.4epss 0.01

    An Improper Authentication issue was discovered in PDQ Manufacturing LaserWash G5 and G5 S Series all versions, LaserWash M5, all versions, LaserWash 360 and 360 Plus, all versions, LaserWash AutoXpress and AutoExpress Plus, all versions, LaserJet, all versions, ProTouch Tandem,…