VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 2 of 121
  • CVE-2017-14147CriSep 7, 2017
    risk 0.72cvss 9.8epss 0.66

    An issue was discovered on FiberHome User End Routers Bearing Model Number AN1020-25 which could allow an attacker to easily restore a router to its factory settings by simply browsing to the link http://[Default-Router-IP]/restoreinfo.cgi & execute it. Due to improper…

  • CVE-2017-12477CriAug 7, 2017
    risk 0.72cvss 9.8epss 0.68

    It was discovered that the bpserverd proprietary protocol in Unitrends Backup (UB) before 10.0.0, as invoked through xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the…

  • CVE-2018-8096CriMar 14, 2018
    risk 0.71cvss 9.8epss 0.50

    Datalust Seq before 4.2.605 is vulnerable to Authentication Bypass (with the attacker obtaining admin access) via '"Name":"isauthenticationenabled","Value":false' in an api/settings/setting-isauthenticationenabled PUT request.

  • CVE-2017-6526CriMar 9, 2017
    risk 0.71cvss 9.8epss 0.57

    An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to unauthenticated command execution through an improperly protected administrative web shell (cgi-bin/dna/sysAdmin.cgi POST requests).

  • CVE-2022-25369CriJan 23, 2026
    risk 0.70cvss 9.8epss 0.41

    An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new…

  • CVE-2021-41303CriSep 17, 2021
    risk 0.70cvss 9.8epss 0.76

    Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

  • CVE-2014-6436CriJan 12, 2018
    risk 0.70cvss 9.8epss 0.42

    Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices improperly manage sessions, which allows remote attackers to bypass authentication in opportunistic circumstances and execute arbitrary commands with administrator privileges by leveraging an existing web portal login.

  • CVE-2017-14322CriOct 18, 2017
    risk 0.70cvss 9.8epss 0.37

    The function in charge to check whether the user is already logged in init.php in Interspire Email Marketer (IEM) prior to 6.1.6 allows remote attackers to bypass authentication and obtain administrative access by using the IEM_CookieLogin cookie with a specially crafted value.

  • CVE-2012-6710CriOct 7, 2018
    risk 0.69cvss 9.8epss 0.25

    ext_find_user in eXtplorer through 2.1.2 allows remote attackers to bypass authentication via a password[]= (aka an empty array) in an action=login request to index.php.

  • CVE-2018-9032CriMar 27, 2018
    risk 0.69cvss 9.8epss 0.29

    An authentication bypass vulnerability on D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router (Hardware Version : A1, B1; Firmware Version : 1.02-2.06) devices potentially allows attackers to bypass SharePort Web Access Portal by directly visiting /category_view.php…

  • CVE-2017-16562CriNov 10, 2017
    risk 0.69cvss 9.8epss 0.27

    The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote attackers to bypass authentication and obtain administrative access via a "true" value for the up_auto_log parameter in the QUERY_STRING to the default URI.

  • CVE-2017-5791CriOct 11, 2017
    risk 0.69cvss 9.8epss 0.69

    The doFilter method in UrlAccessController in HPE Intelligent Management Center (iMC) PLAT 7.2 E0403P06 allows remote bypass of authentication via unspecified strings in a URI.

  • CVE-2017-14706CriSep 22, 2017
    risk 0.69cvss 9.8epss 0.28

    DenyAll WAF before 6.4.1 allows unauthenticated remote attackers to obtain authentication information by making a typeOf=debug request to /webservices/download/index.php, and then reading the iToken field in the reply. This affects DenyAll i-Suite LTS 5.5.0 through 5.5.12,…

  • CVE-2017-7546CriAug 16, 2017
    risk 0.69cvss 9.8epss 0.62

    PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password.

  • CVE-2017-11151CriAug 8, 2017
    risk 0.69cvss 9.8epss 0.25

    A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action.

  • CVE-2017-7588CriApr 12, 2017
    risk 0.69cvss 9.8epss 0.34

    On certain Brother devices, authorization is mishandled by including a valid AuthCookie cookie in the HTTP response to a failed login attempt. Affected models are: MFC-J6973CDW MFC-J4420DW MFC-8710DW MFC-J4620DW MFC-L8850CDW MFC-J3720 MFC-J6520DW MFC-L2740DW MFC-J5910DW…

  • CVE-2024-48445CriFeb 4, 2025
    risk 0.68cvss 9.8epss 0.02

    An issue in compop.ca ONLINE MALL v.3.5.3 allows a remote attacker to execute arbitrary code via the rid, tid, et, and ts parameters.

  • CVE-2024-3080CriJun 14, 2024
    risk 0.68cvss 9.8epss 0.43

    Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device.

  • CVE-2022-45933CriNov 27, 2022
    risk 0.68cvss 9.8epss 0.52

    KubeView through 0.1.31 allows attackers to obtain control of a Kubernetes cluster because api/scrape/kube-system does not require authentication, and retrieves certificate files that can be used for authentication as kube-admin. NOTE: the vendor's position is that KubeView was…

  • CVE-2018-12613HigJun 21, 2018
    risk 0.68cvss 8.8epss 0.98

    An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for…