VYPR

CWE-287

Improper Authentication

Abstraction: Class · Status: Draft · Likelihood of Exploit: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

  • CVE-2025-20160 · High · Sep 24, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    A vulnerability in the implementation of the TACACS+ protocol in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to view sensitive data or bypass authentication. This vulnerability exists because the system does not properly check…

  • CVE-2024-50641 · High · Aug 21, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    An authentication bypass vulnerability in PandoraNext-TokensTool v0.6.8 and before. An attacker can exploit this vulnerability to access the API without any token.

  • CVE-2025-54369 · Critical · Jul 24, 2025
    risk 0.53 · cvss (not listed) · epss 0.00

    Node-SAML is a SAML library not dependent on any frameworks that runs in Node. In versions 5.0.1 and below, Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. This allows an…

  • CVE-2025-22236 · High · Jun 13, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (>= 3007.0).

  • CVE-2025-46572 · Critical · May 6, 2025
    risk 0.53 · cvss (not listed) · epss 0.00

    passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by crafting a SAMLResponse. This can be…

  • CVE-2024-11917 · High · Apr 25, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.9.2. This is due to improper configurations in the 'jobsearch_xing_response_data_callback', 'set_access_tokes', and 'google_callback' functions. This…

  • CVE-2024-8053 · High · Mar 20, 2025
    risk 0.53 · cvss 8.2 · epss 0.01

    In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. This vulnerability can be exploited by sending a POST request with an excessively large payload,…

  • CVE-2025-24032 · Critical · Feb 10, 2025
    risk 0.53 · cvss (not listed) · epss 0.01

    PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if cert_policy is set to none (the default value), then pam_pkcs11 will only check if the user is capable of logging into the token. An attacker may create a…

  • CVE-2023-31279 · High · Dec 21, 2024
    risk 0.53 · cvss 8.1 · epss 0.00

    The AirVantage platform is vulnerable to an unauthorized attacker registering previously unregistered devices on the AirVantage platform when the owner has not disabled the AirVantage Management Service on the devices or registered the device. This could enable an attacker to…

  • CVE-2024-10111 · High · Dec 12, 2024
    risk 0.53 · cvss 8.1 · epss 0.01

    The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.26.3. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for…

  • CVE-2024-11293 · High · Dec 4, 2024
    risk 0.53 · cvss 8.1 · epss 0.01

    The Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction Social Sites Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.9. This is due…

  • CVE-2024-53990 · Critical · Dec 2, 2024
    risk 0.53 · cvss (not listed) · epss 0.01

    The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined…

  • CVE-2024-45369 · High · Nov 22, 2024
    risk 0.53 · cvss 8.1 · epss 0.01

    The web application uses a weak authentication mechanism to verify that a request is coming from an authenticated and authorized resource.

  • CVE-2024-10327 · High · Oct 24, 2024
    risk 0.53 · cvss 8.1 · epss 0.01

    A vulnerability in Okta Verify for iOS versions 9.25.1 (beta) and 9.27.0 (including beta) allows push notification responses through the iOS ContextExtension feature allowing the authentication to proceed regardless of the user’s selection. When a user long-presses the…

  • CVE-2024-47807 · High · Oct 2, 2024
    risk 0.53 · cvss 8.1 · epss 0.01

    Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `iss` (Issuer) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

  • CVE-2024-47806 · High · Oct 2, 2024
    risk 0.53 · cvss 8.1 · epss 0.01

    Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `aud` (Audience) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

  • CVE-2024-36444 · High · Aug 22, 2024
    risk 0.53 · cvss 8.1 · epss 0.01

    cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an unauthenticated attacker to gain access to device logs.

  • CVE-2024-26331 · High · Apr 30, 2024
    risk 0.53 · cvss 7.5 · epss 0.49

    ReCrystallize Server 5.10.0.0 uses an authorization mechanism that relies on the value of a cookie, but it does not bind the cookie value to a session ID. Attackers can easily modify the cookie value, within a browser or by implementing client-side code outside of a browser.…

  • CVE-2023-51471 · High · Apr 24, 2024
    risk 0.53 · cvss 8.2 · epss 0.01

    Improper Authentication vulnerability in Mestres do WP Checkout Mestres WP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Checkout Mestres WP: from n/a through 7.1.9.7.

  • CVE-2023-51405 · High · Apr 24, 2024
    risk 0.53 · cvss 8.2 · epss 0.01

    Improper Authentication vulnerability in Repute Infosystems BookingPress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects BookingPress: from n/a through 1.0.74.
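The two Jenkins entries above (CVE-2024-47807, missing `iss` check; CVE-2024-47806, missing `aud` check) share one root cause: the relying party verified that an ID token was signed and unexpired but never tied it to the issuer it was configured to trust or to its own client ID. The following is an added example, not code from the Jenkins plugin or from any identity provider. It uses HS256 with a shared key so that it runs offline (real OIDC deployments verify RS256/ES256 signatures against the provider's JWKS, but the claim checks are identical), and it assumes a provider whose signing key is shared across the issuer URLs it serves, which is why a token from another tenant passes signature verification. Token contents, key, issuer and client ID are all constructed for the demo.

```python
"""Added example: ID token validation with and without the iss/aud checks."""
import base64
import hashlib
import hmac
import json

# Constructed fixture (assumption): one IdP, one signing key shared across the
# issuer URLs it serves, and a relying party configured for a single tenant.
IDP_KEY = b"constructed-demo-hs256-key-not-a-real-secret"
TRUSTED_ISSUER = "https://idp.example/tenant-a"
OUR_CLIENT_ID = "jenkins-rp"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_id_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """Mint a compact HS256 JWS. Only used to build the constructed tokens below."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_signature(token: str, key: bytes) -> dict:
    """Check the HS256 signature and return the decoded claim set."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def weak_login(token: str, now: int) -> str:
    """The pattern behind the two CVEs: signature and expiry are checked, but the
    token is never bound to the expected issuer or to this client."""
    claims = verify_signature(token, IDP_KEY)
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims["sub"]


def hardened_login(token: str, now: int) -> str:
    """Same flow with the checks OpenID Connect Core section 3.1.3.7 requires."""
    claims = verify_signature(token, IDP_KEY)
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if OUR_CLIENT_ID not in audiences:
        raise ValueError("aud mismatch")
    # With several audiences the authorized party must also be us.
    if len(audiences) > 1 and claims.get("azp") != OUR_CLIENT_ID:
        raise ValueError("azp mismatch")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims["sub"]


NOW = 1_700_000_000
# Constructed tokens: a legitimate one, one the same IdP minted for the
# attacker's own registered client, and one from another tenant of the IdP.
GOOD = make_id_token({"iss": TRUSTED_ISSUER, "aud": OUR_CLIENT_ID, "sub": "alice", "exp": NOW + 300})
WRONG_AUD = make_id_token({"iss": TRUSTED_ISSUER, "aud": "attacker-app", "sub": "admin", "exp": NOW + 300})
WRONG_ISS = make_id_token({"iss": "https://idp.example/tenant-evil", "aud": OUR_CLIENT_ID, "sub": "admin", "exp": NOW + 300})


def outcome(login, token: str) -> str:
    """Run one login function against one token and report the result as text."""
    try:
        return "accepted:" + login(token, NOW)
    except ValueError as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("wrong_aud", WRONG_AUD), ("wrong_iss", WRONG_ISS)]:
        print(name, outcome(weak_login, tok), outcome(hardened_login, tok))
```

The `aud` case is the one that needs no shared key in practice: any user who can register their own client at the same provider receives tokens signed by the trusted key, and a relying party that skips the audience check will accept them for whatever `sub` they carry. The `iss` case matters whenever several issuers share key material or a JWKS; checking the signature proves only that some trusted key signed the token, not that the configured issuer did.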
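CVE-2024-26331 above describes the other common shape of this weakness: authorization state kept in a cookie the client can edit, with nothing binding that cookie to a server-side session. The following is an added example, not ReCrystallize code; the user store, cookie names and request strings are constructed for the demo. It places the vulnerable handler beside one that stores only an unguessable session ID in the cookie and keeps the role on the server.

```python
"""Added example: role read from a client-editable cookie vs. a server-side session."""
import secrets
from http.cookies import SimpleCookie

# Constructed user store (assumption, not the product's data model).
USERS = {"alice": "user", "root": "admin"}


def _parse(cookie_header: str) -> SimpleCookie:
    c = SimpleCookie()
    c.load(cookie_header)
    return c


def weak_is_admin(cookie_header: str) -> bool:
    """Vulnerable pattern: the role is whatever the client put in the cookie."""
    c = _parse(cookie_header)
    return "role" in c and c["role"].value == "admin"


# Hardened pattern: the cookie carries only a random session ID; the role is
# looked up server-side, so editing the cookie cannot change it.
SESSIONS = {}


def login(username: str) -> str:
    """Create a session for an authenticated user and return the Cookie value.
    In a real Set-Cookie header add HttpOnly; Secure; SameSite=Lax as well."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "role": USERS[username]}
    return f"sid={sid}"


def hardened_is_admin(cookie_header: str) -> bool:
    c = _parse(cookie_header)
    if "sid" not in c:
        return False
    session = SESSIONS.get(c["sid"].value)
    return session is not None and session["role"] == "admin"


# Constructed requests: alice's real cookie and the same cookie after she edits it.
LEGIT = "user=alice; role=user"
TAMPERED = "user=alice; role=admin"

if __name__ == "__main__":
    print("weak, tampered cookie:", weak_is_admin(TAMPERED))
    print("hardened, tampered cookie:", hardened_is_admin(TAMPERED))
    print("hardened, real admin session:", hardened_is_admin(login("root")))
```

A stateless alternative is to sign the cookie with a server-held HMAC key and reject any value whose tag does not verify; that also stops tampering, but server-side sessions are what let you revoke access and are the simpler fix when a session store already exists.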