VYPR

CWE-287

Improper Authentication

Class · Draft · Likelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 3 of 121
  • CVE-2018-8898 · Critical · May 23, 2018
    risk 0.68 · cvss 9.8 · epss 0.13

    A flaw in the authentication mechanism in the Login Panel of router D-Link DSL-3782 (A1_WI_20170303 || SWVer="V100R001B012" FWVer="3.10.0.24" FirmVer="TT_77616E6771696F6E67") allows unauthenticated attackers to perform arbitrary modification (read, write) to passwords and…

  • CVE-2018-6546 · Critical · Apr 13, 2018
    risk 0.68 · cvss 9.8 · epss 0.18

    plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming Evolved products, executes code at a user-defined (local or SMB) path as SYSTEM when the execute_installer parameter is used in an HTTP message. This occurs…

  • CVE-2018-9248 · Critical · Apr 4, 2018
    risk 0.68 · cvss 9.8 · epss 0.15

    FiberHome VDSL2 Modem HG 150-UB devices allow authentication bypass via a "Cookie: Name=0admin" header.

  • CVE-2014-9611 · Critical · Sep 19, 2017
    risk 0.68 · cvss 9.8 · epss 0.13

    Netsweeper before 4.0.5 allows remote attackers to bypass authentication and create arbitrary accounts and policies via a request to webadmin/nslam/index.php.

  • CVE-2017-14243 · Critical · Sep 17, 2017
    risk 0.68 · cvss 9.8 · epss 0.15

    An authentication bypass vulnerability on UTStar WA3002G4 ADSL Broadband Modem WA3002G4-0021.01 devices allows attackers to directly access administrative settings and obtain cleartext credentials from HTML source, as demonstrated by info.cgi, upload.cgi, backupsettings.cgi,…

  • CVE-2016-9361 · Critical · Feb 13, 2017
    risk 0.68 · cvss 9.8 · epss 0.20

    An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions…

  • CVE-2016-9796 · Critical · Dec 3, 2016
    risk 0.68 · cvss 9.8 · epss 0.13

    Alcatel-Lucent OmniVista 8770 2.0 through 3.0 exposes different ORBs interfaces, which can be queried using the GIOP protocol on TCP port 30024. An attacker can bypass authentication, and OmniVista invokes methods (AddJobSet, AddJob, and ExecuteNow) that can be used to run…

  • CVE-2009-2168 · Critical · Jun 22, 2009
    risk 0.68 · cvss 9.8 · epss 0.12

    cpanel/login.php in EgyPlus 7ammel (aka 7ml) 1.0.1 and earlier sends a redirect to the web browser but does not exit when the supplied credentials are incorrect, which allows remote attackers to bypass authentication by providing arbitrary username and password parameters.

  • CVE-2018-6180 · Critical · Feb 8, 2018
    risk 0.67 · cvss 9.8 · epss 0.04

    A flaw in the profile section of Online Voting System 1.0 allows an unauthenticated user to set an arbitrary password for other accounts.

  • CVE-2009-3421 · Critical · Sep 25, 2009
    risk 0.67 · cvss 9.8 · epss 0.05

    login.php in Zenas PaoBacheca Guestbook 2.1, when register_globals is enabled, allows remote attackers to bypass authentication and gain administrative access by setting the login_ok parameter to 1.

  • CVE-2009-2382 · Critical · Jul 8, 2009
    risk 0.67 · cvss 9.8 · epss 0.06

    admin.php in phpMyBlockchecker 1.0.0055 allows remote attackers to bypass authentication and gain administrative access by setting the PHPMYBCAdmin cookie to LOGGEDIN.

  • CVE-2024-50478 · Critical · Oct 28, 2024
    risk 0.66 · cvss 9.8 · epss 0.01

    Authentication Bypass by Primary Weakness vulnerability in Swoop 1-Click Login: Passwordless Authentication allows Authentication Bypass. This issue affects 1-Click Login: Passwordless Authentication: 1.4.5.

  • CVE-2020-9480 · Critical · Jun 23, 2020
    risk 0.66 · cvss 9.8 · epss 0.29

    In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the…

  • CVE-2020-11989 · Critical · Jun 22, 2020
    risk 0.66 · cvss 9.8 · epss 0.24

    Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

  • CVE-2020-1957 · Critical · Mar 25, 2020
    risk 0.66 · cvss 9.8 · epss 0.24

    Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

  • CVE-2026-46389 · Critical · Jun 5, 2026
    risk 0.65 · cvss 10.0 · epss 0.00

    UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the `client-kubernetes-secret` Keycloak client authenticator (shipped by…

  • CVE-2026-46840 · Critical · May 28, 2026
    risk 0.65 · cvss 10.0 · epss 0.01

    Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While…

  • CVE-2026-47280 · Critical · May 22, 2026
    risk 0.65 · cvss 10.0 · epss 0.00

    Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network.

  • CVE-2026-42822 · Critical · May 18, 2026
    risk 0.65 · cvss 10.0 · epss 0.00

    Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network.

  • CVE-2025-9265 · Critical · Oct 13, 2025
    risk 0.65 · cvss · epss 0.00

    A broken authorization vulnerability in Kiloview NDI N30 allows a remote unauthenticated attacker to deactivate user verification, giving them access to state changing actions that should only be initiated by administrators. This issue affects Kiloview NDI N30 and was fixed in…