VYPR

CWE-287

Improper Authentication

Class · Draft · Likelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 36 of 121
  • CVE-2025-46573 · High · May 6, 2025
    risk 0.49 · cvss · epss 0.00

    passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response.…

  • CVE-2025-29906 · High · Apr 29, 2025
    risk 0.49 · cvss 8.6 · epss 0.00

    Finit is a fast init for Linux systems. Versions starting from 3.0-rc1 and prior to version 4.11 bundle an implementation of getty for the `tty` configuration directive that can bypass `/bin/login`, i.e., a user can log in as any user without authentication. This issue has been…

  • CVE-2025-25227 · High · Apr 8, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Insufficient state checks lead to a vector that allows bypassing 2FA checks.

  • CVE-2024-11322 · High · Jan 15, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    A denial-of-service vulnerability exists in CyberPower PowerPanel Business (PPB) 4.11.0. An unauthenticated remote attacker can restart the ppbd.exe process via the PowerPanel Business Service Watchdog service listening on TCP port 2003. The attacker can repeatedly restart…

  • CVE-2024-46943 · High · Sep 15, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue was discovered in OpenDaylight Authentication, Authorization and Accounting (AAA) through 0.19.3. A rogue controller can join a cluster to impersonate an offline peer, even if this rogue controller does not possess the complete cluster configuration information.

  • CVE-2023-46630 · High · Jun 4, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    Improper Authentication vulnerability in wpase Admin and Site Enhancements (ASE) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Admin and Site Enhancements (ASE): from n/a through 5.7.1.

  • CVE-2023-48703 · High · Mar 6, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    RobotsAndPencils go-saml, a SAML client library written in Go, contains an authentication bypass vulnerability in all known versions. This is due to how the `xmlsec1` command line tool is called internally to verify the signature of SAML assertions. When `xmlsec1` is used…

  • CVE-2024-21632 · High · Jan 2, 2024
    risk 0.49 · cvss 8.6 · epss 0.01

    omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to version 2.0.0, the implementation did not validate the legitimacy of the `email` attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth…

  • CVE-2023-51442 · High · Dec 21, 2023
    risk 0.49 · cvss 8.6 · epss 0.01

    Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web…

  • CVE-2023-39345 · High · Nov 6, 2023
    risk 0.49 · cvss 7.6 · epss 0.01

    strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fields marked as private in the user registration endpoint. As such malicious users may be able to errantly modify their user records. This issue has been addressed in…

  • CVE-2023-2959 · High · Jul 17, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    Authentication Bypass by Primary Weakness vulnerability in Oliva Expertise Oliva Expertise EKS allows Collect Data as Provided by Users. This issue affects Oliva Expertise EKS: before 1.2.

  • CVE-2023-24830 · High · Jan 30, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB. This issue affects iotdb-web-workbench component: from 0.13.0 before 0.13.3.

  • CVE-2022-46170 · High · Dec 22, 2022
    risk 0.49 · cvss 8.6 · epss 0.01

    CodeIgniter is a PHP full-stack web framework. When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to `DatabaseHandler`, `MemcachedHandler`, or `RedisHandler`, then if an attacker gets one…

  • CVE-2022-39254 · High · Sep 29, 2022
    risk 0.49 · cvss 8.6 · epss 0.01

    matrix-nio is a Python Matrix client library, designed according to sans I/O principles. Prior to version 0.20, when a user requests a room key from their devices, the software correctly remembers the request. Once they receive a forwarded room key, they accept it without…

  • CVE-2022-39252 · High · Sep 29, 2022
    risk 0.49 · cvss 8.6 · epss 0.00

    matrix-rust-sdk is an implementation of a Matrix client-server library in Rust, and matrix-sdk-crypto is the Matrix encryption library. Prior to version 0.6, when a user requests a room key from their devices, the software correctly remembers the request. When the user receives…

  • CVE-2022-39250 · High · Sep 29, 2022
    risk 0.49 · cvss 8.6 · epss 0.01

    Matrix JavaScript SDK is the Matrix Client-Server software development kit (SDK) for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user…

  • CVE-2022-39251 · High · Sep 28, 2022
    risk 0.49 · cvss 8.6 · epss 0.01

    Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield.…

  • CVE-2022-39248 · High · Sep 28, 2022
    risk 0.49 · cvss 8.6 · epss 0.01

    matrix-android-sdk2 is the Matrix SDK for Android. Prior to version 1.5.1, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a…

  • CVE-2022-31083 · High · Jun 17, 2022
    risk 0.49 · cvss 8.6 · epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth adapter was not validated. As a result, authentication could potentially be…

  • CVE-2022-29865 · High · Jun 16, 2022
    risk 0.49 · cvss 7.5 · epss 0.01

    OPC UA .NET Standard Stack allows a remote attacker to bypass the application authentication check via crafted fake credentials.