VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 4 of 121
  • CVE-2025-52572CriJun 24, 2025
    risk 0.65cvss 10.0epss 0.01

    Hikka, a Telegram userbot, has vulnerability affects all users on all versions of Hikka. Two scenarios are possible. 1. Web interface does not have an authenticated session: attacker can use his own Telegram account to gain RCE to the server by authorizing in the dangling web…

  • CVE-2025-5597CriJun 4, 2025
    risk 0.65cvss epss 0.00

    Improper Authentication vulnerability in WF Steuerungstechnik GmbH airleader MASTER allows Authentication Bypass.This issue affects airleader MASTER: 3.00571.

  • CVE-2024-11186CriMay 8, 2025
    risk 0.65cvss 10.0epss 0.01

    On affected versions of the CloudVision Portal, improper access controls could enable a malicious authenticated user to take broader actions on managed EOS devices than intended. This advisory impacts the Arista CloudVision Portal products when run on-premise. It does not impact…

  • CVE-2018-16286CriSep 14, 2018
    risk 0.65cvss 9.8epss 0.22

    LG SuperSign CMS allows authentication bypass because the CAPTCHA requirement is skipped if a captcha:pass cookie is sent, and because the PIN is limited to four digits.

  • CVE-2018-10630CriAug 10, 2018
    risk 0.65cvss 9.8epss 0.11

    For Crestron TSW-X60 version prior to 2.001.0037.001 and MC3 version prior to 1.502.0047.001, The devices are shipped with authentication disabled, and there is no indication to users that they need to take steps to enable it. When compromised, the access to the CTP console is…

  • CVE-2018-12804CriJul 20, 2018
    risk 0.65cvss 9.8epss 0.11

    Adobe Connect versions 9.7.5 and earlier have an Authentication Bypass vulnerability. Successful exploitation could lead to session hijacking.

  • CVE-2018-6667CriJun 26, 2018
    risk 0.65cvss 10.0epss 0.04

    Authentication Bypass vulnerability in the administrative user interface in McAfee Web Gateway 7.8.1.0 through 7.8.1.5 allows remote attackers to execute arbitrary code via Java management extensions (JMX).

  • CVE-2018-0238CriApr 19, 2018
    risk 0.65cvss 9.9epss 0.05

    A vulnerability in the role-based resource checking functionality of the Cisco Unified Computing System (UCS) Director could allow an authenticated, remote attacker to view unauthorized information for any virtual machine in the UCS Director end-user portal and perform any…

  • CVE-2018-1312CriMar 26, 2018
    risk 0.65cvss 9.8epss 0.16

    In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests…

  • CVE-2018-1163CriFeb 8, 2018
    risk 0.65cvss 9.8epss 0.16

    This vulnerability allows remote attackers to bypass authentication on vulnerable installations of Quest NetVault Backup 11.2.0.13. The specific flaw exists within JSON RPC Request handling. By setting the checksession parameter to a specific value, it is possible to bypass…

  • CVE-2017-12251CriOct 19, 2017
    risk 0.65cvss 9.9epss 0.02

    A vulnerability in the web console of the Cisco Cloud Services Platform (CSP) 2100 could allow an authenticated, remote attacker to interact maliciously with the services or virtual machines (VMs) operating remotely on an affected CSP device. The vulnerability is due to…

  • CVE-2017-13995CriOct 5, 2017
    risk 0.65cvss 10.0epss 0.02

    An Improper Authentication issue was discovered in iniNet Solutions iniNet Webserver, all versions prior to V2.02.0100. The webserver does not properly authenticate users, which may allow a malicious attacker to access sensitive information such as HMI pages or modify PLC…

  • CVE-2014-7858CriAug 25, 2017
    risk 0.65cvss 9.8epss 0.15

    The check_login function in D-Link DNR-326 before 2.10 build 03 allows remote attackers to bypass authentication and log in by setting the username cookie parameter to an arbitrary string.

  • CVE-2014-7857CriAug 25, 2017
    risk 0.65cvss 9.8epss 0.15

    D-Link DNS-320L firmware before 1.04b12, DNS-327L before 1.03b04 Build0119, DNR-326 1.40b03, DNS-320B 1.02b01, DNS-345 1.03b06, DNS-325 1.05b03, and DNS-322L 2.00b07 allow remote attackers to bypass authentication and log in with administrator permissions by passing the…

  • CVE-2017-3167CriJun 20, 2017
    risk 0.65cvss 9.8epss 0.20

    In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

  • CVE-2016-1908CriApr 11, 2017
    risk 0.65cvss 9.8epss 0.14

    The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging…

  • CVE-2017-3791CriFeb 1, 2017
    risk 0.65cvss 10.0epss 0.04

    A vulnerability in the web-based GUI of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication and execute actions with administrator privileges. The vulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An…

  • CVE-2026-12183CriJun 13, 2026
    risk 0.64cvss 9.8epss 0.01

    Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP…

  • CVE-2026-48611CriJun 12, 2026
    risk 0.64cvss 9.8epss 0.01

    Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations.

  • CVE-2026-6274CriJun 5, 2026
    risk 0.64cvss 9.8epss 0.00

    Improper Authentication, Missing authentication for critical function, Weak Authentication vulnerability in DTS Electronics Industry and Trade Ltd. Co. Redline WR3200 allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Redline WR3200: from 7.1.3…