VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 48 of 121
  • CVE-2025-27422HigMar 3, 2025
    risk 0.42cvss 7.5epss 0.00

    FACTION is a PenTesting Report Generation and Collaboration Framework. Authentication is bypassed when an attacker registers a new user with admin privileges. This is possible at any time without any authorization. The request must follow the validation rules (no missing…

  • CVE-2025-21618HigJan 6, 2025
    risk 0.42cvss 7.5epss 0.00

    NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. This vulnerability is fixed in 2.9.1.

  • CVE-2024-36611HigNov 29, 2024
    risk 0.42cvss 7.5epss 0.01

    In Symfony v7.07, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper…

  • CVE-2024-51996HigNov 13, 2024
    risk 0.42cvss 7.5epss 0.01

    Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to…

  • CVE-2024-49757HigOct 25, 2024
    risk 0.42cvss 7.5epss 0.03

    The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option…

  • CVE-2024-38810MedAug 20, 2024
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective.

  • CVE-2024-38523HigJun 27, 2024
    risk 0.42cvss 7.5epss 0.01

    Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The TOTP authentication flow has multiple issues that weakens its one-time nature. Specifically, the lack of 2FA for changing security settings allows attacker with CSRF or XSS…

  • CVE-2023-6787MedApr 25, 2024
    risk 0.42cvss 6.5epss 0.01

    A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the…

  • CVE-2023-47504MedApr 24, 2024
    risk 0.42cvss 6.5epss 0.01

    Improper Authentication vulnerability in Elementor Elementor Website Builder allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Elementor Website Builder: from n/a through 3.16.4.

  • CVE-2023-46942HigJan 13, 2024
    risk 0.42cvss 7.5epss 0.01

    Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.8, allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints.

  • CVE-2023-37544HigDec 20, 2023
    risk 0.42cvss 7.5epss 0.01

    Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through…

  • CVE-2023-43809HigOct 4, 2023
    risk 0.42cvss 7.5epss 0.01

    Soft Serve is a self-hostable Git server for the command line. Prior to version 0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active, through the…

  • CVE-2023-39531MedAug 9, 2023
    risk 0.42cvss 6.5epss 0.00

    Sentry is an error tracking and performance monitoring platform. Starting in version 10.0.0 and prior to version 23.7.2, an attacker with sufficient client-side exploits could retrieve a valid access token for another user during the OAuth token exchange due to incorrect…

  • CVE-2022-23554MedDec 28, 2022
    risk 0.42cvss 6.5epss 0.01

    Alpine is a scaffolding library in Java. Alpine prior to version 1.10.4 allows Authentication Filter bypass. The AuthenticationFilter relies on the request URI to evaluate if the user is accessing the swagger endpoint. By accessing a URL with a path such as…

  • CVE-2021-40693MedSep 29, 2022
    risk 0.42cvss 6.5epss 0.01

    An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability.

  • CVE-2022-39249HigSep 28, 2022
    risk 0.42cvss 7.5epss 0.01

    Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some…

  • CVE-2022-39246HigSep 28, 2022
    risk 0.42cvss 7.5epss 0.01

    matrix-android-sdk2 is the Matrix SDK for Android. Prior to version 1.5.1, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be…

  • CVE-2022-36092HigSep 8, 2022
    risk 0.42cvss 7.5epss 0.01

    XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 14.2 and 13.10.4, all rights checks that would normally prevent a user from viewing a document on a wiki can be bypassed using the login action and directly specified…

  • CVE-2021-3632HigAug 26, 2022
    risk 0.42cvss 7.5epss 0.01

    A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.

  • CVE-2022-35142HigAug 4, 2022
    risk 0.42cvss 7.5epss 0.01

    An issue in Renato v0.17.0 allows attackers to cause a Denial of Service (DoS) via a crafted payload injected into the Search parameter.