VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 51 of 121
  • CVE-2017-1258MedJul 5, 2017
    risk 0.42cvss 6.5epss 0.01

    IBM Security Guardium 10.0 and 10.1 does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM X-Force ID: 124685

  • CVE-2017-10796MedJul 2, 2017
    risk 0.42cvss 6.5epss 0.01

    On TP-Link NC250 devices with firmware through 1.2.1 build 170515, anyone can view video and audio without authentication via an rtsp://admin@yourip:554/h264_hd.sdp URL.

  • CVE-2014-0229MedMar 23, 2017
    risk 0.42cvss 6.5epss 0.02

    Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a…

  • CVE-2017-3880MedMar 17, 2017
    risk 0.42cvss 6.5epss 0.01

    An Authentication Bypass vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to access limited meeting information on the Cisco WebEx Meetings Server. More Information: CSCvd50728. Known Affected Releases: 2.6 2.7 2.8 CWMS-2.5MR1…

  • CVE-2016-9729MedMar 7, 2017
    risk 0.42cvss 6.5epss 0.01

    IBM QRadar 7.2 does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM Reference #: 1999545.

  • CVE-2016-8362MedFeb 13, 2017
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-RTG Series, AWK-3131-M12-RCC Series, AWK-5232-M12-RCC Series, TAP-6226 Series,…

  • CVE-2016-4966MedSep 21, 2016
    risk 0.42cvss 6.5epss 0.02

    The diagnosis_control.php page in Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote authenticated users to download PCAP files via vectors related to the UserName GET parameter.

  • CVE-2016-3085MedJun 10, 2016
    risk 0.42cvss 6.5epss 0.03

    Apache CloudStack 4.5.x before 4.5.2.1, 4.6.x before 4.6.2.1, 4.7.x before 4.7.1.1, and 4.8.x before 4.8.0.1, when SAML-based authentication is enabled and used, allow remote attackers to bypass authentication and access the user interface via vectors related to the SAML plugin.

  • CVE-2016-2012MedMay 7, 2016
    risk 0.42cvss 6.5epss 0.02

    HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 10.01 allows remote attackers to bypass authentication via unspecified vectors.

  • CVE-2016-2300MedApr 22, 2016
    risk 0.42cvss 6.5epss 0.01

    Ecava IntegraXor before 5.0 build 4522 allows remote attackers to bypass authentication and access unspecified web pages via unknown vectors.

  • CVE-2009-1596MedMay 11, 2009
    risk 0.42cvss 6.5epss 0.01

    Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet.

  • CVE-2026-48526HigMay 28, 2026
    risk 0.41cvss 7.4epss 0.00

    PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer…

  • CVE-2026-44460HigMay 27, 2026
    risk 0.41cvss 7.4epss 0.00

    FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totp_setup.php is callable from a session that has only passed the password check (state pending_login_user). When the target account already has TOTP…

  • CVE-2026-8185MedMay 9, 2026
    risk 0.41cvss 6.3epss 0.00

    A security vulnerability has been detected in UGREEN CM933 1.1.59.4319. The impacted element is an unknown function of the component Administrative Interface. Such manipulation leads to missing authentication. The attack requires being on the local network. You should upgrade…

  • CVE-2026-7844MedMay 5, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. This vulnerability affects the function files/list_files/retrieve_file/retrieve_file_content/delete_file of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component…

  • CVE-2026-34727HigApr 10, 2026
    risk 0.41cvss 7.4epss 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC…

  • CVE-2026-5557MedApr 5, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was detected in badlogic pi-mono up to 0.58.4. This issue affects some unknown processing of the file packages/mom/src/slack.ts of the component pi-mom Slack Bot. The manipulation results in authentication bypass using alternate channel. The attack can be…

  • CVE-2026-27856HigMar 27, 2026
    risk 0.41cvss 7.4epss 0.00

    Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead into full access to the affected component. Limit access to the doveadm…

  • CVE-2026-4476MedMar 20, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The impacted element is an unknown function of the file home/web/ipc of the component CGI Endpoint. Performing a manipulation results in missing authentication. Access to the local network is…

  • CVE-2026-3739MedMar 8, 2026
    risk 0.41cvss 6.3epss 0.00

    A security flaw has been discovered in suitenumerique messages 0.2.0. This issue affects the function ThreadAccessSerializer of the file src/backend/core/api/serializers.py of the component ThreadAccess. The manipulation results in improper authentication. The attack can be…