VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 53 of 121
  • CVE-2026-6635HigApr 20, 2026
    risk 0.40cvss 7.3epss 0.00

    A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function tool_call of the file apps/experimental/tools_webhook/app.py of the component tools_webhook. Such manipulation of the argument X-Tools-JWE leads to improper authentication.…

  • CVE-2026-32072MedApr 14, 2026
    risk 0.40cvss 6.2epss 0.00

    Improper authentication in Windows Active Directory allows an unauthorized attacker to perform spoofing locally.

  • CVE-2026-6129HigApr 12, 2026
    risk 0.40cvss 7.3epss 0.00

    A vulnerability was detected in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects an unknown function of the component Agent Mode Service. Performing a manipulation results in missing authentication. The attack can be initiated remotely. The exploit is now public and…

  • CVE-2026-5616HigApr 6, 2026
    risk 0.40cvss 7.3epss 0.00

    A security vulnerability has been detected in JeecgBoot 3.9.0/3.9.1. The impacted element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java of the component AI Chat Module. Such…

  • CVE-2026-2991HigMar 18, 2026
    risk 0.40cvss 7.3epss 0.00

    The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2. This is due to the `patientSocialLogin()` function not verifying the social provider access token before…

  • CVE-2025-15099HigDec 26, 2025
    risk 0.40cvss 7.3epss 0.01

    A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is…

  • CVE-2025-11529HigOct 9, 2025
    risk 0.40cvss 7.3epss 0.01

    A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed…

  • CVE-2025-27403HigMar 11, 2025
    risk 0.40cvss epss 0.00

    Ratify is a verification engine as a binary executable and on Kubernetes which enables verification of artifact security metadata and admits for deployment only those that comply with policies the user creates. In a Kubernetes environment, Ratify can be configured to…

  • CVE-2024-23219MedJan 23, 2024
    risk 0.40cvss 6.2epss 0.00

    The issue was addressed with improved authentication. This issue is fixed in iOS 17.3 and iPadOS 17.3. Stolen Device Protection may be unexpectedly disabled.

  • CVE-2023-5844HigOct 30, 2023
    risk 0.40cvss 7.2epss 0.01

    Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.

  • CVE-2023-23450MedMay 15, 2023
    risk 0.40cvss 6.2epss 0.01

    Use of Password Hash Instead of Password for Authentication in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to use a password hash instead of an actual password to login to a valid…

  • CVE-2022-4722HigDec 27, 2022
    risk 0.40cvss 7.2epss 0.01

    Authentication Bypass by Primary Weakness in GitHub repository ikus060/rdiffweb prior to 2.5.5.

  • CVE-2018-7940MedMay 10, 2018
    risk 0.40cvss 6.2epss 0.00

    Huawei smart phones Mate 10 and Mate 10 Pro with earlier versions than 8.0.0.129(SP2C00) and earlier versions than 8.0.0.129(SP2C01) have an authentication bypass vulnerability. An attacker with high privilege obtains the smart phone and bypass the activation function by some…

  • CVE-2018-0008MedJan 10, 2018
    risk 0.40cvss 6.2epss 0.00

    An unauthenticated root login may allow upon reboot when a commit script is used. A commit script allows a device administrator to execute certain instructions during commit, which is configured under the [system scripts commit] stanza. Certain commit scripts that work without a…

  • CVE-2017-8214MedNov 22, 2017
    risk 0.40cvss 6.2epss 0.00

    Honor 8,Honor V8,Honor 9,Honor V9,Nova 2,Nova 2 Plus,P9,P10 Plus,Toronto Huawei smart phones with software of versions earlier than FRD-AL00C00B391, versions earlier than FRD-DL00C00B391, versions earlier than KNT-AL10C00B391, versions earlier than KNT-AL20C00B391, versions…

  • CVE-2017-6722MedJul 4, 2017
    risk 0.40cvss 6.1epss 0.01

    A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of Cisco Unified Contact Center Express (UCCx) could allow an unauthenticated, remote attacker to masquerade as a legitimate user, aka a Clear Text Authentication Vulnerability. More Information:…

  • CVE-2017-2329MedApr 24, 2017
    risk 0.40cvss 6.2epss 0.00

    An insufficient authentication vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unprivileged, authenticated, user to execute certain specific unprivileged system files capable of causing widespread denials of…

  • CVE-2026-47272HigMay 27, 2026
    risk 0.39cvss 7.1epss 0.00

    pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusb_pad_compare() function in src/pad.c only verified that the user-side pad (~/.pamusb/device.pad) could be read, but did not enforce that the system-side pad (the pad file…

  • CVE-2026-45363higMay 18, 2026
    risk 0.39cvss epss 0.00

    `JWT.decode(token, '', true, algorithm: 'HS256')` accepts an attacker-forged token. `OpenSSL::HMAC.digest('SHA256', '', payload)` returns a valid digest under an empty key, and no `raise InvalidKeyError if key.empty?` precondition exists in the HMAC algorithm. ```…

  • CVE-2026-39976HigApr 9, 2026
    risk 0.39cvss 7.1epss 0.00

    Laravel Passport provides OAuth2 server support to Laravel. From 13.0.0 to before 13.7.1, there is an Authentication Bypass for client_credentials tokens. the league/oauth2-server library sets the JWT sub claim to the client identifier (since there's no user). The token guard…