VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 58 of 121
  • CVE-2023-7079MedDec 29, 2023
    risk 0.35cvss 6.4epss 0.01

    Sending specially crafted HTTP requests and inspector messages to Wrangler's dev server could result in any file on the user's computer being accessible over the local network. An attacker that could trick any user on the local network into opening a malicious website could also…

  • CVE-2023-26150MedOct 3, 2023
    risk 0.35cvss 6.5epss 0.00

    Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication. **Note:** This issue is a result of missing checks for services that require an active session.

  • CVE-2023-32081MedMay 12, 2023
    risk 0.35cvss 6.5epss 0.01

    Vert.x STOMP is a vert.x implementation of the STOMP specification that provides a STOMP server and client. From versions 3.1.0 until 3.9.16 and 4.0.0 until 4.4.2, a Vert.x STOMP server processes client STOMP frames without checking that the client send an initial CONNECT frame…

  • CVE-2023-1784MedMar 31, 2023
    risk 0.35cvss 5.3epss 0.01

    A vulnerability was found in jeecg-boot 3.5.0 and classified as critical. This issue affects some unknown processing of the component API Documentation. The manipulation leads to improper authentication. The attack may be initiated remotely. The exploit has been disclosed to the…

  • CVE-2023-0105MedJan 13, 2023
    risk 0.35cvss 6.5epss 0.01

    A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.

  • CVE-2022-4799MedDec 28, 2022
    risk 0.35cvss 6.5epss 0.01

    Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

  • CVE-2022-23540MedDec 22, 2022
    risk 0.35cvss 6.4epss 0.01

    In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the…

  • CVE-2022-21618MedOct 18, 2022
    risk 0.35cvss 5.3epss 0.02

    Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 21.3.3 and 22.2.0. Easily exploitable vulnerability…

  • CVE-2015-5298MedJul 7, 2022
    risk 0.35cvss 6.5epss 0.01

    The Google Login Plugin (versions 1.0 and 1.1) allows malicious anonymous users to authenticate successfully against Jenkins instances that are supposed to be locked down to a particular Google Apps domain through client-side request modification.

  • CVE-2021-32738MedJul 2, 2021
    risk 0.35cvss 6.5epss 0.01

    js-stellar-sdk is a Javascript library for communicating with a Stellar Horizon server. The `Utils.readChallengeTx` function used in SEP-10 Stellar Web Authentication states in its function documentation that it reads and validates the challenge transaction including verifying…

  • CVE-2021-22764MedJun 11, 2021
    risk 0.35cvss 5.3epss 0.02

    A CWE-287: Improper Authentication vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could cause loss of connectivity to the device via Modbus TCP protocol when an…

  • CVE-2021-3424MedJun 1, 2021
    risk 0.35cvss 5.3epss 0.01

    A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to grant him extra privileges.

  • CVE-2021-20278MedMay 28, 2021
    risk 0.35cvss 6.5epss 0.01

    An authentication bypass vulnerability was found in Kiali in versions before 1.31.0 when the authentication strategy `OpenID` is used. When RBAC is enabled, Kiali assumes that some of the token validation is handled by the underlying cluster. When OpenID `implicit flow` is used…

  • CVE-2020-26139MedMay 11, 2021
    risk 0.35cvss 5.3epss 0.06

    An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against…

  • CVE-2020-5224MedJan 24, 2020
    risk 0.35cvss 6.5epss 0.00

    In Django User Sessions (django-user-sessions) before 1.7.1, the views provided allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS…

  • CVE-2019-19507MedDec 2, 2019
    risk 0.35cvss 5.3epss 0.01

    In jpv (aka Json Pattern Validator) before 2.1.1, compareCommon() can be bypassed because certain internal attributes can be overwritten via a conflicting name, as demonstrated by 'constructor': {'name':'Array'}. This affects validate(). Hence, a crafted payload can overwrite…

  • CVE-2019-14856MedNov 26, 2019
    risk 0.35cvss 6.5epss 0.02

    ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None

  • CVE-2019-8108MedNov 5, 2019
    risk 0.35cvss 6.5epss 0.01

    Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can manipulate session validation setting for a storefront that leads to insecure authentication and session…

  • CVE-2018-1539MedSep 25, 2018
    risk 0.35cvss 5.4epss 0.01

    IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 could allow remote attackers to bypass authentication via a direct request or forced browsing to a page other than URL intended. IBM X-Force ID: 142561.

  • CVE-2018-16668MedSep 18, 2018
    risk 0.35cvss 5.3epss 0.09

    An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is internal installation path disclosure due to the lack of authentication for /html/repository.