VYPR

CWE-287

Improper Authentication

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
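As an added illustration of this weakness class (constructed example, not code from any product listed on this page; the `Authorization`/`X-User` header names, the token format and the server key are assumptions), the following shows an API handler that fails to prove an identity claim next to one that does. The weak check has both halves of the CWE-287 pattern: when no token is sent it believes a client-supplied header, and when a token is sent it reads the subject out of the payload without ever checking the signature. The strong check accepts an identity only from a token whose HMAC verifies under the server's key and which has not expired.

```python
"""Constructed illustration of CWE-287 in an HTTP-style API: a check that lets
the caller assert its own identity, beside one that only accepts identities
proven by a server-issued MAC.  Not code from any product listed on this page."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Assumed server-side secret; a real service would load it from a secret store.
SERVER_KEY = b"example-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Mint a token of the form base64(payload).base64(HMAC-SHA256(payload))."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": int(now) + ttl}).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def forge_token(user: str) -> str:
    """What an attacker without SERVER_KEY can produce: a well-formed token
    whose signature is garbage (here, 32 zero bytes)."""
    payload = json.dumps({"sub": user, "exp": 2_000_000_000}).encode()
    return _b64(payload) + "." + _b64(bytes(32))


def weak_authenticate(headers: Dict[str, str]) -> Optional[str]:
    """CWE-287: the identity claim is never actually proven.

    With no token, the handler believes a client-supplied X-User header;
    with a token, it reads the subject out of the payload without ever
    recomputing or comparing the signature."""
    token = headers.get("Authorization")
    if token is None:
        return headers.get("X-User")
    payload_b64, _, _sig_b64 = token.partition(".")
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return payload["sub"]


def strong_authenticate(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Identity comes only from a token whose MAC verifies under SERVER_KEY
    and whose expiry has not passed; anything else is anonymous (None)."""
    now = time.time() if now is None else now
    token = headers.get("Authorization")
    if not token:
        return None
    payload_b64, sep, sig_b64 = token.partition(".")
    if sep != ".":
        return None
    try:
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison, so the check cannot be probed byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) else None


if __name__ == "__main__":
    hdr = {"X-User": "admin"}
    print("no token, X-User header :", weak_authenticate(hdr), strong_authenticate(hdr))
    hdr = {"Authorization": forge_token("admin")}
    print("forged token            :", weak_authenticate(hdr), strong_authenticate(hdr))
    hdr = {"Authorization": issue_token("alice")}
    print("genuine token           :", strong_authenticate(hdr))
```

When reviewing a handler for this weakness, the questions the strong version answers are the ones to ask: is there any request shape (missing header, empty token, malformed token) that reaches the identity-returning path without the verification step, and does the identity ever originate from something the client controls rather than from material the server can verify?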

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 6 of 121
  • CVE-2025-12374 · Critical · Dec 5, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that…

  • CVE-2025-56447 · Critical · Oct 22, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure.

  • CVE-2025-60772 · Critical · Oct 21, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Improper authentication in the web-based management interface of NETLINK HG322G V1.0.00-231017, allows a remote unauthenticated attacker to escalate privileges and lock out the legitimate administrator via crafted HTTP requests.

  • CVE-2025-34186 · Critical · Sep 16, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a vulnerability in its authentication mechanism. Unsanitized input is passed to a system() call for authentication, allowing attackers to inject special characters and manipulate command parsing. Because the binary…

  • CVE-2025-9994 · Critical · Sep 9, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access.

  • CVE-2024-52786 · Critical · Aug 22, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    An authentication bypass vulnerability in anji-plus AJ-Report up to v1.4.2 allows unauthenticated attackers to execute arbitrary code via a crafted URL.

  • CVE-2024-50645 · Critical · Aug 22, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    MallChat v1.0-SNAPSHOT has an authentication bypass vulnerability. An attacker can exploit this vulnerability to access API without any token.

  • CVE-2024-50644 · Critical · Aug 22, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    zhisheng17 blog 3.0.1-SNAPSHOT has an authentication bypass vulnerability. An attacker can exploit this vulnerability to access API without any token.

  • CVE-2025-52395 · Critical · Aug 21, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue in Roadcute API v.1 allows a remote attacker to execute arbitrary code via the application exposing a password reset API endpoint that fails to validate the identity of the requester properly.

  • CVE-2024-50640 · Critical · Aug 20, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    jeewx-boot 1.3 has an authentication bypass vulnerability in the preHandle function.

  • CVE-2025-52376 · Critical · Jul 15, 2025
    risk 0.64 · cvss 9.8 · epss 0.09

    An authentication bypass vulnerability in the /web/um_open_telnet.cgi endpoint in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below, allowing an attacker to remotely enable the Telnet service without authentication, bypassing security controls. The Telnet server…

  • CVE-2025-7574 · Critical · Jul 14, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    A vulnerability, which was classified as critical, was found in LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702. Affected is the function reboot/restore of the file /cgi-bin/lighttpd.cgi of the component Web Interface. The…

  • CVE-2025-6172 · Critical · Jun 16, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    Permission vulnerability in the mobile application (com.afmobi.boomplayer) may lead to the risk of unauthorized operation.

  • CVE-2025-30430 · Critical · Mar 31, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    This issue was addressed through improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4, watchOS 11.4. Password autofill may fill in passwords after failing authentication.

  • CVE-2024-13804 · Critical · Mar 30, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    Unauthenticated RCE in HPE Insight Cluster Management Utility

  • CVE-2024-56336 · Critical · Mar 11, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    A vulnerability has been identified in SINAMICS S200 (All versions with serial number beginning with SZVS8, SZVS9, SZVS0 or SZVSN and the FS number is 02). The affected device contains an unlocked bootloader. This security oversight enables attackers to inject malicious code, or…

  • CVE-2025-0637 · Critical · Jan 23, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    It has been found that the Beta10 software does not provide for proper authorisation control in multiple areas of the application. This deficiency could allow a malicious actor, without authentication, to access private areas and/or areas intended for other roles. The…

  • CVE-2025-0070 · Critical · Jan 14, 2025
    risk 0.64 · cvss 9.9 · epss 0.01

    SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation. On successful exploitation, this can result in potential…

  • CVE-2024-12264 · Critical · Jan 7, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    The PayU CommercePro Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.8.3. This is due to /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost REST API endpoints not properly verifying a user's…

  • CVE-2024-1610 · Critical · Dec 18, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    In OPPO Store APP, there's a possible escalation of privilege due to improper input validation.