CWE-287
Improper Authentication
Abstraction: Class · Status: Draft · Likelihood of exploit: High
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (1,670)
Page 6 of 84

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-51484 | Critical | 0.64 | 9.8 | 0.00 | | Apr 25, 2024 | Improper Authentication vulnerability in wp-buy Login as User or Customer (User Switching) allows Privilege Escalation. This issue affects Login as User or Customer (User Switching): from n/a through 3.8. |
| CVE-2023-51482 | Critical | 0.64 | 9.9 | 0.00 | | Apr 25, 2024 | Improper Authentication vulnerability in EazyPlugins Eazy Plugin Manager allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Eazy Plugin Manager: from n/a through 4.1.2. |
| CVE-2023-51478 | Critical | 0.64 | 9.8 | 0.00 | | Apr 25, 2024 | Improper Authentication vulnerability in Abdul Hakeem Build App Online allows Privilege Escalation. This issue affects Build App Online: from n/a through 1.0.19. |
| CVE-2023-51477 | Critical | 0.64 | 9.8 | 0.00 | | Apr 24, 2024 | Improper Authentication vulnerability in BUDDYBOSS DMCC BuddyBoss Theme allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects BuddyBoss Theme: from n/a through 2.4.60. |
| CVE-2023-51472 | Critical | 0.64 | 9.8 | 0.00 | | Apr 24, 2024 | Improper Authentication vulnerability in Mestres do WP Checkout Mestres WP allows Privilege Escalation. This issue affects Checkout Mestres WP: from n/a through 7.1.9.7. |
| CVE-2024-1148 | Critical | 0.64 | 9.8 | 0.00 | | Mar 21, 2024 | Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and uploading of files. |
| CVE-2024-1147 | Critical | 0.64 | 9.8 | 0.00 | | Mar 21, 2024 | Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and download of files. |
| CVE-2023-49340 | Critical | 0.64 | 9.8 | 0.00 | | Mar 9, 2024 | An issue was discovered in Newland Nquire 1000 Interactive Kiosk version NQ1000-II_G_V1.00.011, allows remote attackers to escalate privileges and bypass authentication via incorrect access control in the web management portal. |
| CVE-2023-2499 | Critical | 0.64 | 9.8 | 0.01 | | May 16, 2023 | The RegistrationMagic plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.2.1.0. This is due to insufficient verification on the user being supplied during a Google social login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. |
| CVE-2023-2297 | Critical | 0.64 | 9.8 | 0.01 | | Apr 27, 2023 | The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 3.9.0. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (wppb_front_end_password_recovery). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-0814, or another vulnerability like SQL Injection in another plugin or theme installed on the site to successfully exploit this vulnerability. |
| CVE-2023-2027 | Critical | 0.64 | 9.8 | 0.00 | | Apr 15, 2023 | The ZM Ajax Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.2. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username. |
| CVE-2014-0121 | Critical | 0.64 | 9.8 | 0.02 | | Dec 29, 2017 | The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter. |
| CVE-2015-6237 | Critical | 0.64 | 9.8 | 0.01 | | Dec 27, 2017 | The RPC service in Tripwire (formerly nCircle) IP360 VnE Manager 7.2.2 before 7.2.6 allows remote attackers to bypass authentication and (1) enumerate users, (2) reset passwords, or (3) manipulate IP filter restrictions via crafted "privileged commands." |
| CVE-2015-7224 | Critical | 0.64 | 9.8 | 0.01 | | Dec 21, 2017 | puppetlabs-mysql 3.1.0 through 3.6.0 allow remote attackers to bypass authentication by leveraging creation of a database account without a password when a 'mysql_user' user parameter contains a host with a netmask. |
| CVE-2017-17777 | Critical | 0.64 | 9.8 | 0.01 | | Dec 20, 2017 | Paid To Read Script 2.0.5 has authentication bypass in the admin panel via a direct request, as demonstrated by the admin/viewvisitcamp.php fn parameter and the admin/userview.php uid parameter. |
| CVE-2017-16684 | Critical | 0.64 | 9.8 | 0.01 | | Dec 12, 2017 | SAP Business Intelligence Promotion Management Application, Enterprise 4.10, 4.20, and 4.30, does not perform authentication checks for functionalities that require user identity. |
| CVE-2017-17430 | Critical | 0.64 | 9.8 | 0.01 | | Dec 7, 2017 | Sangoma NetBorder / Vega Session Controller before 2.3.12-80-GA allows remote attackers to execute arbitrary commands via the web interface. |
| CVE-2017-10903 | Critical | 0.64 | 9.8 | 0.04 | | Dec 1, 2017 | Improper authentication issue in PTW-WMS1 firmware version 2.000.012 allows remote attackers to log in to the device with root privileges and conduct arbitrary operations via unspecified vectors. |
| CVE-2017-14377 | Critical | 0.64 | 9.8 | 0.03 | | Nov 29, 2017 | EMC RSA Authentication Agent for Web: Apache Web Server version 8.0 and RSA Authentication Agent for Web: Apache Web Server version 8.0.1 prior to Build 618 have a security vulnerability that could potentially lead to authentication bypass. |
| CVE-2017-2738 | Critical | 0.64 | 9.8 | 0.01 | | Nov 22, 2017 | VCM5010 with software versions earlier than V100R002C50SPC100 has an authentication bypass vulnerability. This is due to improper implementation of authentication for accessing web pages. An unauthenticated attacker could bypass the authentication by sending a crafted HTTP request. 5010 with software versions earlier than V100R002C50SPC100 has an arbitrary file upload vulnerability. The software does not validate the files that are uploaded. An authenticated attacker could upload arbitrary files to the system. |
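Two rows in the table above describe recurring shapes of this weakness that are worth seeing in code: a social-login handler that logs in whichever account the client names instead of the account the identity provider actually vouched for (CVE-2023-2499, CVE-2023-2027), and a password-reset key stored in plaintext, so that any database read, for example through SQL injection in another plugin, yields a usable credential (CVE-2023-2297). The Python below is an added illustration written for this page; it is not code from the CWE entry or from any of the listed plugins. The identity provider is simulated with an HMAC-signed token and the user store is a constructed dictionary so the example runs offline; a real deployment validates the provider's signed ID token against the provider's published keys and checks its audience and expiry.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed user table standing in for the site's user store.
USERS = {
    "admin@example.com": {"id": 1, "role": "administrator"},
    "alice@example.com": {"id": 7, "role": "subscriber"},
}

# Assumption: the identity provider signs tokens with this HMAC key so the
# example runs offline. Real providers issue JWTs signed with published keys.
IDP_SECRET = b"constructed-idp-signing-key"


def idp_issue_token(email: str) -> str:
    """Simulated provider: mints a signed token after the user authenticates there."""
    payload = json.dumps({"email": email, "iat": int(time.time())}).encode()
    sig = hmac.new(IDP_SECRET, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig


def idp_verify_token(token: str):
    """Returns the claims if the signature checks out, otherwise None."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(IDP_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return json.loads(payload)


def social_login_vulnerable(request: dict):
    """CWE-287 as in the social-login CVEs: the handler logs in whichever account
    the client names and never checks that the provider vouched for that email."""
    return USERS.get(request.get("email"))


def social_login_fixed(request: dict):
    """Identity is taken only from the verified provider assertion; the posted
    email field is ignored entirely."""
    claims = idp_verify_token(request.get("id_token", ""))
    if not claims or "email" not in claims:
        return None
    return USERS.get(claims["email"])


# user_id -> (sha256 hex digest of the reset key, expiry time). The key itself
# is never stored, so a database read yields nothing an attacker can present.
RESET_KEYS = {}


def create_reset_key(user_id: int, ttl_seconds: int = 900) -> str:
    key = secrets.token_urlsafe(32)
    RESET_KEYS[user_id] = (hashlib.sha256(key.encode()).hexdigest(),
                           time.time() + ttl_seconds)
    return key  # delivered to the user out of band, e.g. by email


def consume_reset_key(user_id: int, presented: str) -> bool:
    """Single-use, expiring, constant-time comparison against the stored hash."""
    entry = RESET_KEYS.get(user_id)
    if entry is None:
        return False
    stored_hash, expiry = entry
    if time.time() > expiry:
        del RESET_KEYS[user_id]
        return False
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    ok = hmac.compare_digest(stored_hash, presented_hash)
    if ok:
        del RESET_KEYS[user_id]  # burn the key on successful use
    return ok


if __name__ == "__main__":
    attacker = {"email": "admin@example.com", "id_token": "garbage"}
    print("vulnerable:", social_login_vulnerable(attacker))
    print("fixed:     ", social_login_fixed(attacker))
    alice_token = idp_issue_token("alice@example.com")
    print("fixed, valid token but spoofed email field:",
          social_login_fixed({"email": "admin@example.com", "id_token": alice_token}))
```

The point of the fixed handler is that the only input it trusts is the provider's signed assertion; the client-controlled `email` field never reaches the user lookup. For the reset flow, an attacker who dumps `RESET_KEYS` sees only digests, and a single failed guess does not invalidate the legitimate key, so the check cannot be turned into a denial of service against the real user.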