VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 60 of 121
  • CVE-2016-1307MedFeb 7, 2016
    risk 0.35cvss 5.4epss 0.01

    The Openfire server in Cisco Finesse Desktop 10.5(1) and 11.0(1) and Unified Contact Center Express 10.6(1) has a hardcoded account, which makes it easier for remote attackers to obtain access via an XMPP session, aka Bug ID CSCuw79085.

  • CVE-2026-45289MedJun 2, 2026
    risk 0.34cvss 5.3epss 0.00

    CloudburstMC Protocol is a protocol library for Minecraft Bedrock Edition. Prior to version 3.0.0.Beta12-20260420.182526-15, CloudburstMC Protocol is partially missing validation for FULL type authentication tokens (Cloudburst/Protocol). This vulnerability impacts publicly…

  • CVE-2026-10548MedJun 2, 2026
    risk 0.34cvss 5.3epss 0.00

    A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.23. This affects the function _sync_anthropic_entry_from_credentials_file of the file agent/credential_pool.py of the component Credential Pool Synchronization. The manipulation results in improper…

  • CVE-2026-45283MedJun 1, 2026
    risk 0.34cvss 6.3epss 0.00

    Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated…

  • CVE-2026-10283MedJun 1, 2026
    risk 0.34cvss 6.3epss 0.00

    A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. It is recommended to apply a patch to…

  • CVE-2026-2812MedMay 20, 2026
    risk 0.34cvss 5.3epss 0.00

    ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based…

  • CVE-2026-31387MedMay 19, 2026
    risk 0.34cvss 5.3epss 0.01

    Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

  • CVE-2026-8737MedMay 17, 2026
    risk 0.34cvss 5.3epss 0.00

    A weakness has been identified in Sanluan PublicCMS 5.202506.d. This issue affects the function execute of the file publiccms-trade/src/main/java/com/publiccms/views/directive/trade/TradeAddressListDirective.java of the component Trade Address Query Handler. Executing a…

  • CVE-2026-8244MedMay 10, 2026
    risk 0.34cvss 5.3epss 0.00

    A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This impacts an unknown function of the component Login RMI Interface. The manipulation of the argument clientVersion leads to improper authentication. It is possible to initiate the attack…

  • CVE-2026-8214MedMay 10, 2026
    risk 0.34cvss 5.3epss 0.00

    A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. This affects the function doAction of the component RMI Interface. The manipulation of the argument sessionId results in improper authentication. It is possible to launch the attack remotely. The…

  • CVE-2026-8031MedMay 6, 2026
    risk 0.34cvss 5.3epss 0.00

    A vulnerability was detected in PicoTronica e-Clinic Healthcare System ECHS 5.7. The affected element is an unknown function of the file /cdemos/echs/api/v2/patient-records of the component API Endpoint. The manipulation results in missing authentication. The attack can be…

  • CVE-2026-6729MedApr 20, 2026
    risk 0.34cvss 6.3epss 0.00

    HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared ohmo session key that lacks sender identity verification.…

  • CVE-2026-4664MedApr 10, 2026
    risk 0.34cvss 5.3epss 0.01

    The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_permissions_check()` function comparing the user-supplied `key` parameter against the order's…

  • CVE-2026-4187MedMar 16, 2026
    risk 0.34cvss 5.3epss 0.01

    A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Impacted is an unknown function of the file /WebService/UpdateLocalDevInfo.jsp of the component Device Identifier Handler. Such manipulation of the argument username/password leads to missing…

  • CVE-2026-28428MedMar 6, 2026
    risk 0.34cvss 5.3epss 0.00

    Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and…

  • CVE-2025-7630MedFeb 18, 2026
    risk 0.34cvss 5.3epss 0.00

    Improper Restriction of Excessive Authentication Attempts, Improper Authentication vulnerability in Doruk Communication and Automation Industry and Trade Inc. Wispotter allows Password Brute Forcing, Brute Force. This issue affects Wispotter: from 1.0 before v2025.10.08.1.

  • CVE-2025-15135MedDec 28, 2025
    risk 0.34cvss 6.3epss 0.00

    A weakness has been identified in joey-zhou xiaozhi-esp32-server-java up to 3.0.0. This impacts the function tryAuthenticateWithCookies of the file AuthenticationInterceptor.java of the component Cookie Handler. Executing manipulation can lead to improper authentication. The…

  • CVE-2023-52210MedDec 23, 2025
    risk 0.34cvss 5.3epss 0.00

    Vulnerability in Tyche softwares Product Delivery Date for WooCommerce – Lite.This issue affects Product Delivery Date for WooCommerce – Lite: from n/a through 2.7.0.

  • CVE-2025-14908MedDec 19, 2025
    risk 0.34cvss 6.3epss 0.00

    A security flaw has been discovered in JeecgBoot up to 3.9.0. The affected element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysTenantController.java of the component Multi-Tenant…

  • CVE-2025-11852MedOct 16, 2025
    risk 0.34cvss 5.3epss 0.01

    A vulnerability was found in Apeman ID71 218.53.203.117. The impacted element is an unknown function of the file /onvif/device_service of the component ONVIF Service. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely.…