VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 62 of 121
  • CVE-2026-4582MedMar 23, 2026
    risk 0.33cvss 5.0epss 0.00

    A security vulnerability has been detected in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Affected by this vulnerability is an unknown functionality of the component Bluetooth. Such manipulation leads to missing authentication. The attack must be carried out from within the…

  • CVE-2026-2756MedMar 21, 2026
    risk 0.33cvss 5.0epss 0.00

    A security vulnerability has been detected in OmniPEMF NeoRhythm up to 20260308. This affects an unknown function of the component BLE Interface. Such manipulation leads to missing authentication. The attack can only be initiated within the local network. This attack is…

  • CVE-2025-62349MedJan 30, 2026
    risk 0.33cvss 6.2epss 0.00

    Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to…

  • CVE-2025-67859MedJan 14, 2026
    risk 0.33cvss epss 0.00

    A Improper Authentication vulnerability in TLP allows local users to arbitrarily control the power profile in use as well as the daemon’s log settings.This issue affects TLP: from 1.9 before 1.9.1.

  • CVE-2024-22258MedMar 20, 2024
    risk 0.33cvss 6.1epss 0.01

    Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the…

  • CVE-2022-46146MedNov 29, 2022
    risk 0.33cvss 6.2epss 0.01

    Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and…

  • CVE-2018-14637MedNov 30, 2018
    risk 0.33cvss 6.1epss 0.01

    The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.

  • CVE-2018-1672MedOct 1, 2018
    risk 0.33cvss 5.0epss 0.01

    IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 may fail to set the correct user context in certain impersonation scenarios, which can allow a user to act with the identity of a different user. IBM X-Force ID: 144958.

  • CVE-2026-9084MedMay 20, 2026
    risk 0.32cvss epss 0.00

    MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an…

  • CVE-2018-4856MedJul 3, 2018
    risk 0.32cvss 4.9epss 0.01

    A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). An attacker with administrative access to the device's management interface could lock out legitimate users. Manual interaction is required to restore the access of legitimate…

  • CVE-2017-16025MedJun 4, 2018
    risk 0.32cvss 5.9epss 0.02

    Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to `cookie`. Submitting an invalid…

  • CVE-2016-4043MedFeb 24, 2017
    risk 0.32cvss 4.9epss 0.01

    Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates.

  • CVE-2016-3094MedJun 1, 2016
    risk 0.32cvss 5.9epss 0.08

    PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker is configured to allow plaintext passwords, allows remote attackers to cause a denial of service (broker termination) via a crafted authentication attempt, which triggers an uncaught exception.

  • CVE-2012-6440MedJan 24, 2013
    risk 0.32cvss 4.8epss 0.08

    The Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product’s Web server to view and alter product configuration and diagnostics…

  • CVE-2026-50623MedJun 12, 2026
    risk 0.31cvss 4.8epss 0.00

    An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker.…

  • CVE-2026-45691MedJun 1, 2026
    risk 0.31cvss 5.9epss 0.00

    Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer…

  • CVE-2026-45690MedJun 1, 2026
    risk 0.31cvss 5.9epss 0.00

    Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor…

  • CVE-2025-15581MedFeb 18, 2026
    risk 0.31cvss epss 0.00

    Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access.

  • CVE-2025-29773MedMar 13, 2025
    risk 0.31cvss 5.8epss 0.00

    Froxlor is open-source server administration software. A vulnerability in versions prior to 2.2.6 allows users (such as resellers or customers) to create accounts with the same email address as an existing account. This creates potential issues with account identification and…

  • CVE-2024-47174MedSep 26, 2024
    risk 0.31cvss 5.9epss 0.00

    Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `<nix/fetchurl.nix>` did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking…