VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 63 of 121
  • CVE-2024-37893MedJun 17, 2024
    risk 0.31cvss 5.9epss 0.01

    Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to Firefly III data using…

  • CVE-2024-22247MedApr 2, 2024
    risk 0.31cvss 4.8epss 0.00

    VMware SD-WAN Edge contains a missing authentication and protection mechanism vulnerability. A malicious actor with physical access to the SD-WAN Edge appliance during activation can potentially exploit this vulnerability to access the BIOS configuration. In addition, the…

  • CVE-2022-23501MedDec 14, 2022
    risk 0.31cvss 5.9epss 0.00

    TYPO3 is an open source PHP based web content management system. In versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 TYPO3 is vulnerable to Improper Authentication. Restricting frontend login to specific users, organized in different storage folders (partitions),…

  • CVE-2018-0247MedMay 2, 2018
    risk 0.31cvss 4.7epss 0.01

    A vulnerability in Web Authentication (WebAuth) clients for the Cisco Wireless LAN Controller (WLC) and Aironet Access Points running Cisco IOS Software could allow an unauthenticated, adjacent attacker to bypass authentication and pass traffic. The vulnerability is due to…

  • CVE-2017-14018MedDec 5, 2017
    risk 0.31cvss 4.8epss 0.00

    An improper authentication issue was discovered in Johnson & Johnson Ethicon Endo-Surgery Generator Gen11, all versions released before November 29, 2017. The security authentication mechanism used between the Ethicon Endo-Surgery Generator Gen11 and single-patient use products…

  • CVE-2025-31264MedMay 29, 2025
    risk 0.30cvss 4.6epss 0.00

    An authentication issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An attacker with physical access to a locked device may be able to view sensitive user information.

  • CVE-2024-43784MedNov 26, 2024
    risk 0.30cvss 5.7epss 0.00

    lakeFS is an open-source tool that transforms object storage into a Git-like repository. Existing lakeFS users who have issued credentials to users who have been deleted are affected by this vulnerability. When creating a new user with the same username as a deleted user, that…

  • CVE-2024-23251MedJun 10, 2024
    risk 0.30cvss 4.6epss 0.00

    An authentication issue was addressed with improved state management. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, watchOS 10.5. An attacker with physical access may be able to leak Mail account credentials.

  • CVE-2017-2721MedNov 22, 2017
    risk 0.30cvss 4.6epss 0.00

    Some Huawei smart phones with software Berlin-L21C10B130,Berlin-L21C185B133,Berlin-L21HNC10B131,Berlin-L21HNC185B140,Berlin-L21HNC432B151,Berlin-L22C636B160,Berlin-L22HNC636B130,Berlin-L22HNC675B150CUSTC675D001,Berlin-L23C605B131,Berlin-L24HNC567B110,FRD-L02C432B120,FRD-L02C635B1…

  • CVE-2026-7113MedApr 27, 2026
    risk 0.29cvss 5.6epss 0.00

    A vulnerability was found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/webhook.py of the component Webhooks Endpoint. The manipulation of the argument _INSECURE_NO_AUTH results in missing authentication.…

  • CVE-2026-3194MedFeb 25, 2026
    risk 0.29cvss 4.5epss 0.00

    A flaw has been found in Chia Blockchain 2.1.0. The affected element is the function send_transaction/get_private_key of the component RPC Server Master Passphrase Handler. This manipulation causes missing authentication. The attack can only be executed locally. The attack's…

  • CVE-2024-35184MedMay 15, 2024
    risk 0.29cvss 5.5epss 0.00

    Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains…

  • CVE-2017-3912MedSep 18, 2018
    risk 0.29cvss 4.4epss 0.00

    Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.

  • CVE-2025-14746MedDec 16, 2025
    risk 0.28cvss 4.3epss 0.01

    A vulnerability has been found in Ningyuanda TC155 57.0.2.0. The affected element is an unknown function of the component RTSP Live Video Stream Endpoint. Such manipulation leads to improper authentication. The attack must be carried out from within the local network. The…

  • CVE-2025-10684MedDec 12, 2025
    risk 0.28cvss 4.3epss 0.00

    The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF when activating via an AJAX action, allowing any authenticated users, such as subscriber to activate arbitrary .

  • CVE-2025-62398MedOct 23, 2025
    risk 0.28cvss 5.4epss 0.00

    A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially compromising user accounts.

  • CVE-2025-6528MedJun 23, 2025
    risk 0.28cvss 4.3epss 0.01

    A vulnerability has been found in 70mai M300 up to 20250611 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /livestream/12 of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper authentication.…

  • CVE-2025-49012MedJun 5, 2025
    risk 0.28cvss 5.4epss 0.00

    Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Himmelblau versions 0.9.0 through 0.9.14 and 1.00-alpha are vulnerable to a privilege escalation issue when Entra ID group-based access restrictions are configured using group display names instead…

  • CVE-2025-3627MedApr 25, 2025
    risk 0.28cvss 4.3epss 0.00

    A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentication (2FA).

  • CVE-2025-27425MedMar 4, 2025
    risk 0.28cvss 4.3epss 0.00

    Scanning certain QR codes that included text with a website URL could allow the URL to be opened without presenting the user with a confirmation alert first. This vulnerability was fixed in Firefox for iOS 136.