VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 66 of 121
  • CVE-2023-3597MedApr 25, 2024
    risk 0.26cvss 5.0epss 0.01

    A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and…

  • CVE-2023-0264MedAug 4, 2023
    risk 0.26cvss 5.0epss 0.01

    A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session…

  • CVE-2023-38691MedAug 4, 2023
    risk 0.26cvss 5.0epss 0.00

    matrix-appservice-bridge provides an API for setting up bridges. Starting in version 4.0.0 and prior to versions 8.1.2 and 9.0.1, a malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning…

  • CVE-2022-23541MedDec 22, 2022
    risk 0.26cvss 5.0epss 0.01

    jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect…

  • CVE-2017-1783MedJan 29, 2018
    risk 0.26cvss 4.0epss 0.00

    IBM Cognos Analytics 11.0 could allow a local user to change parameters set from the Cognos Analytics menus without proper authentication. IBM X-Force ID: 136857.

  • CVE-2017-7937MedMay 19, 2017
    risk 0.26cvss 4.0epss 0.01

    An Improper Authentication issue was discovered in Phoenix Contact GmbH mGuard firmware versions 8.3.0 to 8.4.2. An attacker may be able to gain unauthorized access to the user firewall when RADIUS servers are unreachable.

  • CVE-2018-7947LowJul 31, 2018
    risk 0.25cvss 3.9epss 0.00

    Huawei mobile phones with versions earlier before Emily-AL00A 8.1.0.153(C00) have an authentication bypass vulnerability. An attacker could trick the user to connect to a malicious device. In the debug mode, the malicious software in the device may exploit the vulnerability to…

  • CVE-2026-9373LowMay 24, 2026
    risk 0.24cvss 3.7epss 0.00

    A vulnerability has been found in JeecgBoot 3.9.1. This issue affects some unknown processing of the file /openapi/call/ of the component OpenAPI Endpoint. Such manipulation leads to improper authentication. The attack can be executed remotely. A high complexity level is…

  • CVE-2026-40243MedMay 6, 2026
    risk 0.24cvss 4.8epss 0.00

    Incus is a system container and virtual machine manager. In versions before 7.0.0, broken TLS validation logic in the OVN database connection logic can allow connections to an attacker's OVN database. The OVN client implementations disable Go standard TLS server verification and…

  • CVE-2026-42041MedApr 24, 2026
    risk 0.24cvss 4.8epss 0.01

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.),…

  • CVE-2026-4831LowMar 26, 2026
    risk 0.24cvss 3.7epss 0.00

    A security flaw has been discovered in kalcaddle kodbox 1.64. Impacted is the function can of the file /workspace/source-code/app/controller/explorer/auth.class.php of the component Password-protected Share Handler. Performing a manipulation results in improper authentication.…

  • CVE-2026-4587LowMar 23, 2026
    risk 0.24cvss 3.7epss 0.00

    A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched…

  • CVE-2025-64434MedNov 7, 2025
    risk 0.24cvss 4.7epss 0.00

    KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api…

  • CVE-2025-64432MedNov 7, 2025
    risk 0.24cvss 4.7epss 0.00

    KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api…

  • CVE-2025-10423LowSep 15, 2025
    risk 0.24cvss 3.7epss 0.00

    A vulnerability was found in newbee-mall 1.0. Impacted is the function mallKaptcha of the file /common/mall/kaptcha. The manipulation results in guessable captcha. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is…

  • CVE-2024-41800MedJul 25, 2024
    risk 0.24cvss 4.8epss 0.00

    Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's…

  • CVE-2024-5658MedJun 6, 2024
    risk 0.24cvss 4.8epss 0.01

    The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of TOTP tokens multiple times within the validity period.

  • CVE-2023-45669MedOct 16, 2023
    risk 0.24cvss 4.8epss 0.01

    WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications. Affected versions are subject to improper signature counter value handling. A flaw was found in webauthn4j-spring-security-core. When an authneticator returns an incremented…

  • CVE-2023-23612MedJan 26, 2023
    risk 0.24cvss 4.7epss 0.01

    OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs…

  • CVE-2022-22935LowMar 29, 2022
    risk 0.24cvss 3.7epss 0.02

    An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. A minion authentication denial of service can cause a MiTM attacker to force a minion process to stop by impersonating a master.