CWE-287
Improper Authentication
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (2,419)
page 68 of 121| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-25601 | Med | 0.21 | 4.3 | 0.01 | Apr 20, 2023 | On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you… | ||
| CVE-2022-39229 | Med | 0.21 | 4.3 | 0.01 | Oct 13, 2022 | Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address… | ||
| CVE-2022-3173 | Med | 0.21 | 4.3 | 0.01 | Sep 17, 2022 | Improper Authentication in GitHub repository snipe/snipe-it prior to 6.0.10. | ||
| CVE-2022-29858 | — | Med | 0.21 | 4.3 | 0.01 | Jun 28, 2022 | Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content. | |
| CVE-2022-0985 | Med | 0.21 | 4.3 | 0.01 | Apr 29, 2022 | Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability. | ||
| CVE-2022-23807 | Med | 0.21 | 4.3 | 0.01 | Jan 22, 2022 | An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances. | ||
| CVE-2017-2604 | — | Med | 0.21 | 4.3 | 0.01 | May 15, 2018 | In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371). | |
| CVE-2026-9398 | Low | 0.20 | 3.1 | 0.00 | May 24, 2026 | A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426. This affects an unknown part of the component BLE/WiFi. Such manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network.… | ||
| CVE-2026-1743 | Low | 0.20 | 3.1 | 0.00 | Feb 2, 2026 | A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The manipulation leads to authentication bypass by capture-replay. The attack must be… | ||
| CVE-2025-7703 | Low | 0.20 | 3.1 | 0.00 | Jul 16, 2025 | Authentication vulnerability in the mobile application(tech.palm.id)may lead to the risk of information leakage. | ||
| CVE-2025-6524 | Low | 0.20 | 3.1 | 0.00 | Jun 23, 2025 | A vulnerability classified as problematic has been found in 70mai 1S up to 20250611. This affects an unknown part of the component Video Services. The manipulation leads to improper authentication. Access to the local network is required for this attack to succeed. The… | ||
| CVE-2024-23637 | Med | 0.20 | 4.2 | 0.01 | Jan 31, 2024 | OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who… | ||
| CVE-2023-47127 | Med | 0.20 | 4.2 | 0.01 | Nov 14, 2023 | TYPO3 is an open source PHP based web content management system released under the GNU GPL. In typo3 installations there are always at least two different sites. Eg. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can… | ||
| CVE-2023-34246 | — | Med | 0.20 | 4.2 | 0.01 | Jun 12, 2023 | Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation,… | |
| CVE-2018-12445 | — | Low | 0.20 | 3.1 | 0.00 | Jun 20, 2018 | An issue was discovered in the com.dropbox.android application 98.2.2 for Android. The FingerprintManager class for Biometric validation allows authentication bypass through the callback method from onAuthenticationFailed to onAuthenticationSucceeded with null, because the… | |
| CVE-2018-8862 | Low | 0.20 | 3.1 | 0.01 | May 25, 2018 | In ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MHPSS, and ALERT4000) devices, an improper authentication vulnerability caused by specially crafted malicious radio transmissions may allow an attacker to remotely trigger false alarms. | ||
| CVE-2025-25201 | Med | 0.19 | 4.0 | 0.00 | Feb 12, 2025 | Nitrokey 3 Firmware is the the firmware of Nitrokey 3 USB keys. For release 1.8.0, and test releases with PIV enabled prior to 1.8.0, the PIV application could accept invalid keys for authentication of the admin key. This could lead to compromise of the integrity of the data… | ||
| CVE-2023-45023 | med | 0.19 | — | 0.01 | Oct 4, 2023 | femanager fails to check access permissions for the invitation component. Depending on the configuration of the plugin, a remote user can create frontend user accounts with access to configured frontend groups. | ||
| CVE-2024-38822 | Low | 0.18 | 2.7 | 0.00 | Jun 13, 2025 | Multiple methods in the salt master skip minion token validation. Therefore a misbehaving minion can impersonate another minion. | ||
| CVE-2024-6219 | Low | 0.18 | 3.8 | 0.00 | Dec 6, 2024 | Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured. |
- risk 0.21cvss 4.3epss 0.01
On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you…
- risk 0.21cvss 4.3epss 0.01
Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address…
- risk 0.21cvss 4.3epss 0.01
Improper Authentication in GitHub repository snipe/snipe-it prior to 6.0.10.
- risk 0.21cvss 4.3epss 0.01
Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content.
- risk 0.21cvss 4.3epss 0.01
Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.
- risk 0.21cvss 4.3epss 0.01
An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.
- risk 0.21cvss 4.3epss 0.01
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).
- risk 0.20cvss 3.1epss 0.00
A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426. This affects an unknown part of the component BLE/WiFi. Such manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network.…
- risk 0.20cvss 3.1epss 0.00
A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The manipulation leads to authentication bypass by capture-replay. The attack must be…
- risk 0.20cvss 3.1epss 0.00
Authentication vulnerability in the mobile application(tech.palm.id)may lead to the risk of information leakage.
- risk 0.20cvss 3.1epss 0.00
A vulnerability classified as problematic has been found in 70mai 1S up to 20250611. This affects an unknown part of the component Video Services. The manipulation leads to improper authentication. Access to the local network is required for this attack to succeed. The…
- risk 0.20cvss 4.2epss 0.01
OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who…
- risk 0.20cvss 4.2epss 0.01
TYPO3 is an open source PHP based web content management system released under the GNU GPL. In typo3 installations there are always at least two different sites. Eg. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can…
- risk 0.20cvss 4.2epss 0.01
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation,…
- risk 0.20cvss 3.1epss 0.00
An issue was discovered in the com.dropbox.android application 98.2.2 for Android. The FingerprintManager class for Biometric validation allows authentication bypass through the callback method from onAuthenticationFailed to onAuthenticationSucceeded with null, because the…
- risk 0.20cvss 3.1epss 0.01
In ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MHPSS, and ALERT4000) devices, an improper authentication vulnerability caused by specially crafted malicious radio transmissions may allow an attacker to remotely trigger false alarms.
- risk 0.19cvss 4.0epss 0.00
Nitrokey 3 Firmware is the the firmware of Nitrokey 3 USB keys. For release 1.8.0, and test releases with PIV enabled prior to 1.8.0, the PIV application could accept invalid keys for authentication of the admin key. This could lead to compromise of the integrity of the data…
- risk 0.19cvss —epss 0.01
femanager fails to check access permissions for the invitation component. Depending on the configuration of the plugin, a remote user can create frontend user accounts with access to configured frontend groups.
- risk 0.18cvss 2.7epss 0.00
Multiple methods in the salt master skip minion token validation. Therefore a misbehaving minion can impersonate another minion.
- risk 0.18cvss 3.8epss 0.00
Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured.