VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 68 of 121
  • CVE-2023-25601MedApr 20, 2023
    risk 0.21cvss 4.3epss 0.01

    On version 3.0.0 through 3.1.1, Apache DolphinScheduler's python gateway suffered from improper authentication: an attacker could use a socket bytes attack without authentication. This issue has been fixed from version 3.1.2 onwards. For users who use version 3.0.0 to 3.1.1, you…

  • CVE-2022-39229MedOct 13, 2022
    risk 0.21cvss 4.3epss 0.01

    Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address…

  • CVE-2022-3173MedSep 17, 2022
    risk 0.21cvss 4.3epss 0.01

    Improper Authentication in GitHub repository snipe/snipe-it prior to 6.0.10.

  • CVE-2022-29858MedJun 28, 2022
    risk 0.21cvss 4.3epss 0.01

    Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content.

  • CVE-2022-0985MedApr 29, 2022
    risk 0.21cvss 4.3epss 0.01

    Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.

  • CVE-2022-23807MedJan 22, 2022
    risk 0.21cvss 4.3epss 0.01

    An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.

  • CVE-2017-2604MedMay 15, 2018
    risk 0.21cvss 4.3epss 0.01

    In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).

  • CVE-2026-9398LowMay 24, 2026
    risk 0.20cvss 3.1epss 0.00

    A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426. This affects an unknown part of the component BLE/WiFi. Such manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network.…

  • CVE-2026-1743LowFeb 2, 2026
    risk 0.20cvss 3.1epss 0.00

    A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The manipulation leads to authentication bypass by capture-replay. The attack must be…

  • CVE-2025-7703LowJul 16, 2025
    risk 0.20cvss 3.1epss 0.00

    Authentication vulnerability in the mobile application(tech.palm.id)may lead to the risk of information leakage.

  • CVE-2025-6524LowJun 23, 2025
    risk 0.20cvss 3.1epss 0.00

    A vulnerability classified as problematic has been found in 70mai 1S up to 20250611. This affects an unknown part of the component Video Services. The manipulation leads to improper authentication. Access to the local network is required for this attack to succeed. The…

  • CVE-2024-23637MedJan 31, 2024
    risk 0.20cvss 4.2epss 0.01

    OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who…

  • CVE-2023-47127MedNov 14, 2023
    risk 0.20cvss 4.2epss 0.01

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. In typo3 installations there are always at least two different sites. Eg. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can…

  • CVE-2023-34246MedJun 12, 2023
    risk 0.20cvss 4.2epss 0.01

    Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation,…

  • CVE-2018-12445LowJun 20, 2018
    risk 0.20cvss 3.1epss 0.00

    An issue was discovered in the com.dropbox.android application 98.2.2 for Android. The FingerprintManager class for Biometric validation allows authentication bypass through the callback method from onAuthenticationFailed to onAuthenticationSucceeded with null, because the…

  • CVE-2018-8862LowMay 25, 2018
    risk 0.20cvss 3.1epss 0.01

    In ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MHPSS, and ALERT4000) devices, an improper authentication vulnerability caused by specially crafted malicious radio transmissions may allow an attacker to remotely trigger false alarms.

  • CVE-2025-25201MedFeb 12, 2025
    risk 0.19cvss 4.0epss 0.00

    Nitrokey 3 Firmware is the the firmware of Nitrokey 3 USB keys. For release 1.8.0, and test releases with PIV enabled prior to 1.8.0, the PIV application could accept invalid keys for authentication of the admin key. This could lead to compromise of the integrity of the data…

  • CVE-2023-45023medOct 4, 2023
    risk 0.19cvss epss 0.01

    femanager fails to check access permissions for the invitation component. Depending on the configuration of the plugin, a remote user can create frontend user accounts with access to configured frontend groups.

  • CVE-2024-38822LowJun 13, 2025
    risk 0.18cvss 2.7epss 0.00

    Multiple methods in the salt master skip minion token validation. Therefore a misbehaving minion can impersonate another minion.

  • CVE-2024-6219LowDec 6, 2024
    risk 0.18cvss 3.8epss 0.00

    Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured.