VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 69 of 121
  • CVE-2026-0633LowJan 24, 2026
    risk 0.17cvss 3.7epss 0.00

    The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and…

  • CVE-2022-39231LowSep 23, 2022
    risk 0.17cvss 3.7epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for _Facebook_ and _Spotify_ may be circumvented. Configurations which…

  • CVE-2016-8609LowAug 1, 2018
    risk 0.17cvss 3.7epss 0.02

    It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session. This could lead to information disclosure, or permit further possible attacks.

  • CVE-2024-27835LowMay 14, 2024
    risk 0.16cvss 2.4epss 0.00

    This issue was addressed through improved state management. This issue is fixed in iOS 17.5 and iPadOS 17.5. An attacker with physical access to an iOS device may be able to access notes from the lock screen.

  • CVE-2024-23255LowMar 8, 2024
    risk 0.16cvss 2.4epss 0.01

    An authentication issue was addressed with improved state management. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. Photos in the Hidden Photos Album may be viewed without authentication.

  • CVE-2023-41900LowSep 15, 2023
    risk 0.16cvss 3.5epss 0.01

    Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already…

  • CVE-2020-13927CriKEVNov 10, 2020
    risk 0.16cvss 9.8epss 1.00

    The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at…

  • CVE-2023-28473LowApr 28, 2023
    risk 0.15cvss 3.3epss 0.01

    Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to possible Auth bypass in the jobs section.

  • CVE-2024-2213LowJun 6, 2024
    risk 0.14cvss 3.3epss 0.00

    An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for…

  • CVE-2026-40109LowApr 9, 2026
    risk 0.13cvss 3.1epss 0.00

    Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication.…

  • CVE-2024-50341LowNov 6, 2024
    risk 0.13cvss 3.1epss 0.00

    symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the…

  • CVE-2024-49755LowOct 28, 2024
    risk 0.13cvss 3.1epss 0.00

    Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api…

  • CVE-2021-39226CriKEVOct 5, 2021
    risk 0.13cvss 9.8epss 1.00

    Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot…

  • CVE-2021-32729LowJul 1, 2021
    risk 0.13cvss 2.0epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A vulnerability exists in versions prior to 12.6.88, 12.10.4, and 13.0. The script service method used to reset the authentication failures record can be executed by any user…

  • CVE-2021-32648HigKEVAug 26, 2021
    risk 0.12cvss 8.2epss 0.90

    octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472…

  • CVE-2025-48370LowMay 27, 2025
    risk 0.11cvss epss 0.01

    auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.70.0, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path…

  • CVE-2012-2122Jun 26, 2012
    risk 0.11cvss epss 0.96

    sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp…

  • CVE-2009-1122Jun 10, 2009
    risk 0.11cvss epss 0.98

    The WebDAV extension in Microsoft Internet Information Services (IIS) 5.0 on Windows 2000 SP4 does not properly decode URLs, which allows remote attackers to bypass authentication, and possibly read or create files, via a crafted HTTP request, aka "IIS 5.0 WebDAV Authentication…

  • CVE-2009-1535Jun 10, 2009
    risk 0.11cvss epss 0.98

    The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as…

  • CVE-2013-6117Jul 11, 2014
    risk 0.09cvss epss 0.71

    Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.