VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 71 of 121
  • CVE-2011-3478Jan 25, 2012
    risk 0.06cvss epss 0.39

    The host-services component in Symantec pcAnywhere 12.5.x through 12.5.3, and IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), does not properly filter login and authentication data, which allows remote attackers to execute arbitrary code via a…

  • CVE-2024-51746LowNov 5, 2024
    risk 0.05cvss epss 0.00

    Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply…

  • CVE-2013-4824Oct 13, 2013
    risk 0.05cvss epss 0.24

    Unspecified vulnerability in HP Intelligent Management Center (iMC) and HP IMC Service Operation Management Software Module allows remote attackers to bypass authentication via unknown vectors, aka ZDI-CAN-1644.

  • CVE-2013-4782Jul 8, 2013
    risk 0.05cvss epss 0.26

    The Supermicro BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

  • CVE-2010-2731Sep 15, 2010
    risk 0.05cvss epss 0.31

    Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.1 on Windows XP SP3, when directory-based Basic Authentication is enabled, allows remote attackers to bypass intended access restrictions and execute ASP files via a crafted request, aka "Directory…

  • CVE-2010-2620Jul 2, 2010
    risk 0.05cvss epss 0.29

    Open&Compact FTP Server (Open-FTPD) 1.2 and earlier allows remote attackers to bypass authentication by sending (1) LIST, (2) RETR, (3) STOR, or other commands without performing the required login steps first.

  • CVE-2009-2255Jun 30, 2009
    risk 0.05cvss epss 0.31

    Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/record_company.php, which allows remote attackers to execute arbitrary code by uploading a .php file via the record_company_image parameter in conjunction with a PATH_INFO of…

  • CVE-2015-6401Dec 14, 2015
    risk 0.04cvss epss 0.08

    Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allow remote attackers to bypass an intended authentication requirement and execute unspecified administrative functions via a crafted HTTP request, aka Bug ID CSCux24941.

  • CVE-2014-2927Oct 15, 2014
    risk 0.04cvss epss 0.08

    The rsync daemon in F5 BIG-IP 11.6 before 11.6.0, 11.5.1 before HF3, 11.5.0 before HF4, 11.4.1 before HF4, 11.4.0 before HF7, 11.3.0 before HF9, and 11.2.1 before HF11 and Enterprise Manager 3.x before 3.1.1 HF2, when configured in failover mode, does not require authentication,…

  • CVE-2014-5300Oct 8, 2014
    risk 0.04cvss epss 0.07

    Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0 allows remote attackers to bypass the signature check, impersonate arbitrary users, and execute commands via a message without a signature.

  • CVE-2013-3977May 26, 2014
    risk 0.04cvss epss 0.09

    The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to determine which meeting rooms are owned by a user by leveraging knowledge of valid user names.

  • CVE-2013-6765May 19, 2014
    risk 0.04cvss epss 0.07

    OpenVAS Manager 3.0 before 3.0.7 and 4.0 before 4.0.4 allows remote attackers to bypass the OMP authentication restrictions and execute OMP commands via a crafted OMP request for version information, which causes the state to be set to CLIENT_AUTHENTIC, as demonstrated by the…

  • CVE-2014-1982Mar 31, 2014
    risk 0.04cvss epss 0.10

    The administrative interface in Allied Telesis AT-RG634A ADSL Broadband router 3.3+, iMG624A firmware 3.5, iMG616LH firmware 2.4, and iMG646BD firmware 3.5 allows remote attackers to gain privileges and execute arbitrary commands via a direct request to cli.html.

  • CVE-2013-7282Jan 10, 2014
    risk 0.04cvss epss 0.10

    The management web interface on the Nisuta NS-WIR150NE router with firmware 5.07.41 and Nisuta NS-WIR300N router with firmware 5.07.36_NIS01 allows remote attackers to bypass authentication via a "Cookie: :language=en" HTTP header.

  • CVE-2013-6890Dec 23, 2013
    risk 0.04cvss epss 0.09

    denyhosts 2.6 uses an incorrect regular expression when analyzing authentication logs, which allows remote attackers to cause a denial of service (incorrect block of IP addresses) via crafted login names.

  • CVE-2013-3613Sep 17, 2013
    risk 0.04cvss epss 0.07

    Dahua DVR appliances do not properly restrict UPnP requests, which makes it easier for remote attackers to obtain access via vectors involving a replay attack against the TELNET port.

  • CVE-2013-3586Aug 28, 2013
    risk 0.04cvss epss 0.12

    Samsung Web Viewer for Samsung DVR devices allows remote attackers to bypass authentication via an arbitrary SessionID value in a cookie.

  • CVE-2013-3431Jul 25, 2013
    risk 0.04cvss epss 0.09

    Cisco Video Surveillance Manager (VSM) before 7.0.0 does not require authentication for access to VSMC monitoring pages, which allows remote attackers to obtain sensitive configuration, archive, and log information via unspecified vectors, related to the Cisco_VSBWT (aka…

  • CVE-2013-3430Jul 25, 2013
    risk 0.04cvss epss 0.08

    Cisco Video Surveillance Manager (VSM) before 7.0.0 allows remote attackers to obtain sensitive configuration, archive, and log information via unspecified vectors, related to the Cisco_VSBWT (aka Broadware sample code) package, aka Bug ID CSCsv37288.

  • CVE-2013-4784Jul 8, 2013
    risk 0.04cvss epss 0.50

    The HP Integrated Lights-Out (iLO) BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.