CWE-287
Improper Authentication
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (2,419)
page 72 of 121| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2012-0874 | 0.04 | — | 0.16 | Feb 5, 2013 | The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain… | |||
| CVE-2012-5930 | 0.04 | — | 0.07 | Dec 24, 2012 | The pa_modify_accounts function in auth.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 does not require authentication for the modifyAccounts method, which allows remote attackers to change the passwords of administrative accounts via a crafted… | |||
| CVE-2011-4644 | 0.04 | — | 0.08 | Jan 3, 2012 | Splunk 4.2.5 and earlier, when a Free license is selected, enables potentially undesirable functionality within an environment that intentionally does not support authentication, which allows remote attackers to (1) read arbitrary files via a management-console session that… | |||
| CVE-2011-2963 | 0.04 | — | 0.08 | Jul 29, 2011 | TCPUploadServer.exe in Progea Movicon 11.2 before Build 1084 does not require authentication for critical functions, which allows remote attackers to obtain sensitive information, delete files, execute arbitrary programs, or cause a denial of service (crash) via a crafted packet… | |||
| CVE-2011-2956 | 0.04 | — | 0.07 | Jul 28, 2011 | AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal. | |||
| CVE-2011-1519 | 0.04 | — | 0.09 | Mar 25, 2011 | The remote console in the Server Controller in IBM Lotus Domino 7.x and 8.x verifies credentials against a file located at a UNC share pathname specified by the client, which allows remote attackers to bypass authentication, and consequently execute arbitrary code, by placing… | |||
| CVE-2011-0920 | 0.04 | — | 0.10 | Feb 8, 2011 | The Remote Console in IBM Lotus Domino, when a certain unsupported configuration involving UNC share pathnames is used, allows remote attackers to bypass authentication and execute arbitrary code via unspecified vectors, aka SPR PRAD89WGRS. | |||
| CVE-2011-0489 | 0.04 | — | 0.13 | Jan 18, 2011 | The server components in Objectivity/DB 10.0 do not require authentication for administrative commands, which allows remote attackers to modify data, obtain sensitive information, or cause a denial of service by sending requests over TCP to (1) the Lock Server or (2) the… | |||
| CVE-2010-4333 | 0.04 | — | 0.07 | Dec 22, 2010 | Pointter PHP Micro-Blogging Social Network 1.8 allows remote attackers to bypass authentication and obtain administrative privileges via arbitrary values of the auser and apass cookies. | |||
| CVE-2010-4332 | 0.04 | — | 0.07 | Dec 22, 2010 | Pointter PHP Content Management System 1.0 allows remote attackers to bypass authentication and obtain administrative privileges via arbitrary values of the auser and apass cookies. | |||
| CVE-2009-4987 | 0.04 | — | 0.06 | Aug 25, 2010 | admin/header.php in Scripteen Free Image Hosting Script 2.3 allows remote attackers to bypass authentication and gain administrative access by setting the cookgid cookie value to 1, a different vector than CVE-2008-3211. | |||
| CVE-2009-4089 | 0.04 | — | 0.07 | Nov 29, 2009 | telepark.wiki 2.4.23 and earlier allows remote attackers to bypass authorization and (1) delete arbitrary pages via a modified pageID parameter to ajax/deletePage.php or (2) delete arbitrary comments via a modified pageID parameter to ajax/deleteComment.php. | |||
| CVE-2008-7124 | 0.04 | — | 0.09 | Aug 31, 2009 | zKup CMS 2.0 through 2.3 does not require administrative authentication for admin/configuration/modifier.php, which allows remote attackers to gain administrator privileges via a direct request, as demonstrated by adding a new administrator. | |||
| CVE-2008-7086 | 0.04 | — | 0.07 | Aug 26, 2009 | Maian Greetings 2.1 allows remote attackers to bypass authentication and gain administrative privileges by setting the mecard_admin_cookie cookie to admin. | |||
| CVE-2008-7006 | 0.04 | — | 0.07 | Aug 19, 2009 | Free PHP VX Guestbook 1.06 allows remote attackers to bypass authentication and download a backup of the database via a direct request to admin/backupdb.php. | |||
| CVE-2008-6947 | 0.04 | — | 0.08 | Aug 12, 2009 | Collabtive 0.4.8 allows remote attackers to bypass authentication and create new users, including administrators, via unspecified vectors associated with the added mode in a users action to admin.php. | |||
| CVE-2008-6912 | 0.04 | — | 0.07 | Aug 7, 2009 | Zeeways SHAADICLONE 2.0 allows remote attackers to bypass authentication and gain administrative privileges via a direct request to admin/home.php. | |||
| CVE-2009-2334 | 0.04 | — | 0.06 | Jul 10, 2009 | wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify… | |||
| CVE-2009-2257 | 0.04 | — | 0.07 | Jun 30, 2009 | The administrative web interface on the Netgear DG632 with firmware 3.4.0_ap allows remote attackers to bypass authentication via a direct request to (1) gateway/commands/saveconfig.html, and (2) stattbl.htm, (3) modemmenu.htm, (4) onload.htm, (5) form.css, (6) utility.js, and… | |||
| CVE-2009-1670 | 0.04 | — | 0.07 | May 18, 2009 | user/index.php in TCPDB 3.8 does not require administrative authentication, which allows remote attackers to add admin accounts via unspecified vectors. NOTE: some of these details are obtained from third party information. |
- CVE-2012-0874Feb 5, 2013risk 0.04cvss —epss 0.16
The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain…
- CVE-2012-5930Dec 24, 2012risk 0.04cvss —epss 0.07
The pa_modify_accounts function in auth.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 does not require authentication for the modifyAccounts method, which allows remote attackers to change the passwords of administrative accounts via a crafted…
- CVE-2011-4644Jan 3, 2012risk 0.04cvss —epss 0.08
Splunk 4.2.5 and earlier, when a Free license is selected, enables potentially undesirable functionality within an environment that intentionally does not support authentication, which allows remote attackers to (1) read arbitrary files via a management-console session that…
- CVE-2011-2963Jul 29, 2011risk 0.04cvss —epss 0.08
TCPUploadServer.exe in Progea Movicon 11.2 before Build 1084 does not require authentication for critical functions, which allows remote attackers to obtain sensitive information, delete files, execute arbitrary programs, or cause a denial of service (crash) via a crafted packet…
- CVE-2011-2956Jul 28, 2011risk 0.04cvss —epss 0.07
AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal.
- CVE-2011-1519Mar 25, 2011risk 0.04cvss —epss 0.09
The remote console in the Server Controller in IBM Lotus Domino 7.x and 8.x verifies credentials against a file located at a UNC share pathname specified by the client, which allows remote attackers to bypass authentication, and consequently execute arbitrary code, by placing…
- CVE-2011-0920Feb 8, 2011risk 0.04cvss —epss 0.10
The Remote Console in IBM Lotus Domino, when a certain unsupported configuration involving UNC share pathnames is used, allows remote attackers to bypass authentication and execute arbitrary code via unspecified vectors, aka SPR PRAD89WGRS.
- CVE-2011-0489Jan 18, 2011risk 0.04cvss —epss 0.13
The server components in Objectivity/DB 10.0 do not require authentication for administrative commands, which allows remote attackers to modify data, obtain sensitive information, or cause a denial of service by sending requests over TCP to (1) the Lock Server or (2) the…
- CVE-2010-4333Dec 22, 2010risk 0.04cvss —epss 0.07
Pointter PHP Micro-Blogging Social Network 1.8 allows remote attackers to bypass authentication and obtain administrative privileges via arbitrary values of the auser and apass cookies.
- CVE-2010-4332Dec 22, 2010risk 0.04cvss —epss 0.07
Pointter PHP Content Management System 1.0 allows remote attackers to bypass authentication and obtain administrative privileges via arbitrary values of the auser and apass cookies.
- CVE-2009-4987Aug 25, 2010risk 0.04cvss —epss 0.06
admin/header.php in Scripteen Free Image Hosting Script 2.3 allows remote attackers to bypass authentication and gain administrative access by setting the cookgid cookie value to 1, a different vector than CVE-2008-3211.
- CVE-2009-4089Nov 29, 2009risk 0.04cvss —epss 0.07
telepark.wiki 2.4.23 and earlier allows remote attackers to bypass authorization and (1) delete arbitrary pages via a modified pageID parameter to ajax/deletePage.php or (2) delete arbitrary comments via a modified pageID parameter to ajax/deleteComment.php.
- CVE-2008-7124Aug 31, 2009risk 0.04cvss —epss 0.09
zKup CMS 2.0 through 2.3 does not require administrative authentication for admin/configuration/modifier.php, which allows remote attackers to gain administrator privileges via a direct request, as demonstrated by adding a new administrator.
- CVE-2008-7086Aug 26, 2009risk 0.04cvss —epss 0.07
Maian Greetings 2.1 allows remote attackers to bypass authentication and gain administrative privileges by setting the mecard_admin_cookie cookie to admin.
- CVE-2008-7006Aug 19, 2009risk 0.04cvss —epss 0.07
Free PHP VX Guestbook 1.06 allows remote attackers to bypass authentication and download a backup of the database via a direct request to admin/backupdb.php.
- CVE-2008-6947Aug 12, 2009risk 0.04cvss —epss 0.08
Collabtive 0.4.8 allows remote attackers to bypass authentication and create new users, including administrators, via unspecified vectors associated with the added mode in a users action to admin.php.
- CVE-2008-6912Aug 7, 2009risk 0.04cvss —epss 0.07
Zeeways SHAADICLONE 2.0 allows remote attackers to bypass authentication and gain administrative privileges via a direct request to admin/home.php.
- CVE-2009-2334Jul 10, 2009risk 0.04cvss —epss 0.06
wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify…
- CVE-2009-2257Jun 30, 2009risk 0.04cvss —epss 0.07
The administrative web interface on the Netgear DG632 with firmware 3.4.0_ap allows remote attackers to bypass authentication via a direct request to (1) gateway/commands/saveconfig.html, and (2) stattbl.htm, (3) modemmenu.htm, (4) onload.htm, (5) form.css, (6) utility.js, and…
- CVE-2009-1670May 18, 2009risk 0.04cvss —epss 0.07
user/index.php in TCPDB 3.8 does not require administrative authentication, which allows remote attackers to add admin accounts via unspecified vectors. NOTE: some of these details are obtained from third party information.