VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 72 of 121
  • CVE-2012-0874Feb 5, 2013
    risk 0.04cvss epss 0.16

    The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain…

  • CVE-2012-5930Dec 24, 2012
    risk 0.04cvss epss 0.07

    The pa_modify_accounts function in auth.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 does not require authentication for the modifyAccounts method, which allows remote attackers to change the passwords of administrative accounts via a crafted…

  • CVE-2011-4644Jan 3, 2012
    risk 0.04cvss epss 0.08

    Splunk 4.2.5 and earlier, when a Free license is selected, enables potentially undesirable functionality within an environment that intentionally does not support authentication, which allows remote attackers to (1) read arbitrary files via a management-console session that…

  • CVE-2011-2963Jul 29, 2011
    risk 0.04cvss epss 0.08

    TCPUploadServer.exe in Progea Movicon 11.2 before Build 1084 does not require authentication for critical functions, which allows remote attackers to obtain sensitive information, delete files, execute arbitrary programs, or cause a denial of service (crash) via a crafted packet…

  • CVE-2011-2956Jul 28, 2011
    risk 0.04cvss epss 0.07

    AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal.

  • CVE-2011-1519Mar 25, 2011
    risk 0.04cvss epss 0.09

    The remote console in the Server Controller in IBM Lotus Domino 7.x and 8.x verifies credentials against a file located at a UNC share pathname specified by the client, which allows remote attackers to bypass authentication, and consequently execute arbitrary code, by placing…

  • CVE-2011-0920Feb 8, 2011
    risk 0.04cvss epss 0.10

    The Remote Console in IBM Lotus Domino, when a certain unsupported configuration involving UNC share pathnames is used, allows remote attackers to bypass authentication and execute arbitrary code via unspecified vectors, aka SPR PRAD89WGRS.

  • CVE-2011-0489Jan 18, 2011
    risk 0.04cvss epss 0.13

    The server components in Objectivity/DB 10.0 do not require authentication for administrative commands, which allows remote attackers to modify data, obtain sensitive information, or cause a denial of service by sending requests over TCP to (1) the Lock Server or (2) the…

  • CVE-2010-4333Dec 22, 2010
    risk 0.04cvss epss 0.07

    Pointter PHP Micro-Blogging Social Network 1.8 allows remote attackers to bypass authentication and obtain administrative privileges via arbitrary values of the auser and apass cookies.

  • CVE-2010-4332Dec 22, 2010
    risk 0.04cvss epss 0.07

    Pointter PHP Content Management System 1.0 allows remote attackers to bypass authentication and obtain administrative privileges via arbitrary values of the auser and apass cookies.

  • CVE-2009-4987Aug 25, 2010
    risk 0.04cvss epss 0.06

    admin/header.php in Scripteen Free Image Hosting Script 2.3 allows remote attackers to bypass authentication and gain administrative access by setting the cookgid cookie value to 1, a different vector than CVE-2008-3211.

  • CVE-2009-4089Nov 29, 2009
    risk 0.04cvss epss 0.07

    telepark.wiki 2.4.23 and earlier allows remote attackers to bypass authorization and (1) delete arbitrary pages via a modified pageID parameter to ajax/deletePage.php or (2) delete arbitrary comments via a modified pageID parameter to ajax/deleteComment.php.

  • CVE-2008-7124Aug 31, 2009
    risk 0.04cvss epss 0.09

    zKup CMS 2.0 through 2.3 does not require administrative authentication for admin/configuration/modifier.php, which allows remote attackers to gain administrator privileges via a direct request, as demonstrated by adding a new administrator.

  • CVE-2008-7086Aug 26, 2009
    risk 0.04cvss epss 0.07

    Maian Greetings 2.1 allows remote attackers to bypass authentication and gain administrative privileges by setting the mecard_admin_cookie cookie to admin.

  • CVE-2008-7006Aug 19, 2009
    risk 0.04cvss epss 0.07

    Free PHP VX Guestbook 1.06 allows remote attackers to bypass authentication and download a backup of the database via a direct request to admin/backupdb.php.

  • CVE-2008-6947Aug 12, 2009
    risk 0.04cvss epss 0.08

    Collabtive 0.4.8 allows remote attackers to bypass authentication and create new users, including administrators, via unspecified vectors associated with the added mode in a users action to admin.php.

  • CVE-2008-6912Aug 7, 2009
    risk 0.04cvss epss 0.07

    Zeeways SHAADICLONE 2.0 allows remote attackers to bypass authentication and gain administrative privileges via a direct request to admin/home.php.

  • CVE-2009-2334Jul 10, 2009
    risk 0.04cvss epss 0.06

    wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify…

  • CVE-2009-2257Jun 30, 2009
    risk 0.04cvss epss 0.07

    The administrative web interface on the Netgear DG632 with firmware 3.4.0_ap allows remote attackers to bypass authentication via a direct request to (1) gateway/commands/saveconfig.html, and (2) stattbl.htm, (3) modemmenu.htm, (4) onload.htm, (5) form.css, (6) utility.js, and…

  • CVE-2009-1670May 18, 2009
    risk 0.04cvss epss 0.07

    user/index.php in TCPDB 3.8 does not require administrative authentication, which allows remote attackers to add admin accounts via unspecified vectors. NOTE: some of these details are obtained from third party information.