VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 73 of 121
  • CVE-2009-1549May 6, 2009
    risk 0.04cvss epss 0.09

    AGTC MyShop 3.2b allows remote attackers to bypass authentication and obtain administrative access setting the log_accept cookie to "correcto."

  • CVE-2008-6763Apr 28, 2009
    risk 0.04cvss epss 0.07

    login2.php in Silentum LoginSys 1.0.0 allows remote attackers to bypass authentication and obtain access to an arbitrary account by setting the logged_in cookie to that account's username.

  • CVE-2008-6714Apr 10, 2009
    risk 0.04cvss epss 0.12

    admin.php in xeCMS 1.0.0 RC2 and earlier allows remote attackers to bypass authentication and access the admin panel by setting the xecms_username cookie.

  • CVE-2008-5692Dec 19, 2008
    risk 0.04cvss epss 0.08

    Ipswitch WS_FTP Server Manager before 6.1.1, and possibly other Ipswitch products, allows remote attackers to bypass authentication and read logs via a logLogout action to FTPLogServer/login.asp followed by a request to FTPLogServer/LogViewer.asp with the localhostnull account…

  • CVE-2008-4032Dec 10, 2008
    risk 0.04cvss epss 0.48

    Microsoft Office SharePoint Server 2007 Gold and SP1 and Microsoft Search Server 2008 do not properly perform authentication and authorization for administrative functions, which allows remote attackers to cause a denial of service (server load), obtain sensitive information,…

  • CVE-2008-5219Nov 25, 2008
    risk 0.04cvss epss 0.07

    The password change feature (admin/cp.php) in VideoScript 4.0.1.50 and earlier does not check for administrative authentication and does not require knowledge of the original password, which allows remote attackers to change the admin account password via modified npass and…

  • CVE-2008-3322Jul 25, 2008
    risk 0.04cvss epss 0.07

    admin/index.php in Maian Recipe 1.2 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary recipe_cookie cookie.

  • CVE-2008-3321Jul 25, 2008
    risk 0.04cvss epss 0.08

    admin/index.php in Maian Uploader 4.0 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary uploader_cookie cookie.

  • CVE-2008-3320Jul 25, 2008
    risk 0.04cvss epss 0.07

    admin/index.php in Maian Guestbook 3.2 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary gbook_cookie cookie.

  • CVE-2008-3318Jul 25, 2008
    risk 0.04cvss epss 0.08

    admin/index.php in Maian Weblog 4.0 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary weblog_cookie cookie.

  • CVE-2008-3319Jul 25, 2008
    risk 0.04cvss epss 0.08

    admin/index.php in Maian Links 3.1 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary links_cookie cookie.

  • CVE-2008-3317Jul 25, 2008
    risk 0.04cvss epss 0.08

    admin/index.php in Maian Search 1.1 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary search_cookie cookie.

  • CVE-2008-3292Jul 24, 2008
    risk 0.04cvss epss 0.07

    constants.inc in EZWebAlbum 1.0 allows remote attackers to bypass authentication and gain administrator privileges by setting the photoalbumadmin cookie, as demonstrated via addpage.php.

  • CVE-2008-1727Apr 11, 2008
    risk 0.04cvss epss 0.07

    KnowledgeQuest 2.5 and 2.6 does not require authentication for access to admincheck.php, which allows remote attackers to create arbitrary admin accounts.

  • CVE-2008-1321Mar 13, 2008
    risk 0.04cvss epss 0.08

    The FxIAList service in ASG-Sentry Network Manager 7.0.0 and earlier does require authentication, which allows remote attackers to cause a denial of service (service termination) via the exit command to TCP port 6162, or have other impacts via other commands.

  • CVE-2008-1262Mar 10, 2008
    risk 0.04cvss epss 0.09

    The administration panel on the Airspan WiMax ProST 4.1 antenna with 6.5.38.0 software does not verify authentication credentials, which allows remote attackers to (1) upload malformed firmware or (2) bind the antenna to a different WiMAX base station via unspecified requests to…

  • CVE-2007-5913Nov 10, 2007
    risk 0.04cvss epss 0.07

    dirsys/modules/auth.php in JBC Explorer 7.20 RC1 and earlier does not require authentication, which allows remote attackers to (1) delete auth.inc.php via the suppr parameter, and (2) re-create the auth.inc.php file with contents that specify a new account name and password for…

  • CVE-2006-2224May 5, 2006
    risk 0.04cvss epss 0.10

    RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly enforce RIPv2 authentication requirements, which allows remote attackers to modify routing state via RIPv1 RESPONSE packets.

  • CVE-2002-0563Jul 3, 2002
    risk 0.04cvss epss 0.51

    The default configuration of Oracle 9i Application Server 1.0.2.x allows remote anonymous users to access sensitive services without authentication, including Dynamic Monitoring Services (1) dms0, (2) dms/DMSDump, (3) servlet/DMSDump, (4) servlet/Spy, (5) soap/servlet/Spy, and…

  • CVE-2014-9605Sep 4, 2015
    risk 0.03cvss epss 0.04

    WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) character in the login and…