CWE-287
Improper Authentication
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (2,419)
page 73 of 121| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-1549 | 0.04 | — | 0.09 | May 6, 2009 | AGTC MyShop 3.2b allows remote attackers to bypass authentication and obtain administrative access setting the log_accept cookie to "correcto." | |||
| CVE-2008-6763 | 0.04 | — | 0.07 | Apr 28, 2009 | login2.php in Silentum LoginSys 1.0.0 allows remote attackers to bypass authentication and obtain access to an arbitrary account by setting the logged_in cookie to that account's username. | |||
| CVE-2008-6714 | 0.04 | — | 0.12 | Apr 10, 2009 | admin.php in xeCMS 1.0.0 RC2 and earlier allows remote attackers to bypass authentication and access the admin panel by setting the xecms_username cookie. | |||
| CVE-2008-5692 | 0.04 | — | 0.08 | Dec 19, 2008 | Ipswitch WS_FTP Server Manager before 6.1.1, and possibly other Ipswitch products, allows remote attackers to bypass authentication and read logs via a logLogout action to FTPLogServer/login.asp followed by a request to FTPLogServer/LogViewer.asp with the localhostnull account… | |||
| CVE-2008-4032 | 0.04 | — | 0.48 | Dec 10, 2008 | Microsoft Office SharePoint Server 2007 Gold and SP1 and Microsoft Search Server 2008 do not properly perform authentication and authorization for administrative functions, which allows remote attackers to cause a denial of service (server load), obtain sensitive information,… | |||
| CVE-2008-5219 | 0.04 | — | 0.07 | Nov 25, 2008 | The password change feature (admin/cp.php) in VideoScript 4.0.1.50 and earlier does not check for administrative authentication and does not require knowledge of the original password, which allows remote attackers to change the admin account password via modified npass and… | |||
| CVE-2008-3322 | 0.04 | — | 0.07 | Jul 25, 2008 | admin/index.php in Maian Recipe 1.2 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary recipe_cookie cookie. | |||
| CVE-2008-3321 | 0.04 | — | 0.08 | Jul 25, 2008 | admin/index.php in Maian Uploader 4.0 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary uploader_cookie cookie. | |||
| CVE-2008-3320 | 0.04 | — | 0.07 | Jul 25, 2008 | admin/index.php in Maian Guestbook 3.2 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary gbook_cookie cookie. | |||
| CVE-2008-3318 | 0.04 | — | 0.08 | Jul 25, 2008 | admin/index.php in Maian Weblog 4.0 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary weblog_cookie cookie. | |||
| CVE-2008-3319 | 0.04 | — | 0.08 | Jul 25, 2008 | admin/index.php in Maian Links 3.1 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary links_cookie cookie. | |||
| CVE-2008-3317 | 0.04 | — | 0.08 | Jul 25, 2008 | admin/index.php in Maian Search 1.1 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary search_cookie cookie. | |||
| CVE-2008-3292 | 0.04 | — | 0.07 | Jul 24, 2008 | constants.inc in EZWebAlbum 1.0 allows remote attackers to bypass authentication and gain administrator privileges by setting the photoalbumadmin cookie, as demonstrated via addpage.php. | |||
| CVE-2008-1727 | 0.04 | — | 0.07 | Apr 11, 2008 | KnowledgeQuest 2.5 and 2.6 does not require authentication for access to admincheck.php, which allows remote attackers to create arbitrary admin accounts. | |||
| CVE-2008-1321 | 0.04 | — | 0.08 | Mar 13, 2008 | The FxIAList service in ASG-Sentry Network Manager 7.0.0 and earlier does require authentication, which allows remote attackers to cause a denial of service (service termination) via the exit command to TCP port 6162, or have other impacts via other commands. | |||
| CVE-2008-1262 | 0.04 | — | 0.09 | Mar 10, 2008 | The administration panel on the Airspan WiMax ProST 4.1 antenna with 6.5.38.0 software does not verify authentication credentials, which allows remote attackers to (1) upload malformed firmware or (2) bind the antenna to a different WiMAX base station via unspecified requests to… | |||
| CVE-2007-5913 | 0.04 | — | 0.07 | Nov 10, 2007 | dirsys/modules/auth.php in JBC Explorer 7.20 RC1 and earlier does not require authentication, which allows remote attackers to (1) delete auth.inc.php via the suppr parameter, and (2) re-create the auth.inc.php file with contents that specify a new account name and password for… | |||
| CVE-2006-2224 | 0.04 | — | 0.10 | May 5, 2006 | RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly enforce RIPv2 authentication requirements, which allows remote attackers to modify routing state via RIPv1 RESPONSE packets. | |||
| CVE-2002-0563 | 0.04 | — | 0.51 | Jul 3, 2002 | The default configuration of Oracle 9i Application Server 1.0.2.x allows remote anonymous users to access sensitive services without authentication, including Dynamic Monitoring Services (1) dms0, (2) dms/DMSDump, (3) servlet/DMSDump, (4) servlet/Spy, (5) soap/servlet/Spy, and… | |||
| CVE-2014-9605 | 0.03 | — | 0.04 | Sep 4, 2015 | WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) character in the login and… |
- CVE-2009-1549May 6, 2009risk 0.04cvss —epss 0.09
AGTC MyShop 3.2b allows remote attackers to bypass authentication and obtain administrative access setting the log_accept cookie to "correcto."
- CVE-2008-6763Apr 28, 2009risk 0.04cvss —epss 0.07
login2.php in Silentum LoginSys 1.0.0 allows remote attackers to bypass authentication and obtain access to an arbitrary account by setting the logged_in cookie to that account's username.
- CVE-2008-6714Apr 10, 2009risk 0.04cvss —epss 0.12
admin.php in xeCMS 1.0.0 RC2 and earlier allows remote attackers to bypass authentication and access the admin panel by setting the xecms_username cookie.
- CVE-2008-5692Dec 19, 2008risk 0.04cvss —epss 0.08
Ipswitch WS_FTP Server Manager before 6.1.1, and possibly other Ipswitch products, allows remote attackers to bypass authentication and read logs via a logLogout action to FTPLogServer/login.asp followed by a request to FTPLogServer/LogViewer.asp with the localhostnull account…
- CVE-2008-4032Dec 10, 2008risk 0.04cvss —epss 0.48
Microsoft Office SharePoint Server 2007 Gold and SP1 and Microsoft Search Server 2008 do not properly perform authentication and authorization for administrative functions, which allows remote attackers to cause a denial of service (server load), obtain sensitive information,…
- CVE-2008-5219Nov 25, 2008risk 0.04cvss —epss 0.07
The password change feature (admin/cp.php) in VideoScript 4.0.1.50 and earlier does not check for administrative authentication and does not require knowledge of the original password, which allows remote attackers to change the admin account password via modified npass and…
- CVE-2008-3322Jul 25, 2008risk 0.04cvss —epss 0.07
admin/index.php in Maian Recipe 1.2 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary recipe_cookie cookie.
- CVE-2008-3321Jul 25, 2008risk 0.04cvss —epss 0.08
admin/index.php in Maian Uploader 4.0 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary uploader_cookie cookie.
- CVE-2008-3320Jul 25, 2008risk 0.04cvss —epss 0.07
admin/index.php in Maian Guestbook 3.2 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary gbook_cookie cookie.
- CVE-2008-3318Jul 25, 2008risk 0.04cvss —epss 0.08
admin/index.php in Maian Weblog 4.0 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary weblog_cookie cookie.
- CVE-2008-3319Jul 25, 2008risk 0.04cvss —epss 0.08
admin/index.php in Maian Links 3.1 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary links_cookie cookie.
- CVE-2008-3317Jul 25, 2008risk 0.04cvss —epss 0.08
admin/index.php in Maian Search 1.1 and earlier allows remote attackers to bypass authentication and gain administrative access by sending an arbitrary search_cookie cookie.
- CVE-2008-3292Jul 24, 2008risk 0.04cvss —epss 0.07
constants.inc in EZWebAlbum 1.0 allows remote attackers to bypass authentication and gain administrator privileges by setting the photoalbumadmin cookie, as demonstrated via addpage.php.
- CVE-2008-1727Apr 11, 2008risk 0.04cvss —epss 0.07
KnowledgeQuest 2.5 and 2.6 does not require authentication for access to admincheck.php, which allows remote attackers to create arbitrary admin accounts.
- CVE-2008-1321Mar 13, 2008risk 0.04cvss —epss 0.08
The FxIAList service in ASG-Sentry Network Manager 7.0.0 and earlier does require authentication, which allows remote attackers to cause a denial of service (service termination) via the exit command to TCP port 6162, or have other impacts via other commands.
- CVE-2008-1262Mar 10, 2008risk 0.04cvss —epss 0.09
The administration panel on the Airspan WiMax ProST 4.1 antenna with 6.5.38.0 software does not verify authentication credentials, which allows remote attackers to (1) upload malformed firmware or (2) bind the antenna to a different WiMAX base station via unspecified requests to…
- CVE-2007-5913Nov 10, 2007risk 0.04cvss —epss 0.07
dirsys/modules/auth.php in JBC Explorer 7.20 RC1 and earlier does not require authentication, which allows remote attackers to (1) delete auth.inc.php via the suppr parameter, and (2) re-create the auth.inc.php file with contents that specify a new account name and password for…
- CVE-2006-2224May 5, 2006risk 0.04cvss —epss 0.10
RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly enforce RIPv2 authentication requirements, which allows remote attackers to modify routing state via RIPv1 RESPONSE packets.
- CVE-2002-0563Jul 3, 2002risk 0.04cvss —epss 0.51
The default configuration of Oracle 9i Application Server 1.0.2.x allows remote anonymous users to access sensitive services without authentication, including Dynamic Monitoring Services (1) dms0, (2) dms/DMSDump, (3) servlet/DMSDump, (4) servlet/Spy, (5) soap/servlet/Spy, and…
- CVE-2014-9605Sep 4, 2015risk 0.03cvss —epss 0.04
WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) character in the login and…