CWE-287
Improper Authentication
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (2,419)
page 74 of 121| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-3139 | 0.03 | — | 0.03 | May 2, 2014 | recoveryconsole/bpl/snmpd.php in Unitrends Enterprise Backup 7.3.0 allows remote attackers to bypass authentication by setting the auth parameter to a certain string. | |||
| CVE-2014-2341 | 0.03 | — | 0.06 | Apr 22, 2014 | Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter. | |||
| CVE-2013-6031 | 0.03 | — | 0.06 | Mar 11, 2014 | The Huawei E355 adapter with firmware 21.157.37.01.910 does not require authentication for API pages, which allows remote attackers to change passwords and settings, or obtain sensitive information, via a direct request to (1) api/wlan/security-settings, (2)… | |||
| CVE-2013-7183 | 0.03 | — | 0.03 | Feb 4, 2014 | cgi-bin/reboot.cgi on Seowon Intech SWC-9100 routers allows remote attackers to (1) cause a denial of service (reboot) via a default_reboot action or (2) reset all configuration values via a factory_default action. | |||
| CVE-2013-5038 | 0.03 | — | 0.03 | Dec 30, 2013 | The HOT HOTBOX router with software 2.1.11 allows remote attackers to bypass authentication by configuring a source IP address that had previously been used for an authenticated session. | |||
| CVE-2012-5858 | 0.03 | — | 0.04 | Dec 3, 2012 | Samsung Kies Air 2.1.207051 and 2.1.210161 relies on the IP address for authentication, which allows remote man-in-the-middle attackers to read arbitrary phone contents by spoofing or controlling the IP address. | |||
| CVE-2012-2437 | 0.03 | — | 0.02 | Nov 26, 2012 | cookie_gen.php in ar web content manager (AWCM) 2.2 does not require authentication, which allows remote attackers to generate arbitrary cookies via the name parameter in conjunction with the content parameter. | |||
| CVE-2012-5864 | 0.03 | — | 0.05 | Nov 23, 2012 | These Sinapsi devices do not check if users that visit pages within the device have properly authenticated. By directly visiting the pages within the device, attackers can gain unauthorized access with administrative privileges. | |||
| CVE-2012-4926 | 0.03 | — | 0.02 | Sep 15, 2012 | approve.php in Img Pals Photo Host 1.0 does not authenticate requests, which allows remote attackers to change the activation of administrators via the u parameter in an (1) app0 (disable) or (2) app1 (enable) action. | |||
| CVE-2011-5053 | 0.03 | — | 0.03 | Jan 6, 2012 | The Wi-Fi Protected Setup (WPS) protocol, when the "external registrar" authentication method is used, does not properly inform clients about failed PIN authentication, which makes it easier for remote attackers to discover the PIN value, and consequently discover the Wi-Fi… | |||
| CVE-2010-4232 | 0.03 | — | 0.04 | Nov 17, 2010 | The web-based administration interface on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to bypass authentication via a // (slash slash) at the beginning of a URI, as demonstrated by the… | |||
| CVE-2009-4929 | 0.03 | — | 0.02 | Jul 12, 2010 | admin/manage_users.php in TotalCalendar 2.4 does not require administrative authentication, which allows remote attackers to change arbitrary passwords via the newPW1 and newPW2 parameters. | |||
| CVE-2009-4927 | 0.03 | — | 0.02 | Jul 12, 2010 | WB News 2.1.2 allows remote attackers to bypass authentication and gain administrative access via a modified WBNEWS cookie, as demonstrated by setting this cookie to 1. | |||
| CVE-2009-4808 | 0.03 | — | 0.03 | Apr 23, 2010 | admin.php in Graugon PHP Article Publisher 1.0 allows remote attackers to bypass authentication and obtain administrative access by setting the g_admin cookie to 1. | |||
| CVE-2009-4806 | 0.03 | — | 0.03 | Apr 23, 2010 | admin/save_user.asp in Digital Interchange Document Library 1.0.1 does not require administrative authentication, which allows remote attackers to read or modify the administrator's credentials via unspecified vectors. NOTE: some of these details are obtained from third party… | |||
| CVE-2009-4801 | 0.03 | — | 0.02 | Apr 23, 2010 | EZ-Blog Beta 1 does not require authentication, which allows remote attackers to create or delete arbitrary posts via requests to PHP scripts. | |||
| CVE-2009-4675 | 0.03 | — | 0.03 | Mar 5, 2010 | admin/admin_info/index.php in the Mole Group Gastro Portal (Restaurant Directory) Script does not require administrative authentication, which allows remote attackers to change the admin password via an unspecified form submission. | |||
| CVE-2009-4671 | 0.03 | — | 0.02 | Mar 5, 2010 | Login.php in RoomPHPlanning 1.6 allows remote attackers to bypass authentication and obtain administrative access by setting the room_phplanning cookie to a value associated with the admin account. | |||
| CVE-2009-4670 | 0.03 | — | 0.02 | Mar 5, 2010 | admin/delitem.php in RoomPHPlanning 1.6 does not require authentication, which allows remote attackers to (1) delete arbitrary users via the user parameter or (2) delete arbitrary rooms via the room parameter. | |||
| CVE-2009-4657 | 0.03 | — | 0.02 | Mar 3, 2010 | The administrator package for Xerver 4.32 does not require authentication, which allows remote attackers to alter application settings by connecting to the application on port 32123, as demonstrated by setting the action option to wizardStep1. |
- CVE-2014-3139May 2, 2014risk 0.03cvss —epss 0.03
recoveryconsole/bpl/snmpd.php in Unitrends Enterprise Backup 7.3.0 allows remote attackers to bypass authentication by setting the auth parameter to a certain string.
- CVE-2014-2341Apr 22, 2014risk 0.03cvss —epss 0.06
Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
- CVE-2013-6031Mar 11, 2014risk 0.03cvss —epss 0.06
The Huawei E355 adapter with firmware 21.157.37.01.910 does not require authentication for API pages, which allows remote attackers to change passwords and settings, or obtain sensitive information, via a direct request to (1) api/wlan/security-settings, (2)…
- CVE-2013-7183Feb 4, 2014risk 0.03cvss —epss 0.03
cgi-bin/reboot.cgi on Seowon Intech SWC-9100 routers allows remote attackers to (1) cause a denial of service (reboot) via a default_reboot action or (2) reset all configuration values via a factory_default action.
- CVE-2013-5038Dec 30, 2013risk 0.03cvss —epss 0.03
The HOT HOTBOX router with software 2.1.11 allows remote attackers to bypass authentication by configuring a source IP address that had previously been used for an authenticated session.
- CVE-2012-5858Dec 3, 2012risk 0.03cvss —epss 0.04
Samsung Kies Air 2.1.207051 and 2.1.210161 relies on the IP address for authentication, which allows remote man-in-the-middle attackers to read arbitrary phone contents by spoofing or controlling the IP address.
- CVE-2012-2437Nov 26, 2012risk 0.03cvss —epss 0.02
cookie_gen.php in ar web content manager (AWCM) 2.2 does not require authentication, which allows remote attackers to generate arbitrary cookies via the name parameter in conjunction with the content parameter.
- CVE-2012-5864Nov 23, 2012risk 0.03cvss —epss 0.05
These Sinapsi devices do not check if users that visit pages within the device have properly authenticated. By directly visiting the pages within the device, attackers can gain unauthorized access with administrative privileges.
- CVE-2012-4926Sep 15, 2012risk 0.03cvss —epss 0.02
approve.php in Img Pals Photo Host 1.0 does not authenticate requests, which allows remote attackers to change the activation of administrators via the u parameter in an (1) app0 (disable) or (2) app1 (enable) action.
- CVE-2011-5053Jan 6, 2012risk 0.03cvss —epss 0.03
The Wi-Fi Protected Setup (WPS) protocol, when the "external registrar" authentication method is used, does not properly inform clients about failed PIN authentication, which makes it easier for remote attackers to discover the PIN value, and consequently discover the Wi-Fi…
- CVE-2010-4232Nov 17, 2010risk 0.03cvss —epss 0.04
The web-based administration interface on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to bypass authentication via a // (slash slash) at the beginning of a URI, as demonstrated by the…
- CVE-2009-4929Jul 12, 2010risk 0.03cvss —epss 0.02
admin/manage_users.php in TotalCalendar 2.4 does not require administrative authentication, which allows remote attackers to change arbitrary passwords via the newPW1 and newPW2 parameters.
- CVE-2009-4927Jul 12, 2010risk 0.03cvss —epss 0.02
WB News 2.1.2 allows remote attackers to bypass authentication and gain administrative access via a modified WBNEWS cookie, as demonstrated by setting this cookie to 1.
- CVE-2009-4808Apr 23, 2010risk 0.03cvss —epss 0.03
admin.php in Graugon PHP Article Publisher 1.0 allows remote attackers to bypass authentication and obtain administrative access by setting the g_admin cookie to 1.
- CVE-2009-4806Apr 23, 2010risk 0.03cvss —epss 0.03
admin/save_user.asp in Digital Interchange Document Library 1.0.1 does not require administrative authentication, which allows remote attackers to read or modify the administrator's credentials via unspecified vectors. NOTE: some of these details are obtained from third party…
- CVE-2009-4801Apr 23, 2010risk 0.03cvss —epss 0.02
EZ-Blog Beta 1 does not require authentication, which allows remote attackers to create or delete arbitrary posts via requests to PHP scripts.
- CVE-2009-4675Mar 5, 2010risk 0.03cvss —epss 0.03
admin/admin_info/index.php in the Mole Group Gastro Portal (Restaurant Directory) Script does not require administrative authentication, which allows remote attackers to change the admin password via an unspecified form submission.
- CVE-2009-4671Mar 5, 2010risk 0.03cvss —epss 0.02
Login.php in RoomPHPlanning 1.6 allows remote attackers to bypass authentication and obtain administrative access by setting the room_phplanning cookie to a value associated with the admin account.
- CVE-2009-4670Mar 5, 2010risk 0.03cvss —epss 0.02
admin/delitem.php in RoomPHPlanning 1.6 does not require authentication, which allows remote attackers to (1) delete arbitrary users via the user parameter or (2) delete arbitrary rooms via the room parameter.
- CVE-2009-4657Mar 3, 2010risk 0.03cvss —epss 0.02
The administrator package for Xerver 4.32 does not require authentication, which allows remote attackers to alter application settings by connecting to the application on port 32123, as demonstrated by setting the action option to wizardStep1.