VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 75 of 121
  • CVE-2010-0756Feb 27, 2010
    risk 0.03cvss epss 0.02

    Session fixation vulnerability in WikyBlog 1.7.3 rc2 allows remote attackers to hijack web sessions by setting the jsessionid parameter to (1) index.php/Comment/Main, (2) index.php/Comment/Main/Home_Wiky, or (3) index.php/Edit/Main.

  • CVE-2009-4447Dec 29, 2009
    risk 0.03cvss epss 0.03

    Jax Guestbook 3.5.0 allows remote attackers to bypass authentication and modify administrator settings via a direct request to admin/guestbook.admin.php.

  • CVE-2009-4367Dec 21, 2009
    risk 0.03cvss epss 0.06

    The Staging Webservice ("sitecore modules/staging/service/api.asmx") in Sitecore Staging Module 5.4.0 rev.080625 and earlier allows remote attackers to bypass authentication and (1) upload files, (2) download files, (3) list directories, and (4) clear the server cache via…

  • CVE-2009-2505Dec 9, 2009
    risk 0.03cvss epss 0.32

    The Internet Authentication Service (IAS) in Microsoft Windows Vista SP2 and Server 2008 SP2 does not properly validate MS-CHAP v2 Protected Extensible Authentication Protocol (PEAP) authentication requests, which allows remote attackers to execute arbitrary code via crafted…

  • CVE-2009-3966Nov 18, 2009
    risk 0.03cvss epss 0.02

    Arcade Trade Script 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the adminLoggedIn cookie to true.

  • CVE-2009-3828Oct 30, 2009
    risk 0.03cvss epss 0.03

    The web interface for Everfocus EDR1600 DVR allows remote attackers to bypass authentication and access live cams via certain vectors.

  • CVE-2009-3423Sep 25, 2009
    risk 0.03cvss epss 0.03

    login.php in Zenas PaoLink 1.0, when register_globals is enabled, allows remote attackers to bypass authentication and gain administrative access by setting the login_ok parameter to 1.

  • CVE-2009-3422Sep 25, 2009
    risk 0.03cvss epss 0.03

    login.php in Zenas PaoLiber 1.1, when register_globals is enabled, allows remote attackers to bypass authentication and gain administrative access by setting the login_ok parameter to 1.

  • CVE-2009-3158Sep 10, 2009
    risk 0.03cvss epss 0.03

    admin/files.php in simplePHPWeb 0.2 does not require authentication, which allows remote attackers to perform unspecified administrative actions via unknown vectors. NOTE: some of these details are obtained from third party information.

  • CVE-2008-7179Sep 8, 2009
    risk 0.03cvss epss 0.02

    OTManager CMS 2.4 allows remote attackers to bypass authentication and gain administrator privileges by setting the ADMIN_Hora, ADMIN_Logado, and ADMIN_Nome cookies to certain values, as reachable in Admin/index.php.

  • CVE-2008-7156Sep 2, 2009
    risk 0.03cvss epss 0.02

    EkinBoard 1.1.0 and earlier, when register_globals is enabled, allows remote attackers to bypass authorization and gain administrator privileges by setting the _groups[] parameter to 2, as demonstrated via backup.php.

  • CVE-2008-7051Aug 24, 2009
    risk 0.03cvss epss 0.03

    AJ Square AJ Article allows remote attackers to bypass authentication and access administrator functionality via a direct request to (1) user.php, (2) articles.php, (3) articlesuspend.php, (4) site.php, (5) statistics.php, (6) mail.php, (7) category.php, (8) subcategory.php, (9)…

  • CVE-2008-7047Aug 24, 2009
    risk 0.03cvss epss 0.03

    NatterChat 1.1 allows remote attackers to bypass authentication and gain administrator privileges to read or delete rooms and messages via a direct request to admin/home.asp.

  • CVE-2008-7046Aug 24, 2009
    risk 0.03cvss epss 0.02

    AJ Square Free Polling Script (AJPoll) allows remote attackers to bypass authentication and create new polls via a direct request to admin/include/newpoll.php, a different vector than CVE-2008-7045. NOTE: the provenance of this information is unknown; the details are obtained…

  • CVE-2008-7045Aug 24, 2009
    risk 0.03cvss epss 0.03

    AJ Square Free Polling Script (AJPoll) Database version allows remote attackers to bypass authentication and reset poll votes via a direct request to admin/resetvote.php.

  • CVE-2008-7041Aug 24, 2009
    risk 0.03cvss epss 0.03

    AJ Classifieds allows remote attackers to bypass authentication and gain administrator privileges via a direct request to admin/home.php.

  • CVE-2008-7028Aug 21, 2009
    risk 0.03cvss epss 0.03

    RPG.Board 0.8 Beta2 and earlier allows remote attackers to bypass authentication and gain privileges by setting the keep4u cookie to a certain value.

  • CVE-2008-7027Aug 21, 2009
    risk 0.03cvss epss 0.02

    Libra File Manager 1.18 and earlier allows remote attackers to bypass authentication and gain privileges by setting the user and pass cookies to 1.

  • CVE-2008-7019Aug 21, 2009
    risk 0.03cvss epss 0.03

    Esqlanelapse 2.6.1 and 2.6.2 allows remote attackers to bypass authentication and gain privileges via modified (1) enombre and (2) euri cookies.

  • CVE-2008-7008Aug 19, 2009
    risk 0.03cvss epss 0.03

    HyperStop Web Host Directory 1.2 allows remote attackers to bypass authentication and download a database backup via a direct request to admin/backup/db.