CWE-287
Improper Authentication
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (2,419)
page 75 of 121| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2010-0756 | 0.03 | — | 0.02 | Feb 27, 2010 | Session fixation vulnerability in WikyBlog 1.7.3 rc2 allows remote attackers to hijack web sessions by setting the jsessionid parameter to (1) index.php/Comment/Main, (2) index.php/Comment/Main/Home_Wiky, or (3) index.php/Edit/Main. | |||
| CVE-2009-4447 | 0.03 | — | 0.03 | Dec 29, 2009 | Jax Guestbook 3.5.0 allows remote attackers to bypass authentication and modify administrator settings via a direct request to admin/guestbook.admin.php. | |||
| CVE-2009-4367 | 0.03 | — | 0.06 | Dec 21, 2009 | The Staging Webservice ("sitecore modules/staging/service/api.asmx") in Sitecore Staging Module 5.4.0 rev.080625 and earlier allows remote attackers to bypass authentication and (1) upload files, (2) download files, (3) list directories, and (4) clear the server cache via… | |||
| CVE-2009-2505 | 0.03 | — | 0.32 | Dec 9, 2009 | The Internet Authentication Service (IAS) in Microsoft Windows Vista SP2 and Server 2008 SP2 does not properly validate MS-CHAP v2 Protected Extensible Authentication Protocol (PEAP) authentication requests, which allows remote attackers to execute arbitrary code via crafted… | |||
| CVE-2009-3966 | 0.03 | — | 0.02 | Nov 18, 2009 | Arcade Trade Script 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the adminLoggedIn cookie to true. | |||
| CVE-2009-3828 | 0.03 | — | 0.03 | Oct 30, 2009 | The web interface for Everfocus EDR1600 DVR allows remote attackers to bypass authentication and access live cams via certain vectors. | |||
| CVE-2009-3423 | 0.03 | — | 0.03 | Sep 25, 2009 | login.php in Zenas PaoLink 1.0, when register_globals is enabled, allows remote attackers to bypass authentication and gain administrative access by setting the login_ok parameter to 1. | |||
| CVE-2009-3422 | 0.03 | — | 0.03 | Sep 25, 2009 | login.php in Zenas PaoLiber 1.1, when register_globals is enabled, allows remote attackers to bypass authentication and gain administrative access by setting the login_ok parameter to 1. | |||
| CVE-2009-3158 | 0.03 | — | 0.03 | Sep 10, 2009 | admin/files.php in simplePHPWeb 0.2 does not require authentication, which allows remote attackers to perform unspecified administrative actions via unknown vectors. NOTE: some of these details are obtained from third party information. | |||
| CVE-2008-7179 | 0.03 | — | 0.02 | Sep 8, 2009 | OTManager CMS 2.4 allows remote attackers to bypass authentication and gain administrator privileges by setting the ADMIN_Hora, ADMIN_Logado, and ADMIN_Nome cookies to certain values, as reachable in Admin/index.php. | |||
| CVE-2008-7156 | 0.03 | — | 0.02 | Sep 2, 2009 | EkinBoard 1.1.0 and earlier, when register_globals is enabled, allows remote attackers to bypass authorization and gain administrator privileges by setting the _groups[] parameter to 2, as demonstrated via backup.php. | |||
| CVE-2008-7051 | 0.03 | — | 0.03 | Aug 24, 2009 | AJ Square AJ Article allows remote attackers to bypass authentication and access administrator functionality via a direct request to (1) user.php, (2) articles.php, (3) articlesuspend.php, (4) site.php, (5) statistics.php, (6) mail.php, (7) category.php, (8) subcategory.php, (9)… | |||
| CVE-2008-7047 | 0.03 | — | 0.03 | Aug 24, 2009 | NatterChat 1.1 allows remote attackers to bypass authentication and gain administrator privileges to read or delete rooms and messages via a direct request to admin/home.asp. | |||
| CVE-2008-7046 | 0.03 | — | 0.02 | Aug 24, 2009 | AJ Square Free Polling Script (AJPoll) allows remote attackers to bypass authentication and create new polls via a direct request to admin/include/newpoll.php, a different vector than CVE-2008-7045. NOTE: the provenance of this information is unknown; the details are obtained… | |||
| CVE-2008-7045 | 0.03 | — | 0.03 | Aug 24, 2009 | AJ Square Free Polling Script (AJPoll) Database version allows remote attackers to bypass authentication and reset poll votes via a direct request to admin/resetvote.php. | |||
| CVE-2008-7041 | 0.03 | — | 0.03 | Aug 24, 2009 | AJ Classifieds allows remote attackers to bypass authentication and gain administrator privileges via a direct request to admin/home.php. | |||
| CVE-2008-7028 | 0.03 | — | 0.03 | Aug 21, 2009 | RPG.Board 0.8 Beta2 and earlier allows remote attackers to bypass authentication and gain privileges by setting the keep4u cookie to a certain value. | |||
| CVE-2008-7027 | 0.03 | — | 0.02 | Aug 21, 2009 | Libra File Manager 1.18 and earlier allows remote attackers to bypass authentication and gain privileges by setting the user and pass cookies to 1. | |||
| CVE-2008-7019 | 0.03 | — | 0.03 | Aug 21, 2009 | Esqlanelapse 2.6.1 and 2.6.2 allows remote attackers to bypass authentication and gain privileges via modified (1) enombre and (2) euri cookies. | |||
| CVE-2008-7008 | 0.03 | — | 0.03 | Aug 19, 2009 | HyperStop Web Host Directory 1.2 allows remote attackers to bypass authentication and download a database backup via a direct request to admin/backup/db. |
- CVE-2010-0756Feb 27, 2010risk 0.03cvss —epss 0.02
Session fixation vulnerability in WikyBlog 1.7.3 rc2 allows remote attackers to hijack web sessions by setting the jsessionid parameter to (1) index.php/Comment/Main, (2) index.php/Comment/Main/Home_Wiky, or (3) index.php/Edit/Main.
- CVE-2009-4447Dec 29, 2009risk 0.03cvss —epss 0.03
Jax Guestbook 3.5.0 allows remote attackers to bypass authentication and modify administrator settings via a direct request to admin/guestbook.admin.php.
- CVE-2009-4367Dec 21, 2009risk 0.03cvss —epss 0.06
The Staging Webservice ("sitecore modules/staging/service/api.asmx") in Sitecore Staging Module 5.4.0 rev.080625 and earlier allows remote attackers to bypass authentication and (1) upload files, (2) download files, (3) list directories, and (4) clear the server cache via…
- CVE-2009-2505Dec 9, 2009risk 0.03cvss —epss 0.32
The Internet Authentication Service (IAS) in Microsoft Windows Vista SP2 and Server 2008 SP2 does not properly validate MS-CHAP v2 Protected Extensible Authentication Protocol (PEAP) authentication requests, which allows remote attackers to execute arbitrary code via crafted…
- CVE-2009-3966Nov 18, 2009risk 0.03cvss —epss 0.02
Arcade Trade Script 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the adminLoggedIn cookie to true.
- CVE-2009-3828Oct 30, 2009risk 0.03cvss —epss 0.03
The web interface for Everfocus EDR1600 DVR allows remote attackers to bypass authentication and access live cams via certain vectors.
- CVE-2009-3423Sep 25, 2009risk 0.03cvss —epss 0.03
login.php in Zenas PaoLink 1.0, when register_globals is enabled, allows remote attackers to bypass authentication and gain administrative access by setting the login_ok parameter to 1.
- CVE-2009-3422Sep 25, 2009risk 0.03cvss —epss 0.03
login.php in Zenas PaoLiber 1.1, when register_globals is enabled, allows remote attackers to bypass authentication and gain administrative access by setting the login_ok parameter to 1.
- CVE-2009-3158Sep 10, 2009risk 0.03cvss —epss 0.03
admin/files.php in simplePHPWeb 0.2 does not require authentication, which allows remote attackers to perform unspecified administrative actions via unknown vectors. NOTE: some of these details are obtained from third party information.
- CVE-2008-7179Sep 8, 2009risk 0.03cvss —epss 0.02
OTManager CMS 2.4 allows remote attackers to bypass authentication and gain administrator privileges by setting the ADMIN_Hora, ADMIN_Logado, and ADMIN_Nome cookies to certain values, as reachable in Admin/index.php.
- CVE-2008-7156Sep 2, 2009risk 0.03cvss —epss 0.02
EkinBoard 1.1.0 and earlier, when register_globals is enabled, allows remote attackers to bypass authorization and gain administrator privileges by setting the _groups[] parameter to 2, as demonstrated via backup.php.
- CVE-2008-7051Aug 24, 2009risk 0.03cvss —epss 0.03
AJ Square AJ Article allows remote attackers to bypass authentication and access administrator functionality via a direct request to (1) user.php, (2) articles.php, (3) articlesuspend.php, (4) site.php, (5) statistics.php, (6) mail.php, (7) category.php, (8) subcategory.php, (9)…
- CVE-2008-7047Aug 24, 2009risk 0.03cvss —epss 0.03
NatterChat 1.1 allows remote attackers to bypass authentication and gain administrator privileges to read or delete rooms and messages via a direct request to admin/home.asp.
- CVE-2008-7046Aug 24, 2009risk 0.03cvss —epss 0.02
AJ Square Free Polling Script (AJPoll) allows remote attackers to bypass authentication and create new polls via a direct request to admin/include/newpoll.php, a different vector than CVE-2008-7045. NOTE: the provenance of this information is unknown; the details are obtained…
- CVE-2008-7045Aug 24, 2009risk 0.03cvss —epss 0.03
AJ Square Free Polling Script (AJPoll) Database version allows remote attackers to bypass authentication and reset poll votes via a direct request to admin/resetvote.php.
- CVE-2008-7041Aug 24, 2009risk 0.03cvss —epss 0.03
AJ Classifieds allows remote attackers to bypass authentication and gain administrator privileges via a direct request to admin/home.php.
- CVE-2008-7028Aug 21, 2009risk 0.03cvss —epss 0.03
RPG.Board 0.8 Beta2 and earlier allows remote attackers to bypass authentication and gain privileges by setting the keep4u cookie to a certain value.
- CVE-2008-7027Aug 21, 2009risk 0.03cvss —epss 0.02
Libra File Manager 1.18 and earlier allows remote attackers to bypass authentication and gain privileges by setting the user and pass cookies to 1.
- CVE-2008-7019Aug 21, 2009risk 0.03cvss —epss 0.03
Esqlanelapse 2.6.1 and 2.6.2 allows remote attackers to bypass authentication and gain privileges via modified (1) enombre and (2) euri cookies.
- CVE-2008-7008Aug 19, 2009risk 0.03cvss —epss 0.03
HyperStop Web Host Directory 1.2 allows remote attackers to bypass authentication and download a database backup via a direct request to admin/backup/db.