VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 77 of 121
  • CVE-2009-2159Jun 22, 2009
    risk 0.03cvss epss 0.03

    backup-database.php in TorrentTrader Classic 1.09 does not require administrative authentication, which allows remote attackers to create and download a backup database by making a direct request and then retrieving a .gz file from backups/.

  • CVE-2009-2117Jun 18, 2009
    risk 0.03cvss epss 0.02

    uye_paneli.php in phPortal 1.0 allows remote attackers to bypass authentication and obtain administrative access by setting the kulladi cookie to a valid username.

  • CVE-2009-2040Jun 12, 2009
    risk 0.03cvss epss 0.03

    admin/options.php in Grestul 1.2 does not properly restrict access, which allows remote attackers to bypass authentication and create administrative accounts via a manage_admin action in a direct request.

  • CVE-2009-2003Jun 8, 2009
    risk 0.03cvss epss 0.03

    Ascad Networks Password Protector SD 1.3.1 allows remote attackers to bypass authentication and gain administrative access by setting the (1) c7portal and (2) cookname cookies to "admin."

  • CVE-2009-1854Jun 1, 2009
    risk 0.03cvss epss 0.02

    Million Dollar Text Links 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the userid cookie to 1.

  • CVE-2009-1826May 29, 2009
    risk 0.03cvss epss 0.02

    modules/admuser.php in myGesuad 0.9.14 (aka 0.9) does not require administrative authentication, which allows remote authenticated users to list user accounts via a Find action.

  • CVE-2009-1825May 29, 2009
    risk 0.03cvss epss 0.02

    modules/admuser.php in myColex 1.4.2 does not require administrative authentication, which allows remote authenticated users to list user accounts via a Find action.

  • CVE-2008-6815May 28, 2009
    risk 0.03cvss epss 0.03

    mykdownload.php in MyKtools 2.4 does not require administrative authentication, which allows remote attackers to read a database backup by making a direct request, and then sending an unspecified request to the download page for the backup.

  • CVE-2009-1664May 18, 2009
    risk 0.03cvss epss 0.02

    myaccount.php in Easy Scripts Answer and Question Script does not verify the original password before changing passwords, which allows remote attackers to change the password of other users and gain privileges via modified userid, txtpassword, and txtRpassword parameters.

  • CVE-2009-1638May 15, 2009
    risk 0.03cvss epss 0.03

    Techno Dreams Job Career Package 3.0 allows remote attackers to bypass authentication and obtain administrative access by setting the JobCareerAdmin cookie to Login.

  • CVE-2009-1619May 12, 2009
    risk 0.03cvss epss 0.03

    Teraway FileStream 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the twFSadmin cookie to 1.

  • CVE-2009-1618May 12, 2009
    risk 0.03cvss epss 0.03

    Teraway LiveHelp 2.0 allows remote attackers to bypass authentication and gain administrative access via a pwd=&lvl=1&usr=&alias=admin&userid=1 value for the TWLHadmin cookie.

  • CVE-2009-1617May 12, 2009
    risk 0.03cvss epss 0.03

    Teraway LinkTracker 1.0 allows remote attackers to bypass authentication and gain administrative access via a userid=1&lvl=1 value for the twLTadmin cookie.

  • CVE-2008-6804May 11, 2009
    risk 0.03cvss epss 0.03

    Tribiq CMS 5.0.9a beta allows remote attackers to bypass authentication and gain administrative access by setting the COOKIE_LAST_ADMIN_USER and COOKIE_LAST_ADMIN_LANG cookies. NOTE: a third party reports that the vendor disputes the existence of this issue

  • CVE-2009-1587May 7, 2009
    risk 0.03cvss epss 0.03

    index.php in PHP Site Lock 2.0 allows remote attackers to bypass authentication and obtain administrative access by setting the login_id, group_id, login_name, user_id, and user_type cookies to certain values.

  • CVE-2009-1504May 1, 2009
    risk 0.03cvss epss 0.02

    Absolute Form Processor XE 1.5 allows remote attackers to bypass authentication and gain administrative access by setting the xlaAFPadmin cookie to "lvl=1&userid=1."

  • CVE-2009-1489Apr 29, 2009
    risk 0.03cvss epss 0.03

    includes/user.php in Fungamez RC1 allows remote attackers to bypass authentication and gain administrative access by setting the user cookie parameter.

  • CVE-2008-6743Apr 22, 2009
    risk 0.03cvss epss 0.03

    RSMScript 1.21 allows remote attackers to bypass authentication and gain administrative privileges by setting the verified cookie to an arbitrary value and performing a direct request to (1) delete.php, (2) edit-submit.php, (3) edit.php, (4) submit.php, and (5) update.php, which…

  • CVE-2008-6739Apr 21, 2009
    risk 0.03cvss epss 0.02

    Todd Woolums ASP Download management script 1.03 does not require authentication for setupdownload.asp, which allows remote attackers to gain administrator privileges via a direct request.

  • CVE-2008-6738Apr 21, 2009
    risk 0.03cvss epss 0.03

    MyShoutPro 1.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin_access cookie to 1.