CWE-287
Improper Authentication
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (2,419)
page 77 of 121| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-2159 | 0.03 | — | 0.03 | Jun 22, 2009 | backup-database.php in TorrentTrader Classic 1.09 does not require administrative authentication, which allows remote attackers to create and download a backup database by making a direct request and then retrieving a .gz file from backups/. | |||
| CVE-2009-2117 | 0.03 | — | 0.02 | Jun 18, 2009 | uye_paneli.php in phPortal 1.0 allows remote attackers to bypass authentication and obtain administrative access by setting the kulladi cookie to a valid username. | |||
| CVE-2009-2040 | 0.03 | — | 0.03 | Jun 12, 2009 | admin/options.php in Grestul 1.2 does not properly restrict access, which allows remote attackers to bypass authentication and create administrative accounts via a manage_admin action in a direct request. | |||
| CVE-2009-2003 | 0.03 | — | 0.03 | Jun 8, 2009 | Ascad Networks Password Protector SD 1.3.1 allows remote attackers to bypass authentication and gain administrative access by setting the (1) c7portal and (2) cookname cookies to "admin." | |||
| CVE-2009-1854 | 0.03 | — | 0.02 | Jun 1, 2009 | Million Dollar Text Links 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the userid cookie to 1. | |||
| CVE-2009-1826 | 0.03 | — | 0.02 | May 29, 2009 | modules/admuser.php in myGesuad 0.9.14 (aka 0.9) does not require administrative authentication, which allows remote authenticated users to list user accounts via a Find action. | |||
| CVE-2009-1825 | 0.03 | — | 0.02 | May 29, 2009 | modules/admuser.php in myColex 1.4.2 does not require administrative authentication, which allows remote authenticated users to list user accounts via a Find action. | |||
| CVE-2008-6815 | 0.03 | — | 0.03 | May 28, 2009 | mykdownload.php in MyKtools 2.4 does not require administrative authentication, which allows remote attackers to read a database backup by making a direct request, and then sending an unspecified request to the download page for the backup. | |||
| CVE-2009-1664 | 0.03 | — | 0.02 | May 18, 2009 | myaccount.php in Easy Scripts Answer and Question Script does not verify the original password before changing passwords, which allows remote attackers to change the password of other users and gain privileges via modified userid, txtpassword, and txtRpassword parameters. | |||
| CVE-2009-1638 | 0.03 | — | 0.03 | May 15, 2009 | Techno Dreams Job Career Package 3.0 allows remote attackers to bypass authentication and obtain administrative access by setting the JobCareerAdmin cookie to Login. | |||
| CVE-2009-1619 | 0.03 | — | 0.03 | May 12, 2009 | Teraway FileStream 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the twFSadmin cookie to 1. | |||
| CVE-2009-1618 | 0.03 | — | 0.03 | May 12, 2009 | Teraway LiveHelp 2.0 allows remote attackers to bypass authentication and gain administrative access via a pwd=&lvl=1&usr=&alias=admin&userid=1 value for the TWLHadmin cookie. | |||
| CVE-2009-1617 | 0.03 | — | 0.03 | May 12, 2009 | Teraway LinkTracker 1.0 allows remote attackers to bypass authentication and gain administrative access via a userid=1&lvl=1 value for the twLTadmin cookie. | |||
| CVE-2008-6804 | 0.03 | — | 0.03 | May 11, 2009 | Tribiq CMS 5.0.9a beta allows remote attackers to bypass authentication and gain administrative access by setting the COOKIE_LAST_ADMIN_USER and COOKIE_LAST_ADMIN_LANG cookies. NOTE: a third party reports that the vendor disputes the existence of this issue | |||
| CVE-2009-1587 | 0.03 | — | 0.03 | May 7, 2009 | index.php in PHP Site Lock 2.0 allows remote attackers to bypass authentication and obtain administrative access by setting the login_id, group_id, login_name, user_id, and user_type cookies to certain values. | |||
| CVE-2009-1504 | 0.03 | — | 0.02 | May 1, 2009 | Absolute Form Processor XE 1.5 allows remote attackers to bypass authentication and gain administrative access by setting the xlaAFPadmin cookie to "lvl=1&userid=1." | |||
| CVE-2009-1489 | 0.03 | — | 0.03 | Apr 29, 2009 | includes/user.php in Fungamez RC1 allows remote attackers to bypass authentication and gain administrative access by setting the user cookie parameter. | |||
| CVE-2008-6743 | 0.03 | — | 0.03 | Apr 22, 2009 | RSMScript 1.21 allows remote attackers to bypass authentication and gain administrative privileges by setting the verified cookie to an arbitrary value and performing a direct request to (1) delete.php, (2) edit-submit.php, (3) edit.php, (4) submit.php, and (5) update.php, which… | |||
| CVE-2008-6739 | 0.03 | — | 0.02 | Apr 21, 2009 | Todd Woolums ASP Download management script 1.03 does not require authentication for setupdownload.asp, which allows remote attackers to gain administrator privileges via a direct request. | |||
| CVE-2008-6738 | 0.03 | — | 0.03 | Apr 21, 2009 | MyShoutPro 1.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin_access cookie to 1. |
- CVE-2009-2159Jun 22, 2009risk 0.03cvss —epss 0.03
backup-database.php in TorrentTrader Classic 1.09 does not require administrative authentication, which allows remote attackers to create and download a backup database by making a direct request and then retrieving a .gz file from backups/.
- CVE-2009-2117Jun 18, 2009risk 0.03cvss —epss 0.02
uye_paneli.php in phPortal 1.0 allows remote attackers to bypass authentication and obtain administrative access by setting the kulladi cookie to a valid username.
- CVE-2009-2040Jun 12, 2009risk 0.03cvss —epss 0.03
admin/options.php in Grestul 1.2 does not properly restrict access, which allows remote attackers to bypass authentication and create administrative accounts via a manage_admin action in a direct request.
- CVE-2009-2003Jun 8, 2009risk 0.03cvss —epss 0.03
Ascad Networks Password Protector SD 1.3.1 allows remote attackers to bypass authentication and gain administrative access by setting the (1) c7portal and (2) cookname cookies to "admin."
- CVE-2009-1854Jun 1, 2009risk 0.03cvss —epss 0.02
Million Dollar Text Links 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the userid cookie to 1.
- CVE-2009-1826May 29, 2009risk 0.03cvss —epss 0.02
modules/admuser.php in myGesuad 0.9.14 (aka 0.9) does not require administrative authentication, which allows remote authenticated users to list user accounts via a Find action.
- CVE-2009-1825May 29, 2009risk 0.03cvss —epss 0.02
modules/admuser.php in myColex 1.4.2 does not require administrative authentication, which allows remote authenticated users to list user accounts via a Find action.
- CVE-2008-6815May 28, 2009risk 0.03cvss —epss 0.03
mykdownload.php in MyKtools 2.4 does not require administrative authentication, which allows remote attackers to read a database backup by making a direct request, and then sending an unspecified request to the download page for the backup.
- CVE-2009-1664May 18, 2009risk 0.03cvss —epss 0.02
myaccount.php in Easy Scripts Answer and Question Script does not verify the original password before changing passwords, which allows remote attackers to change the password of other users and gain privileges via modified userid, txtpassword, and txtRpassword parameters.
- CVE-2009-1638May 15, 2009risk 0.03cvss —epss 0.03
Techno Dreams Job Career Package 3.0 allows remote attackers to bypass authentication and obtain administrative access by setting the JobCareerAdmin cookie to Login.
- CVE-2009-1619May 12, 2009risk 0.03cvss —epss 0.03
Teraway FileStream 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the twFSadmin cookie to 1.
- CVE-2009-1618May 12, 2009risk 0.03cvss —epss 0.03
Teraway LiveHelp 2.0 allows remote attackers to bypass authentication and gain administrative access via a pwd=&lvl=1&usr=&alias=admin&userid=1 value for the TWLHadmin cookie.
- CVE-2009-1617May 12, 2009risk 0.03cvss —epss 0.03
Teraway LinkTracker 1.0 allows remote attackers to bypass authentication and gain administrative access via a userid=1&lvl=1 value for the twLTadmin cookie.
- CVE-2008-6804May 11, 2009risk 0.03cvss —epss 0.03
Tribiq CMS 5.0.9a beta allows remote attackers to bypass authentication and gain administrative access by setting the COOKIE_LAST_ADMIN_USER and COOKIE_LAST_ADMIN_LANG cookies. NOTE: a third party reports that the vendor disputes the existence of this issue
- CVE-2009-1587May 7, 2009risk 0.03cvss —epss 0.03
index.php in PHP Site Lock 2.0 allows remote attackers to bypass authentication and obtain administrative access by setting the login_id, group_id, login_name, user_id, and user_type cookies to certain values.
- CVE-2009-1504May 1, 2009risk 0.03cvss —epss 0.02
Absolute Form Processor XE 1.5 allows remote attackers to bypass authentication and gain administrative access by setting the xlaAFPadmin cookie to "lvl=1&userid=1."
- CVE-2009-1489Apr 29, 2009risk 0.03cvss —epss 0.03
includes/user.php in Fungamez RC1 allows remote attackers to bypass authentication and gain administrative access by setting the user cookie parameter.
- CVE-2008-6743Apr 22, 2009risk 0.03cvss —epss 0.03
RSMScript 1.21 allows remote attackers to bypass authentication and gain administrative privileges by setting the verified cookie to an arbitrary value and performing a direct request to (1) delete.php, (2) edit-submit.php, (3) edit.php, (4) submit.php, and (5) update.php, which…
- CVE-2008-6739Apr 21, 2009risk 0.03cvss —epss 0.02
Todd Woolums ASP Download management script 1.03 does not require authentication for setupdownload.asp, which allows remote attackers to gain administrator privileges via a direct request.
- CVE-2008-6738Apr 21, 2009risk 0.03cvss —epss 0.03
MyShoutPro 1.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin_access cookie to 1.