CWE-287
Improper Authentication
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (2,419)
page 78 of 121| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-6723 | 0.03 | — | 0.03 | Apr 14, 2009 | TurnkeyForms Entertainment Portal 2.0 allows remote attackers to bypass authentication and gain administrative access by setting the adminLogged cookie to Administrator. | |||
| CVE-2008-6719 | 0.03 | — | 0.02 | Apr 13, 2009 | U&M Software Event Lister (aka JustListIt) 1.0 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) start.php, (2) aktivitet.php, (3) prop_aktivitet.php,… | |||
| CVE-2008-6718 | 0.03 | — | 0.02 | Apr 13, 2009 | U&M Software JustBookIt 1.0 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) user_manual.php, (2) user_config.php, (3) user_kundnamn.php, (4)… | |||
| CVE-2008-6717 | 0.03 | — | 0.02 | Apr 13, 2009 | U&M Software Signup 1.0 and 1.1 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) adminstart.php, (2) admineventtype.php, (3) admineventdetails.php, (4)… | |||
| CVE-2008-6716 | 0.03 | — | 0.02 | Apr 13, 2009 | homeadmin/adminhome.php in Pre ADS Portal 2.0 and earlier does not require administrative authentication, which allows remote attackers to have an unspecified impact via a direct request. | |||
| CVE-2008-6667 | 0.03 | — | 0.03 | Apr 8, 2009 | A+ PHP Scripts News Management System (NMS) allows remote attackers to bypass authentication and gain administrator privileges by setting the mobsuser and mobspass cookies to 1. | |||
| CVE-2008-6664 | 0.03 | — | 0.03 | Apr 8, 2009 | action.php in SH-News 3.0 allows remote attackers to bypass authentication and gain administrator privileges by setting the shuser and shpass cookies to non-zero values. | |||
| CVE-2008-6581 | 0.03 | — | 0.03 | Apr 2, 2009 | login.php in PhpAddEdit 1.3 allows remote attackers to bypass authentication and gain administrative access by setting the addedit cookie parameter. | |||
| CVE-2008-6553 | 0.03 | — | 0.02 | Mar 30, 2009 | microcms-admin-home.php in Implied by Design Micro CMS (Micro-CMS) 3.5 (aka 0.3.5) does not require authentication as an administrator, which allows remote attackers to (1) create administrative accounts via an add_admin action, (2) remove administrative accounts via a… | |||
| CVE-2008-6523 | 0.03 | — | 0.03 | Mar 25, 2009 | auth.php in openInvoice 0.90 beta and earlier allows remote attackers to bypass authentication and gain privileges by setting the oiauth cookie. NOTE: this can be leveraged with a separate vulnerability in resetpass.php to modify passwords for arbitrary users. | |||
| CVE-2009-1050 | 0.03 | — | 0.03 | Mar 24, 2009 | Bloginator 1A allows remote attackers to bypass authentication and gain administrative access by setting the identifyYourself cookie. | |||
| CVE-2009-0864 | 0.03 | — | 0.03 | Mar 10, 2009 | S-Cms 1.1 Stable allows remote attackers to bypass authentication and obtain administrative access via an OK value for the login cookie. | |||
| CVE-2009-0853 | 0.03 | — | 0.02 | Mar 9, 2009 | login.php in CelerBB 0.0.2, when magic_quotes_gpc is disabled, allows remote attackers to bypass authentication and obtain administrative access via special characters in the Username parameter, as demonstrated by an admin'# parameter value. | |||
| CVE-2008-6411 | 0.03 | — | 0.03 | Mar 6, 2009 | Explay CMS 2.1 and earlier allows remote attackers to bypass authentication and gain administrative access by setting the login cookie to 1. | |||
| CVE-2008-6307 | 0.03 | — | 0.03 | Feb 26, 2009 | E-topbiz Link Back Checker 1 allows remote attackers to bypass authentication and gain administrative access by setting the auth cookie to "admin." | |||
| CVE-2008-6300 | 0.03 | — | 0.03 | Feb 26, 2009 | Galatolo WebManager 1.3a allows remote attackers to bypass authentication and gain administrative access by setting the (1) gwm_user and (2) gwm_pass cookies to admin. NOTE: the provenance of this information is unknown; the details are obtained solely from third party… | |||
| CVE-2008-6269 | 0.03 | — | 0.03 | Feb 25, 2009 | Joovili 3.1.4 allows remote attackers to bypass authentication and gain privileges as other users, including the administrator, by setting the (1) session_id, session_logged_in, and session_username cookies for user privileges; (2) session_admin_id, session_admin_username, and… | |||
| CVE-2008-6162 | 0.03 | — | 0.03 | Feb 20, 2009 | Bux.to Clone script allows remote attackers to bypass authentication and gain administrative access by setting the loggedin cookie to 1 and the usNick cookie to admin. | |||
| CVE-2008-6143 | 0.03 | — | 0.06 | Feb 16, 2009 | OwenPoll 1.0 allows remote attackers to bypass authentication and obtain administrative access via a modified account name in the username cookie. | |||
| CVE-2009-0360 | 0.03 | — | 0.01 | Feb 13, 2009 | Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching… |
- CVE-2008-6723Apr 14, 2009risk 0.03cvss —epss 0.03
TurnkeyForms Entertainment Portal 2.0 allows remote attackers to bypass authentication and gain administrative access by setting the adminLogged cookie to Administrator.
- CVE-2008-6719Apr 13, 2009risk 0.03cvss —epss 0.02
U&M Software Event Lister (aka JustListIt) 1.0 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) start.php, (2) aktivitet.php, (3) prop_aktivitet.php,…
- CVE-2008-6718Apr 13, 2009risk 0.03cvss —epss 0.02
U&M Software JustBookIt 1.0 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) user_manual.php, (2) user_config.php, (3) user_kundnamn.php, (4)…
- CVE-2008-6717Apr 13, 2009risk 0.03cvss —epss 0.02
U&M Software Signup 1.0 and 1.1 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) adminstart.php, (2) admineventtype.php, (3) admineventdetails.php, (4)…
- CVE-2008-6716Apr 13, 2009risk 0.03cvss —epss 0.02
homeadmin/adminhome.php in Pre ADS Portal 2.0 and earlier does not require administrative authentication, which allows remote attackers to have an unspecified impact via a direct request.
- CVE-2008-6667Apr 8, 2009risk 0.03cvss —epss 0.03
A+ PHP Scripts News Management System (NMS) allows remote attackers to bypass authentication and gain administrator privileges by setting the mobsuser and mobspass cookies to 1.
- CVE-2008-6664Apr 8, 2009risk 0.03cvss —epss 0.03
action.php in SH-News 3.0 allows remote attackers to bypass authentication and gain administrator privileges by setting the shuser and shpass cookies to non-zero values.
- CVE-2008-6581Apr 2, 2009risk 0.03cvss —epss 0.03
login.php in PhpAddEdit 1.3 allows remote attackers to bypass authentication and gain administrative access by setting the addedit cookie parameter.
- CVE-2008-6553Mar 30, 2009risk 0.03cvss —epss 0.02
microcms-admin-home.php in Implied by Design Micro CMS (Micro-CMS) 3.5 (aka 0.3.5) does not require authentication as an administrator, which allows remote attackers to (1) create administrative accounts via an add_admin action, (2) remove administrative accounts via a…
- CVE-2008-6523Mar 25, 2009risk 0.03cvss —epss 0.03
auth.php in openInvoice 0.90 beta and earlier allows remote attackers to bypass authentication and gain privileges by setting the oiauth cookie. NOTE: this can be leveraged with a separate vulnerability in resetpass.php to modify passwords for arbitrary users.
- CVE-2009-1050Mar 24, 2009risk 0.03cvss —epss 0.03
Bloginator 1A allows remote attackers to bypass authentication and gain administrative access by setting the identifyYourself cookie.
- CVE-2009-0864Mar 10, 2009risk 0.03cvss —epss 0.03
S-Cms 1.1 Stable allows remote attackers to bypass authentication and obtain administrative access via an OK value for the login cookie.
- CVE-2009-0853Mar 9, 2009risk 0.03cvss —epss 0.02
login.php in CelerBB 0.0.2, when magic_quotes_gpc is disabled, allows remote attackers to bypass authentication and obtain administrative access via special characters in the Username parameter, as demonstrated by an admin'# parameter value.
- CVE-2008-6411Mar 6, 2009risk 0.03cvss —epss 0.03
Explay CMS 2.1 and earlier allows remote attackers to bypass authentication and gain administrative access by setting the login cookie to 1.
- CVE-2008-6307Feb 26, 2009risk 0.03cvss —epss 0.03
E-topbiz Link Back Checker 1 allows remote attackers to bypass authentication and gain administrative access by setting the auth cookie to "admin."
- CVE-2008-6300Feb 26, 2009risk 0.03cvss —epss 0.03
Galatolo WebManager 1.3a allows remote attackers to bypass authentication and gain administrative access by setting the (1) gwm_user and (2) gwm_pass cookies to admin. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…
- CVE-2008-6269Feb 25, 2009risk 0.03cvss —epss 0.03
Joovili 3.1.4 allows remote attackers to bypass authentication and gain privileges as other users, including the administrator, by setting the (1) session_id, session_logged_in, and session_username cookies for user privileges; (2) session_admin_id, session_admin_username, and…
- CVE-2008-6162Feb 20, 2009risk 0.03cvss —epss 0.03
Bux.to Clone script allows remote attackers to bypass authentication and gain administrative access by setting the loggedin cookie to 1 and the usNick cookie to admin.
- CVE-2008-6143Feb 16, 2009risk 0.03cvss —epss 0.06
OwenPoll 1.0 allows remote attackers to bypass authentication and obtain administrative access via a modified account name in the username cookie.
- CVE-2009-0360Feb 13, 2009risk 0.03cvss —epss 0.01
Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching…