VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 78 of 121
  • CVE-2008-6723Apr 14, 2009
    risk 0.03cvss epss 0.03

    TurnkeyForms Entertainment Portal 2.0 allows remote attackers to bypass authentication and gain administrative access by setting the adminLogged cookie to Administrator.

  • CVE-2008-6719Apr 13, 2009
    risk 0.03cvss epss 0.02

    U&M Software Event Lister (aka JustListIt) 1.0 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) start.php, (2) aktivitet.php, (3) prop_aktivitet.php,…

  • CVE-2008-6718Apr 13, 2009
    risk 0.03cvss epss 0.02

    U&M Software JustBookIt 1.0 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) user_manual.php, (2) user_config.php, (3) user_kundnamn.php, (4)…

  • CVE-2008-6717Apr 13, 2009
    risk 0.03cvss epss 0.02

    U&M Software Signup 1.0 and 1.1 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) adminstart.php, (2) admineventtype.php, (3) admineventdetails.php, (4)…

  • CVE-2008-6716Apr 13, 2009
    risk 0.03cvss epss 0.02

    homeadmin/adminhome.php in Pre ADS Portal 2.0 and earlier does not require administrative authentication, which allows remote attackers to have an unspecified impact via a direct request.

  • CVE-2008-6667Apr 8, 2009
    risk 0.03cvss epss 0.03

    A+ PHP Scripts News Management System (NMS) allows remote attackers to bypass authentication and gain administrator privileges by setting the mobsuser and mobspass cookies to 1.

  • CVE-2008-6664Apr 8, 2009
    risk 0.03cvss epss 0.03

    action.php in SH-News 3.0 allows remote attackers to bypass authentication and gain administrator privileges by setting the shuser and shpass cookies to non-zero values.

  • CVE-2008-6581Apr 2, 2009
    risk 0.03cvss epss 0.03

    login.php in PhpAddEdit 1.3 allows remote attackers to bypass authentication and gain administrative access by setting the addedit cookie parameter.

  • CVE-2008-6553Mar 30, 2009
    risk 0.03cvss epss 0.02

    microcms-admin-home.php in Implied by Design Micro CMS (Micro-CMS) 3.5 (aka 0.3.5) does not require authentication as an administrator, which allows remote attackers to (1) create administrative accounts via an add_admin action, (2) remove administrative accounts via a…

  • CVE-2008-6523Mar 25, 2009
    risk 0.03cvss epss 0.03

    auth.php in openInvoice 0.90 beta and earlier allows remote attackers to bypass authentication and gain privileges by setting the oiauth cookie. NOTE: this can be leveraged with a separate vulnerability in resetpass.php to modify passwords for arbitrary users.

  • CVE-2009-1050Mar 24, 2009
    risk 0.03cvss epss 0.03

    Bloginator 1A allows remote attackers to bypass authentication and gain administrative access by setting the identifyYourself cookie.

  • CVE-2009-0864Mar 10, 2009
    risk 0.03cvss epss 0.03

    S-Cms 1.1 Stable allows remote attackers to bypass authentication and obtain administrative access via an OK value for the login cookie.

  • CVE-2009-0853Mar 9, 2009
    risk 0.03cvss epss 0.02

    login.php in CelerBB 0.0.2, when magic_quotes_gpc is disabled, allows remote attackers to bypass authentication and obtain administrative access via special characters in the Username parameter, as demonstrated by an admin'# parameter value.

  • CVE-2008-6411Mar 6, 2009
    risk 0.03cvss epss 0.03

    Explay CMS 2.1 and earlier allows remote attackers to bypass authentication and gain administrative access by setting the login cookie to 1.

  • CVE-2008-6307Feb 26, 2009
    risk 0.03cvss epss 0.03

    E-topbiz Link Back Checker 1 allows remote attackers to bypass authentication and gain administrative access by setting the auth cookie to "admin."

  • CVE-2008-6300Feb 26, 2009
    risk 0.03cvss epss 0.03

    Galatolo WebManager 1.3a allows remote attackers to bypass authentication and gain administrative access by setting the (1) gwm_user and (2) gwm_pass cookies to admin. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…

  • CVE-2008-6269Feb 25, 2009
    risk 0.03cvss epss 0.03

    Joovili 3.1.4 allows remote attackers to bypass authentication and gain privileges as other users, including the administrator, by setting the (1) session_id, session_logged_in, and session_username cookies for user privileges; (2) session_admin_id, session_admin_username, and…

  • CVE-2008-6162Feb 20, 2009
    risk 0.03cvss epss 0.03

    Bux.to Clone script allows remote attackers to bypass authentication and gain administrative access by setting the loggedin cookie to 1 and the usNick cookie to admin.

  • CVE-2008-6143Feb 16, 2009
    risk 0.03cvss epss 0.06

    OwenPoll 1.0 allows remote attackers to bypass authentication and obtain administrative access via a modified account name in the username cookie.

  • CVE-2009-0360Feb 13, 2009
    risk 0.03cvss epss 0.01

    Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching…