VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 79 of 121
  • CVE-2008-6118Feb 11, 2009
    risk 0.03cvss epss 0.03

    win/content/upload.php in Goople CMS 1.7 allows remote attackers to bypass authentication and gain administrative access by setting the loggedin cookie to 1.

  • CVE-2009-0461Feb 10, 2009
    risk 0.03cvss epss 0.03

    Whole Hog Password Protect: Enhanced 1.x allows remote attackers to bypass authentication and obtain administrative access via an integer value in the adminid cookie.

  • CVE-2009-0460Feb 10, 2009
    risk 0.03cvss epss 0.03

    Whole Hog Ware Support 1.x allows remote attackers to bypass authentication and obtain administrative access via an integer value in the adminid cookie.

  • CVE-2008-6092Feb 9, 2009
    risk 0.03cvss epss 0.03

    phpscripts Ranking Script allows remote attackers to bypass authentication and gain administrative access by sending an admin=ja cookie.

  • CVE-2008-6045Feb 3, 2009
    risk 0.03cvss epss 0.03

    Session fixation vulnerability in shopping_cart.php in xt:Commerce 3.0.4 and earlier allows remote attackers to hijack web sessions by setting the XTCsid parameter.

  • CVE-2008-6039Feb 3, 2009
    risk 0.03cvss epss 0.02

    Session fixation vulnerability in BLUEPAGE CMS 2.5 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.

  • CVE-2008-6009Jan 30, 2009
    risk 0.03cvss epss 0.03

    SG Real Estate Portal 2.0 allows remote attackers to bypass authentication and gain administrative access by setting the Auth cookie to 1.

  • CVE-2009-0280Jan 27, 2009
    risk 0.03cvss epss 0.03

    Asp Project Management 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the crypt cookie to 1.

  • CVE-2008-5967Jan 26, 2009
    risk 0.03cvss epss 0.03

    admin/index.php in PHP iCalendar 2.3.4, 2.24, and earlier does not require administrative authentication for an addupdate action, which allows remote attackers to upload a calendar (aka .ics) file with arbitrary content to the calendars/ directory outside the web root.

  • CVE-2008-5945Jan 22, 2009
    risk 0.03cvss epss 0.02

    Nukeviet 2.0 Beta allows remote attackers to bypass authentication and gain administrative access by setting the admf cookie to 1. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

  • CVE-2008-5880Jan 8, 2009
    risk 0.03cvss epss 0.03

    admin/auth.php in Gobbl CMS 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the auth cookie to "ok".

  • CVE-2008-5783Dec 31, 2008
    risk 0.03cvss epss 0.03

    admin/index.php in V3 Chat Live Support 3.0.4 allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie to 1.

  • CVE-2008-5708Dec 24, 2008
    risk 0.03cvss epss 0.03

    redirect.php in SlimCMS 1.0.0 does not require authentication, which allows remote attackers to create administrative users by using the newusername and newpassword parameters and setting the newisadmin parameter to 1.

  • CVE-2008-5576Dec 15, 2008
    risk 0.03cvss epss 0.03

    admin/forums.php in sCssBoard 1.0, 1.1, 1.11, and 1.12 allows remote attackers to bypass authentication and gain administrative access via a large value of the current_user[users_level] parameter.

  • CVE-2008-5497Dec 12, 2008
    risk 0.03cvss epss 0.03

    BandSite CMS 1.1.4 allows remote attackers to bypass authentication and gain administrative access by setting the login_auth cookie to true.

  • CVE-2008-5221Nov 25, 2008
    risk 0.03cvss epss 0.03

    The account_save action in admin/userinfo.php in wPortfolio 0.3 and earlier does not require authentication and does not require knowledge of the original password, which allows remote attackers to change the admin account password via modified password and password_retype…

  • CVE-2008-5125Nov 18, 2008
    risk 0.03cvss epss 0.02

    admin.php in CCleague Pro 1.2 allows remote attackers to bypass authentication by setting the type cookie value to admin.

  • CVE-2008-5065Nov 13, 2008
    risk 0.03cvss epss 0.03

    TlGuestBook 1.2 allows remote attackers to bypass authentication and gain administrative access by setting the tlGuestBook_login cookie to admin.

  • CVE-2008-5042Nov 12, 2008
    risk 0.03cvss epss 0.03

    Zeeways PhotoVideoTube 1.1 and earlier allows remote attackers to bypass authentication and perform administrative tasks via a direct request to admin/home.php.

  • CVE-2008-5040Nov 12, 2008
    risk 0.03cvss epss 0.03

    Graphiks MyForum 1.3 allows remote attackers to bypass authentication and gain administrative access by setting the (1) myforum_login and (2) myforum_pass cookies to 1.