VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 80 of 121
  • CVE-2008-4784Oct 29, 2008
    risk 0.03cvss epss 0.03

    aflog 1.01 allows remote attackers to bypass authentication and gain administrative access by setting the aflog_auth_a cookie to "A" or "O" in (1) edit_delete.php, (2) edit_cat.php, (3) edit_lock.php, and (4) edit_form.php.

  • CVE-2008-4783Oct 29, 2008
    risk 0.03cvss epss 0.03

    tlAds 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the tlAds_login cookie to "admin."

  • CVE-2008-4752Oct 27, 2008
    risk 0.03cvss epss 0.03

    TlNews 2.2 allows remote attackers to bypass authentication and gain administrative access by setting the tlNews_login cookie to admin.

  • CVE-2008-4721Oct 23, 2008
    risk 0.03cvss epss 0.03

    PHP Jabbers Post Comment 3.0 allows remote attackers to bypass authentication and gain administrative access by setting the PostCommentsAdmin cookie to "logged."

  • CVE-2008-4714Oct 23, 2008
    risk 0.03cvss epss 0.03

    Atomic Photo Album 1.1.0 pre4 does not properly handle the apa_cookie_login and apa_cookie_password cookies, which probably allows remote attackers to bypass authentication and gain administrative access via modified cookies.

  • CVE-2008-4708Oct 23, 2008
    risk 0.03cvss epss 0.03

    BbZL.PhP 0.92 allows remote attackers to bypass authentication and gain administrative access by setting the phorum_admin_session cookie to 1.

  • CVE-2008-4649Oct 22, 2008
    risk 0.03cvss epss 0.02

    Session fixation vulnerability in Elxis CMS 2008.1 revision 2204 allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.

  • CVE-2008-4622Oct 21, 2008
    risk 0.03cvss epss 0.03

    The isLoggedIn function in fastnews-code.php in phpFastNews 1.0.0 allows remote attackers to bypass authentication and gain administrative access by setting the fn-loggedin cookie to 1.

  • CVE-2008-4614Oct 20, 2008
    risk 0.03cvss epss 0.03

    PortalApp 4.0 does not require authentication for (1) forums.asp and (2) content.asp, which allows remote attackers to create and delete forums, topics, and replies.

  • CVE-2008-4427Oct 3, 2008
    risk 0.03cvss epss 0.03

    changepassword.php in Phlatline's Personal Information Manager (pPIM) 1.0 and earlier does not require administrative authentication, which allows remote attackers to change arbitrary passwords.

  • CVE-2008-4319Sep 29, 2008
    risk 0.03cvss epss 0.02

    fileadmin.php in Libra File Manager (aka Libra PHP File Manager) 1.18 and earlier allows remote attackers to bypass authentication, and read arbitrary files, modify arbitrary files, and list arbitrary directories, by inserting certain user and isadmin parameters in the query…

  • CVE-2008-4244Sep 25, 2008
    risk 0.03cvss epss 0.03

    Rianxosencabos CMS 0.9 allows remote attackers to bypass authentication and gain administrative access by setting the usuario and pass cookies to 1.

  • CVE-2008-4146Sep 24, 2008
    risk 0.03cvss epss 0.02

    Addalink 1.0 beta 4 and earlier allows remote attackers to (1) approve web-site additions via a modified approved field and (2) change the visit-counter value via a modified counter field.

  • CVE-2008-4167Sep 22, 2008
    risk 0.03cvss epss 0.03

    useradmin.php in Easy Photo Gallery (aka Ezphotogallery) 2.1 does not require administrative authentication, which allows remote attackers to (1) add or (2) remove an Administrator account.

  • CVE-2008-4081Sep 15, 2008
    risk 0.03cvss epss 0.03

    admin/login.php in Stash 1.0.3 allows remote attackers to bypass authentication and gain administrative access by setting a bsm cookie.

  • CVE-2008-3407Jul 31, 2008
    risk 0.03cvss epss 0.03

    phpLinkat 0.1 allows remote attackers to bypass authentication and access unspecified pages under admin/ by sending a login=right cookie.

  • CVE-2008-3375Jul 30, 2008
    risk 0.03cvss epss 0.04

    The jrCookie function in includes/jamroom-misc.inc.php in JamRoom before 3.4.0 allows remote attackers to bypass authentication and gain administrative access via a boolean value within serialized data in a JMU_Cookie cookie.

  • CVE-2008-3299Jul 25, 2008
    risk 0.03cvss epss 0.06

    eSyndiCat 1.6 allows remote attackers to bypass authentication and gain administrative access by setting the admin_lng cookie value to 1. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

  • CVE-2008-3211Jul 18, 2008
    risk 0.03cvss epss 0.03

    Scripteen Free Image Hosting Script 1.2 and 1.2.1 allows remote attackers to bypass authentication and gain administrative access by setting the cookid cookie value to 1.

  • CVE-2008-3203Jul 17, 2008
    risk 0.03cvss epss 0.03

    js/pages/pages_data.php in AuraCMS 2.2 through 2.2.2 does not perform authentication, which allows remote attackers to add, edit, and delete web content via a modified id parameter.