CWE-287
Improper Authentication
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (2,419)
page 80 of 121| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-4784 | 0.03 | — | 0.03 | Oct 29, 2008 | aflog 1.01 allows remote attackers to bypass authentication and gain administrative access by setting the aflog_auth_a cookie to "A" or "O" in (1) edit_delete.php, (2) edit_cat.php, (3) edit_lock.php, and (4) edit_form.php. | |||
| CVE-2008-4783 | 0.03 | — | 0.03 | Oct 29, 2008 | tlAds 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the tlAds_login cookie to "admin." | |||
| CVE-2008-4752 | 0.03 | — | 0.03 | Oct 27, 2008 | TlNews 2.2 allows remote attackers to bypass authentication and gain administrative access by setting the tlNews_login cookie to admin. | |||
| CVE-2008-4721 | 0.03 | — | 0.03 | Oct 23, 2008 | PHP Jabbers Post Comment 3.0 allows remote attackers to bypass authentication and gain administrative access by setting the PostCommentsAdmin cookie to "logged." | |||
| CVE-2008-4714 | 0.03 | — | 0.03 | Oct 23, 2008 | Atomic Photo Album 1.1.0 pre4 does not properly handle the apa_cookie_login and apa_cookie_password cookies, which probably allows remote attackers to bypass authentication and gain administrative access via modified cookies. | |||
| CVE-2008-4708 | 0.03 | — | 0.03 | Oct 23, 2008 | BbZL.PhP 0.92 allows remote attackers to bypass authentication and gain administrative access by setting the phorum_admin_session cookie to 1. | |||
| CVE-2008-4649 | 0.03 | — | 0.02 | Oct 22, 2008 | Session fixation vulnerability in Elxis CMS 2008.1 revision 2204 allows remote attackers to hijack web sessions by setting the PHPSESSID parameter. | |||
| CVE-2008-4622 | 0.03 | — | 0.03 | Oct 21, 2008 | The isLoggedIn function in fastnews-code.php in phpFastNews 1.0.0 allows remote attackers to bypass authentication and gain administrative access by setting the fn-loggedin cookie to 1. | |||
| CVE-2008-4614 | 0.03 | — | 0.03 | Oct 20, 2008 | PortalApp 4.0 does not require authentication for (1) forums.asp and (2) content.asp, which allows remote attackers to create and delete forums, topics, and replies. | |||
| CVE-2008-4427 | 0.03 | — | 0.03 | Oct 3, 2008 | changepassword.php in Phlatline's Personal Information Manager (pPIM) 1.0 and earlier does not require administrative authentication, which allows remote attackers to change arbitrary passwords. | |||
| CVE-2008-4319 | 0.03 | — | 0.02 | Sep 29, 2008 | fileadmin.php in Libra File Manager (aka Libra PHP File Manager) 1.18 and earlier allows remote attackers to bypass authentication, and read arbitrary files, modify arbitrary files, and list arbitrary directories, by inserting certain user and isadmin parameters in the query… | |||
| CVE-2008-4244 | 0.03 | — | 0.03 | Sep 25, 2008 | Rianxosencabos CMS 0.9 allows remote attackers to bypass authentication and gain administrative access by setting the usuario and pass cookies to 1. | |||
| CVE-2008-4146 | 0.03 | — | 0.02 | Sep 24, 2008 | Addalink 1.0 beta 4 and earlier allows remote attackers to (1) approve web-site additions via a modified approved field and (2) change the visit-counter value via a modified counter field. | |||
| CVE-2008-4167 | 0.03 | — | 0.03 | Sep 22, 2008 | useradmin.php in Easy Photo Gallery (aka Ezphotogallery) 2.1 does not require administrative authentication, which allows remote attackers to (1) add or (2) remove an Administrator account. | |||
| CVE-2008-4081 | 0.03 | — | 0.03 | Sep 15, 2008 | admin/login.php in Stash 1.0.3 allows remote attackers to bypass authentication and gain administrative access by setting a bsm cookie. | |||
| CVE-2008-3407 | 0.03 | — | 0.03 | Jul 31, 2008 | phpLinkat 0.1 allows remote attackers to bypass authentication and access unspecified pages under admin/ by sending a login=right cookie. | |||
| CVE-2008-3375 | 0.03 | — | 0.04 | Jul 30, 2008 | The jrCookie function in includes/jamroom-misc.inc.php in JamRoom before 3.4.0 allows remote attackers to bypass authentication and gain administrative access via a boolean value within serialized data in a JMU_Cookie cookie. | |||
| CVE-2008-3299 | 0.03 | — | 0.06 | Jul 25, 2008 | eSyndiCat 1.6 allows remote attackers to bypass authentication and gain administrative access by setting the admin_lng cookie value to 1. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||
| CVE-2008-3211 | 0.03 | — | 0.03 | Jul 18, 2008 | Scripteen Free Image Hosting Script 1.2 and 1.2.1 allows remote attackers to bypass authentication and gain administrative access by setting the cookid cookie value to 1. | |||
| CVE-2008-3203 | 0.03 | — | 0.03 | Jul 17, 2008 | js/pages/pages_data.php in AuraCMS 2.2 through 2.2.2 does not perform authentication, which allows remote attackers to add, edit, and delete web content via a modified id parameter. |
- CVE-2008-4784Oct 29, 2008risk 0.03cvss —epss 0.03
aflog 1.01 allows remote attackers to bypass authentication and gain administrative access by setting the aflog_auth_a cookie to "A" or "O" in (1) edit_delete.php, (2) edit_cat.php, (3) edit_lock.php, and (4) edit_form.php.
- CVE-2008-4783Oct 29, 2008risk 0.03cvss —epss 0.03
tlAds 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the tlAds_login cookie to "admin."
- CVE-2008-4752Oct 27, 2008risk 0.03cvss —epss 0.03
TlNews 2.2 allows remote attackers to bypass authentication and gain administrative access by setting the tlNews_login cookie to admin.
- CVE-2008-4721Oct 23, 2008risk 0.03cvss —epss 0.03
PHP Jabbers Post Comment 3.0 allows remote attackers to bypass authentication and gain administrative access by setting the PostCommentsAdmin cookie to "logged."
- CVE-2008-4714Oct 23, 2008risk 0.03cvss —epss 0.03
Atomic Photo Album 1.1.0 pre4 does not properly handle the apa_cookie_login and apa_cookie_password cookies, which probably allows remote attackers to bypass authentication and gain administrative access via modified cookies.
- CVE-2008-4708Oct 23, 2008risk 0.03cvss —epss 0.03
BbZL.PhP 0.92 allows remote attackers to bypass authentication and gain administrative access by setting the phorum_admin_session cookie to 1.
- CVE-2008-4649Oct 22, 2008risk 0.03cvss —epss 0.02
Session fixation vulnerability in Elxis CMS 2008.1 revision 2204 allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.
- CVE-2008-4622Oct 21, 2008risk 0.03cvss —epss 0.03
The isLoggedIn function in fastnews-code.php in phpFastNews 1.0.0 allows remote attackers to bypass authentication and gain administrative access by setting the fn-loggedin cookie to 1.
- CVE-2008-4614Oct 20, 2008risk 0.03cvss —epss 0.03
PortalApp 4.0 does not require authentication for (1) forums.asp and (2) content.asp, which allows remote attackers to create and delete forums, topics, and replies.
- CVE-2008-4427Oct 3, 2008risk 0.03cvss —epss 0.03
changepassword.php in Phlatline's Personal Information Manager (pPIM) 1.0 and earlier does not require administrative authentication, which allows remote attackers to change arbitrary passwords.
- CVE-2008-4319Sep 29, 2008risk 0.03cvss —epss 0.02
fileadmin.php in Libra File Manager (aka Libra PHP File Manager) 1.18 and earlier allows remote attackers to bypass authentication, and read arbitrary files, modify arbitrary files, and list arbitrary directories, by inserting certain user and isadmin parameters in the query…
- CVE-2008-4244Sep 25, 2008risk 0.03cvss —epss 0.03
Rianxosencabos CMS 0.9 allows remote attackers to bypass authentication and gain administrative access by setting the usuario and pass cookies to 1.
- CVE-2008-4146Sep 24, 2008risk 0.03cvss —epss 0.02
Addalink 1.0 beta 4 and earlier allows remote attackers to (1) approve web-site additions via a modified approved field and (2) change the visit-counter value via a modified counter field.
- CVE-2008-4167Sep 22, 2008risk 0.03cvss —epss 0.03
useradmin.php in Easy Photo Gallery (aka Ezphotogallery) 2.1 does not require administrative authentication, which allows remote attackers to (1) add or (2) remove an Administrator account.
- CVE-2008-4081Sep 15, 2008risk 0.03cvss —epss 0.03
admin/login.php in Stash 1.0.3 allows remote attackers to bypass authentication and gain administrative access by setting a bsm cookie.
- CVE-2008-3407Jul 31, 2008risk 0.03cvss —epss 0.03
phpLinkat 0.1 allows remote attackers to bypass authentication and access unspecified pages under admin/ by sending a login=right cookie.
- CVE-2008-3375Jul 30, 2008risk 0.03cvss —epss 0.04
The jrCookie function in includes/jamroom-misc.inc.php in JamRoom before 3.4.0 allows remote attackers to bypass authentication and gain administrative access via a boolean value within serialized data in a JMU_Cookie cookie.
- CVE-2008-3299Jul 25, 2008risk 0.03cvss —epss 0.06
eSyndiCat 1.6 allows remote attackers to bypass authentication and gain administrative access by setting the admin_lng cookie value to 1. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- CVE-2008-3211Jul 18, 2008risk 0.03cvss —epss 0.03
Scripteen Free Image Hosting Script 1.2 and 1.2.1 allows remote attackers to bypass authentication and gain administrative access by setting the cookid cookie value to 1.
- CVE-2008-3203Jul 17, 2008risk 0.03cvss —epss 0.03
js/pages/pages_data.php in AuraCMS 2.2 through 2.2.2 does not perform authentication, which allows remote attackers to add, edit, and delete web content via a modified id parameter.