CWE-287
Improper Authentication
ClassDraftLikelihood: High
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (1,669)
page 82 of 84| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2007-4203 | 0.00 | — | 0.01 | Aug 8, 2007 | Session fixation vulnerability in Mambo 4.6.2 CMS allows remote attackers to hijack web sessions by setting the Cookie parameter. | ||
| CVE-2007-3988 | 0.00 | — | 0.01 | Jul 25, 2007 | Session fixation vulnerability in Virtual Hosting Control System (VHCS) 2.4.7.1 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter. | ||
| CVE-2007-3597 | 0.00 | — | 0.02 | Jul 6, 2007 | Session fixation vulnerability in Zen Cart 1.3.7 and earlier allows remote attackers to hijack web sessions by setting the Cookie parameter. | ||
| CVE-2007-3184 | 0.00 | — | 0.00 | Jun 12, 2007 | Cisco Trust Agent (CTA) before 2.1.104.0, when running on MacOS X, allows attackers with physical access to bypass authentication and modify System Preferences, including passwords, by invoking the Apple Menu when the Access Control Server (ACS) produces a user notification message after posture validation. | ||
| CVE-2007-3177 | 0.00 | — | 0.01 | Jun 11, 2007 | Ingate Firewall and SIParator before 4.5.2 allow remote attackers to bypass SIP authentication via a certain maddr parameter. | ||
| CVE-2007-3050 | 0.00 | — | 0.01 | Jun 6, 2007 | Session fixation vulnerability in chameleon cms 3.0 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter. | ||
| CVE-2007-2555 | 0.00 | — | 0.00 | May 9, 2007 | Unspecified vulnerability in Default.aspx in Podium CMS allows remote attackers to have an unknown impact, possibly session fixation, via a META HTTP-EQUIV Set-cookie expression in the id parameter, related to "cookie manipulation." NOTE: this issue might be cross-site scripting (XSS). | ||
| CVE-2007-2546 | 0.00 | — | 0.01 | May 9, 2007 | Session fixation vulnerability in Simple Machines Forum (SMF) 1.1.2 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter. | ||
| CVE-2007-1859 | 0.00 | — | 0.00 | May 2, 2007 | XScreenSaver 4.10, when using a remote directory service for credentials, does not properly handle the results from the getpwuid function in drivers/lock.c when there is no network connectivity, which causes XScreenSaver to crash and unlock the screen and allows local users to bypass authentication. | ||
| CVE-2007-2277 | 0.00 | — | 0.01 | Apr 25, 2007 | Session fixation vulnerability in Plogger allows remote attackers to hijack web sessions by setting the PHPSESSID parameter. | ||
| CVE-2007-2243 | 0.00 | — | 0.00 | Apr 25, 2007 | OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483. | ||
| CVE-2007-1951 | 0.00 | — | 0.01 | Apr 11, 2007 | Session fixation vulnerability in onelook obo Shop allows remote attackers to hijack web sessions by setting a PHPSESSID cookie. | ||
| CVE-2007-1949 | 0.00 | — | 0.01 | Apr 11, 2007 | Session fixation vulnerability in WebBlizzard CMS allows remote attackers to hijack web sessions by setting a PHPSESSID cookie. | ||
| CVE-2007-1953 | 0.00 | — | 0.01 | Apr 11, 2007 | Session fixation vulnerability in onelook courts on-line allows remote attackers to hijack web sessions by setting a PHPSESSID cookie. | ||
| CVE-2007-1952 | 0.00 | — | 0.01 | Apr 11, 2007 | Session fixation vulnerability in onelook onebyone CMS allows remote attackers to hijack web sessions by setting a PHPSESSID cookie. | ||
| CVE-2007-1228 | 0.00 | — | 0.00 | Mar 2, 2007 | IBM DB2 UDB 8.2 before Fixpak 7 (aka fixpack 14), and DB2 9 before Fix Pack 2, on UNIX allows the "fenced" user to access certain unauthorized directories. | ||
| CVE-2007-1160 | 0.00 | — | 0.01 | Mar 2, 2007 | webSPELL 4.0, and possibly later versions, allows remote attackers to bypass authentication via a ws_auth cookie, a different vulnerability than CVE-2006-4782. | ||
| CVE-2006-6997 | 0.00 | — | 0.01 | Feb 12, 2007 | Unspecified vulnerability in a cryptographic feature in MailEnable Standard Edition before 1.93, Professional Edition before 1.73, and Enterprise Edition before 1.21 leads to "weakened authentication security" with unknown impact and attack vectors. NOTE: due to lack of details, it is not clear whether this is the same as CVE-2006-1792. | ||
| CVE-2007-0435 | 0.00 | — | 0.01 | Jan 23, 2007 | T-Com Speedport 500V routers with firmware 1.31 allow remote attackers to bypass authentication and reconfigure the device via a LOGINKEY=TECOM cookie value. | ||
| CVE-2006-6783 | 0.00 | — | 0.01 | Dec 28, 2006 | logahead UNU 1.0 before 20061226 allows remote attackers to upload arbitrary files via unspecified vectors related to plugins/widged/_widged.php (aka the WidgEd plugin), possibly because of an authentication bypass. NOTE: some of these details are obtained from third party information. |