VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 9 of 121
  • CVE-2018-13821CriAug 30, 2018
    risk 0.64cvss 9.8epss 0.03

    A lack of authentication, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows remote attackers to conduct a variety of attacks, including file reading/writing.

  • CVE-2018-7791CriAug 29, 2018
    risk 0.64cvss 9.8epss 0.02

    A Permissions, Privileges, and Access Control vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). The vulnerability allows unauthorized users to overwrite the original password with their password. If an…

  • CVE-2018-14805CriAug 29, 2018
    risk 0.64cvss 9.8epss 0.05

    ABB eSOMS version 6.0.2 may allow unauthorized access to the system when LDAP is set to allow anonymous authentication, and specific key values within the eSOMS web.config file are present. Both conditions are required to exploit this vulnerability.

  • CVE-2017-9820CriAug 24, 2018
    risk 0.64cvss 9.8epss 0.02

    The National Payments Corporation of India BHIM application 1.3 for Android uses a custom keypad for which the input element is available to the Accessibility service, which makes it easier for attackers to bypass authentication.

  • CVE-2017-9819CriAug 24, 2018
    risk 0.64cvss 9.8epss 0.02

    The National Payments Corporation of India BHIM application 1.3 for Android does not properly restrict use of the OTP feature, which makes it easier for attackers to bypass authentication.

  • CVE-2017-16748CriAug 20, 2018
    risk 0.64cvss 9.8epss 0.05

    An attacker can log into the local Niagara platform (Niagara AX Framework Versions 3.8 and prior or Niagara 4 Framework Versions 4.4 and prior) using a disabled account name and a blank password, granting the attacker administrator access to the Niagara system.

  • CVE-2018-14078CriAug 20, 2018
    risk 0.64cvss 9.8epss 0.02

    Wi2be SMART HP WMT R1.2.20_201400922 allows unauthorized remote attackers to reset the admin password via the /ConfigWizard/ChangePwd.esp?2admin URL (Attackers can login using the "admin" username with password "admin" after a successful attack).

  • CVE-2018-7058CriAug 6, 2018
    risk 0.64cvss 9.8epss 0.04

    Aruba ClearPass, all versions of 6.6.x prior to 6.6.9 are affected by an authentication bypass vulnerability, an attacker can leverage this vulnerability to gain administrator privileges on the system. The vulnerability is exposed only on ClearPass web interfaces, including…

  • CVE-2018-10603CriJul 31, 2018
    risk 0.64cvss 9.8epss 0.03

    Martem TELEM GW6 and GWM devices with firmware 2018.04.18-linux_4-01-601cb47 and prior do not perform authentication of IEC-104 control commands, which may allow a rogue node a remote control of the industrial process.

  • CVE-2018-11491CriJul 25, 2018
    risk 0.64cvss 9.8epss 0.07

    ASUS HG100 devices with firmware before 1.05.12 allow unauthenticated access, leading to remote command execution.

  • CVE-2018-8859CriJul 24, 2018
    risk 0.64cvss 9.8epss 0.02

    Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. An attacker can bypass the required authentication specified in the security configuration file by including extra characters in the…

  • CVE-2016-9482CriJul 13, 2018
    risk 0.64cvss 9.8epss 0.05

    Code generated by PHP FormMail Generator may allow a remote unauthenticated user to bypass authentication in the to access the administrator panel by navigating directly to /admin.php?mod=admin&func=panel

  • CVE-2018-11052CriJul 3, 2018
    risk 0.64cvss 9.8epss 0.04

    Dell EMC ECS versions 3.2.0.0 and 3.2.0.1 contain an authentication bypass vulnerability. A remote unauthenticated attacker could exploit this vulnerability to read and modify S3 objects by supplying specially crafted S3 requests.

  • CVE-2018-4852CriJul 3, 2018
    risk 0.64cvss 9.8epss 0.03

    A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). An attacker with network access to the device could potentially circumvent the authentication mechanism if he/she is able to obtain certain knowledge specific to the attacked…

  • CVE-2018-12575CriJul 2, 2018
    risk 0.64cvss 9.8epss 0.03

    On TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 171019 Rel.55346n devices, all actions in the web interface are affected by bypass of authentication via an HTTP request.

  • CVE-2018-12984CriJun 29, 2018
    risk 0.64cvss 9.8epss 0.03

    Hycus CMS 1.0.4 allows Authentication Bypass via "'=' 'OR'" credentials.

  • CVE-2018-12049CriJun 8, 2018
    risk 0.64cvss 9.8epss 0.05

    A remote attacker can bypass the System Manager Mode on the Canon LBP6030w web interface without a PIN for /checkLogin.cgi via vectors involving /portal_top.html to get full access to the device. NOTE: the vendor reportedly responded that this issue occurs when a customer keeps…

  • CVE-2018-12048CriJun 8, 2018
    risk 0.64cvss 9.8epss 0.05

    A remote attacker can bypass the Management Mode on the Canon LBP7110Cw web interface without a PIN for /checkLogin.cgi via vectors involving /portal_top.html to get full access to the device. NOTE: the vendor reportedly responded that this issue occurs when a customer keeps the…

  • CVE-2018-0321CriJun 7, 2018
    risk 0.64cvss 9.8epss 0.04

    A vulnerability in Cisco Prime Collaboration Provisioning (PCP) could allow an unauthenticated, remote attacker to access the Java Remote Method Invocation (RMI) system. The vulnerability is due to an open port in the Network Interface and Configuration Engine (NICE) service. An…

  • CVE-2018-0319CriJun 7, 2018
    risk 0.64cvss 9.8epss 0.03

    A vulnerability in the password recovery function of Cisco Prime Collaboration Provisioning (PCP) could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device. The vulnerability is due to insufficient validation of a password recovery…