VYPR

CWE-287

Improper Authentication

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 95 of 121
  • CVE-2013-5009 · Jan 10, 2014
    risk 0.00 · cvss · epss 0.01

    The Management Console in Symantec Endpoint Protection (SEP) 11.x before 11.0.7.4 and 12.x before 12.1.2 RU2 and Endpoint Protection Small Business Edition 12.x before 12.1.2 RU2 does not properly perform authentication, which allows remote authenticated users to gain privileges…

  • CVE-2013-6006 · Dec 28, 2013
    risk 0.00 · cvss · epss 0.02

    Cybozu Garoon 3.5 through 3.7 SP2 allows remote attackers to bypass Keitai authentication via a modified user ID in a request.

  • CVE-2013-6979 · Dec 23, 2013
    risk 0.00 · cvss · epss 0.04

    The VTY authentication implementation in Cisco IOS XE 03.02.xxSE and 03.03.xxSE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID…

  • CVE-2013-6439 · Dec 23, 2013
    risk 0.00 · cvss · epss 0.02

    Candlepin in Red Hat Subscription Asset Manager 1.0 through 1.3 uses a weak authentication scheme when the configuration file does not specify a scheme, which has unspecified impact and attack vectors.

  • CVE-2013-5413 · Dec 21, 2013
    risk 0.00 · cvss · epss 0.01

    IBM Sterling B2B Integrator 5.2 and Sterling File Gateway 2.2 do not invalidate a session upon a logout action, which allows remote attackers to bypass authentication by leveraging an unattended workstation.

  • CVE-2013-5426 · Dec 19, 2013
    risk 0.00 · cvss · epss 0.01

    Session fixation vulnerability in IBM InfoSphere Master Data Management - Collaborative Edition 10.x before 10.1 IF5 and 11.0 before IF1 and InfoSphere Master Data Management Server for Product Information Management 9.x before 9.1 IF11 allows remote authenticated users to…

  • CVE-2013-4001 · Dec 14, 2013
    risk 0.00 · cvss · epss 0.01

    Session fixation vulnerability in IBM Cognos Command Center before 10.2 allows remote attackers to hijack web sessions via an authorization cookie.

  • CVE-2013-1364 · Dec 14, 2013
    risk 0.00 · cvss · epss 0.02

    The user.login function in Zabbix before 1.8.16 and 2.x before 2.0.5rc1 allows remote attackers to override LDAP configuration via the cnf parameter.

  • CVE-2013-7093 · Dec 13, 2013
    risk 0.00 · cvss · epss 0.03

    SAP Network Interface Router (SAProuter) 39.3 SP4 allows remote attackers to bypass authentication and modify the configuration via unspecified vectors.

  • CVE-2013-6171 · Dec 9, 2013
    risk 0.00 · cvss · epss 0.01

    checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account…

  • CVE-2013-6920 · Dec 7, 2013
    risk 0.00 · cvss · epss 0.03

    Siemens SINAMICS S/G controllers with firmware before 4.6.11 do not require authentication for FTP and TELNET sessions, which allows remote attackers to bypass intended access restrictions via TCP traffic to port (1) 21 or (2) 23.

  • CVE-2013-6634 · Dec 7, 2013
    risk 0.00 · cvss · epss 0.01

    The OneClickSigninHelper::ShowInfoBarIfPossible function in browser/ui/sync/one_click_signin_helper.cc in Google Chrome before 31.0.1650.63 uses an incorrect URL during realm validation, which allows remote attackers to conduct session fixation attacks and hijack web sessions by…

  • CVE-2013-6859 · Nov 23, 2013
    risk 0.00 · cvss · epss 0.02

    SAP Sybase Adaptive Server Enterprise (ASE) before 15.0.3 ESD#4.3, 15.5 before 15.5 ESD#5.3, and 15.7 before 15.7 SP50 or 15.7 SP100 does not properly perform authorization, which allows remote authenticated users to gain privileges via unspecified vectors.

  • CVE-2013-6828 · Nov 20, 2013
    risk 0.00 · cvss · epss 0.01

    admin/management.html in PineApp Mail-SeCure allows remote attackers to bypass authentication and perform a sys_usermng operation via the it parameter.

  • CVE-2013-4435 · Nov 5, 2013
    risk 0.00 · cvss · epss 0.02

    Salt (aka SaltStack) 0.15.0 through 0.17.0 allows remote authenticated users who are using external authentication or client ACL to execute restricted routines by embedding the routine in another routine.

  • CVE-2013-6347 · Nov 2, 2013
    risk 0.00 · cvss · epss 0.01

    Session fixation vulnerability in Novell ZENworks Configuration Management (ZCM) before 11.2.4 allows remote attackers to hijack web sessions via unspecified vectors.

  • CVE-2013-6012 · Oct 28, 2013
    risk 0.00 · cvss · epss 0.02

    Juniper Junos 12.1X44 before 12.1.X44-D20 and 12.1X45 before 12.1X45-D15, when the no-validate option is enabled, does not properly handle configuration validation errors during the config commit phase of the boot-up sequence, which allows remote attackers to bypass…

  • CVE-2013-2102 · Oct 28, 2013
    risk 0.00 · cvss · epss 0.01

    The default configuration of Red Hat JBoss Portal before 6.1.0 enables the JGroups diagnostics service with no authentication when a JGroups channel is started, which allows remote attackers to obtain sensitive information (diagnostics) by accessing the service.

  • CVE-2013-4965 · Oct 25, 2013
    risk 0.00 · cvss · epss 0.01

    Puppet Enterprise before 3.1.0 does not properly restrict the number of authentication attempts by a console account, which makes it easier for remote attackers to bypass intended access restrictions via a brute-force attack.

  • CVE-2013-5531 · Oct 25, 2013
    risk 0.00 · cvss · epss 0.01

    Cisco Identity Services Engine (ISE) 1.x before 1.1.1 allows remote attackers to bypass authentication, and read support-bundle configuration and credentials data, via a crafted session on TCP port 443, aka Bug ID CSCty20405.