VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 96 of 121
  • CVE-2013-5511Oct 13, 2013
    risk 0.00cvss epss 0.02

    The Adaptive Security Device Management (ASDM) remote-management feature in Cisco Adaptive Security Appliance (ASA) Software 8.2.x before 8.2(5.46), 8.3.x before 8.3(2.39), 8.4.x before 8.4(6), 8.5.x before 8.5(1.18), 8.6.x before 8.6(1.12), 8.7.x before 8.7(1.7), 9.0.x before…

  • CVE-2013-5510Oct 13, 2013
    risk 0.00cvss epss 0.01

    The remote-access VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 7.x before 7.2(5.12), 8.x before 8.2(5.46), 8.3.x before 8.3(2.39), 8.4.x before 8.4(6), 8.6.x before 8.6(1.12), 9.0.x before 9.0(3.1), and 9.1.x before 9.1(2.5), when an…

  • CVE-2013-3610Oct 5, 2013
    risk 0.00cvss epss 0.01

    qis/QIS_finish.htm on the ASUS RT-N10E router with firmware before 2.0.0.25 does not require authentication, which allows remote attackers to discover the administrator password via a direct request.

  • CVE-2013-5163Oct 4, 2013
    risk 0.00cvss epss 0.00

    Directory Services in Apple Mac OS X before 10.8.5 Supplemental Update allows local users to bypass password-based authentication and modify arbitrary Directory Services records via unspecified vectors.

  • CVE-2013-5944Oct 3, 2013
    risk 0.00cvss epss 0.02

    The integrated web server on Siemens SCALANCE X-200 switches with firmware before 4.5.0 and X-200IRT switches with firmware before 5.1.0 does not properly enforce authentication requirements, which allows remote attackers to perform administrative actions via requests to the…

  • CVE-2013-3417Sep 30, 2013
    risk 0.00cvss epss 0.01

    The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262.

  • CVE-2013-5200Sep 25, 2013
    risk 0.00cvss epss 0.01

    The (1) REST and (2) memcache interfaces in the Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2-rev16 do not require authentication, which allows remote attackers to obtain sensitive information or modify data via an API call.

  • CVE-2012-4078Sep 24, 2013
    risk 0.00cvss epss 0.04

    The Baseboard Management Controller (BMC) in Cisco Unified Computing System (UCS) does not properly handle SSH escape sequences, which allows remote authenticated users to bypass an unspecified authentication step via SSH port forwarding, aka Bug ID CSCtg17656.

  • CVE-2013-5119Sep 23, 2013
    risk 0.00cvss epss 0.01

    Zimbra Collaboration Suite (ZCS) 6.0.16 and earlier allows man-in-the-middle attackers to obtain access by sniffing the network and replaying the ZM_AUTH_TOKEN token.

  • CVE-2013-1443Sep 23, 2013
    risk 0.00cvss epss 0.03

    The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.

  • CVE-2013-3473Sep 20, 2013
    risk 0.00cvss epss 0.02

    The web framework in Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance before 9.1.1 does not properly determine the existence of an authenticated session, which allows remote attackers to discover usernames and passwords via an HTTP request, aka Bug ID…

  • CVE-2013-5497Sep 19, 2013
    risk 0.00cvss epss 0.02

    The authentication manager process in the web framework in Cisco Intrusion Prevention System (IPS) does not properly handle user tokens, which allows remote attackers to cause a denial of service (intermittent MainApp hang) via a crafted management-interface connection request,…

  • CVE-2013-3039Sep 12, 2013
    risk 0.00cvss epss 0.00

    IBM Rational Requirements Composer before 4.0.4 does not properly perform authentication, which has unspecified impact and remote attack vectors.

  • CVE-2013-4061Sep 9, 2013
    risk 0.00cvss epss 0.01

    IBM Rational Policy Tester 8.5 before 8.5.0.5 does not properly check authorization for changes to the set of authentication hosts, which allows remote authenticated users to perform spoofing attacks involving an HTTP redirect via unspecified vectors.

  • CVE-2012-6603Aug 31, 2013
    risk 0.00cvss epss 0.04

    The web management UI in Palo Alto Networks PAN-OS before 3.1.12, 4.0.x before 4.0.10, and 4.1.x before 4.1.4 allows remote attackers to bypass authentication and obtain administrator privileges via unspecified vectors, aka Ref ID 37034.

  • CVE-2013-3466Aug 29, 2013
    risk 0.00cvss epss 0.05

    The EAP-FAST authentication module in Cisco Secure Access Control Server (ACS) 4.x before 4.2.1.15.11, when a RADIUS server configuration is enabled, does not properly parse user identities, which allows remote attackers to execute arbitrary commands via crafted EAP-FAST…

  • CVE-2013-4958Aug 20, 2013
    risk 0.00cvss epss 0.00

    Puppet Enterprise before 3.0.1 does not use a session timeout, which makes it easier for attackers to gain privileges by leveraging an unattended workstation.

  • CVE-2013-2157Aug 20, 2013
    risk 0.00cvss epss 0.03

    OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass authentication via an empty password.

  • CVE-2013-3659Aug 9, 2013
    risk 0.00cvss epss 0.01

    The NTT DOCOMO overseas usage application 2.0.0 through 2.0.4 for Android does not properly connect to Wi-Fi access points, which allows remote attackers to obtain sensitive information by leveraging presence in an 802.11 network's coverage area.

  • CVE-2013-2993Aug 1, 2013
    risk 0.00cvss epss 0.01

    IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.7 does not properly perform authentication for unspecified web services, which allows remote attackers to issue requests in the context of an arbitrary user's active session via unknown vectors.