VYPR

CWE-289

Authentication Bypass by Alternate Name

BaseIncomplete

Description

The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (25)

page 1 of 2
  • CVE-2025-13613CriDec 10, 2025
    risk 0.64cvss 9.8epss 0.00

    The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'eltdf_membership_check_facebook_user' and…

  • CVE-2024-39223CriJul 3, 2024
    risk 0.64cvss 9.8epss 0.01

    An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback function to ssh.InsecureIgnoreHostKey

  • CVE-2023-1803CriApr 14, 2023
    risk 0.64cvss 9.8epss 0.01

    Authentication Bypass by Alternate Name vulnerability in DTS Electronics Redline Router firmware allows Authentication Bypass. This issue affects Redline Router: before 7.17.

  • CVE-2026-50627CriJun 12, 2026
    risk 0.59cvss 9.1epss 0.00

    The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token…

  • CVE-2017-16590HigJan 23, 2018
    risk 0.57cvss 8.8epss 0.03

    This vulnerability allows remote attackers to bypass authentication on vulnerable installations of NetGain Systems Enterprise Manager 7.2.699 build 1001. User interaction is required to exploit this vulnerability. The specific flaw exists within the MainFilter servlet. The issue…

  • CVE-2025-29266CriMar 31, 2025
    risk 0.55cvss 9.6epss 0.00

    Unraid 7.0.0 before 7.0.1 allows remote users to access the Unraid WebGUI and web console as root without authentication if a container is running in Host networking mode with Use Tailscale enabled.

  • CVE-2025-64343HigNov 7, 2025
    risk 0.51cvss 7.8epss 0.00

    (conda) Constructor is a tool that enables users to create installers for conda package collections. In versions 3.12.2 and below, the installation directory inherits permissions from its parent directory. Outside of restricted directories, the permissions are very permissive…

  • CVE-2025-60375HigOct 9, 2025
    risk 0.47cvss 7.3epss 0.00

    The authentication mechanism in Perfex CRM before 3.3.1 allows attackers to bypass login credentials due to insufficient server-side validation. By sending empty username and password parameters in the login request, an attacker can gain unauthorized access to user accounts,…

  • CVE-2024-34519MedMay 5, 2024
    risk 0.44cvss 6.8epss 0.00

    Avantra Server 24.x before 24.0.7 and 24.1.x before 24.1.1 mishandles the security of dashboards, aka XAN-5367. If a user can create a dashboard with an auto-login user, data disclosure may occur. Access control can be bypassed when there is a shared dashboard, and its…

  • CVE-2025-41248HigSep 16, 2025
    risk 0.42cvss 7.5epss 0.00

    The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in…

  • CVE-2024-51996HigNov 13, 2024
    risk 0.42cvss 7.5epss 0.01

    Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to…

  • CVE-2024-2098HigJun 13, 2024
    risk 0.42cvss 7.5epss 0.00

    The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download…

  • CVE-2025-14777MedDec 16, 2025
    risk 0.39cvss 6.0epss 0.00

    A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer…

  • CVE-2025-8415MedAug 20, 2025
    risk 0.38cvss 5.9epss 0.00

    A vulnerability was found in the Cryostat HTTP API. Cryostat's HTTP API binds to all network interfaces, allowing possible external visibility and access to the API port if Network Policies are disabled, allowing an unauthenticated, malicious attacker to jeopardize the…

  • CVE-2026-43617MedMay 20, 2026
    risk 0.24cvss 4.8epss 0.00

    Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP…

  • CVE-2026-3184LowApr 3, 2026
    risk 0.24cvss 3.7epss 0.00

    A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname,…

  • CVE-2026-34506MedMar 31, 2026
    risk 0.21cvss 4.3epss 0.00

    OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message…

  • CVE-2026-32036Mar 19, 2026
    risk 0.00cvss epss 0.00

    OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass route authentication checks by manipulating /api/channels paths with encoded dot-segment traversal sequences. Attackers can craft alternate paths…

  • CVE-2026-23903Feb 9, 2026
    risk 0.00cvss epss 0.00

    Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only effects static files. If static files are served from a…

  • CVE-2026-24058Jan 22, 2026
    risk 0.00cvss epss 0.01

    Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before…