VYPR

CWE-345

Insufficient Verification of Data Authenticity

Class · Draft

Description

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-148 · CAPEC-218 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-665 · CAPEC-701

CVEs mapped to this weakness (306)

page 2 of 16
  • CVE-2023-2987 · Critical · May 31, 2023
    risk 0.57 · cvss 9.8 · epss 0.01

    The Wordapp plugin for WordPress is vulnerable to authorization bypass due to a use of an insufficiently unique cryptographic signature on the 'wa_pdx_op_config_set' function in versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to the…

  • CVE-2018-7932 · High · Apr 24, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    Huawei AppGallery versions before 8.0.4.301 have an arbitrary Javascript running vulnerability. An attacker may set up a malicious network environment and trick a user into accessing a malicious web page to bypass the whitelist mechanism, which makes the malicious Javascript loaded…

  • CVE-2017-3219 · High · Jun 21, 2017
    risk 0.57 · cvss 8.8 · epss 0.00

    Acronis True Image up to and including version 2017 Build 8053 performs software updates using HTTP. Downloaded updates are only verified using a server-provided MD5 hash.

  • CVE-2017-3218 · High · Jun 21, 2017
    risk 0.57 · cvss 8.8 · epss 0.00

    Samsung Magician 5.0 fails to validate TLS certificates for HTTPS software update traffic. Prior to version 5.0, Samsung Magician uses HTTP for software updates.

  • CVE-2022-4992 · High · Jun 2, 2026
    risk 0.56 · cvss 8.6 · epss 0.00

    Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors versions VG4.1.1, VG4.0.3, and lower (with VG4.2 partially affected) contain a network message handling vulnerability that allows remote attackers to inject spoofed or tampered data and cause…

  • CVE-2025-1108 · High · Feb 7, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    Insufficient data authenticity verification vulnerability in Janto, versions prior to r12. This allows an unauthenticated attacker to modify the content of emails sent to reset the password. To exploit the vulnerability, the attacker must create a POST request by injecting…

  • CVE-2018-10080 · High · Apr 13, 2018
    risk 0.56 · cvss 8.6 · epss 0.01

    Secutech RiS-11, RiS-22, and RiS-33 devices with firmware V5.07.52_es_FRI01 allow DNS settings changes via a goform/AdvSetDns?GO=wan_dns.asp request in conjunction with a crafted admin cookie.

  • CVE-2026-33471 · Critical · Apr 22, 2026
    risk 0.55 · cvss 9.6 · epss 0.00

    nimiq-block contains block primitives to be used in Nimiq's Rust implementation. `SkipBlockProof::verify` computes its quorum check using `BitSet.len()`, then iterates `BitSet` indices and casts each `usize` index to `u16` (`slot as u16`) for slot lookup. Prior to version 1.3.0,…

  • CVE-2025-59934 · Critical · Sep 26, 2025
    risk 0.54 · cvss 9.4 · epss 0.08

    Formbricks is an open source qualtrics alternative. Prior to version 4.0.1, Formbricks is missing JWT signature verification. This vulnerability stems from a token validation routine that only decodes JWTs (jwt.decode) without verifying their signatures. Both the email…

  • CVE-2026-4984 · High · Mar 27, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in…

  • CVE-2026-4478 · High · Mar 20, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.1_20171024151200. This impacts an unknown function of the file home/web/ipc of the component HTTP Firmware Update Handler. The manipulation leads to improper verification of cryptographic signature. The attack…

  • CVE-2025-67298 · High · Mar 11, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    An issue in ClasroomIO before v.0.2.6 allows a remote attacker to escalate privileges via the endpoints /api/verify and /rest/v1/profile.

  • CVE-2025-71057 · High · Feb 26, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user.

  • CVE-2025-66016 · Critical · Nov 25, 2025
    risk 0.53 · cvss (not given) · epss 0.00

    CGGMP24 is a state-of-the-art ECDSA TSS protocol that supports 1-round signing (requires 3 preprocessing rounds), identifiable abort, and a key refresh protocol. Prior to version 0.6.3, there is a missing check in the ZK proof that enables an attack in which a single malicious signer…

  • CVE-2024-48916 · High · Jul 30, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, it is possible to send a JWT that has "none" as the JWT alg. By doing so, the JWT signature is not checked. The vulnerability is most likely in the RadosGW OIDC provider. As of time of…

  • CVE-2018-7798 · High · Nov 2, 2018
    risk 0.53 · cvss 8.2 · epss 0.01

    An Insufficient Verification of Data Authenticity (CWE-345) vulnerability exists in the Modicon M221, all versions, which could cause a change of IPv4 configuration (IP address, mask and gateway) when remotely connected to the device.

  • CVE-2017-3224 · High · Jul 24, 2018
    risk 0.53 · cvss 8.2 · epss 0.01

    Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency for LSAs with MaxSequenceNumber. According to RFC 2328 section 13.1, for two instances of the same LSA, recency is determined by first comparing sequence…

  • CVE-2018-12333 · High · Jun 17, 2018
    risk 0.53 · cvss 8.1 · epss 0.00

    Insufficient Verification of Data Authenticity vulnerability in ECOS Secure Boot Stick (aka SBS) 5.6.5 allows an attacker to manipulate security relevant configurations and execute malicious code.

  • CVE-2017-2667 · High · Mar 12, 2018
    risk 0.53 · cvss 8.1 · epss 0.01

    Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings that disable it by default. As a result the server certificates are not checked and connections are prone to man-in-the-middle attacks.

  • CVE-2017-11130 · High · Aug 1, 2017
    risk 0.53 · cvss 8.1 · epss 0.00

    An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. The product's protocol only tries to ensure confidentiality. In the whole protocol, no integrity or authenticity checks are done. Therefore…