VYPR

CWE-345

Insufficient Verification of Data Authenticity

Abstraction: Class · Status: Draft

Description

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-148 · CAPEC-218 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-665 · CAPEC-701

CVEs mapped to this weakness (306)

page 7 of 16
  • CVE-2015-8254 · Medium · Dec 27, 2015
    risk 0.38 · cvss 5.9 · epss 0.00

    The Frontel protocol before 3 on RSI Video Technologies Videofied devices does not use integrity protection, which makes it easier for man-in-the-middle attackers to (1) initiate a false alarm or (2) deactivate an alarm by modifying the client-server data stream.

  • CVE-2024-40644 · Medium · Jul 18, 2024
    risk 0.37 · cvss 6.8 · epss 0.00

    gitoxide is an idiomatic, lean, fast & safe pure Rust implementation of Git. `gix-path` can be tricked into running another `git.exe` placed in an untrusted location by a limited user account on Windows systems. Windows permits limited user accounts without administrative…

  • CVE-2025-2346 · Medium · Mar 16, 2025
    risk 0.36 · cvss 5.6 · epss 0.00

    A vulnerability has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308 and classified as problematic. This vulnerability affects unknown code of the component Domain Handler. The manipulation of the argument Domain Name leads to origin validation error. The attack…

  • CVE-2026-39969 · Medium · May 22, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint (POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook) does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The…

  • CVE-2026-40037 · Medium · Apr 8, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request…

  • CVE-2026-39366 · Medium · Apr 7, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and…

  • CVE-2025-30144 · Medium · Mar 19, 2025
    risk 0.35 · cvss 6.5 · epss 0.01

    fast-jwt provides a fast JSON Web Token (JWT) implementation. Prior to 5.0.6, the fast-jwt library does not properly validate the iss claim based on RFC 7519. The iss (issuer) claim validation within the fast-jwt library permits an array of strings as a valid iss value. This…

  • CVE-2024-53259 · Medium · Dec 2, 2024
    risk 0.35 · cvss 6.5 · epss 0.01

    quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send…

  • CVE-2024-34354 · Medium · May 14, 2024
    risk 0.35 · cvss 6.5 · epss 0.00

    CMSaaSStarter is a SaaS template/boilerplate built with SvelteKit, Tailwind, and Supabase. Any forks of the CMSaaSStarter template before commit 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 are impacted. The issue is the user JWT Token is not verified on server session. You should…

  • CVE-2015-9232 · Medium · Sep 20, 2017
    risk 0.35 · cvss 5.3 · epss 0.01

    The Good for Enterprise application 3.0.0.415 for Android does not use signature protection for its Authentication Delegation API intent. Also, the Good Dynamic application activation process does not attempt to detect malicious activation attempts involving modified names…

  • CVE-2026-8608 · Medium · Jun 6, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via…

  • CVE-2026-44308 · Medium · May 14, 2026
    risk 0.34 · cvss n/a · epss 0.00

    Spring Cloud AWS simplifies using AWS managed services in Spring and Spring Boot applications. From 3.0.0 to 4.0.1, applications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@NotificationMessageMapping, @NotificationSubscriptionMapping,…

  • CVE-2025-12752 · Medium · Nov 22, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to fake payment creation in all versions up to, and including, 1.1.7. This is due to the plugin not properly verifying the authenticity of an IPN request. This makes it possible for unauthenticated…

  • CVE-2024-50347 · Medium · Oct 31, 2024
    risk 0.34 · cvss n/a · epss 0.00

    Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. Prior to 1.4.0, there is an issue where verification signatures for requests sent to Reverb's Pusher-compatible API were not being verified. This API is used in scenarios such as…

  • CVE-2024-25584 · Medium · Sep 6, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Dovecot accepts the LF DOT LF sequence as the end of the DATA command. The RFC requires that it always be CR LF DOT CR LF. This causes Dovecot to convert a single mail with LF DOT LF in the middle into two emails when relaying to SMTP. Dovecot will split a mail with LF DOT LF into two mails.…

  • CVE-2024-2382 · Medium · Jun 4, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    The Authorize.net Payment Gateway For WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 8.0. This is due to the plugin not properly verifying the authenticity of the request that updates an order's payment status. This makes it…

  • CVE-2024-1718 · Medium · Jun 4, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    The Claudio Sanches – Checkout Cielo for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient payment validation in the update_order_status() function in all versions up to, and including, 1.1.0. This makes it possible for…

  • CVE-2024-31341 · Medium · May 17, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Insufficient Verification of Data Authenticity vulnerability in Cozmoslabs Profile Builder allows Functionality Bypass. This issue affects Profile Builder: from n/a through 3.11.2.

  • CVE-2024-1321 · Medium · Mar 13, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 3.4.2. This is due to the plugin allowing unauthenticated users to update the status of order payments. This makes it possible for…

  • CVE-2018-17938 · Medium · Oct 3, 2018
    risk 0.34 · cvss 5.3 · epss 0.01

    Zimbra Collaboration before 8.8.10 GA allows text content spoofing via a loginErrorCode value.
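Several entries on this page (the TypeBot webhook, the AVideo IPN replay, the PayPal, Authorize.net, Cielo, EventPrime and Event Monster payment-status handlers) share one shape: an endpoint acts on an inbound notification without checking who produced it, or whether the same notification was already processed. The block below is an added Python example, not code from any of the listed projects. It models a receiver for a Meta-style x-hub-signature-256 header: the shared secret, the header name used as a dictionary key, the ledger and the notification bodies are all constructed for the example. The insecure handler credits whatever the body says; the hardened one verifies the HMAC over the raw bytes first, then rejects delivery IDs it has already seen.

```python
import hashlib
import hmac
import json

# Constructed shared secret standing in for the provider's app secret. Not a real credential.
APP_SECRET = b"example-app-secret-do-not-use"


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Header value the provider sends: 'sha256=' + hex(HMAC-SHA256(secret, raw body))."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header: str | None) -> bool:
    """Recompute the MAC over the bytes exactly as received (never over a re-serialised
    parse of them, which can differ byte-for-byte) and compare in constant time."""
    if not header or not header.startswith("sha256="):
        return False
    expected = sign_body(secret, raw_body)
    return hmac.compare_digest(expected.encode(), header.encode())


class ReplayCache:
    """Remembers delivery IDs for a window, so a captured, validly signed notification
    cannot be resent to credit the same account again (the AVideo IPN replay pattern)."""

    def __init__(self, window_seconds: float = 300.0):
        self.window = window_seconds
        self._seen: dict[str, float] = {}

    def first_seen(self, event_id: str, now: float) -> bool:
        self._seen = {k: t for k, t in self._seen.items() if now - t < self.window}
        if event_id in self._seen:
            return False
        self._seen[event_id] = now
        return True


def handle_insecure(raw_body: bytes, headers: dict, ledger: dict) -> str:
    """Vulnerable shape: the body is trusted as-is, so anyone who can reach the endpoint
    can post a 'payment'."""
    event = json.loads(raw_body)
    ledger[event["account"]] = ledger.get(event["account"], 0) + event["amount"]
    return "accepted"


def handle_secure(raw_body: bytes, headers: dict, ledger: dict,
                  cache: ReplayCache, now: float) -> str:
    """Authenticity (signature) first, then freshness (dedup), then business logic."""
    # Real frameworks normalise header-name case; a plain dict is used here for clarity.
    if not verify_signature(APP_SECRET, raw_body, headers.get("x-hub-signature-256")):
        return "rejected: bad signature"
    event = json.loads(raw_body)
    if not cache.first_seen(event["id"], now):
        return "rejected: replay"
    ledger[event["account"]] = ledger.get(event["account"], 0) + event["amount"]
    return "accepted"


def demo() -> dict:
    """Drive both handlers with constructed notifications; returns outcomes and ledgers."""
    genuine = b'{"id":"evt-1001","account":"alice","amount":25}'
    forged = b'{"id":"evt-9999","account":"mallory","amount":100000}'
    good_sig = {"x-hub-signature-256": sign_body(APP_SECRET, genuine)}

    insecure_ledger: dict = {}
    secure_ledger: dict = {}
    cache = ReplayCache()
    out = {
        "insecure_forged": handle_insecure(forged, {}, insecure_ledger),
        "secure_forged": handle_secure(forged, {}, secure_ledger, cache, now=0.0),
        "secure_genuine": handle_secure(genuine, good_sig, secure_ledger, cache, now=1.0),
        "secure_replay": handle_secure(genuine, good_sig, secure_ledger, cache, now=2.0),
        # Tampering with a signed body fails too: the MAC covers every byte.
        "secure_tampered": handle_secure(genuine.replace(b"25", b"2500"), good_sig,
                                         secure_ledger, cache, now=3.0),
    }
    out["insecure_ledger"] = insecure_ledger
    out["secure_ledger"] = secure_ledger
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details matter in practice: the MAC must be computed over the raw request body before any JSON parsing, and the dedup key must be something the provider assigns (a delivery or transaction ID), not a field the sender can vary freely while keeping the same economic effect.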
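The fast-jwt entry describes an iss (issuer) check that accepts an array of strings where RFC 7519 defines iss as a single StringOrURI. The block below is an added Python example, not fast-jwt's code: it issues HS256 tokens under a constructed key, then contrasts a lenient issuer check (any array element matching an allowed issuer passes) with a strict one (the claim must be a string and must match). How an attacker obtains a correctly signed token carrying an array iss is not stated on the page and is not modelled here; the example only shows that the lenient check lets a non-string issuer through to downstream code.

```python
import base64
import hashlib
import hmac
import json

# Constructed HS256 key for the example. Not a real secret.
SIGNING_KEY = b"example-hs256-key-do-not-use"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(payload: dict, key: bytes) -> str:
    """Issue an HS256 token; used here only to build inputs for the checks below."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def iss_ok_lenient(iss, allowed: set[str]) -> bool:
    """The behaviour the entry describes: an array passes if any element is allowed."""
    candidates = iss if isinstance(iss, list) else [iss]
    return any(c in allowed for c in candidates)


def iss_ok_strict(iss, allowed: set[str]) -> bool:
    """RFC 7519: iss is a StringOrURI. Any other type is rejected before comparison."""
    return isinstance(iss, str) and iss in allowed


def verify_jwt(token: str, key: bytes, allowed_issuers: set[str], strict: bool = True) -> dict:
    """Check the signature, then the iss claim; return the payload or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to pick the algorithm
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body_b64))
    check = iss_ok_strict if strict else iss_ok_lenient
    if not check(payload.get("iss"), allowed_issuers):
        raise ValueError("issuer not allowed")
    return payload


def demo() -> dict:
    """Constructed tokens: a normal one, one with an array iss, and one with a swapped body."""
    allowed = {"https://login.example"}
    good = make_jwt({"iss": "https://login.example", "sub": "alice"}, SIGNING_KEY)
    array_iss = make_jwt({"iss": ["https://evil.example", "https://login.example"], "sub": "alice"},
                         SIGNING_KEY)
    # Same header and signature as `good`, but a different body: must fail the MAC.
    h, _, s = good.split(".")
    forged = f"{h}.{_b64url_encode(json.dumps({'iss': 'https://login.example', 'sub': 'admin'}).encode())}.{s}"

    out = {"good_strict": verify_jwt(good, SIGNING_KEY, allowed)["sub"],
           "array_lenient": verify_jwt(array_iss, SIGNING_KEY, allowed, strict=False)["iss"]}
    for name, tok in (("array_strict", array_iss), ("forged", forged)):
        try:
            verify_jwt(tok, SIGNING_KEY, allowed)
            out[name] = "accepted"
        except ValueError as e:
            out[name] = str(e)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With the lenient check, `payload["iss"]` reaching application code is a list, not the issuer string the rest of the application assumes; the strict check makes the type part of the validation rather than leaving it to whatever compares the value later.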