VYPR

CWE-345

Insufficient Verification of Data Authenticity

Abstraction: Class · Status: Draft

Description

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-148 · CAPEC-218 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-665 · CAPEC-701

CVEs mapped to this weakness (306)

page 8 of 16
  • CVE-2017-10862 · Med · Oct 12, 2017
    risk 0.34 · cvss 5.3 · epss 0.01

    jwt-scala 1.2.2 and earlier fails to verify token signatures correctly which may lead to an attacker being able to pass specially crafted JWT data as a correctly signed token.

  • CVE-2026-1195 · Med · Jan 20, 2026
    risk 0.33 · cvss 5.0 · epss 0.00

    A weakness has been identified in MineAdmin 1.x/2.x. This impacts the function refresh of the file /system/refresh of the component JWT Token Handler. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The…

  • CVE-2022-33861 · Med · Nov 25, 2024
    risk 0.33 · cvss 5.1 · epss 0.00

    IPP software versions prior to v1.71 do not sufficiently verify the authenticity of data, in a way that causes it to accept invalid data.

  • CVE-2026-3446 · Med · Apr 10, 2026
    risk 0.32 · cvss n/a · epss 0.00

    When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other…

  • CVE-2026-46539 · Med · Jun 10, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, a logic flaw in BlockInclusionProof::is_block_proven causes the function to return true without performing any cryptographic verification when…

  • CVE-2026-34778 · Med · Apr 4, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, a service worker running in a session could spoof reply messages on the internal IPC channel used by…

  • CVE-2026-32294 · Med · Mar 17, 2026
    risk 0.31 · cvss 4.7 · epss 0.00

    JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding SHA256 hash to pass verification.

  • CVE-2026-32290 · Med · Mar 17, 2026
    risk 0.31 · cvss 4.7 · epss 0.00

    The GL-iNet Comet (GL-RM1) KVM before version 1.8.2 does not sufficiently verify the authenticity of uploaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding MD5 hash to pass verification.

  • CVE-2021-22947 · Med · Sep 29, 2021
    risk 0.31 · cvss 5.9 · epss 0.03

    When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached…

  • CVE-2026-42206 · Med · May 8, 2026
    risk 0.30 · cvss n/a · epss 0.00

    Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity…

  • CVE-2025-25188 · Med · Feb 10, 2025
    risk 0.30 · cvss n/a · epss 0.00

    Hickory DNS is a Rust based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior to versions 0.24.3 and 0.25.0-alpha.5 impacts Hickory DNS users relying on DNSSEC verification in the client library, stub resolver, or recursive resolver.…

  • CVE-2026-41164 · Med · May 26, 2026
    risk 0.29 · cvss 4.4 · epss 0.00

    nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint (/auth/v1/introspect_access_token) accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key…

  • CVE-2026-25602 · Med · May 20, 2026
    risk 0.29 · cvss 4.4 · epss 0.00

    Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49;…

  • CVE-2024-53267 · Med · Nov 26, 2024
    risk 0.29 · cvss 5.5 · epss 0.00

    sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients…

  • CVE-2018-10626 · Med · Aug 10, 2018
    risk 0.29 · cvss 4.4 · epss 0.00

    Medtronic MyCareLink Patient Monitor’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data…

  • CVE-2017-1405 · Med · Jun 8, 2018
    risk 0.29 · cvss 4.4 · epss 0.00

    IBM Security Identity Manager Virtual Appliance 7.0 processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code. IBM X-Force ID: 127392.

  • CVE-2016-3016 · Med · Feb 1, 2017
    risk 0.29 · cvss 4.4 · epss 0.00

    IBM Security Access Manager for Web processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code, which could allow an authenticated attacker to load malicious code.

  • CVE-2026-53900 · Med · Jun 16, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a malicious site to inject arbitrary cookies into requests to an unrelated target domain. This vulnerability was fixed in Firefox for iOS 152.0.

  • CVE-2026-31835 · Med · May 5, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (the `backup_eligible` and `backup_state` flags) based on unverified…

  • CVE-2024-2384 · Med · Mar 20, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    The WooCommerce POS plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.4.11. This is due to the plugin not properly verifying the authentication and authorization of the current user. This makes it possible for authenticated…