VYPR

CWE-836

Use of Password Hash Instead of Password for Authentication

Base · Incomplete

Description

The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-644 · CAPEC-652

CVEs mapped to this weakness (5)

  • CVE-2026-46488 · Critical · Jun 22, 2026
    risk 0.59 · cvss · epss

    Summary: An authentication bypass vulnerability exists due to improper trust in client-controlled cookies. The application accepts user-supplied cookie values containing a username and password-hash-derived value as sufficient authentication material. These cookies can be set…

  • CVE-2017-7927 · High · May 6, 2017
    risk 0.50 · cvss 7.3 · epss 0.37

    A Use of Password Hash Instead of Password for Authentication issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX,…

  • CVE-2019-25552 · High · Mar 21, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    CEWE PHOTO SHOW 6.4.3 contains a denial of service vulnerability that allows attackers to crash the application by submitting an excessively long buffer to the password field. Attackers can paste a large string of repeated characters into the password input during the upload…

  • CVE-2023-23450 · Medium · May 15, 2023
    risk 0.40 · cvss 6.2 · epss 0.01

    Use of Password Hash Instead of Password for Authentication in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to use a password hash instead of an actual password to login to a valid…

  • CVE-2026-40103 · Medium · Apr 10, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with…