
CWE-287 (Improper Authentication) — Vulnerability Class (1203)

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI Chinese analysis included.

CWE-287 covers authentication weaknesses in which a system fails to adequately verify the identity of an actor claiming a specific identity. The flaw lets attackers bypass security controls by exploiting insufficient verification, gaining unauthorized access through stolen credentials, brute-force guessing, or session hijacking. When authentication logic is flawed, attackers can impersonate legitimate users, leading to data breaches and privilege escalation. Developers mitigate the risk by using robust authentication protocols, including multi-factor authentication, and by making identity verification rigorous and resistant to common attack vectors. Validating credentials against securely hashed stores and applying adaptive security measures significantly reduces the likelihood of unauthorized access, protecting sensitive information and preserving system integrity.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Architecture and Design: Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
    use CGI;

    my $q = new CGI;

    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie( -name => 'loggedin', -value => 'true' );
            $q->cookie( -name => 'user', -value => $q->param('username') );
        }
    }

    # The "user" cookie is client-supplied and never tied to a verified login.
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }
Bad · Perl
    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]
Attack
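The request above succeeds because the two cookies that encode login state are read back without any server-side binding to a completed authentication. As an added example (not from the CWE entry or MITRE), the following Python reproduces that check beside a hardened version that only trusts a username carried inside an HMAC-signed session token; the secret, the cookie name `session` and the helper names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed secret for the demo; a real deployment loads it from protected
# configuration and rotates it, never hard-codes it.
SERVER_SECRET = b"demo-secret-do-not-reuse"


def parse_cookies(header: str) -> dict:
    """Parse a Cookie header value such as "a=1; b=2" into a dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def vulnerable_is_admin(cookie_header: str) -> bool:
    """Mirrors the CWE example: trusts whatever the client sends."""
    c = parse_cookies(cookie_header)
    return c.get("loggedin") == "true" and c.get("user") == "Administrator"


def _mac(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(username: str) -> str:
    """Server side, after a successful password check: bind the verified
    username to a MAC the client cannot produce without SERVER_SECRET."""
    payload = f"{username}:{secrets.token_hex(8)}"
    return f"{payload}:{_mac(payload)}"


def verify_session(token: str):
    """Return the username if the token's MAC is valid, otherwise None."""
    parts = token.rsplit(":", 2)
    if len(parts) != 3:
        return None
    username, nonce, tag = parts
    # Constant-time comparison so a forged tag cannot be matched byte by byte.
    if not hmac.compare_digest(tag, _mac(f"{username}:{nonce}")):
        return None
    return username


def hardened_is_admin(cookie_header: str) -> bool:
    """Only the identity inside a validly signed token decides the admin path."""
    c = parse_cookies(cookie_header)
    return verify_session(c.get("session", "")) == "Administrator"
```

A production system would additionally store the session server side with an expiry and an explicit logout path; the signature alone stops forgery, not replay of a stolen token.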
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-5985 | code-projects School Fees Payment System improper authentication | School Fees Payment System | 7.3 | High | 2025-06-10
CVE-2025-5870 | TRENDnet TV-IP121W Web Interface setup.cgi improper authentication | TV-IP121W | 7.3 | High | 2025-06-09
CVE-2024-13088 | QHora | QuRouter | 7.8 (AI) | High (AI) | 2025-06-06
CVE-2025-48909 | Huawei HarmonyOS security vulnerability | HarmonyOS | 7.1 | High | 2025-06-06
CVE-2025-49012 | Himmelblau's Name-Based Group Matching in `pam_allow_groups` Leads to Potential Security Bypass | himmelblau | 5.4 | Medium | 2025-06-05
CVE-2025-5597 | WF Steuerungstechnik GmbH - airleader MASTER - Authentication Bypass | airleader MASTER | 9.8 (AI) | Critical (AI) | 2025-06-04
CVE-2025-49001 | Dataease Authentication Bypass Vulnerability | dataease | 5.3 (AI) | Medium (AI) | 2025-06-03
CVE-2025-5512 | quequnlong shiyi-blog Administrator Backend verifyPassword improper authentication | shiyi-blog | 7.3 | High | 2025-06-03
CVE-2025-46548 | Apache Pekko Management, Apache Pekko Management, Apache Pekko Management, Akka Management, Akka Management, Akka Management: management API basic authentication is not effective | Apache Pekko Management | 9.8 (AI) | Critical (AI) | 2025-06-03
CVE-2025-5495 | Netgear WNR614 URL improper authentication | WNR614 | 7.3 | High | 2025-06-03
CVE-2025-5437 | Multilaser Sirius RE016 Password Change cstecgi.cgi improper authentication | Sirius RE016 | 5.3 | Medium | 2025-06-02
CVE-2025-48370 | auth-js Vulnerable to Insecure Path Routing from Malformed User Input | auth-js | 8.2 (AI) | High (AI) | 2025-05-27
CVE-2025-5247 | Gowabby HFish url.go LoadUrl improper authentication | HFish | 7.3 | High | 2025-05-27
CVE-2025-5149 | WCMS Login getallcon getMemberByUid improper authentication | WCMS | 5.6 | Medium | 2025-05-25
CVE-2024-7487 | Improper Authentication in WSO2 Identity Server 7.0.0 Allows Bypass of App-Native Authentication | WSO2 Identity Server | 5.8 | Medium | 2025-05-22
CVE-2025-4978 | Netgear DGND3700 Basic Authentication BRS_top.html improper authentication | DGND3700 | 9.8 | Critical | 2025-05-20
CVE-2025-47790 | Nextcloud Server doesn't request second factor after session timeout | security-advisories | 6.4 | Medium | 2025-05-16
CVE-2025-4755 | D-Link DI-7003GV2 netconfig.asp sub_497DE4 improper authentication | DI-7003GV2 | 7.3 | High | 2025-05-16
CVE-2025-47275 | Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK | auth0-PHP | 9.1 | Critical | 2025-05-15
CVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability | Microsoft Defender for Identity | 6.5 | Medium | 2025-05-13
CVE-2025-3659 | Improper authentication handling for Digi PortServer TS; Digi One SP, SP IA, IA; Digi One IAP | Digi PortServer TS | 9.8 (AI) | Critical (AI) | 2025-05-12
CVE-2025-4494 | JAdmin-JAVA JAdmin Admin Backend NoNeedLoginController.java toLogin improper authentication | JAdmin | 7.3 | High | 2025-05-09
CVE-2024-11186 | On affected versions of the CloudVision Portal, improper access controls could enable a malicious authenticated user to take broader actions on managed EOS devices than intended. This advisory impacts the Arista CloudVision Portal products when run on-prem | CloudVision Portal | 10.0 | Critical | 2025-05-08
CVE-2025-46573 | passport-wsfed-saml2 Has SAML Authentication Bypass via Attribute Smuggling | passport-wsfed-saml2 | 7.4 (AI) | High (AI) | 2025-05-06
CVE-2025-46572 | passport-wsfed-saml2 Has SAML Authentication Bypass via Signature Wrapping | passport-wsfed-saml2 | 7.4 (AI) | High (AI) | 2025-05-06
CVE-2025-22477 | Dell Storage Manager authorization issue vulnerability | Dell Storage Center - Dell Storage Manager | 8.3 | High | 2025-05-06
CVE-2025-46590 | Huawei HarmonyOS security vulnerability | HarmonyOS | 6.3 | Medium | 2025-05-06
CVE-2025-0217 | Privileged Remote Access Authentication Bypass | Privileged Remote Access | 5.5 (AI) | Medium (AI) | 2025-05-05
CVE-2025-4144 | PKCE bypass via downgrade attack | | 5.3 (AI) | Medium (AI) | 2025-05-01
CVE-2025-29906 | Finit bundled getty can bypass /bin/login | finit | 8.6 | High | 2025-04-29

Vulnerabilities classified as CWE-287 (Improper Authentication) account for 1203 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.