
CWE-287 (Improper Authentication) — Vulnerability Class 1203

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI Chinese analysis included.

CWE-287 is an authentication weakness: the system does not adequately verify that an actor is who it claims to be. Because the verification is insufficient, an attacker can bypass the control with stolen credentials, brute-force guessing, or session hijacking, impersonate a legitimate user, and from there reach sensitive data or escalate privileges. The mitigation is to make identity verification rigorous and resistant to those common attacks: use robust, multi-factor authentication, validate credentials only against securely hashed stores, and add adaptive measures (for example rate limiting and anomaly checks) so that unauthorized access becomes substantially less likely and system integrity is preserved.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
Note: This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Phase: Architecture and Design
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
    use CGI;

    my $q = new CGI;
    # Both cookies are client-controlled, so this check trusts whatever the client sent.
    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie( -name => 'loggedin', -value => 'true' );
            $q->cookie( -name => 'user', -value => $q->param('username') );
        }
    }
    # The identity used for authorization also comes straight from a client cookie.
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }
Bad · Perl

    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]
Attack
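The same logic in Python, side by side with a hardened form that keeps the identity in a server-side session keyed by an unguessable token. This is an added illustration, not code from the CWE entry; the user store, passwords and the in-memory session dictionary are constructed for the demo.

```python
import hmac
import secrets

# Constructed demo user store. Passwords are plaintext here only to keep the
# example short; a real store holds salted password hashes.
USERS = {"alice": "pw-alice", "Administrator": "pw-admin"}

# Server-side session store for the hardened handler: random token -> username.
SESSIONS = {}


def authenticate_user(username, password):
    """Constant-time credential check against the demo store."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def vulnerable_handle(cookies, params):
    """Mirrors the Perl example: the client-supplied 'loggedin' and 'user'
    cookies decide both login state and identity, so sending them is enough."""
    if cookies.get("loggedin") != "true":
        if not authenticate_user(params.get("username", ""), params.get("password", "")):
            return "error: log in first"
        cookies["loggedin"] = "true"
        cookies["user"] = params["username"]
    return "admin" if cookies.get("user") == "Administrator" else "user"


def hardened_handle(cookies, params):
    """Hardened form: the only cookie is an unguessable session token, and the
    identity bound to it lives server-side where the client cannot edit it."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        if not authenticate_user(params.get("username", ""), params.get("password", "")):
            return "error: log in first"
        user = params["username"]
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        SESSIONS[token] = user
        # Stands in for a Set-Cookie header (which should also carry
        # Secure, HttpOnly and SameSite attributes in a real response).
        cookies["session"] = token
    return "admin" if user == "Administrator" else "user"
```

With the forged request from the example (`user=Administrator; loggedin=true`) the vulnerable handler runs administrator tasks, while the hardened handler sees no valid session and demands a login.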
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-3910 | Org.keycloak.authentication: two factor authentication bypass | | 5.4 | Medium | 2025-04-29
CVE-2025-46348 | YesWiki Vulnerable to Unauthenticated Site Backup Creation and Download | yeswiki | 10.0 | Critical | 2025-04-29
CVE-2025-3627 | Moodle: partial data exposure in moodle before completing multi-factor authentication | | 4.3 | Medium | 2025-04-25
CVE-2025-3634 | Moodle: moodle allows course self-enrolment before completing mfa | | 4.3 | Medium | 2025-04-25
CVE-2024-11917 | JobSearch WP Job Board <= 2.9.2 - Authentication Bypass via Social Logins | JobSearch WP Job Board | 8.1 | High | 2025-04-25
CVE-2025-2771 | BEC Technologies Multiple Routers Authentication Bypass Vulnerability | Multiple Routers | 9.8 | - | 2025-04-23
CVE-2025-3850 | YXJ2018 SpringBoot-Vue-OnlineExam API improper authentication | SpringBoot-Vue-OnlineExam | 3.7 | Low | 2025-04-22
CVE-2025-31478 | Zulip Authentication Backend Configuration Bypass | zulip | 8.2 | High | 2025-04-16
CVE-2025-2572 | WhatsUp Gold NmConfigurationManager.exe database manipulation vulnerability | WhatsUp Gold | 5.6 | Medium | 2025-04-14
CVE-2025-22232 | Spring Cloud Config Server May Not Use Vault Token Sent By Clients | Spring Cloud Config | 5.3 | Medium | 2025-04-10
CVE-2025-22375 | Authentication Bypass in CyberAudit-Web | CyberAudit-Web | 9.1 (AI) | Critical (AI) | 2025-04-10
CVE-2025-30287 | ColdFusion \| Improper Authentication (CWE-287) | ColdFusion | 8.2 | High | 2025-04-08
CVE-2025-30282 | ColdFusion \| Improper Authentication (CWE-287) | ColdFusion | 9.1 | Critical | 2025-04-08
CVE-2025-25227 | [20250402] - Joomla Core - MFA Authentication Bypass | Joomla! CMS | 8.1 | - | 2025-04-08
CVE-2025-3268 | qinguoyi TinyWebServer http_conn.cpp improper authentication | TinyWebServer | 5.3 | Medium | 2025-04-04
CVE-2025-31122 | scratch-coding-hut.github.io Login Links Generation vulnerability | Scratch-Coding-Hut | 10.0 | - | 2025-03-31
CVE-2025-2859 | Improper Authentication vulnerability in saTECH BCU | saTECH BCU | 7.1 | - | 2025-03-28
CVE-2025-30361 | WeGIA Vulnerable to Broken Authentication - Old Password Validation | WeGIA | 9.1 (AI) | Critical (AI) | 2025-03-27
CVE-2025-30168 | Parse Server has an OAuth login vulnerability | parse-server | 6.9 | Medium | 2025-03-21
CVE-2025-26475 | Dell Secure Connect Gateway (Dell SCG) authorization issue vulnerability | Secure Connect Gateway (SCG) 5.0 Appliance - SRS | 5.5 | Medium | 2025-03-19
CVE-2025-2388 | Keytop On-Street Parking Fee System API getParks improper authentication | On-Street Parking Fee System | 7.3 | High | 2025-03-17
CVE-2025-2339 | otale Tale Blog logs improper authentication | Tale Blog | 5.3 | Medium | 2025-03-16
CVE-2025-2230 | Philips Intellispace Cardiovascular (ISCV) Improper Authentication | Intellispace Cardiovascular (ISCV) | 7.7 | High | 2025-03-13
CVE-2025-29773 | Froxlor allows Multiple Accounts to Share the Same Email Address Leading to Potential Privilege Escalation or Account Takeover | Froxlor | 5.8 | Medium | 2025-03-13
CVE-2025-27138 | DataEase has an improper authentication vulnerability | dataease | 9.1 | - | 2025-03-13
CVE-2025-0813 | Schneider Electric EcoStruxure Power Automation System User Interface authorization issue vulnerability | EcoStruxure Power Automation System User Interface (EPAS-UI) - Secured Versions | 6.8 | Medium | 2025-03-12
CVE-2025-27403 | Ratify Azure authentication providers can leak authentication tokens to non-Azure container registries | ratify | 7.1 | - | 2025-03-11
CVE-2024-56336 | Siemens SINAMICS S200 authorization issue vulnerability | SINAMICS S200 | 9.8 | Critical | 2025-03-11
CVE-2024-11087 | miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon <= 200.3.9 - Authentication Bypass | miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) | 8.1 | High | 2025-03-08
CVE-2025-1475 | WPCOM Member <= 1.7.5 - Authentication Bypass via 'user_phone' | WPCOM Member | 9.8 | Critical | 2025-03-07

Vulnerabilities classified as CWE-287 (Improper Authentication) represent 1203 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.