
CWE-287 (Improper Authentication) — Vulnerability Class, 1203 entries

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI-generated Chinese analysis included.

CWE-287 is an authentication weakness in which a system fails to adequately verify that an actor really holds the identity it claims. Such a flaw lets attackers bypass security controls by exploiting the insufficient verification, gaining unauthorized access through stolen credentials, brute-force guessing, or session hijacking. When authentication logic is flawed, malicious entities can impersonate legitimate users, leading to data breaches and privilege escalation. Developers mitigate the risk by using robust, multi-factor authentication protocols and by making identity verification rigorous and resistant to common attack vectors. By strictly validating credentials against securely hashed credential stores and employing adaptive security measures (such as limiting login attempts), organizations can significantly reduce the likelihood of unauthorized access, protecting sensitive information and system integrity.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control. Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands.
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Architecture and Design: Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
    my $q = new CGI;
    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie( -name => 'loggedin', -value => 'true' );
            $q->cookie( -name => 'user', -value => $q->param('username') );
        }
    }
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }

Bad · Perl

Because the loggedin and user cookies are set by the client, an attacker can skip authentication entirely by supplying them in the request:

    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true
    [body of request]

Attack
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
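The following Python example is added here to illustrate both points above; it is not part of the MITRE entry or of any listed product. It reproduces the Perl logic in a vulnerable_handler that trusts the client-writable loggedin and user cookies, then shows a hardened_handler that derives identity only from a server-side session table keyed by an unguessable token and that counts failed logins per account, the control whose absence enabled the brute-force attack described above. The user store, passwords, salt, iteration count and lockout threshold are constructed demo values, and cookies are modelled as a plain dict rather than real HTTP response headers.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed demo user store (no real credentials): username -> PBKDF2 hash.
_SALT = b"demo-only-salt"          # demo value; real systems use a per-user random salt
_ITERATIONS = 10_000               # kept low for the demo; production uses far more


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {
    "alice": _hash_password("correct-horse-battery"),
    "Administrator": _hash_password("example-admin-passphrase"),
}

# Server-side state: only the server writes these, so a client cannot forge them.
SESSIONS: dict[str, str] = {}      # opaque session id -> username
FAILED: dict[str, int] = {}        # username -> consecutive failed logins
MAX_FAILURES = 5                   # demo lockout threshold


def reset_state() -> None:
    SESSIONS.clear()
    FAILED.clear()


def authenticate_user(username: str, password: str) -> bool:
    """Constant-time comparison of the supplied password against the stored hash."""
    stored = USERS.get(username)
    if stored is None:
        _hash_password(password)   # spend the same time for unknown users
        return False
    return hmac.compare_digest(stored, _hash_password(password))


def cookies_from_request(raw_request: str) -> dict:
    """Collect the Cookie: headers of a raw HTTP request into a plain dict."""
    jar = SimpleCookie()
    for line in raw_request.splitlines():
        if line.lower().startswith("cookie:"):
            jar.load(line.split(":", 1)[1].strip())
    return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_handler(cookies: dict, params: dict) -> str:
    """Same logic as the CWE-287 Perl sample: identity is read from client cookies."""
    if cookies.get("loggedin") != "true":
        if not authenticate_user(params.get("username", ""), params.get("password", "")):
            return "error: you need to log in first"
        cookies["loggedin"] = "true"
        cookies["user"] = params["username"]
    if cookies.get("user") == "Administrator":
        return "administrator tasks executed"
    return "ok"


def hardened_handler(cookies: dict, params: dict) -> str:
    """Identity comes from the server-side session table; failed logins are counted."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        username = params.get("username", "")
        if FAILED.get(username, 0) >= MAX_FAILURES:
            return "error: account locked"          # blocks unlimited password guessing
        if not authenticate_user(username, params.get("password", "")):
            FAILED[username] = FAILED.get(username, 0) + 1
            return "error: you need to log in first"
        FAILED.pop(username, None)
        sid = secrets.token_urlsafe(32)             # unguessable, chosen by the server
        SESSIONS[sid] = username
        cookies["session"] = sid                    # the client holds only this token
        user = username
    if user == "Administrator":
        return "administrator tasks executed"
    return "ok"


# The forged request from the CWE example, reproduced here as test input.
FORGED_REQUEST = (
    "GET /cgi-bin/vulnerable.cgi HTTP/1.1\n"
    "Cookie: user=Administrator\n"
    "Cookie: loggedin=true\n"
)

if __name__ == "__main__":
    forged = cookies_from_request(FORGED_REQUEST)
    print("vulnerable:", vulnerable_handler(dict(forged), {}))   # administrator tasks executed
    print("hardened:  ", hardened_handler(dict(forged), {}))     # error: you need to log in first
```

Run as a script, the forged cookies grant administrator access through vulnerable_handler and are ignored by hardened_handler, because the only cookie it honours is a session id that the server itself generated and still remembers. The per-account failure counter is the simplest form of the lockout that was missing in the Twitter incident; a production deployment would also key it by source address, expire it after a time window and log the lockouts for detection.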
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-13309 | Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073 | Login Disable | 8.2 | - | 2025-01-09
CVE-2024-53704 | SonicWALL SSLVPN security vulnerability | SonicOS | 9.8 | - | 2025-01-09
CVE-2024-56445 | Huawei HarmonyOS authorization issue vulnerability | HarmonyOS | 4.3 | Medium | 2025-01-08
CVE-2024-12264 | PayU CommercePro Plugin <= 3.8.3 - Unauthenticated Privilege Escalation | PayU CommercePro Plugin | 9.8 | Critical | 2025-01-07
CVE-2025-21618 | NiceGUI On Air authentication issue | nicegui | 7.5 | High | 2025-01-06
CVE-2024-13111 | Beijing Yunfan Internet Technology Yunfan Learning Examination System JWT Token SysUserControl improper authentication | Yunfan Learning Examination System | 5.6 | Medium | 2025-01-02
CVE-2024-1609 | OPPO Store APP has a WebView component privilege escalation vulnerability. | OPPO Store | 8.8 | - | 2024-12-25
CVE-2023-31279 | Improper Authentication | AirVantage, AirVantage-Capable Devices: All Sierra Wireless devices. | 8.1 | High | 2024-12-20
CVE-2024-56329 | Account Takeover Vulnerability in Social Account Linking in joelbutcher/socialstream | socialstream | - | - | 2024-12-20
CVE-2020-9250 | Micro Focus Vibe cross-site scripting vulnerability | HUAWEI Mate 20 Pro | 3.3 | Low | 2024-12-20
CVE-2024-12287 | Biagiotti Membership <= 1.0.2 - Authentication Bypass via biagiotti_membership_check_facebook_user | Biagiotti Membership | 9.8 | Critical | 2024-12-18
CVE-2024-1610 | OPPO Store app include remote account token hijacking and sensitive information leakage | OPPO Store APP | 8.8 | - | 2024-12-18
CVE-2024-21543 | djoser security vulnerability | djoser | 7.1 | High | 2024-12-13
CVE-2024-55886 | OpenTelemetry Logs source may lack authentication with some custom plugins | data-prepper | 6.9 | Medium | 2024-12-12
CVE-2024-10111 | OAuth Single Sign On – SSO (OAuth Client) <= 6.26.3 - Authentication Bypass | OAuth Single Sign On – SSO (OAuth Client) | 8.1 | High | 2024-12-12
CVE-2024-11015 | Sign In With Google <= 1.8.0 - Authentication Bypass in authenticate_user | Sign In With Google | 9.8 | Critical | 2024-12-12
CVE-2024-45404 | OpenCTI's lack of Rate Limit lead to OTP brute forcing | opencti | 8.1 | High | 2024-12-11
CVE-2024-47761 | GLPI vulnerable to account takeover via the password reset feature | glpi | 7.2 | - | 2024-12-11
CVE-2024-10511 | Schneider Electric PowerChute Serial Shutdown authorization issue vulnerability | PowerChute Serial Shutdown | 5.3 | Medium | 2024-12-11
CVE-2024-49076 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2024-12-10
CVE-2024-0130 | NVIDIA UFM authorization issue vulnerability | UFM Enterprise GA | 8.8 | High | 2024-12-06
CVE-2024-48859 | QTS, QuTS hero | QTS | 9.8 | - | 2024-12-06
CVE-2024-11293 | Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction Social Sites Login <= 1.7.9 - Authentication Bypass via WordPress.com OAuth provider | Pie Register - Social Sites Login (Add on) | 8.1 | High | 2024-12-04
CVE-2024-45106 | Apache Ozone: Improper authentication when generating S3 secrets | Apache Ozone | 6.8 | - | 2024-12-03
CVE-2024-53990 | AsyncHttpClient (AHC) library's `CookieStore` replaces explicitly defined `Cookie`s | async-http-client | 8.2 | - | 2024-12-02
CVE-2018-11952 | Improper Authentication in TrustZone | Snapdragon | 7.8 | High | 2024-11-26
CVE-2016-10394 | Improper Authentication in Core | Snapdragon | 9.8 | High | 2024-11-26
CVE-2024-11671 | Devolutions Remote Desktop Manager security vulnerability | Remote Desktop Manager | 8.8 (AI) | High (AI) | 2024-11-25
CVE-2022-33862 | Improper access control mechanism in IPP | Intelligent Power Protector (IPP) | 6.7 | Medium | 2024-11-25
CVE-2024-45369 | mySCADA myPRO Improper Authentication | myPRO Manager | 8.1 | High | 2024-11-22

Vulnerabilities classified as CWE-287 (Improper Authentication) total 1203 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.