
CWE-287 (Improper Authentication) vulnerability class (1203 CVEs)

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI-generated Chinese analysis included.

CWE-287 is a critical authentication weakness in which a system fails to adequately verify that an actor is who it claims to be. Insufficient verification lets attackers bypass security controls and gain unauthorized access through stolen credentials, brute-force guessing, or session hijacking; once the authentication logic is flawed, they can impersonate legitimate users, leading to data breaches and privilege escalation. Developers mitigate this risk with robust multi-factor authentication and identity-verification processes that are rigorous and resistant to common attack vectors. Strictly validating credentials against securely hashed stores and applying adaptive security measures substantially reduces the likelihood of unauthorized access, protecting sensitive information and preserving system integrity against sophisticated threats.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even allowing them to execute arbitrary code.

Mitigations (1)
Architecture and Design: Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
    my $q = new CGI;
    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie(
                -name => 'loggedin',
                -value => 'true'
            );
            $q->cookie(
                -name => 'user',
                -value => $q->param('username')
            );
        }
    }
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }
Bad · Perl
    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true
    [body of request]
Attack
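The cookie-trust flaw in the Perl example, re-expressed in Python beside a hardened variant, as an added illustration that is not part of the CWE entry. The user table, password and session store are constructed for the example; the hardened handler derives identity from a server-side session keyed by an opaque random token, so the forged request shown above carries no usable identity.

```python
import hmac
import secrets

# Constructed credential store. A real deployment stores a salted
# password hash (scrypt/argon2), never the plaintext shown here.
USERS = {"Administrator": "correct horse battery staple"}

# Server-side session store: opaque token -> authenticated username.
SESSIONS: dict[str, str] = {}


def authenticate_user(username, password):
    """Constant-time credential check against the constructed store."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def vulnerable_is_admin(cookies, params):
    """Mirrors the CWE example: identity is read from a client-supplied cookie.

    A request that already carries loggedin=true skips authentication, and
    the 'user' cookie alone decides whether administrator tasks run."""
    if cookies.get("loggedin") != "true":
        if not authenticate_user(params.get("username"), params.get("password")):
            return False
    return cookies.get("user") == "Administrator"


def login(username, password):
    """Hardened: on success mint a random token and record the identity server-side."""
    if not authenticate_user(username, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def hardened_is_admin(cookies):
    """Identity comes only from the server-side session, never from cookie contents."""
    user = SESSIONS.get(cookies.get("session", ""))
    return user == "Administrator"


# The forged request from the CWE entry: two cookies and no credentials.
FORGED_COOKIES = {"user": "Administrator", "loggedin": "true"}
```

Running both handlers on FORGED_COOKIES shows the vulnerable one granting administrator access while the hardened one refuses until a real login has minted a session.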
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-44252 | Fortinet FortiWAN security vulnerability | FortiWAN | 8.6 | High | 2023-12-13
CVE-2023-45801 | Nadatel DVR security vulnerability | DVR | 7.5 | High | 2023-12-13
CVE-2023-36004 | Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability | Windows 10 Version 1809 | 7.5 | High | 2023-12-12
CVE-2023-5970 | SonicWALL SSL-VPN SMA100 series security vulnerability | SMA100 | 9.6 | - | 2023-12-05
CVE-2023-33070 | Improper Authentication in Automotive OS | Snapdragon | 7.1 | High | 2023-12-05
CVE-2023-33054 | Improper Authentication in GPS HLOS Driver | Snapdragon | 9.1 | Critical | 2023-12-05
CVE-2023-44302 | Dell DM5500 security vulnerability | Dell PowerProtect Data Manager DM5500 Appliance | 8.1 | High | 2023-12-04
CVE-2023-6354 | Tyler Technologies Magistrate Court Case Management Plus PDFViewer.aspx allows authentication bypass | Magistrate Court Case Management Plus | 5.3 | Medium | 2023-11-30
CVE-2023-6353 | Tyler Technologies Civil and Criminal Electronic Filing Upload.aspx allows authentication bypass | Civil and Criminal Electronic Filing | 5.3 | Medium | 2023-11-30
CVE-2023-6344 | Tyler Technologies Court Case Management Plus use of Aquaforest TIFF Server te003.aspx and te004.aspx allows authentication bypass | Court Case Management Plus | 5.3 | Medium | 2023-11-30
CVE-2023-6343 | Tyler Technologies Court Case Management Plus use of Aquaforest TIFF Server tssp.aspx allows authentication bypass | Court Case Management Plus | 5.3 | Medium | 2023-11-30
CVE-2023-6342 | Tyler Technologies Court Case Management Plus "pay for print" allows authentication bypass | Court Case Management Plus | 5.3 | Medium | 2023-11-30
CVE-2023-34388 | Improper authentication could lead to session hijacking | SEL-451 | 6.5 | Medium | 2023-11-30
CVE-2023-35137 | Zyxel NAS326 authorization issue vulnerability | NAS326 firmware | 7.5 | High | 2023-11-30
CVE-2023-29062 | Unsecure Identity Verification | FACSChorus | 3.8 | Low | 2023-11-28
CVE-2022-41678 | Apache ActiveMQ: Insufficient API restrictions on Jolokia allow authenticated users to perform RCE | Apache ActiveMQ | 8.8 | - | 2023-11-28
CVE-2023-41999 | Arcserve UDP Management Authentication Bypass | Arcserve UDP | 9.8 | Critical | 2023-11-27
CVE-2023-6329 | Control iD iDSecure passwordCustom Authentication Bypass | iDSecure | 9.8 | Critical | 2023-11-27
CVE-2023-48312 | Authentication bypass using an empty token in capsule-proxy | capsule-proxy | 9.8 | Critical | 2023-11-24
CVE-2023-4677 | Unauthenticated Admin Account Takeover Via Cron Log File Backups | Pandora FMS | 7.0 | High | 2023-11-23
CVE-2023-6248 | Data leakage and arbitrary remote code execution in Syrus cloud devices | Syrus4 IoT Telematics Gateway | 10.0 | Critical | 2023-11-21
CVE-2023-48228 | OAuth2: PKCE can be fully circumvented | authentik | 7.5 | High | 2023-11-21
CVE-2023-44324 | ZDI-CAN-21344: Adobe FrameMaker Publishing Server Authentication Bypass Vulnerability | Adobe Framemaker Publishing Server | 9.8 | Critical | 2023-11-17
CVE-2023-24852 | Improper Authentication in Core | Snapdragon | 8.4 | High | 2023-11-07
CVE-2023-39345 | Unauthorized Access to Private Fields in User Registration API in strapi | strapi | 7.6 | High | 2023-11-06
CVE-2023-40660 | Opensc: potential pin bypass when card tracks its own login state | | 6.6 | Medium | 2023-11-06
CVE-2023-26455 | Open-Xchange App Suite authorization issue vulnerability | OX App Suite | 5.6 | Medium | 2023-11-02
CVE-2023-46249 | authentik potential installation takeover when default admin user is deleted | authentik | 9.7 | Critical | 2023-10-31
CVE-2023-44397 | CloudExplorer Lite permission bypass vulnerability | CloudExplorer-Lite | 7.5 | High | 2023-10-30
CVE-2023-5830 | ColumbiaSoft Document Locator WebTools login improper authentication | Document Locator | 7.3 | High | 2023-10-27

Vulnerabilities classified as CWE-287 (Improper Authentication) account for 1203 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.