
CWE-287 (Improper Authentication) — Vulnerability Class (1203 CVEs)

1203 vulnerabilities are classified as CWE-287 (Improper Authentication). AI-generated Chinese analysis is included.

CWE-287 is an authentication weakness in which a system does not adequately verify that an actor is who it claims to be. Because the identity check is insufficient, an attacker can bypass access controls, typically by using stolen credentials, guessing passwords by brute force, or hijacking a session, and then impersonate a legitimate user; the usual outcome is exposure of sensitive data and escalation of privilege. Mitigation means building authentication on a vetted framework rather than ad hoc logic, adding multi-factor authentication, validating credentials only against securely hashed stores, and applying adaptive controls such as limiting failed login attempts, so that the common attack paths fail and unauthorized access is rare enough to keep sensitive information and system integrity intact.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.

Mitigations (1)
Phase: Architecture and Design
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
    my $q = new CGI;
    # The "already logged in" decision is based on a cookie the client controls.
    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie( -name => 'loggedin', -value => 'true' );
            $q->cookie( -name => 'user', -value => $q->param('username') );
        }
    }
    # The identity used for the privileged branch is read straight from the
    # client-supplied 'user' cookie, so it is never tied to a verified login.
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }

Bad · Perl
    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]

Attack
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
CVE ID | Title — Product | CVSS | Severity | Published
CVE-2023-1617 | Improper Authentication Mechanism in B&R VC4 Visualization — B&R VC4 | 9.8 | Critical | 2023-04-14
CVE-2023-28121 | WordPress plugin WooCommerce Payments authorization issue vulnerability — WooCommerce Payments WordPress Plugin | 9.8 | - | 2023-04-12
CVE-2023-23761 | Improper authentication vulnerability in GitHub Enterprise Server leading to modification of secret gists — Enterprise Server | 7.7 | High | 2023-04-07
CVE-2023-1784 | jeecg-boot API Documentation improper authentication — jeecg-boot | 5.3 | Medium | 2023-03-31
CVE-2023-28646 | App lockout in nextcloud Android app can be bypassed via thirdparty apps — security-advisories | 4.4 | Medium | 2023-03-30
CVE-2022-43620 | D-Link DIR-1935 authorization issue vulnerability — DIR-1935 | 8.8 | - | 2023-03-29
CVE-2023-1464 | SourceCodester Medicine Tracker System improper authentication — Medicine Tracker System | 7.3 | High | 2023-03-17
CVE-2023-1460 | SourceCodester Online Pizza Ordering System Password Change improper authentication — Online Pizza Ordering System | 6.5 | Medium | 2023-03-17
CVE-2023-21455 | SAMSUNG Mobile Devices security vulnerability — Samsung Mobile Devices | 5.9 | Medium | 2023-03-16
CVE-2023-21460 | SAMSUNG Mobile Devices authorization issue vulnerability — Samsung Mobile Devices | 4.4 | Medium | 2023-03-16
CVE-2022-46773 | IBM Robotic Process Automation security bypass — Robotic Process Automation | 4.3 | Medium | 2023-03-15
CVE-2022-46774 | IBM Manage Application security bypass — Manage Application | 5.4 | Medium | 2023-03-15
CVE-2023-23857 | Improper Access Control in SAP NetWeaver AS for Java — NetWeaver AS for Java | 9.9 | Critical | 2023-03-14
CVE-2023-27582 | Full authentication bypass if SASL authorization username is specified — maddy | 9.1 | Critical | 2023-03-13
CVE-2022-44574 | Avalanche authorization issue vulnerability — Ivanti Avalanche | 7.5 | - | 2023-03-10
CVE-2023-27482 | Home Assistant authorization issue vulnerability — core | 10.0 | Critical | 2023-03-08
CVE-2022-33242 | Improper authentication in Qualcomm IPC — Snapdragon | 7.8 | High | 2023-03-07
CVE-2023-0228 | Improper authentication vulnerability in S+ Operations — Symphony Plus S+ Operations | 8.8 | High | 2023-03-02
CVE-2023-1065 | Snyk kubernetes-monitor authorization issue vulnerability — Snyk Kubernetes Monitor | 6.5 | Medium | 2023-02-28
CVE-2023-20012 | Cisco Nexus 9300-FX3 Series Fabric Extender for UCS Fabric Interconnects Authentication Bypass Vulnerability — Cisco Unified Computing System (Managed) | 5.3 | Medium | 2023-02-23
CVE-2015-10083 | harrystech Dynosaur-Rails application_controller.rb basic_auth improper authentication — Dynosaur-Rails | 6.3 | Medium | 2023-02-21
CVE-2023-0905 | SourceCodester Employee Task Management System changePasswordForEmployee.php improper authentication — Employee Task Management System | 7.3 | High | 2023-02-18
CVE-2022-47508 | Disable NTLM: SAM 2022.4 — Server & Application Monitor (SAM) | 7.5 | High | 2023-02-15
CVE-2023-21817 | Windows Kerberos Elevation of Privilege Vulnerability — Windows 10 Version 1809 | 7.8 | High | 2023-02-14
CVE-2023-21721 | Microsoft OneNote Elevation of Privilege Vulnerability — Microsoft OneNote for Android | 6.5 | Medium | 2023-02-14
CVE-2023-25559 | System account impersonation in DataHub — datahub | 8.2 | High | 2023-02-10
CVE-2023-21419 | SAMSUNG Mobile devices security vulnerability — Samsung Mobile Devices | 4.3 | Medium | 2023-02-09
CVE-2023-21425 | SAMSUNG Mobile devices authorization issue vulnerability — Samsung Mobile Devices | 4.3 | Medium | 2023-02-09
CVE-2023-21437 | SAMSUNG Mobile devices authorization issue vulnerability — Samsung Mobile Devices | 4.0 | Medium | 2023-02-09
CVE-2023-24830 | Apache IoTDB Workbench: apache/iotdb-web-workbench: create a user without authorization — Apache IoTDB Workbench | 9.8 | - | 2023-01-30

Vulnerabilities classified as CWE-287 (Improper Authentication) account for 1203 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.