
CWE-287 (Improper Authentication) — Vulnerability Class 1203

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI Chinese analysis included.

CWE-287 covers authentication weaknesses in which a system fails to adequately verify that an actor is who it claims to be. Because the identity check is incomplete or can be bypassed, an attacker can impersonate a legitimate user without knowing the credentials, for example through credential stuffing, brute-force guessing, session hijacking, or forging the token the application uses to record a successful login. Once the authentication logic is sidestepped, the attacker inherits the impersonated user's privileges, which for administrative accounts means full control of the application and its data. Mitigation starts with using a proven authentication framework rather than hand-written checks, storing credentials only as salted, slow hashes, keeping login state on the server (or in a cryptographically signed token) instead of in client-controlled cookies, limiting failed login attempts, and adding multi-factor authentication for sensitive accounts.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.

Mitigations (1)
Phase: Architecture and Design
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie. The flaw is that both cookies are supplied by the client and are never validated by the server, so a request that simply presents them skips AuthenticateUser entirely.

    my $q = new CGI;
    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie(
                -name => 'loggedin',
                -value => 'true'
            );
            $q->cookie(
                -name => 'user',
                -value => $q->param('username')
            );
        }
    }
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }

Bad · Perl

The following request, which never goes through the login step, is treated as an authenticated administrator:

    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]

Attack
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
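The two examples above illustrate the two halves of CWE-287 that appear most often in the CVE list below: login state that the server cannot verify (the forged user/loggedin cookies) and a login endpoint that accepts unlimited guesses (the Twitter brute-force case). The Python below is an added example written for this page, not code from MITRE or from any of the listed products. It models the CGI script's logic with a server-side session table keyed by a random token, salted PBKDF2 password hashes, and a per-account failed-attempt limit; the user records, passwords, MAX_ATTEMPTS and LOCKOUT_SECONDS values are constructed sample data, and the vulnerable handler is kept only to show that the forged request from the Perl example is accepted by it and rejected by the hardened handler.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user store: username -> (salt, pbkdf2 digest, role). In a real
# deployment this lives in a database; the passwords here are sample values.
USERS = {}
_DUMMY_SALT = secrets.token_bytes(16)  # used so unknown users cost the same time


def _hash_pw(password, salt):
    # Slow, salted hash so a leaked table cannot be cracked cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(username, password, role="user"):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash_pw(password, salt), role)


add_user("alice", "correct horse battery staple")
add_user("Administrator", "admin-password-placeholder", role="admin")

# Login throttling (the control missing in the 2009 Twitter incident):
# after MAX_ATTEMPTS failures the account is refused for LOCKOUT_SECONDS.
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 900
_attempts = {}  # username -> (failure count, time of first failure in window)

# Server-side session store: random token -> verified identity and role.
# Only the token reaches the client (Set-Cookie: session=<token>; HttpOnly; Secure; SameSite=Lax).
SESSIONS = {}


def authenticate(username, password, now=None):
    """Verify credentials; return a new session token, or None on failure or lockout."""
    now = time.time() if now is None else now
    count, first = _attempts.get(username, (0, now))
    if now - first >= LOCKOUT_SECONDS:
        count, first = 0, now  # previous lockout window has expired
    if count >= MAX_ATTEMPTS:
        return None  # locked out: refuse without consulting the password at all

    record = USERS.get(username)
    if record is None:
        _hash_pw(password, _DUMMY_SALT)  # keep timing similar for unknown users
        ok = False
    else:
        salt, digest, _role = record
        ok = hmac.compare_digest(_hash_pw(password, salt), digest)

    if not ok:
        _attempts[username] = (count + 1, first)
        return None

    _attempts.pop(username, None)
    token = secrets.token_urlsafe(32)  # 256 bits of entropy; unguessable
    SESSIONS[token] = {"user": username, "role": record[2]}
    return token


def handle_request_vulnerable(cookies):
    # Mirrors the CWE example: trusts whatever the client put in the cookies.
    if cookies.get("loggedin") == "true" and cookies.get("user") == "Administrator":
        return "admin tasks"
    return "denied"


def handle_request_fixed(cookies):
    # Identity and role come from the server-side record the token points to,
    # never from client-supplied fields, so forged user/loggedin cookies are inert.
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return "login required"
    if session["role"] == "admin":
        return "admin tasks"
    return "user page"
```

The `now` parameter exists so the lockout window can be exercised deterministically; in production the default `time.time()` is used. Logging each lockout event, with the username and source address, gives the SOC the signal that the Twitter server lacked.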
CVE ID | Title | CVSS | Severity | Published
CVE-2022-2553 | booth authorization problem vulnerability — Booth | 6.5 | - | 2022-07-28
CVE-2022-28666 | WordPress Custom Product Tabs for WooCommerce plugin <= 1.7.7 - Broken Access Control vulnerability — Custom Product Tabs for WooCommerce (WordPress plugin) | 5.3 | Medium | 2022-07-21
CVE-2022-31164 | Tovy before v0.7.51 vulnerable to users logging in as and impersonating other users — tovy | 7.5 | High | 2022-07-21
CVE-2022-2141 | ICSA-22-200-01 MiCODUS MV720 GPS tracker Improper Authentication — MV720 | 9.8 | Critical | 2022-07-20
CVE-2022-2133 | OAuth Single Sign On < 6.22.6 - Authentication Bypass — OAuth Single Sign On – SSO (OAuth Client) | 5.3 | - | 2022-07-17
CVE-2017-20133 | Itech Job Portal Script admin improper authentication — Job Portal Script | 7.3 | High | 2022-07-16
CVE-2022-33689 | SAMSUNG Mobile devices TelephonyUI security vulnerability — Samsung Mobile Devices | 6.2 | Medium | 2022-07-11
CVE-2022-30755 | SAMSUNG Mobile devices App lock authorization problem vulnerability — Samsung Mobile Devices | 7.3 | High | 2022-07-11
CVE-2015-5298 | Jenkins Plugin Google Login authorization problem vulnerability — Jenkins Google Login Plugin | 9.4 | - | 2022-07-07
CVE-2022-31131 | Ownership check missing when updating or deleting mail attachments in Nextcloud mail — security-advisories | 5.4 | Medium | 2022-07-06
CVE-2022-31125 | Authentication Bypass in Roxy-wi — roxy-wi | 10.0 | Critical | 2022-07-06
CVE-2022-2197 | Exemys RME1 — RME1-AI firmware | 9.8 | Critical | 2022-06-30
CVE-2021-26638 | Xi Smarthome wallpad authentication bypass vulnerability — S&D smarthome (smartcare) | 7.3 | High | 2022-06-22
CVE-2021-26637 | SiHAS Improper Authentication vulnerability — SiHAS firmware | 8.8 | High | 2022-06-22
CVE-2022-31083 | Authentication bypass in Parse Server Apple Game Center auth adapter — parse-server | 8.6 | High | 2022-06-17
CVE-2020-36548 | GE Voluson S8 Service Browser users.cgi improper authentication — Voluson S8 | 5.9 | Medium | 2022-06-17
CVE-2018-25043 | uTorrent PRNG improper authentication — uTorrent | 5.0 | Medium | 2022-06-17
CVE-2022-20798 | Cisco Email Security Appliance and Cisco Secure Email and Web Manager External Authentication Bypass Vulnerability — Cisco Email Security Appliance (ESA) | 9.8 | Critical | 2022-06-15
CVE-2022-20733 | Cisco Identity Services Engine Authentication Bypass Vulnerability — Cisco Identity Services Engine Software | 5.3 | Medium | 2022-06-15
CVE-2022-30749 | Samsung mobile authorization problem vulnerability — Smart Things | 3.3 | Low | 2022-06-07
CVE-2020-36533 | Klapp App JSON Web Token improper authentication — App | 3.7 | Low | 2022-06-03
CVE-2022-30238 | Schneider Electric Wiser Smart authorization problem vulnerability — Wiser Smart | 8.3 | High | 2022-06-02
CVE-2022-31013 | Authentication bypass in Vartalap chat-server — chat-server | 9.1 | Critical | 2022-05-31
CVE-2022-31011 | TiDB authentication bypass vulnerability — tidb | 7.8 | High | 2022-05-31
CVE-2022-24422 | DELL iDRAC9 authorization problem vulnerability — Integrated Dell Remote Access Controller 9 | 9.6 | Critical | 2022-05-26
CVE-2022-22576 | curl access control error vulnerability — https://github.com/curl/curl | 8.1 | - | 2022-05-26
CVE-2021-4230 | Airfield Online MySQL Backup improper authentication — Airfield Online | 3.7 | Low | 2022-05-24
CVE-2013-10004 | Telecommunication Software SAMwin Contact Center Suite Password SAMwinLIBVB.dll passwordScramble improper authentication — SAMwin Contact Center Suite | 6.5 | Medium | 2022-05-24
CVE-2022-29237 | Limited Authentication Bypass for Media Files in Opencast — opencast | 5.4 | Medium | 2022-05-24
CVE-2022-0910 | Zyxel USG/ZyWALL authorization problem vulnerability — USG/ZyWALL series firmware | 6.5 | Medium | 2022-05-24

Vulnerabilities classified as CWE-287 (Improper Authentication) represent 1203 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.