
CWE-287 (Improper Authentication) — Vulnerability Class · 1203

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI-generated Chinese analysis included.

CWE-287 represents a critical authentication weakness where a system fails to adequately verify the identity of an actor claiming a specific identity. This flaw typically allows attackers to bypass security controls by exploiting insufficient verification mechanisms, enabling unauthorized access through stolen credentials, brute-force attacks, or session hijacking. When authentication logic is flawed, malicious entities can impersonate legitimate users, leading to severe data breaches and privilege escalation. Developers mitigate this risk by implementing robust, multi-factor authentication protocols and ensuring that identity verification processes are rigorous and resistant to common attack vectors. By strictly validating credentials against secure, hashed databases and employing adaptive security measures, organizations can significantly reduce the likelihood of unauthorized access, thereby protecting sensitive information and maintaining system integrity against sophisticated cyber threats.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even allowing them to execute arbitrary code.
Mitigations (1)
Architecture and Design: Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
Bad · Perl

    my $q = new CGI;
    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie( -name => 'loggedin', -value => 'true' );
            $q->cookie( -name => 'user', -value => $q->param('username') );
        }
    }
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }

Attack

    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true
    [body of request]
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
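The two examples above share one root cause: the server accepts a client-supplied claim (a `user` cookie, or an unlimited stream of password guesses) instead of proving it. The following Python handler, added here as an illustration and not part of the MITRE example or this page, mirrors the Perl logic in `handle_request_bad` and then shows the corrected shape in `handle_request_good`: identity is bound to an opaque random session token looked up server-side, passwords are compared against a salted PBKDF2 hash in constant time, and repeated failures lock the account for a cooling-off period, which addresses the unlimited-attempts condition in the Twitter incident. The user store, passwords, salt, limits and the `now` parameter (so the lockout can be exercised without waiting) are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo user store: salted PBKDF2 hashes, never plaintext passwords.
_SALT = b"constructed-demo-salt"          # assumption: one fixed salt for the demo
_ITER = 100_000
USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER),
    "Administrator": hashlib.pbkdf2_hmac("sha256", b"admin-pass-demo", _SALT, _ITER),
}


def authenticate_user(username, password):
    """Hash the candidate and compare in constant time; unknown users still hash
    so that response timing does not reveal which usernames exist."""
    expected = USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    return expected is not None and hmac.compare_digest(expected, candidate)


def handle_request_bad(cookies, params):
    """Direct port of the CWE-287 Perl example: the 'loggedin' and 'user'
    cookies are client-controlled, so the admin check trusts a forged claim."""
    if cookies.get("loggedin") != "true":
        if not authenticate_user(params.get("username", ""), params.get("password", "")):
            return "Error: you need to log in first"
        cookies["loggedin"] = "true"
        cookies["user"] = params["username"]
    if cookies.get("user") == "Administrator":
        return "admin tasks executed"
    return "ok"


# Server-side state for the hardened handler.
SESSIONS = {}                 # opaque token -> authenticated username
MAX_ATTEMPTS = 5              # assumption: lock after 5 consecutive failures
LOCKOUT_SECONDS = 900         # assumption: 15-minute lockout window
_attempts = {}                # username -> (failure count, time of first failure)


def login_allowed(username, now):
    """Refuse further guesses once the failure budget is spent inside the window."""
    count, since = _attempts.get(username, (0, now))
    if now - since >= LOCKOUT_SECONDS:
        _attempts.pop(username, None)   # window expired: forget old failures
        return True
    return count < MAX_ATTEMPTS


def record_failure(username, now):
    count, since = _attempts.get(username, (0, now))
    _attempts[username] = (count + 1, since)


def handle_request_good(cookies, params, now=None):
    """Hardened form: identity comes from a server-side session looked up by an
    unguessable token, never from a cookie the client can rewrite."""
    now = time.time() if now is None else now
    token = cookies.get("session")
    user = SESSIONS.get(token) if token else None
    if user is None:
        username = params.get("username", "")
        if not login_allowed(username, now):
            return "Error: account temporarily locked"
        if not authenticate_user(username, params.get("password", "")):
            record_failure(username, now)
            return "Error: you need to log in first"
        _attempts.pop(username, None)
        token = secrets.token_urlsafe(32)      # 256 bits of randomness
        SESSIONS[token] = username
        cookies["session"] = token              # opaque: carries no identity claim
        user = username
    if user == "Administrator":
        return "admin tasks executed"
    return "ok"


if __name__ == "__main__":
    forged = {"user": "Administrator", "loggedin": "true"}
    print("bad handler, forged cookies :", handle_request_bad(dict(forged), {}))
    print("good handler, forged cookies:", handle_request_good(dict(forged), {}))
```

Note that the session cookie in the hardened version should additionally be sent with `Secure`, `HttpOnly` and `SameSite` attributes and the session entry should expire; those are transport details omitted here to keep the identity-binding point visible.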
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2022-1349 | WPQA < 5.2 - Subscriber+ Arbitrary Profile Picture Deletion via IDOR | WPQA Builder Plugin | 6.5 | - | 2022-05-16 |
| CVE-2022-29883 | Siemens SICAM Access Control Error Vulnerability | SICAM T | 5.3 | Medium | 2022-05-10 |
| CVE-2019-12254 | TECSON/GOK: Improper Authentication and Access Control on multiple devices | e-litro net | 9.8 | Critical | 2022-05-06 |
| CVE-2021-26253 | Bypass of Splunk Enterprise's implementation of DUO MFA | Splunk Enterprise | 8.1 | High | 2022-05-06 |
| CVE-2021-44057 | Improper authentication in Photo Station | Photo Station | 7.1 | High | 2022-05-05 |
| CVE-2021-44056 | Improper authentication in Video Station | Video Station | 7.1 | High | 2022-05-05 |
| CVE-2022-28790 | Link to Windows Service Authorization Issue Vulnerability | Link to Windows Service | 4.0 | Medium | 2022-05-03 |
| CVE-2022-0916 | Broken authentication on Logitech Options due to misvalidation of Oauth state parameter | Options | 8.4 | High | 2022-05-03 |
| CVE-2022-0985 | Moodle Authorization Issue Vulnerability | moodle | 4.3 | - | 2022-04-29 |
| CVE-2022-24885 | Improper Authentication in Nextcloud Android Files | security-advisories | 2.0 | Low | 2022-04-27 |
| CVE-2022-24882 | Server side NTLM does not properly check parameters in FreeRDP | FreeRDP | 9.1 | Critical | 2022-04-26 |
| CVE-2022-24883 | FreeRDP Server authentication might allow invalid credentials to pass | FreeRDP | 7.4 | High | 2022-04-26 |
| CVE-2021-3652 | 389-ds-base Security Vulnerability | 389-ds-base | 6.5 | - | 2022-04-18 |
| CVE-2022-24857 | Multi factor authentication bypass in django-mfa3 | django-mfa3 | 7.3 | High | 2022-04-15 |
| CVE-2022-27839 | Samsung Internet Authorization Issue Vulnerability | Samsung Internet | 3.3 | Low | 2022-04-11 |
| CVE-2022-25833 | Samsung SMR Authorization Issue Vulnerability | Samsung Mobile Devices | 3.3 | Low | 2022-04-11 |
| CVE-2022-25832 | Samsung SMR Authorization Issue Vulnerability | Samsung Mobile Devices | 4.0 | Medium | 2022-04-11 |
| CVE-2022-1248 | SAP Information System POST Request add_admin.php improper authentication | SAP Information System | 7.3 | High | 2022-04-06 |
| CVE-2021-20238 | Red Hat OpenShift Container Platform Access Control Error Vulnerability | openshift/machine-config-operator | 5.9 | - | 2022-04-01 |
| CVE-2022-1084 | SourceCodester One Church Management System Session userregister.php improper authentication | One Church Management System | 7.3 | High | 2022-03-29 |
| CVE-2018-25030 | Mirmay Secure Private Browser / File Manager Auto Lock improper authentication | Secure Private Browser | 3.3 | Low | 2022-03-28 |
| CVE-2022-0342 | Zyxel USG/ZyWALL Authorization Issue Vulnerability | USG/ZyWALL series firmware | 9.8 | Critical | 2022-03-28 |
| CVE-2022-1049 | Pacemaker Authorization Issue Vulnerability | clusterlabs/pcs | 8.8 | - | 2022-03-25 |
| CVE-2021-26620 | IPTIME NAS2dual improper authentication vulnerability | ipTIME NAS product (NAS1, 2, 3, 4, 1dual, 2dual 4dual) | 7.5 | High | 2022-03-25 |
| CVE-2021-4197 | Linux kernel Authorization Issue Vulnerability | kernel | 7.8 | - | 2022-03-23 |
| CVE-2021-44759 | Improper authentication vulnerability in TLS origin verification | Apache Traffic Server | 7.7 | - | 2022-03-23 |
| CVE-2022-24740 | Improper Authentication in Volto | volto | 5.0 | Medium | 2022-03-14 |
| CVE-2022-24748 | Incorrect Authentication in shopware | platform | 6.8 | Medium | 2022-03-09 |
| CVE-2022-0715 | Data Forgery Vulnerability in Multiple Schneider Electric Products | APC Smart-UPS | 9.1 | - | 2022-03-09 |
| CVE-2022-25825 | Samsung Account Authorization Issue Vulnerability | Samsung Account | 6.2 | Medium | 2022-03-08 |

Vulnerabilities classified as CWE-287 (Improper Authentication) account for 1203 CVEs. The CWE taxonomy describes the weakness class; review individual CVEs for product-specific impact.