
CWE-287 (Improper Authentication) — Vulnerability Class 1203

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI-generated Chinese analysis included.

CWE-287 covers authentication weaknesses in which a system fails to adequately verify that an actor is who it claims to be. Such flaws let attackers bypass security controls: insufficient verification can be abused with stolen credentials, brute-force guessing, or hijacked sessions. When authentication logic is flawed, a malicious party can impersonate a legitimate user, which can lead to serious data breaches and privilege escalation. Developers mitigate this risk by using robust, multi-factor authentication and by making identity verification rigorous and resistant to common attack techniques. Strictly validating credentials against properly hashed stored secrets and applying adaptive security measures substantially reduces the likelihood of unauthorized access, protecting sensitive information and preserving system integrity against sophisticated threats.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Phase: Architecture and Design
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
Example 1 (Bad · Perl):

    my $q = new CGI;
    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie(
                -name => 'loggedin',
                -value => 'true'
            );
            $q->cookie(
                -name => 'user',
                -value => $q->param('username')
            );
        }
    }
    # Both cookies are client-supplied and unsigned, so the role check below
    # trusts whatever the request sent.
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }

Attack request:

    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
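As an added example (not part of the MITRE entry or of this page), the following Python rewrite of the CGI flow from Example 1 mints an HMAC-signed session only after a successful login and derives the administrator role from the verified token, so a request that simply sends user=Administrator and loggedin=true is rejected. The credential store, passwords, cookie name and key handling are constructed assumptions, not from the page.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed credential store (assumption): salted SHA-256; use argon2/bcrypt/scrypt in production.
_SALT = b"constructed-static-salt"
USERS = {
    "Administrator": hashlib.sha256(_SALT + b"correct horse battery").hexdigest(),
    "alice": hashlib.sha256(_SALT + b"alice-password").hexdigest(),
}
SERVER_KEY = secrets.token_bytes(32)  # stays on the server; clients never see it
SESSION_TTL = 3600

def authenticate_user(username, password):
    stored = USERS.get(username)
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(candidate, stored)

def issue_session(username, now=None):
    # Mint a cookie value {user, exp} and bind it to the server with an HMAC over the body.
    now = time.time() if now is None else now
    claims = json.dumps({"user": username, "exp": int(now + SESSION_TTL)})
    body = base64.urlsafe_b64encode(claims.encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def verify_session(cookie, now=None):
    # Return the identity inside a correctly signed, unexpired cookie, else None.
    now = time.time() if now is None else now
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or tampered: the MAC does not match
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    return claims["user"] if claims.get("exp", 0) >= now else None

def handle_request(cookies, params):
    # Same flow as the CGI example, but identity comes only from a server-signed token.
    user = verify_session(cookies.get("session", ""))
    new_cookie = None
    if user is None:
        if not authenticate_user(params.get("username", ""), params.get("password", "")):
            return "error: you need to log in first", None
        user = params["username"]
        new_cookie = issue_session(user)
    # The role check uses the verified identity, never a client-writable 'user' cookie.
    if user == "Administrator":
        return "admin tasks run", new_cookie
    return "user " + user, new_cookie
```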
CVE ID | Title | Product | CVSS | Severity | Published
--- | --- | --- | --- | --- | ---
CVE-2021-21513 | Dell EMC OpenManage Server Administrator authorization issue vulnerability | Dell Open Manage Server Administrator | 8.6 | High | 2021-03-02
CVE-2021-21308 | Improper session management for soft logout | PrestaShop | 6.1 | Medium | 2021-02-26
CVE-2021-22858 | ChanGate EnterPrise Co., Ltd property management system - Broken Authentication | property management system | 8.8 | High | 2021-02-17
CVE-2021-25910 | ZIV AUTOMATION 4CCT vulnerable to improper authentication | 4CCT-EA6-334126BF | 8.0 | High | 2021-01-29
CVE-2021-26117 | ActiveMQ: LDAP-Authentication does not verify passwords on servers with anonymous bind | Apache ActiveMQ | 7.5 | - | 2021-01-27
CVE-2020-24675 | Weak Authentication in Symphony Plus | ABB Ability™ Symphony® Plus Operations | 9.8 | Critical | 2020-12-22
CVE-2020-27254 | X-STREAM enhanced XEGP authorization issue vulnerability | Emerson Rosemount X-STREAM Gas Analyzer | 7.5 | - | 2020-12-21
CVE-2020-27780 | Linux-pam authorization issue vulnerability | pam | 9.8 | - | 2020-12-17
CVE-2020-16102 | Gallagher Group Command Centre access control error vulnerability | Command Centre | 7.1 | High | 2020-12-14
CVE-2020-25183 | Medtronic MyCareLink Smart Improper Authentication | Smart Model 25000 Patient Reader | 8.0 | High | 2020-12-14
CVE-2020-7533 | Multiple Schneider Electric products trust management issue vulnerability | Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see security notification for version information) | 9.8 | - | 2020-12-01
CVE-2020-1778 | Bypassing user account validation | OTRS | 4.1 | Medium | 2020-11-23
CVE-2020-26236 | Verification Code Hijacking in ScratchVerifier | ScratchVerifier | 7.5 | High | 2020-11-20
CVE-2020-8272 | Citrix Systems SD-WAN Center authorization issue vulnerability | Citrix SD-WAN Center | 7.5 | - | 2020-11-16
CVE-2020-25165 | BD Alaris PC Unit and BD Alaris Systems Manager authorization issue vulnerability | BD Alaris PC Unit and BD Alaris Systems Manager | 7.5 | - | 2020-11-13
CVE-2020-26214 | LDAP authentication bypass in Alerta | alerta | 9.1 | Critical | 2020-11-06
CVE-2020-8267 | Ubiquiti Networks UniFi Cloud Key authorization issue vulnerability | UniFi Protect | 8.2 | - | 2020-11-05
CVE-2020-5425 | User Impersonation possible in Tanzu SSO | Single Sign-On for VMware Tanzu | 8.2 | - | 2020-10-31
CVE-2020-8236 | Nextcloud authorization issue vulnerability | Nextcloud Server | 6.1 | - | 2020-10-30
CVE-2020-3410 | Cisco Firepower Management Center Software Common Access Card Authentication Bypass Vulnerability | Cisco Firepower Management Center | 8.1 | High | 2020-10-21
CVE-2020-15240 | Regression in JWT Signature Validation | omniauth-auth0 | 7.4 | High | 2020-10-21
CVE-2020-15269 | Expired token reuse in Spree | spree | 7.4 | High | 2020-10-20
CVE-2020-14299 | PicketBox authorization issue vulnerability | picketbox | 6.5 | - | 2020-10-16
CVE-2020-8350 | Lenovo ThinkPad Stack Wireless Router authorization issue vulnerability | ThinkPad Stack Wireless Router firmware | 8.8 | High | 2020-10-14
CVE-2020-15243 | WebApi Authentication attribute missing in Smartstore | SmartStoreNET | 9.1 | Critical | 2020-10-08
CVE-2020-15222 | Replay of private_key_jwt possible in ORY Fosite | fosite | 8.1 | High | 2020-09-24
CVE-2019-16028 | Cisco Firepower Management Center Lightweight Directory Access Protocol Authentication Bypass Vulnerability | Cisco Firepower Management Center | 9.8 | - | 2020-09-23
CVE-2020-8200 | Citrix StoreFront authorization issue vulnerability | Citrix StoreFront | 6.5 | - | 2020-09-18
CVE-2020-8253 | Citrix XenMobile Server authorization issue vulnerability | Citrix XenMobile Server | 7.5 | - | 2020-09-18
CVE-2020-7297 | Web Gateway (MWG) - Privilege Escalation vulnerability | McAfee Web Gateway (MWG) | 5.7 | Medium | 2020-09-15

Vulnerabilities classified as CWE-287 (Improper Authentication) total 1203 CVEs. The CWE taxonomy describes the weakness class; review individual CVEs for product-specific impact.