
CWE-287 (Improper Authentication) — Vulnerability Class 1203

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI Chinese analysis included.

CWE-287 represents a critical authentication weakness where a system fails to adequately verify the identity of an actor claiming a specific identity. This flaw typically allows attackers to bypass security controls by exploiting insufficient verification mechanisms, enabling unauthorized access through stolen credentials, brute-force attacks, or session hijacking. When authentication logic is flawed, malicious entities can impersonate legitimate users, leading to severe data breaches and privilege escalation. Developers mitigate this risk by implementing robust, multi-factor authentication protocols and ensuring that identity verification processes are rigorous and resistant to common attack vectors. By strictly validating credentials against secure, hashed databases and employing adaptive security measures, organizations can significantly reduce the likelihood of unauthorized access, thereby protecting sensitive information and maintaining system integrity against sophisticated cyber threats.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control. Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands.
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Architecture and Design: Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
    use CGI;

    my $q = new CGI;
    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie(
                -name  => 'loggedin',
                -value => 'true'
            );
            $q->cookie(
                -name  => 'user',
                -value => $q->param('username')
            );
        }
    }
    # The identity check trusts a cookie the client can set freely: this is the CWE-287 flaw.
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }
Bad · Perl
    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]
Attack
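The forged request above succeeds because the Perl code reads its identity straight from client-controlled cookies. The following Python is an added example (not from MITRE or the original page) that replays that exact request against a check mirroring the Perl logic, then against a hardened check in which the server only accepts a username bound to an HMAC tag computed under a server-held key; SERVER_KEY, the cookie name "session" and the request string are assumptions constructed for the example.

```python
import hmac
import hashlib

# Constructed secret for the example; a real deployment loads it from a secret store.
SERVER_KEY = b"example-key-do-not-use-in-production"

# The forged request shown on the page, constructed here as a Python string.
ATTACK_REQUEST = (
    "GET /cgi-bin/vulnerable.cgi HTTP/1.1\r\n"
    "Cookie: user=Administrator\r\n"
    "Cookie: loggedin=true\r\n"
    "\r\n"
)

def parse_cookies(raw_request: str) -> dict:
    """Collect name=value pairs from every Cookie: header in the raw request."""
    cookies = {}
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            for pair in line.split(":", 1)[1].split(";"):
                name, _, value = pair.strip().partition("=")
                if name:
                    cookies[name] = value
    return cookies

def vulnerable_is_admin(raw_request: str) -> bool:
    """Mirrors the Perl example: identity is whatever the client put in the cookies."""
    c = parse_cookies(raw_request)
    return c.get("loggedin") == "true" and c.get("user") == "Administrator"

def issue_session_cookie(username: str) -> str:
    """Server side, after a successful AuthenticateUser: bind the name to an HMAC tag."""
    tag = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"

def hardened_is_admin(raw_request: str) -> bool:
    """Trust the username only if its tag verifies under SERVER_KEY.

    A tag alone does not expire or revoke; production sessions also need an expiry
    and usually a server-side session record."""
    session = parse_cookies(raw_request).get("session", "")
    username, _, tag = session.rpartition(".")
    expected = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time with respect to the tag
    return hmac.compare_digest(tag, expected) and username == "Administrator"
```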
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
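The weakness in the incident above is the absence of any limit on login attempts. As an added example (not code from the page or from Twitter), the following Python keeps a per-account sliding window of failed attempts and applies a temporary lockout; the thresholds, the injectable clock and the verify callback are assumptions chosen for the example.

```python
import time
from collections import deque

MAX_FAILURES = 5          # failures tolerated per account inside the window
WINDOW_SECONDS = 15 * 60  # sliding window for counting failures
LOCKOUT_SECONDS = 15 * 60 # how long an account stays locked once the limit is hit

class LoginThrottle:
    """Per-account failed-login tracking with a sliding window and temporary lockout.

    Keying on the target account (not only the source address) stops a guess spread
    across many clients. Lockouts can be abused to lock out real users, so keep them
    short and pair them with alerting rather than making them permanent."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so tests can advance time
        self.failures = {}          # account -> deque of failure timestamps
        self.locked_until = {}      # account -> monotonic time the lockout ends

    def is_locked(self, account: str) -> bool:
        return self.clock() < self.locked_until.get(account, 0.0)

    def record_failure(self, account: str) -> None:
        now = self.clock()
        q = self.failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            q.clear()

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)

def attempt_login(throttle: LoginThrottle, account: str, password: str, verify):
    """verify(account, password) -> bool is the real credential check.

    Returns (ok, reason). The reason is for server-side logging; the HTTP response
    to the client should be the same generic failure for "locked" and "bad-credentials"."""
    if throttle.is_locked(account):
        return False, "locked"
    if verify(account, password):
        throttle.record_success(account)
        return True, "ok"
    throttle.record_failure(account)
    return False, "bad-credentials"
```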
CVE ID | Title — Product | CVSS | Severity | Published
CVE-2020-7296 | Web Gateway (MWG) - Privilege Escalation vulnerability — McAfee Web Gateway (MWG) | 5.7 | Medium | 2020-09-15
CVE-2020-7295 | Web Gateway (MWG) - Privilege Escalation vulnerability — McAfee Web Gateway (MWG) | 3.5 | Low | 2020-09-15
CVE-2020-7294 | Web Gateway (MWG) - Privilege Escalation vulnerability — McAfee Web Gateway (MWG) | 4.6 | Medium | 2020-09-15
CVE-2020-7293 | Web Gateway (MWG) - Privilege Escalation vulnerability — McAfee Web Gateway (MWG) | 9.0 | Critical | 2020-09-15
CVE-2020-16098 | Gallagher Group Command Centre Access Control Error Vulnerability — Command Centre | 9.8 | Critical | 2020-09-15
CVE-2020-16222 | Philips Patient Monitoring Devices Improper Authentication — Patient Information Center iX (PICiX) | 8.8 | - | 2020-09-11
CVE-2020-7323 | Authentication Protection Bypass vulnerability in ENS for Windows — Endpoint Security for Windows | 6.9 | Medium | 2020-09-09
CVE-2020-8097 | Improper authentication vulnerability in Bitdefender Endpoint Security Tools and Endpoint Security SDK (VA-8646) — Endpoint Security Tools for Windows | 8.1 | High | 2020-08-30
CVE-2020-15164 | Authentication Bypass in Scratch Login (mediawiki-scratch-login) — mediawiki-scratch-login | 10.0 | Critical | 2020-08-28
CVE-2020-3151 | Cisco Connected Mobile Experiences Restricted Shell Escape Vulnerability — Cisco Connected Mobile Experiences | 8.2 | - | 2020-08-26
CVE-2020-16239 | Philips SureSigns VS4 Improper Authentication — SureSigns VS4 | 4.9 | Medium | 2020-08-21
CVE-2020-15136 | Improper authentication in etcd — etcd | 6.5 | Medium | 2020-08-06
CVE-2020-8108 | Insufficient client validation in Bitdefender Endpoint Security for Mac (VA-8759) — Endpoint Security for Mac | 8.2 | High | 2020-08-03
CVE-2020-8206 | Pulse Secure Pulse Connect Secure Authorization Issue Vulnerability — Pulse Connect Secure | 7.5 | - | 2020-07-30
CVE-2020-10918 | C-More HMI EA9 Authorization Issue Vulnerability — HMI EA9 | 7.5 | - | 2020-07-23
CVE-2020-14494 | OpenClinic GA Authorization Issue Vulnerability — OpenClinic GA | 9.8 | - | 2020-07-20
CVE-2020-3388 | Cisco SD-WAN vManage Software Command Injection Vulnerability — Cisco SD-WAN vManage | 7.8 | - | 2020-07-16
CVE-2020-3197 | Cisco Meetings App Missing TURN Server Credentials Expiration Vulnerability — Cisco Meeting App | 8.6 | - | 2020-07-16
CVE-2020-4074 | Improper Authentication — PrestaShop | 8.9 | High | 2020-07-02
CVE-2020-3297 | Cisco Small Business Smart and Managed Switches Session Management Vulnerability — Cisco Small Business 200 Series Smart Switches | 9.8 | - | 2020-07-02
CVE-2019-18252 | Biotronik CardioMessenger II-S Authorization Issue Vulnerability — BIOTRONIK CardioMessenger II-S T-Line, CardioMessenger II-S GSM | 4.3 | - | 2020-06-29
CVE-2019-18246 | Biotronik CardioMessenger II-S Authorization Issue Vulnerability — BIOTRONIK CardioMessenger II-S T-Line, CardioMessenger II-S GSM | 8.1 | - | 2020-06-29
CVE-2020-12035 | Baxter PrismaFlex and PrisMax Trust Management Issue Vulnerability — Baxter PrismaFlex and PrisMax | 5.9 | - | 2020-06-29
CVE-2020-3361 | Cisco Webex Meetings and Cisco Webex Meetings Server Token Handling Unauthorized Access Vulnerability — Cisco WebEx Meetings Server | 8.1 | High | 2020-06-18
CVE-2020-10754 | NetworkManager Access Control Error Vulnerability — NetworkManager | 4.3 | Medium | 2020-06-08
CVE-2020-3216 | Cisco IOS XE SD-WAN Software Authentication Bypass Vulnerability — Cisco IOS XE SD-WAN Software | 6.8 | - | 2020-06-03
CVE-2020-2018 | PAN-OS: Panorama authentication bypass vulnerability — PAN-OS | 9.0 | Critical | 2020-05-13
CVE-2020-1718 | Red Hat Keycloak Authorization Issue Vulnerability — keycloak | 7.1 | High | 2020-05-12
CVE-2020-10916 | TP-Link TL-WA855RE Authorization Issue Vulnerability — TL-WA855RE | 8.0 | - | 2020-05-07
CVE-2020-3125 | Cisco Adaptive Security Appliance Software Kerberos Authentication Bypass Vulnerability — Cisco Adaptive Security Appliance (ASA) Software | 9.1 | - | 2020-05-06

Vulnerabilities classified as CWE-287 (Improper Authentication) represent 1203 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.