
CWE-287 (Improper Authentication) — Vulnerability Class 1203

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI Chinese analysis included.

CWE-287 covers a critical authentication weakness in which a system fails to adequately verify that an actor is who it claims to be. The flaw lets attackers bypass security controls by exploiting insufficient verification mechanisms, gaining unauthorized access through stolen credentials, brute-force attacks, or session hijacking. When authentication logic is flawed, malicious entities can impersonate legitimate users, leading to severe data breaches and privilege escalation. Developers mitigate this risk by implementing robust multi-factor authentication protocols and by making identity-verification processes rigorous and resistant to common attack vectors. By strictly validating credentials against securely hashed credential stores and employing adaptive security measures, organizations can significantly reduce the likelihood of unauthorized access, protecting sensitive information and maintaining system integrity against sophisticated threats.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.

Mitigations (1)
Phase: Architecture and Design
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.

Bad · Perl

    use strict;
    use warnings;
    use CGI;

    my $q = CGI->new;
    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie(
                -name  => 'loggedin',
                -value => 'true'
            );
            $q->cookie(
                -name  => 'user',
                -value => $q->param('username')
            );
        }
    }
    # Both cookies are supplied by the client, so a request that carries
    # them never reaches AuthenticateUser() and the identity is never proven.
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }

Attack

    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
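The two examples above describe two distinct failures: identity recorded in a cookie the client can write (the Perl handler), and a login endpoint that lets a guesser try passwords without limit (the Twitter incident). The following Python is an added example, not MITRE's or this site's code, that places the vulnerable cookie check beside a hardened version in which the server binds identity to an HMAC-signed, expiring session it alone can mint, and in which repeated failed logins lock the account for a cooling-off period. The user names, passwords, salt, key and thresholds are all constructed for the example.

```python
"""Added example: client-trusted identity cookie vs. server-signed session,
plus failed-login throttling. Everything here is constructed for illustration."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

# Constructed credential store: username -> salted SHA-256 (illustration only;
# a real deployment would use a slow password hash such as bcrypt/argon2).
_SALT = b"example-salt"
USERS = {
    "alice": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
    "Administrator": hashlib.sha256(_SALT + b"hunter2-but-longer").hexdigest(),
}
SERVER_KEY = secrets.token_bytes(32)   # assumption: stays on the server only
SESSION_TTL = 3600                     # seconds a session cookie stays valid
MAX_FAILURES = 5                       # failed logins before lockout (assumed)
LOCKOUT_SECONDS = 900                  # lockout window (assumed)
_failures: Dict[str, List[float]] = {}  # username -> timestamps of failures


def _check_password(username: str, password: str) -> bool:
    """Constant-time comparison; hashing runs even for unknown users."""
    expected = USERS.get(username)
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return expected is not None and hmac.compare_digest(expected, digest)


def vulnerable_is_admin(cookies: Dict[str, str]) -> bool:
    """Mirrors the Perl example: believes whatever the client put in cookies."""
    return cookies.get("loggedin") == "true" and cookies.get("user") == "Administrator"


def make_session(username: str, now: Optional[float] = None) -> str:
    """Issue 'username.expiry.mac'; the MAC covers both name and expiry."""
    t = now if now is not None else time.time()
    payload = f"{username}.{int(t) + SESSION_TTL}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_session(cookie: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Return the username only if the cookie is authentic and unexpired."""
    if not cookie:
        return None
    try:
        username, expiry, mac = cookie.rsplit(".", 2)
        expiry_ts = int(expiry)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{username}.{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None          # forged or tampered cookie
    if expiry_ts < (now if now is not None else time.time()):
        return None          # expired
    return username


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Authenticate and return a session cookie, or None. Locks out after MAX_FAILURES."""
    t = now if now is not None else time.time()
    recent = [ts for ts in _failures.get(username, []) if t - ts < LOCKOUT_SECONDS]
    _failures[username] = recent
    if len(recent) >= MAX_FAILURES:
        return None          # locked: further guesses are not evaluated at all
    if not _check_password(username, password):
        recent.append(t)
        return None
    _failures[username] = []  # success clears the counter
    return make_session(username, t)


def hardened_is_admin(cookies: Dict[str, str], now: Optional[float] = None) -> bool:
    """Identity comes from the verified session, never from a 'user' cookie."""
    return verify_session(cookies.get("session"), now) == "Administrator"


if __name__ == "__main__":
    forged = {"user": "Administrator", "loggedin": "true"}   # the request from the Attack example
    print("vulnerable:", vulnerable_is_admin(forged))
    print("hardened:  ", hardened_is_admin(forged))
```

The forged request from the Attack block satisfies `vulnerable_is_admin` and fails `hardened_is_admin`, because the only cookie the hardened handler reads is one whose MAC was computed with a key the client never sees. Rewriting the name inside a valid session cookie invalidates the MAC, and an old cookie stops working at its expiry. The lockout in `login` is per username and time-windowed; a detection pipeline would additionally alert on the burst of failures that fills that window.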
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-67859 | Polkit Authorization Check can be Bypassed in the TLP power daemon | TLP | 5.5 (AI) | Medium (AI) | 2026-01-14 |
| CVE-2025-68931 | Jervis has AES CBC Mode Without Authentication | jervis | 9.1 (AI) | Critical (AI) | 2026-01-13 |
| CVE-2026-0408 | Path traversal vulnerability in Netgear WiFi Range Extenders | EX5000 | 5.7 (AI) | Medium (AI) | 2026-01-13 |
| CVE-2026-0407 | Authentication bypass in NETGEAR WiFi Range Extenders via network adjacent attacks | EX5000 | 8.8 (AI) | High (AI) | 2026-01-13 |
| CVE-2026-0405 | Authentication Bypass in NETGEAR Orbi Devices | RBE970 | 6.8 (AI) | Medium (AI) | 2026-01-13 |
| CVE-2025-69273 | Spectrum broken authentication | DX NetOps Spectrum | 9.8 (AI) | Critical (AI) | 2026-01-12 |
| CVE-2026-22594 | Ghost has Staff 2FA bypass | Ghost | 8.1 | High | 2026-01-10 |
| CVE-2026-21891 | ZimaOS has Authentication Bypass via System-Level Username | ZimaOS | 9.4 | Critical | 2026-01-08 |
| CVE-2026-21881 | Kanboard is Vulnerable to Reverse Proxy Authentication Bypass | kanboard | 9.1 | Critical | 2026-01-08 |
| CVE-2026-21854 | Tarkov Data Manager Authentication Bypass vulnerability | tarkov-data-manager | 9.8 | Critical | 2026-01-07 |
| CVE-2025-14942 | Authentication Bypass | wolfSSH | 9.8 | - | 2026-01-06 |
| CVE-2025-69197 | Pterodactyl TOTPs can be reused during validity window | panel | 6.5 | Medium | 2026-01-06 |
| CVE-2025-64423 | Coolify has a Privilege Escalation - low privileged users can see and use admin invitation links | coolify | 8.0 | - | 2026-01-05 |
| CVE-2026-0589 | code-projects Online Product Reservation System Administration Backend improper authentication | Online Product Reservation System | 7.3 | High | 2026-01-05 |
| CVE-2025-15458 | bg5sbk MiniCMS Article post-edit.php improper authentication | MiniCMS | 7.3 | High | 2026-01-05 |
| CVE-2025-15457 | bg5sbk MiniCMS Trash File Restore post.php improper authentication | MiniCMS | 7.3 | High | 2026-01-05 |
| CVE-2025-15456 | bg5sbk MiniCMS Publish page-edit.php improper authentication | MiniCMS | 7.3 | High | 2026-01-05 |
| CVE-2025-15455 | bg5sbk MiniCMS File Recovery Request page.php delete_page improper authentication | MiniCMS | 6.5 | Medium | 2026-01-05 |
| CVE-2025-15069 | Privilege Escalation in Gmission Web FAX | Web Fax | 7.1 | High | 2025-12-29 |
| CVE-2025-15135 | joey-zhou xiaozhi-esp32-server-java Cookie AuthenticationInterceptor.java tryAuthenticateWithCookies improper authentication | xiaozhi-esp32-server-java | 6.3 | Medium | 2025-12-28 |
| CVE-2025-15099 | simstudioai sim CRON Secret internal.ts improper authentication | sim | 7.3 | High | 2025-12-26 |
| CVE-2025-15097 | Alteryx Server status improper authentication | Server | 7.3 | High | 2025-12-26 |
| CVE-2025-14908 | JeecgBoot Multi-Tenant Management SysTenantController.java improper authentication | JeecgBoot | 6.3 | Medium | 2025-12-19 |
| CVE-2025-13427 | Authentication Bypass in Dialogflow CX Messenger | Dialogflow CX Messenger | 9.1 (AI) | Critical (AI) | 2025-12-18 |
| CVE-2025-14738 | Configuration Disclosure Vulnerability in TP-Link WA850RE | WA850RE | 7.5 (AI) | High (AI) | 2025-12-18 |
| CVE-2025-44005 | Smallstep step-ca security vulnerability | Step-CA | 10.0 | Critical | 2025-12-17 |
| CVE-2025-14097 | Remote Code Execution Vulnerability in Radiometer Products | ABL90 FLEX and ABL90 FLEX PLUS Analyzers | 7.2 | High | 2025-12-17 |
| CVE-2025-14002 | WPCOM Member <= 1.7.16 - Authentication Bypass via Weak OTP | WPCOM Member | 8.1 | High | 2025-12-16 |
| CVE-2025-14746 | Ningyuanda TC155 RTSP Live Video Stream Endpoint improper authentication | TC155 | 4.3 | Medium | 2025-12-16 |
| CVE-2025-37731 | Elasticsearch Improper Authentication | Elasticsearch | 6.8 | Medium | 2025-12-15 |

"(AI)" marks a CVSS score or severity that the site displays with its AI badge; "-" means no severity is shown.

Vulnerabilities classified as CWE-287 (Improper Authentication) represent 1203 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.