
CWE-287 (Improper Authentication) — Vulnerability Class 1203

1203 vulnerabilities are classified as CWE-287 (Improper Authentication). AI-generated analysis in Chinese is included.

CWE-287 is the broad weakness class covering every case in which a product does not prove, or insufficiently proves, that an actor is who it claims to be. It is the parent of more specific authentication weaknesses, so the CVEs filed under it range from forged-cookie and forged-header bypasses to missing authentication on an API, multi-factor recovery codes that can be reused, sessions that survive a password change, and logins with no limit on failed attempts. The common impact is that an attacker acts as another user, typically an administrator, without ever possessing that user's credentials, which leads directly to data exposure, privilege escalation and in some products code execution. Mitigation is a design matter before it is a feature matter: derive the authenticated identity only from server-side state the client cannot forge (an opaque, randomly generated session identifier or a server-signed token, never a plaintext username cookie), compare credentials against salted password hashes using a constant-time comparison, count and lock out failed attempts, invalidate existing sessions and tokens when a password changes, and re-verify identity before sensitive actions. Multi-factor authentication adds defence in depth only when its own enrolment, verification and recovery paths are enforced as strictly as the primary login.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Phase: Architecture and Design
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.

Bad · Perl

    my $q = new CGI;

    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie(
                -name  => 'loggedin',
                -value => 'true'
            );
            $q->cookie(
                -name  => 'user',
                -value => $q->param('username')
            );
        }
    }

    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }

Both cookies are supplied by the client, so a request that simply presents them never reaches AuthenticateUser and goes straight to DoAdministratorTasks():

Attack

    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
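The following is an added example, not MITRE's code and not part of this page's original content. It rebuilds the Perl CGI's cookie-trust logic in Python so the forged request above can be replayed against it, and places beside it a hardened login and session design that also addresses the Twitter incident: identity is read only from a server-side session table keyed by a random id, passwords are compared as salted PBKDF2 hashes in constant time, and repeated failures lock the account. The user store, the demo password, the `session` cookie name, the function names and the lockout thresholds are all assumptions made for this demonstration.

```python
"""Added example (not MITRE's code): the Perl CGI's cookie-trust flaw
rebuilt in Python beside a hardened login/session design. The user store,
the password, the 'session' cookie name and the lockout numbers are
assumptions made for this demonstration."""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000  # kept low so the demo runs quickly; raise in production


def parse_cookies(header):
    """Split a Cookie header such as 'user=Administrator; loggedin=true'."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def vulnerable_is_admin(cookies, params, authenticate):
    """Same logic as the Perl CGI: when 'loggedin' is already true the
    password check is skipped, and the identity used for authorization is
    whatever the client put in the 'user' cookie."""
    if cookies.get("loggedin") != "true":
        if not authenticate(params.get("username"), params.get("password")):
            return False  # ExitError("Error: you need to log in first")
        cookies["loggedin"] = "true"
        cookies["user"] = params.get("username")
    return cookies.get("user") == "Administrator"  # DoAdministratorTasks()


class AuthService:
    """Hardened replacement: identity lives only in a server-side session
    table keyed by an unguessable random id, passwords are checked against
    salted PBKDF2 digests in constant time, and repeated failures lock the
    account for a while (the control that was missing in the Twitter case)."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 900

    def __init__(self, users, clock=time.time):
        self._users = users        # username -> (salt, pbkdf2 digest)
        self._sessions = {}        # opaque session id -> username
        self._failures = {}        # username -> (count, time of last failure)
        self._clock = clock        # injectable so lockout expiry can be tested

    @staticmethod
    def hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def _recent_failures(self, username):
        count, last = self._failures.get(username, (0, 0.0))
        if self._clock() - last >= self.LOCKOUT_SECONDS:
            return 0  # lockout window has expired
        return count

    def login(self, username, password):
        """Return a fresh session id, or None. The caller learns only
        success or failure, not whether the user exists or is locked out."""
        if not username or password is None:
            return None
        if self._recent_failures(username) >= self.MAX_FAILURES:
            return None
        record = self._users.get(username)
        # Hash against a dummy salt for unknown users so response time
        # does not reveal which usernames are valid.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        candidate = self.hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, stored):
            self._failures[username] = (self._recent_failures(username) + 1, self._clock())
            return None
        self._failures.pop(username, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def current_user(self, cookies):
        """Identity is looked up server-side; a client-supplied 'user'
        cookie is never consulted."""
        return self._sessions.get(cookies.get("session", ""))


def hardened_is_admin(service, cookies):
    return service.current_user(cookies) == "Administrator"


def build_service(clock=time.time):
    """Constructed user store: one administrator with a known demo password."""
    salt = secrets.token_bytes(16)
    users = {"Administrator": (salt, AuthService.hash_password("correct-horse-battery", salt))}
    return AuthService(users, clock)


if __name__ == "__main__":
    forged = parse_cookies("user=Administrator; loggedin=true")  # cookies from the Attack block
    print("vulnerable, forged cookies:", vulnerable_is_admin(dict(forged), {}, lambda u, p: False))
    svc = build_service()
    print("hardened, forged cookies:  ", hardened_is_admin(svc, forged))
    sid = svc.login("Administrator", "correct-horse-battery")
    print("hardened, issued session:  ", hardened_is_admin(svc, {"session": sid}))
```

Run stand-alone, the vulnerable path grants administrator access to the forged cookies while the hardened path does not; only a session id issued by a successful password check maps to an identity. Note that the hardened service deliberately returns the same None for a wrong password, an unknown user and a locked account, and still performs a hash for unknown users, so neither the response nor its timing tells a brute-forcer which usernames are worth attacking.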
CVE ID | Title | Product | CVSS | Severity | Published
Scores and severities tagged (AI) carry the site's AI marker; "-" means no severity is given.
CVE-2025-14703 | Shiguangwu sgwbox N3 POST Message fsnotify improper authentication | sgwbox N3 | 5.3 | Medium | 2025-12-15
CVE-2025-67507 | Filament's multi-factor authentication (app) recovery codes can be used multiple times | filament | 8.1 | High | 2025-12-10
CVE-2025-66039 | FreePBX Endpoint Manager Allows Unauthenticated Logins to Administrator Control Panel via Forged Basic Auth Header | framework | 7.4 (AI) | High (AI) | 2025-12-09
CVE-2025-66515 | Nextcloud Approval app allows users to request approval for other users file | security-advisories | 2.7 | Low | 2025-12-05
CVE-2025-12374 | Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification <= 2.0.44 - Authentication Bypass to Account Takeover | User Verification by PickPlugins | 9.8 | Critical | 2025-12-05
CVE-2025-9803 | Improper Authentication in lunary-ai/lunary | lunary-ai/lunary | 9.8 (AI) | Critical (AI) | 2025-11-25
CVE-2024-21635 | Memos Access Tokens Stay Valid after User Password Change | memos | 8.0 | - | 2025-11-14
CVE-2025-64717 | ZITADEL vulnerable to Account Takeover with deactivated Instance IdP | zitadel | 3.8 | - | 2025-11-13
CVE-2025-64517 | sudo-rs doesn't record authenticating user properly in timestamp | sudo-rs | 4.4 | Medium | 2025-11-12
CVE-2025-12998 | Broken Authentication in extension "Modules" (modules) | Extension "Modules" | 9.1 | - | 2025-11-12
CVE-2025-64513 | Milvus Proxy has Critical Authentication Bypass Vulnerability | milvus | 9.8 | - | 2025-11-10
CVE-2025-64434 | KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing | kubevirt | 4.7 | Medium | 2025-11-07
CVE-2025-64432 | KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer | kubevirt | 4.7 | Medium | 2025-11-07
CVE-2025-3222 | Smallworld SWMFS Improper Authentication | Smallworld | 9.8 | - | 2025-11-07
CVE-2025-20730 | MediaTek Chipsets security vulnerability | MT2737, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6990, MT6991, MT8188, MT8195, MT8676, MT8678, MT8696 | 6.7 (AI) | Medium (AI) | 2025-11-04
CVE-2025-62717 | Emlog Pro session verification code error due to clearing logic error | emlog | 8.1 | - | 2025-10-24
CVE-2025-43995 | Dell Storage Manager authorization issue vulnerability | Dell Storage Manager | 9.8 | Critical | 2025-10-24
CVE-2025-6979 | Captive Portal can allow authentication bypass | Arista Edge Threat Management - Arista Next Generation Firewall | 8.8 | High | 2025-10-23
CVE-2025-62169 | OctoPrint-SpoolManager Plugin APIs do not enforce authentication | OctoPrint-SpoolManager | 8.1 | High | 2025-10-23
CVE-2025-62398 | Moodle: possible to bypass mfa | | 8.1 (AI) | High (AI) | 2025-10-23
CVE-2025-41110 | Improper Authentication vulnerability in Ghost Robotics' Vision 60 | Vision 60 | 8.8 (AI) | High (AI) | 2025-10-22
CVE-2025-41108 | Improper Authentication vulnerability in Ghost Robotics' Vision 60 | Vision 60 | 9.8 (AI) | Critical (AI) | 2025-10-22
CVE-2025-11625 | Host verification bypass and credential leak | wolfSSH | 9.8 (AI) | Critical (AI) | 2025-10-21
CVE-2025-61922 | PrestaShop Checkout allows customer account takeover via email | ps_checkout | 9.1 | Critical | 2025-10-16
CVE-2025-10293 | Keyy Two Factor Authentication (like Clef) <= 1.2.3 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover | Keyy Two Factor Authentication (like Clef) | 8.8 | High | 2025-10-15
CVE-2025-62376 | pwn.college DOJO vulnerable to improper authentication in workspace endpoint allowing unauthorized Windows VM access | dojo | 9.8 (AI) | Critical (AI) | 2025-10-14
CVE-2025-59280 | Windows SMB Client Tampering Vulnerability | Windows 10 Version 1507 | 3.1 | Low | 2025-10-14
CVE-2025-55340 | Windows Remote Desktop Protocol Security Feature Bypass | Windows 10 Version 21H2 | 7.0 | High | 2025-10-14
CVE-2025-53845 | Fortinet FortiAnalyzer authorization issue vulnerability | FortiAnalyzer | 6.2 | Medium | 2025-10-14
CVE-2025-9064 | Rockwell Automation FactoryTalk View Machine Edition Path Traversal | FactoryTalk View Machine Edition | 8.1 (AI) | High (AI) | 2025-10-14

1203 CVEs are classified as CWE-287 (Improper Authentication). The CWE entry describes only the weakness class; review each CVE for the product-specific condition and impact.