
CWE-287 (Improper Authentication) — Vulnerability Class, 1203 CVEs

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI Chinese analysis included.

CWE-287 covers products that do not adequately prove that an actor is who it claims to be. The usual exploitation paths are credential guessing or credential stuffing where failed attempts are not limited, session forgery or hijacking where the identity the server acts on is not bound to a login it actually verified, and logic flaws that let a request skip the check altogether. A successful bypass lets the attacker act as a legitimate user, which is routinely followed by data exposure and privilege escalation. Practical mitigations are to use a vetted authentication framework instead of ad-hoc checks, to store only salted password hashes and compare them in constant time, to limit, delay and log failed attempts per account and per source, to keep authentication state on the server (or in a signed, expiring token) rather than in client-supplied identity fields, and to require a second factor for sensitive accounts.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.

Mitigations (1)
Phase: Architecture and Design
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
    use CGI;

    my $q = new CGI;
    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies (the cookie objects must be emitted in
            # the response header for the browser to store them).
            $q->cookie( -name => 'loggedin', -value => 'true' );
            $q->cookie( -name => 'user', -value => $q->param('username') );
        }
    }
    # Flaw: both cookies come from the client, so a request that already carries
    # loggedin=true never reaches AuthenticateUser, and the username in 'user' is
    # taken on trust.
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }

Bad · Perl

    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]

Attack
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
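The two failure modes above, trusting a client-supplied identity cookie and leaving login attempts unlimited, side by side with their fixes. This is an added example written for this page, not MITRE's example code or any product's code: `vulnerable_is_admin` transcribes the Perl logic, `login`/`hardened_is_admin` keep identity in a server-side session and throttle failed logins. The user records, passwords, timestamps and the `SESSIONS`/`MAX_FAILURES`/`WINDOW_SECONDS` names are constructed for the example.

```python
"""Cookie-trust bypass (CWE-287) beside a hardened login with throttling.

Added example, not MITRE's or this site's code. User records, passwords and
timestamps are constructed; login(), SESSIONS and the throttle parameters are
hypothetical names chosen for this illustration.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store: username -> (salt, PBKDF2 hash). No plaintext is kept.
_DUMMY_SALT = os.urandom(16)
USERS: Dict[str, tuple] = {}
for _name, _pw in (("alice", "correct horse battery staple"),
                   ("Administrator", "long-random-admin-passphrase")):
    _salt = os.urandom(16)
    USERS[_name] = (_salt, _hash_password(_pw, _salt))


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison; an unknown user costs the same as a known one."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, None))
    computed = _hash_password(password, salt)
    return expected is not None and hmac.compare_digest(computed, expected)


# --- Vulnerable: a direct transcription of the Perl logic above ---------------
def vulnerable_is_admin(cookies: dict, params: dict) -> bool:
    if cookies.get("loggedin") != "true":
        if not verify_password(params.get("username", ""), params.get("password", "")):
            return False  # ExitError("Error: you need to log in first")
        cookies["loggedin"] = "true"
        cookies["user"] = params["username"]
    # Flaw: 'user' is read straight from the client. A request arriving with
    # loggedin=true; user=Administrator never calls verify_password at all.
    return cookies.get("user") == "Administrator"


# --- Hardened: identity lives server-side; failed logins are throttled ---------
SESSIONS: Dict[str, str] = {}            # opaque random token -> username
_FAILURES: Dict[str, List[float]] = {}   # username -> failed-login timestamps
MAX_FAILURES = 5                          # failures allowed per account ...
WINDOW_SECONDS = 15 * 60                  # ... within this sliding window


def _throttled(username: str, now: float) -> bool:
    recent = [t for t in _FAILURES.get(username, []) if now - t < WINDOW_SECONDS]
    _FAILURES[username] = recent
    return len(recent) >= MAX_FAILURES


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Return a fresh random session token, or None on failure or lockout."""
    now = time.time() if now is None else now
    if _throttled(username, now):
        return None  # locked out for the window; the password is not even checked
    if not verify_password(username, password):
        _FAILURES.setdefault(username, []).append(now)
        return None
    _FAILURES.pop(username, None)
    token = secrets.token_urlsafe(32)  # 256 bits of entropy; not guessable
    SESSIONS[token] = username
    return token


def hardened_is_admin(cookies: dict) -> bool:
    """The client supplies only the token; the server decides whose it is.
    A forged 'user' or 'loggedin' cookie is simply never consulted."""
    return SESSIONS.get(cookies.get("session", "")) == "Administrator"
```

The throttle here is per account, which is what would have stopped the 2009 guessing attack; production systems usually add a per-source limit and a growing delay as well, and the session map would live in a store shared across server instances with an expiry.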
Entries marked (AI) carry the site's AI-generated score and severity.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-54573 | CVAT vulnerable to email verification bypass by use of basic authentication | cvat | 4.3 | Medium | 2025-07-30 |
| CVE-2025-54419 | Node-SAML Contains SAML Signature Verification Vulnerability | node-saml | 10.0 | Critical | 2025-07-28 |
| CVE-2025-0249 | HCL IEM is affected by an improper invalidation of access or JWT token vulnerability | IEM | 3.3 | Low | 2025-07-24 |
| CVE-2024-12310 | Bypass of Login Screen on Shared Kiosk Workstations | Enterprise Access Management | 6.8 | - | 2025-07-23 |
| CVE-2025-54452 | SAMSUNG MagicINFO 9 Server Security Vulnerability | MagicINFO 9 Server | 7.3 | High | 2025-07-23 |
| CVE-2025-41459 | Insecure authentication due to missing bruteforce protection and runtime manipulation in Two App Studio Journey 5.5.6 for iOS | Journey | 7.8 | High | 2025-07-21 |
| CVE-2024-6107 | Canonical MAAS Security Vulnerability | MAAS | 9.6 | Critical | 2025-07-21 |
| CVE-2025-53771 | Microsoft SharePoint Server Spoofing Vulnerability | Microsoft SharePoint Enterprise Server 2016 | 6.5 | Medium | 2025-07-20 |
| CVE-2025-7875 | Metasoft 美特软件 MetaCRM debug.jsp improper authentication | MetaCRM | 7.3 | High | 2025-07-20 |
| CVE-2025-7699 | An improper access control vulnerability was found in the EZ Sync Manager of ADM | ADM | 6.5 (AI) | Medium (AI) | 2025-07-16 |
| CVE-2025-7703 | TECNO tech.palm.id Security Vulnerability | tech.palm.id | 7.5 (AI) | High (AI) | 2025-07-16 |
| CVE-2025-49831 | Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) vulnerable to IAM Authenticator Bypass via Mis-configured Network Device | conjur | 9.3 (AI) | Critical (AI) | 2025-07-15 |
| CVE-2025-53889 | Directus missing permission checks for manual trigger Flows | directus | 6.5 | Medium | 2025-07-14 |
| CVE-2025-7574 | LB-LINK BL-WR9000 Web Interface lighttpd.cgi restore improper authentication | BL-AC1900 | 9.8 | Critical | 2025-07-14 |
| CVE-2025-49812 | Apache HTTP Server: mod_ssl TLS upgrade attack | Apache HTTP Server | 7.4 (AI) | High (AI) | 2025-07-10 |
| CVE-2025-49706 | Microsoft SharePoint Server Spoofing Vulnerability | Microsoft SharePoint Enterprise Server 2016 | 6.5 | Medium | 2025-07-08 |
| CVE-2025-53545 | Press has a potential 2FA bypass | press | 9.8 (AI) | Critical (AI) | 2025-07-08 |
| CVE-2025-21450 | Improper Authentication in GPS_GNSS | Snapdragon | 9.1 | Critical | 2025-07-08 |
| CVE-2025-6926 | Security Authentication Bypass in CentralAuth | Mediawiki - CentralAuth Extension | 9.8 (AI) | Critical (AI) | 2025-07-03 |
| CVE-2025-52553 | authentik has Insufficient Session verification for Remote Access Control endpoint access | authentik | 9.1 (AI) | Critical (AI) | 2025-06-27 |
| CVE-2025-53013 | Himmelblau offline auth permits authentication with invalid Hello PIN | himmelblau | 5.2 | Medium | 2025-06-26 |
| CVE-2025-52572 | Hikka vulnerable to RCE through dangling web interface | Hikka | 10.0 | Critical | 2025-06-24 |
| CVE-2025-52571 | Hikka vulnerable to RCE through edits in a channel | Hikka | 9.7 | Critical | 2025-06-24 |
| CVE-2025-49851 | Improper Authentication in ControlID iDSecure On-premises | iDSecure On-premises | 9.8 (AI) | Critical (AI) | 2025-06-24 |
| CVE-2025-6528 | 70mai M300 RTSP Live Video Stream Endpoint 12 improper authentication | M300 | 4.3 | Medium | 2025-06-23 |
| CVE-2025-6524 | 70mai 1S Video Services improper authentication | 1S | 3.1 | Low | 2025-06-23 |
| CVE-2024-45347 | Mi Connect Service APP protocol flaws lead to unauthorized access | Xiaomi Mi Connect Service | 9.6 | Critical | 2025-06-23 |
| CVE-2025-6172 | TECNO com.afmobi.boomplayer Security Vulnerability | com.afmobi.boomplayer | 8.8 (AI) | High (AI) | 2025-06-16 |
| CVE-2025-6083 | ExtremeCloud Universal ZTNA Improper Authorization | ExtremeCloud Universal ZTNA | 5.3 (AI) | Medium (AI) | 2025-06-13 |
| CVE-2025-49146 | pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration | pgjdbc | 8.2 | High | 2025-06-11 |

Vulnerabilities classified as CWE-287 (Improper Authentication) account for 1203 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.