
CWE-303: Incorrect Implementation of Authentication Algorithm (Vulnerability Class, 68 CVEs)

68 vulnerabilities are classified as CWE-303 (Incorrect Implementation of Authentication Algorithm). AI-generated analysis in Chinese is included for each entry.

CWE-303 is an implementation flaw rather than a design flaw: the requirements call for an established authentication algorithm (a password hash, an HMAC or signature check, a challenge-response exchange, an MFA code check, an OAuth/OpenID Connect or SSO flow), but the code that carries it out deviates from the specification. The entries below show the usual causes: logic errors in the verification routine (a check that is skipped when the header is absent or incomplete, a substring or prefix match where an exact match is required, an account lookup that associates the wrong identity), mishandling of cryptographic primitives (an HMAC verifier that lets the input choose the algorithm, which enables algorithm confusion), and missing replay protection for SCRAM exchanges or MFA codes. An attacker exploits the gap by submitting input the flawed check accepts, such as an empty credential, a replayed code or a crafted identity claim, and is authenticated without holding valid credentials; the result is unauthorized access and, depending on the account reached, account takeover or privilege escalation. The defence is to implement the algorithm exactly as specified, preferably through a vetted library rather than hand-written verification logic, to compare secrets with a constant-time comparison, and to cover the failure paths (missing, empty, malformed and replayed input) explicitly in unit tests and code review so that every path either proves possession of the credential or denies access.
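As an added illustration of the weakness class (example code written for this page, not taken from any product or CVE listed here), the following shows an HTTP Basic authentication check implemented incorrectly beside the same check implemented as RFC 7617 requires. The user name, password and salt are constructed for the example; the flawed version only checks credentials when a header is present and accepts any prefix of the expected credential, which are the same two mistakes that make an empty or incomplete header sufficient to log in.

```python
import base64
import hashlib
import hmac

# Constructed credential store for the example (hypothetical user and salt).
SALT = b"example-salt-not-for-production"
PASSWORD = "correct horse battery staple"   # kept in clear only so the flawed
                                            # checker below can prefix-match it


def _hash(password: str) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the example salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)


USERS = {"alice": _hash(PASSWORD)}


def basic_header(userpass: str) -> dict:
    """Build the request headers a client would send for Basic auth."""
    token = base64.b64encode(userpass.encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def authenticate_vulnerable(headers: dict) -> bool:
    """RFC 7617 Basic auth, implemented incorrectly (deliberately, for contrast).

    Flaw 1: credentials are only checked when the header is present, so a
            request with no Authorization header at all is let through.
    Flaw 2: a header whose payload is missing or incomplete decodes to a
            prefix of the expected 'user:password' string, and the check is a
            prefix match, so 'Basic' alone, 'alice' or 'alice:' all pass.
    """
    auth = headers.get("Authorization")
    if auth is None:
        return True                                   # Flaw 1
    scheme, _, payload = auth.partition(" ")
    if scheme != "Basic":
        return False
    try:
        submitted = base64.b64decode(payload).decode("utf-8")
    except ValueError:                                # bad base64 or bad UTF-8
        return False
    expected = f"alice:{PASSWORD}"
    return expected.startswith(submitted)             # Flaw 2


def authenticate_hardened(headers: dict) -> bool:
    """The same check implemented as the specification requires."""
    auth = headers.get("Authorization")
    if auth is None:
        return False                                  # no credentials: deny
    scheme, sep, payload = auth.partition(" ")
    if scheme != "Basic" or not sep or not payload:
        return False                                  # incomplete header: deny
    try:
        submitted = base64.b64decode(payload, validate=True).decode("utf-8")
    except ValueError:                                # bad base64 or bad UTF-8
        return False
    user, sep, password = submitted.partition(":")
    if not sep:
        return False                                  # RFC 7617: user-id ":" password
    candidate = _hash(password)                       # hash even for unknown users
    stored = USERS.get(user)
    # Exact, constant-time comparison of the full credential; no prefix match.
    return stored is not None and hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    for name, check in (("vulnerable", authenticate_vulnerable),
                        ("hardened", authenticate_hardened)):
        print(name,
              "| no header:", check({}),
              "| bare 'Basic':", check({"Authorization": "Basic"}),
              "| 'alice:':", check(basic_header("alice:")),
              "| valid:", check(basic_header(f"alice:{PASSWORD}")))
```

Run it directly to see the two checkers side by side: the flawed one returns True for a request with no header, for a bare `Basic` scheme with no payload and for `alice:` with an empty password, while the hardened one accepts only the complete, correct credential. The hardened version also hashes the submitted password before consulting the user table so that an unknown user name does not return faster than a known one.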

MITRE CWE Description
The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. This incorrect implementation may allow authentication to be bypassed.
Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism.
CVE ID | Title | Product | CVSS | Severity | Published
(AI) marks a score or severity the page flags as AI-estimated; "-" means no value is given.
CVE-2026-33190 | CoreDNS TSIG authentication bypass on encrypted DNS transports | coredns | - | - | 2026-05-05
CVE-2026-27656 | Account Takeover via Substring Matching in OpenID Connect Authentication | Mattermost | 5.7 | Medium | 2026-03-25
CVE-2026-32953 | Tillitis: TKey Client has an Error in Protocol Implementation | tkeyclient | 7.5 | - | 2026-03-20
CVE-2026-29515 | MiCode FileExplorer SwiFTP Server Authentication Bypass | FileExplorer | 9.8 (AI) | Critical (AI) | 2026-03-11
CVE-2019-25436 | Sricam DeviceViewer 3.12.0.1 Password Change Security Bypass | DeviceViewer | 6.5 | Medium | 2026-02-20
CVE-2026-0999 | Authentication bypass via userID login when email and username login are disabled | Mattermost | 5.4 | Medium | 2026-02-16
CVE-2025-14510 | ABB Ability OPTIMAX Authentication Bypass in Single-Sign On | ABB Ability OPTIMAX | 8.1 | High | 2026-01-16
CVE-2025-4676 | Authentication bypass by brute forcing Authentication Headers | WebPro SNMP Card PowerValue | 8.8 | High | 2026-01-07
CVE-2025-14273 | Mattermost Jira plugin user spoofing enables Jira request forgery | Mattermost | 7.2 | High | 2025-12-22
CVE-2025-66489 | Cal.com Authentication Bypass via bad TOTP + password checks | cal.com | 9.8 (AI) | Critical (AI) | 2025-12-03
CVE-2025-13390 | WP Directory Kit <= 1.4.4 - Authentication Bypass to Privilege Escalation via Account Takeover | WP Directory Kit | 10.0 | Critical | 2025-12-03
CVE-2025-12421 | Account Takeover via Code Exchange Endpoint | Mattermost | 9.9 | Critical | 2025-11-27
CVE-2025-12419 | Account takeover on OAuth/OpenID-enabled servers | Mattermost | 9.9 | Critical | 2025-11-27
CVE-2025-53782 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Microsoft Exchange Server 2016 Cumulative Update 23 | 8.4 | High | 2025-10-14
CVE-2025-61783 | Python Social Auth - Django has unsafe account association | social-app-django | 9.1 (AI) | Critical (AI) | 2025-10-09
CVE-2025-43727 | Dell PowerProtect Data Domain security vulnerability | PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release | 7.5 | High | 2025-10-07
CVE-2025-57808 | ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header | esphome | 8.1 | High | 2025-09-02
CVE-2025-43856 | immich allows account hijacking through oauth2 | immich | 8.8 (AI) | High (AI) | 2025-07-11
CVE-2025-48994 | SignXML's signature verification with HMAC is vulnerable to an algorithm confusion attack | signxml | 9.1 (AI) | Critical (AI) | 2025-06-02
CVE-2025-3230 | Bypass of System Admin User Deactivation Controls for Personal Access Tokens in Mattermost Server | Mattermost | 5.4 | Medium | 2025-05-30
CVE-2025-2571 | Google OAuth Authentication Bypass for Converted Bot Accounts | Mattermost | 4.2 | Medium | 2025-05-30
CVE-2025-2475 | Unauthorized Bot Login Using Credentials | Mattermost | 5.4 | Medium | 2025-04-14
CVE-2024-8314 | Improper session handling in B&R APROL | APROL | 8.8 (AI) | High (AI) | 2025-03-25
CVE-2025-23046 | GLPI vulnerable to unauthorized authentication by email using the OAuthIMAP plugin | glpi | 8.8 | - | 2025-02-25
CVE-2025-21311 | Windows NTLM V1 Elevation of Privilege Vulnerability | Windows 11 Version 24H2 | 9.8 | Critical | 2025-01-14
CVE-2024-56128 | Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption | Apache Kafka | 7.5 | - | 2024-12-18
CVE-2024-10127 | Support for authentication bypass condition in M-Files LDAP authentication | M-Files Server | 8.1 (AI) | High (AI) | 2024-11-20
CVE-2024-9999 | Multi-Factor Authentication Bypass in Progress WS_FTP Server | WS_FTP Server | 6.5 | Medium | 2024-11-12
CVE-2024-36250 | MFA Code Replay | Mattermost | 3.1 | Low | 2024-11-09
CVE-2024-10214 | Incorrect Session Creation with Desktop SSO | Mattermost | 3.5 | Low | 2024-10-28

68 CVEs are classified as CWE-303 (Incorrect Implementation of Authentication Algorithm); the table above lists the 30 most recently published. The CWE taxonomy describes the weakness; review each CVE for product-specific impact.