CWE-287 — Improper Authentication

4,295 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.

CVEs classified under CWE-287 (page 6 of 86). Each entry lists the CVE ID, severity rating, CVSS score, EG score, and date.
- CVE-2008-5575 | NONE | CVSS 0.0 | EG 0.0 | 2008-12-15
Session fixation vulnerability in Pro Clan Manager 0.4.2 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.
- CVE-2008-5576 | NONE | CVSS 0.0 | EG 0.0 | 2008-12-15
admin/forums.php in sCssBoard 1.0, 1.1, 1.11, and 1.12 allows remote attackers to bypass authentication and gain administrative access via a large value of the current_user[users_level] parameter.
- CVE-2008-5686 | NONE | CVSS 0.0 | EG 0.0 | 2008-12-19
IBM Tivoli Provisioning Manager (TPM) before 5.1.1.1 IF0006, when its LDAP service is shared with other applications, does not require that an LDAP user be listed in the TPM user records, which allows remote authenticated users to execute …
- CVE-2008-5692 | NONE | CVSS 0.0 | EG 0.0 | 2008-12-19
Ipswitch WS_FTP Server Manager before 6.1.1, and possibly other Ipswitch products, allows remote attackers to bypass authentication and read logs via a logLogout action to FTPLogServer/login.asp followed by a request to FTPLogServer/LogVie…
- CVE-2008-5708 | NONE | CVSS 0.0 | EG 0.0 | 2008-12-24
redirect.php in SlimCMS 1.0.0 does not require authentication, which allows remote attackers to create administrative users by using the newusername and newpassword parameters and setting the newisadmin parameter to 1.
- CVE-2008-5721 | NONE | CVSS 0.0 | EG 0.0 | 2008-12-26
SapporoWorks BlackJumboDog (BJD) before 4.2.3 allows remote attackers to bypass authentication and obtain sensitive information via unspecified vectors.
- CVE-2008-5783 | NONE | CVSS 0.0 | EG 0.0 | 2008-12-31
admin/index.php in V3 Chat Live Support 3.0.4 allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie to 1.
- CVE-2008-5809 | NONE | CVSS 0.0 | EG 0.0 | 2009-01-02
futomi CGI Cafe Access Analyzer CGI Standard 4.0.1 and earlier and Access Analyzer CGI Professional 4.11.3 and earlier use a predictable session id, which makes it easier for remote attackers to hijack sessions, and obtain sensitive inform…
- CVE-2008-5880 | NONE | CVSS 0.0 | EG 0.0 | 2009-01-08
admin/auth.php in Gobbl CMS 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the auth cookie to "ok".
- CVE-2008-5945 | NONE | CVSS 0.0 | EG 0.0 | 2009-01-22
Nukeviet 2.0 Beta allows remote attackers to bypass authentication and gain administrative access by setting the admf cookie to 1. NOTE: the provenance of this information is unknown; the details are obtained solely from third party infor…
- CVE-2008-5964 | NONE | CVSS 0.0 | EG 0.0 | 2009-01-23
Session fixation vulnerability in Social ImpressCMS before 1.1.1 RC1 allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.
- CVE-2008-5967 | NONE | CVSS 0.0 | EG 0.0 | 2009-01-26
admin/index.php in PHP iCalendar 2.3.4, 2.24, and earlier does not require administrative authentication for an addupdate action, which allows remote attackers to upload a calendar (aka .ics) file with arbitrary content to the calendars/ d…
- CVE-2008-6009 | NONE | CVSS 0.0 | EG 0.0 | 2009-01-30
SG Real Estate Portal 2.0 allows remote attackers to bypass authentication and gain administrative access by setting the Auth cookie to 1.
- CVE-2008-6045 | NONE | CVSS 0.0 | EG 0.0 | 2009-02-03
Session fixation vulnerability in shopping_cart.php in xt:Commerce 3.0.4 and earlier allows remote attackers to hijack web sessions by setting the XTCsid parameter.
- CVE-2008-6092 | NONE | CVSS 0.0 | EG 0.0 | 2009-02-09
phpscripts Ranking Script allows remote attackers to bypass authentication and gain administrative access by sending an admin=ja cookie.
- CVE-2008-6118 | NONE | CVSS 0.0 | EG 0.0 | 2009-02-11
win/content/upload.php in Goople CMS 1.7 allows remote attackers to bypass authentication and gain administrative access by setting the loggedin cookie to 1.
- CVE-2008-6128 | NONE | CVSS 0.0 | EG 0.0 | 2009-02-13
Session fixation vulnerability in moziloCMS 1.10.2 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.
- CVE-2008-6131 | NONE | CVSS 0.0 | EG 0.0 | 2009-02-13
Session fixation vulnerability in moziloWiki 1.0.1 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.
- CVE-2008-6143 | NONE | CVSS 0.0 | EG 0.0 | 2009-02-16
OwenPoll 1.0 allows remote attackers to bypass authentication and obtain administrative access via a modified account name in the username cookie.
- CVE-2008-6162 | NONE | CVSS 0.0 | EG 0.0 | 2009-02-20
Bux.to Clone script allows remote attackers to bypass authentication and gain administrative access by setting the loggedin cookie to 1 and the usNick cookie to admin.
- CVE-2008-6269 | NONE | CVSS 0.0 | EG 0.0 | 2009-02-25
Joovili 3.1.4 allows remote attackers to bypass authentication and gain privileges as other users, including the administrator, by setting the (1) session_id, session_logged_in, and session_username cookies for user privileges; (2) session…
- CVE-2008-6300 | NONE | CVSS 0.0 | EG 0.0 | 2009-02-26
Galatolo WebManager 1.3a allows remote attackers to bypass authentication and gain administrative access by setting the (1) gwm_user and (2) gwm_pass cookies to admin. NOTE: the provenance of this information is unknown; the details are o…
- CVE-2008-6307 | NONE | CVSS 0.0 | EG 0.0 | 2009-02-26
E-topbiz Link Back Checker 1 allows remote attackers to bypass authentication and gain administrative access by setting the auth cookie to "admin."
- CVE-2008-6411 | NONE | CVSS 0.0 | EG 0.0 | 2009-03-06
Explay CMS 2.1 and earlier allows remote attackers to bypass authentication and gain administrative access by setting the login cookie to 1.
- CVE-2008-6440 | NONE | CVSS 0.0 | EG 0.0 | 2009-03-06
Cerberus Helpdesk before 4.0 (Build 600) allows remote attackers to obtain sensitive information via direct requests for "controllers ... that aren't standard helpdesk pages," possibly involving the (1) /display and (2) /kb URIs.
- CVE-2008-6445 | NONE | CVSS 0.0 | EG 0.0 | 2009-03-09
Unspecified vulnerability in YourPlace before 1.0.1 has unknown impact and attack vectors, possibly related to improper authentication and the ability to upload arbitrary PHP code. NOTE: some of these details are obtained from third party…
- CVE-2008-6455 | NONE | CVSS 0.0 | EG 0.0 | 2009-03-13
Session fixation vulnerability in Edikon phpShop 0.8.1 allows remote attackers to hijack web sessions via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party informati…
- CVE-2008-6523 | NONE | CVSS 0.0 | EG 0.0 | 2009-03-25
auth.php in openInvoice 0.90 beta and earlier allows remote attackers to bypass authentication and gain privileges by setting the oiauth cookie. NOTE: this can be leveraged with a separate vulnerability in resetpass.php to modify password…
- CVE-2008-6553 | NONE | CVSS 0.0 | EG 0.0 | 2009-03-30
microcms-admin-home.php in Implied by Design Micro CMS (Micro-CMS) 3.5 (aka 0.3.5) does not require authentication as an administrator, which allows remote attackers to (1) create administrative accounts via an add_admin action, (2) remove…
- CVE-2008-6569 | NONE | CVSS 0.0 | EG 0.0 | 2009-03-31
Session fixation vulnerability in Cybozu Garoon 2.0.0 through 2.1.3 allows remote attackers to hijack web sessions via the session ID in the login page.
- CVE-2008-6581 | NONE | CVSS 0.0 | EG 0.0 | 2009-04-02
login.php in PhpAddEdit 1.3 allows remote attackers to bypass authentication and gain administrative access by setting the addedit cookie parameter.
- CVE-2008-6664 | NONE | CVSS 0.0 | EG 0.0 | 2009-04-08
action.php in SH-News 3.0 allows remote attackers to bypass authentication and gain administrator privileges by setting the shuser and shpass cookies to non-zero values.
- CVE-2008-6667 | NONE | CVSS 0.0 | EG 0.0 | 2009-04-08
A+ PHP Scripts News Management System (NMS) allows remote attackers to bypass authentication and gain administrator privileges by setting the mobsuser and mobspass cookies to 1.
- CVE-2008-6707 | NONE | CVSS 0.0 | EG 0.0 | 2009-04-10
The Web management interface in Avaya SIP Enablement Services (SES) 3.x and 4.0, as used with Avaya Communication Manager 3.1.x, does not perform authentication for certain functionality, which allows remote attackers to obtain sensitive i…
- CVE-2008-6714 | NONE | CVSS 0.0 | EG 0.0 | 2009-04-10
admin.php in xeCMS 1.0.0 RC2 and earlier allows remote attackers to bypass authentication and access the admin panel by setting the xecms_username cookie.
- CVE-2008-6716 | NONE | CVSS 0.0 | EG 0.0 | 2009-04-13
homeadmin/adminhome.php in Pre ADS Portal 2.0 and earlier does not require administrative authentication, which allows remote attackers to have an unspecified impact via a direct request.
- CVE-2008-6717 | NONE | CVSS 0.0 | EG 0.0 | 2009-04-13
U&M Software Signup 1.0 and 1.1 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) adminstart.php, (2) admineventt…
- CVE-2008-6718 | NONE | CVSS 0.0 | EG 0.0 | 2009-04-13
U&M Software JustBookIt 1.0 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) user_manual.php, (2) user_config.ph…
- CVE-2008-6719 | NONE | CVSS 0.0 | EG 0.0 | 2009-04-13
U&M Software Event Lister (aka JustListIt) 1.0 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to (1) start.php, (2) a…
- CVE-2008-6723 | NONE | CVSS 0.0 | EG 0.0 | 2009-04-14
TurnkeyForms Entertainment Portal 2.0 allows remote attackers to bypass authentication and gain administrative access by setting the adminLogged cookie to Administrator.
- CVE-2008-6738 | NONE | CVSS 0.0 | EG 0.0 | 2009-04-21
MyShoutPro 1.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin_access cookie to 1.
- CVE-2008-6739 | NONE | CVSS 0.0 | EG 0.0 | 2009-04-21
Todd Woolums ASP Download management script 1.03 does not require authentication for setupdownload.asp, which allows remote attackers to gain administrator privileges via a direct request.
- CVE-2008-6743 | NONE | CVSS 0.0 | EG 0.0 | 2009-04-22
RSMScript 1.21 allows remote attackers to bypass authentication and gain administrative privileges by setting the verified cookie to an arbitrary value and performing a direct request to (1) delete.php, (2) edit-submit.php, (3) edit.php, (…
- CVE-2008-6763 | NONE | CVSS 0.0 | EG 0.0 | 2009-04-28
login2.php in Silentum LoginSys 1.0.0 allows remote attackers to bypass authentication and obtain access to an arbitrary account by setting the logged_in cookie to that account's username.
- CVE-2008-6804 | NONE | CVSS 0.0 | EG 0.0 | 2009-05-11
Tribiq CMS 5.0.9a beta allows remote attackers to bypass authentication and gain administrative access by setting the COOKIE_LAST_ADMIN_USER and COOKIE_LAST_ADMIN_LANG cookies. NOTE: a third party reports that the vendor disputes the exis…
- CVE-2008-6815 | NONE | CVSS 0.0 | EG 0.0 | 2009-05-28
mykdownload.php in MyKtools 2.4 does not require administrative authentication, which allows remote attackers to read a database backup by making a direct request, and then sending an unspecified request to the download page for the backup.
- CVE-2008-6816 | NONE | CVSS 0.0 | EG 0.0 | 2009-05-28
Eaton MGEOPS Network Shutdown Module before 3.10 Build 13 allows remote attackers to execute arbitrary code by adding a custom action to the MGE frontend via pane_actionbutton.php, and then executing this action via exec_action.php.
- CVE-2008-6854 | NONE | CVSS 0.0 | EG 0.0 | 2009-07-14
Xigla Software Absolute FAQ Manager.NET 6.0 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value.
- CVE-2008-6855 | NONE | CVSS 0.0 | EG 0.0 | 2009-07-14
Xigla Software Absolute News Feed 1.0 and possibly 1.5 allows remote attackers to bypass authentication and gain administrative access by setting a certain cookie.
- CVE-2008-6856 | NONE | CVSS 0.0 | EG 0.0 | 2009-07-14
Xigla Software Absolute News Manager.NET 5.1 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value.