CWE-1390
Allowed-with-ReviewWeak Authentication
Abstraction: Class · Status: Incomplete
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
155 vulnerabilities reference this CWE, most recent first.
GHSA-5PFR-259P-873J
Vulnerability from github – Published: 2026-02-20 03:31 – Updated: 2026-02-20 03:31Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.
{
"affected": [],
"aliases": [
"CVE-2025-30411"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-20T01:15:59Z",
"severity": "CRITICAL"
},
"details": "Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.",
"id": "GHSA-5pfr-259p-873j",
"modified": "2026-02-20T03:31:39Z",
"published": "2026-02-20T03:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30411"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-8768"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5RH9-R47C-Q36P
Vulnerability from github – Published: 2024-08-01 00:33 – Updated: 2024-08-01 00:33Weak authentication in Microsoft Dynamics 365 allows an unauthenticated attacker to elevate privileges over a network.
{
"affected": [],
"aliases": [
"CVE-2024-38182"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-31T23:15:13Z",
"severity": "CRITICAL"
},
"details": "Weak authentication in Microsoft Dynamics 365 allows an unauthenticated attacker to elevate privileges over a network.",
"id": "GHSA-5rh9-r47c-q36p",
"modified": "2024-08-01T00:33:22Z",
"published": "2024-08-01T00:33:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38182"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38182"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-66RJ-6JJF-MMHQ
Vulnerability from github – Published: 2025-04-08 09:31 – Updated: 2025-04-08 09:31A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial Edge Device Kit - arm64 V1.19 (All versions), Industrial Edge Device Kit - arm64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - arm64 V1.21 (All versions < V1.21.1-1), Industrial Edge Device Kit - x86-64 V1.17 (All versions), Industrial Edge Device Kit - x86-64 V1.18 (All versions), Industrial Edge Device Kit - x86-64 V1.19 (All versions), Industrial Edge Device Kit - x86-64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - x86-64 V1.21 (All versions < V1.21.1-1), Industrial Edge Own Device (IEOD) (All versions < V1.21.1-1-a), Industrial Edge Virtual Device (All versions < V1.21.1-1-a), SCALANCE LPE9413 (6GK5998-3GS01-2AC2) (All versions), SIMATIC IPC BX-39A Industrial Edge Device (All versions < V3.0), SIMATIC IPC BX-59A Industrial Edge Device (All versions < V3.0), SIMATIC IPC127E Industrial Edge Device (All versions < V3.0), SIMATIC IPC227E Industrial Edge Device (All versions < V3.0), SIMATIC IPC427E Industrial Edge Device (All versions < V3.0), SIMATIC IPC847E Industrial Edge Device (All versions < V3.0). Affected devices do not properly enforce user authentication on specific API endpoints when identity federation is used. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that identity federation is currently or has previously been used and the attacker has learned the identity of a legitimate user.
{
"affected": [],
"aliases": [
"CVE-2024-54092"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T09:15:23Z",
"severity": "CRITICAL"
},
"details": "A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial Edge Device Kit - arm64 V1.19 (All versions), Industrial Edge Device Kit - arm64 V1.20 (All versions \u003c V1.20.2-1), Industrial Edge Device Kit - arm64 V1.21 (All versions \u003c V1.21.1-1), Industrial Edge Device Kit - x86-64 V1.17 (All versions), Industrial Edge Device Kit - x86-64 V1.18 (All versions), Industrial Edge Device Kit - x86-64 V1.19 (All versions), Industrial Edge Device Kit - x86-64 V1.20 (All versions \u003c V1.20.2-1), Industrial Edge Device Kit - x86-64 V1.21 (All versions \u003c V1.21.1-1), Industrial Edge Own Device (IEOD) (All versions \u003c V1.21.1-1-a), Industrial Edge Virtual Device (All versions \u003c V1.21.1-1-a), SCALANCE LPE9413 (6GK5998-3GS01-2AC2) (All versions), SIMATIC IPC BX-39A Industrial Edge Device (All versions \u003c V3.0), SIMATIC IPC BX-59A Industrial Edge Device (All versions \u003c V3.0), SIMATIC IPC127E Industrial Edge Device (All versions \u003c V3.0), SIMATIC IPC227E Industrial Edge Device (All versions \u003c V3.0), SIMATIC IPC427E Industrial Edge Device (All versions \u003c V3.0), SIMATIC IPC847E Industrial Edge Device (All versions \u003c V3.0). Affected devices do not properly enforce user authentication on specific API endpoints when identity federation is used. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that identity federation is currently or has previously been used and the attacker has learned the identity of a legitimate user.",
"id": "GHSA-66rj-6jjf-mmhq",
"modified": "2025-04-08T09:31:12Z",
"published": "2025-04-08T09:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54092"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-634640.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-819629.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-69R7-7QX9-RHM7
Vulnerability from github – Published: 2024-12-13 15:30 – Updated: 2026-04-28 21:35Weak Authentication vulnerability in Guido VS Contact Form allows Authentication Abuse.This issue affects VS Contact Form: from n/a through 14.0.
{
"affected": [],
"aliases": [
"CVE-2023-41862"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-13T15:15:25Z",
"severity": "MODERATE"
},
"details": "Weak Authentication vulnerability in Guido VS Contact Form allows Authentication Abuse.This issue affects VS Contact Form: from n/a through 14.0.",
"id": "GHSA-69r7-7qx9-rhm7",
"modified": "2026-04-28T21:35:26Z",
"published": "2024-12-13T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41862"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/very-simple-contact-form/vulnerability/wordpress-vs-contact-form-plugin-13-9-sum-captcha-bypass-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6R8M-7Q26-8WCC
Vulnerability from github – Published: 2023-05-04 00:30 – Updated: 2024-04-04 03:47A weak authentication vulnerability [CWE-1390] in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions in device registration page may allow an unauthenticated attacker to perform password spraying attacks with an increased chance of success.
{
"affected": [],
"aliases": [
"CVE-2022-45860"
],
"database_specific": {
"cwe_ids": [
"CWE-1390",
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-03T22:15:15Z",
"severity": "HIGH"
},
"details": "A weak authentication vulnerability [CWE-1390] in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions in device registration page may allow an unauthenticated attacker to perform password spraying attacks with an increased chance of success.",
"id": "GHSA-6r8m-7q26-8wcc",
"modified": "2024-04-04T03:47:36Z",
"published": "2023-05-04T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45860"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-22-464"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6W37-3RRJ-MG8J
Vulnerability from github – Published: 2026-07-14 15:32 – Updated: 2026-07-14 15:32A security issue exists within FactoryTalk® Services Platform (FTSP), allowing an attacker to bypass JWT signature validation during Okta Web Authentication. The vulnerability stems from the application not verifying that the JWT algorithm is configured for RSA, enabling an attacker to set the algorithm to "none" and craft forged tokens. This could allow an authenticated low-privilege user to impersonate any authorized user on the FTSP server, resulting in unauthorized access to system configuration and the ability to grant permissions to other systems protected by FTSP.
{
"affected": [],
"aliases": [
"CVE-2026-10714"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T15:16:55Z",
"severity": "HIGH"
},
"details": "A security issue exists within FactoryTalk\u00ae Services Platform (FTSP), allowing an attacker to bypass JWT signature validation during Okta Web Authentication. The vulnerability stems from the application not verifying that the JWT algorithm is configured for RSA, enabling an attacker to set the algorithm to \"none\" and craft forged tokens. This could allow an authenticated low-privilege user to impersonate any authorized user on the FTSP server, resulting in unauthorized access to system configuration and the ability to grant permissions to other systems protected by FTSP.",
"id": "GHSA-6w37-3rrj-mg8j",
"modified": "2026-07-14T15:32:17Z",
"published": "2026-07-14T15:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10714"
},
{
"type": "WEB",
"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1786.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-754Q-9VHG-63G7
Vulnerability from github – Published: 2025-12-16 18:31 – Updated: 2025-12-16 18:31phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server.
{
"affected": [],
"aliases": [
"CVE-2023-53894"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-16T17:16:01Z",
"severity": "CRITICAL"
},
"details": "phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server.",
"id": "GHSA-754q-9vhg-63g7",
"modified": "2025-12-16T18:31:34Z",
"published": "2025-12-16T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53894"
},
{
"type": "WEB",
"url": "https://www.dulldusk.com/phpfm"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51594"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/phpfm-authentication-bypass-via-type-juggling-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-885M-7FCX-5RGV
Vulnerability from github – Published: 2025-04-17 18:31 – Updated: 2026-04-01 18:34Weak Authentication vulnerability in Quentn.com GmbH Quentn WP allows Privilege Escalation. This issue affects Quentn WP: from n/a through 1.2.8.
{
"affected": [],
"aliases": [
"CVE-2025-39596"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-17T16:15:59Z",
"severity": "CRITICAL"
},
"details": "Weak Authentication vulnerability in Quentn.com GmbH Quentn WP allows Privilege Escalation. This issue affects Quentn WP: from n/a through 1.2.8.",
"id": "GHSA-885m-7fcx-5rgv",
"modified": "2026-04-01T18:34:53Z",
"published": "2025-04-17T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39596"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/quentn-wp/vulnerability/wordpress-quentn-wp-1-2-8-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8F6G-63PM-5FMX
Vulnerability from github – Published: 2024-04-15 00:30 – Updated: 2024-04-15 00:30The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below uses poor session management, allowing for an unauthenticated attacker to access administrator functionality if any other user is already signed in.
{
"affected": [],
"aliases": [
"CVE-2024-29837"
],
"database_specific": {
"cwe_ids": [
"CWE-1390",
"CWE-284",
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-15T00:15:13Z",
"severity": "HIGH"
},
"details": "The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below uses poor session management, allowing for an unauthenticated attacker to access administrator functionality if any other user is already signed in.",
"id": "GHSA-8f6g-63pm-5fmx",
"modified": "2024-04-15T00:30:40Z",
"published": "2024-04-15T00:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29837"
},
{
"type": "WEB",
"url": "https://directcyber.com.au/sa/CVE-2024-29836-to-29844-evolution-controller-multiple-vulnerabilities.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8HXX-VM7Q-2FJX
Vulnerability from github – Published: 2025-06-12 21:30 – Updated: 2025-06-12 21:30A username and password are required to authenticate to the central SinoTrack device management interface. The username for all devices is an identifier printed on the receiver. The default password is well-known and common to all devices. Modification of the default password is not enforced during device setup. A malicious actor can retrieve device identifiers with either physical access or by capturing identifiers from pictures of the devices posted on publicly accessible websites such as eBay.
{
"affected": [],
"aliases": [
"CVE-2025-5484"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-12T20:15:22Z",
"severity": "HIGH"
},
"details": "A username and password are required to authenticate to the central \nSinoTrack device management interface. The username for all devices is \nan identifier printed on the receiver. The default password is \nwell-known and common to all devices. Modification of the default \npassword is not enforced during device setup. A malicious actor can \nretrieve device identifiers with either physical access or by capturing \nidentifiers from pictures of the devices posted on publicly accessible \nwebsites such as eBay.",
"id": "GHSA-8hxx-vm7q-2fjx",
"modified": "2025-06-12T21:30:31Z",
"published": "2025-06-12T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5484"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-160-01"
},
{
"type": "WEB",
"url": "https://www.sinotrackgps.com/help-center"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.