CWE-1390
Allowed-with-ReviewWeak Authentication
Abstraction: Class · Status: Incomplete
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
155 vulnerabilities reference this CWE, most recent first.
GHSA-8P7H-P6P4-GQFW
Vulnerability from github – Published: 2025-05-02 15:31 – Updated: 2025-05-02 15:31An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. The app there makes it possible to inject any custom message (into existing mesh networks) with any GID and Callsign via a software defined radio. This can be exploited if the device is being used in an unencrypted environment or if the cryptography has already been compromised.
{
"affected": [],
"aliases": [
"CVE-2025-32883"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T18:15:55Z",
"severity": "MODERATE"
},
"details": "An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. The app there makes it possible to inject any custom message (into existing mesh networks) with any GID and Callsign via a software defined radio. This can be exploited if the device is being used in an unencrypted environment or if the cryptography has already been compromised.",
"id": "GHSA-8p7h-p6p4-gqfw",
"modified": "2025-05-02T15:31:43Z",
"published": "2025-05-02T15:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32883"
},
{
"type": "WEB",
"url": "https://github.com/Dollarhyde/goTenna_v1_and_Mesh_vulnerabilities"
},
{
"type": "WEB",
"url": "https://gotenna.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8PH3-X4H3-835G
Vulnerability from github – Published: 2026-04-01 18:36 – Updated: 2026-04-01 21:30Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session token.
{
"affected": [],
"aliases": [
"CVE-2026-4924"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-01T16:23:51Z",
"severity": "HIGH"
},
"details": "Improper\n authentication in the two-factor authentication (2FA) feature in \nDevolutions Server 2026.1.11 and earlier allows a remote attacker with valid \ncredentials to bypass multifactor authentication and gain unauthorized \naccess to the victim account via reuse of a partially authenticated \nsession token.",
"id": "GHSA-8ph3-x4h3-835g",
"modified": "2026-04-01T21:30:29Z",
"published": "2026-04-01T18:36:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4924"
},
{
"type": "WEB",
"url": "https://devolutions.net/security/advisories/DEVO-2026-0010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9X3P-H9V5-QFPH
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30Weak authentication in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.
{
"affected": [],
"aliases": [
"CVE-2025-59249"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T17:16:07Z",
"severity": "HIGH"
},
"details": "Weak authentication in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.",
"id": "GHSA-9x3p-h9v5-qfph",
"modified": "2025-10-14T18:30:35Z",
"published": "2025-10-14T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59249"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59249"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C5JQ-762R-Q8RG
Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31Weak authentication in Windows Installer allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-50173"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T18:15:36Z",
"severity": "HIGH"
},
"details": "Weak authentication in Windows Installer allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-c5jq-762r-q8rg",
"modified": "2025-08-12T18:31:31Z",
"published": "2025-08-12T18:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50173"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50173"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C745-QW8J-JHVX
Vulnerability from github – Published: 2023-08-08 03:30 – Updated: 2024-04-04 06:37SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.
{
"affected": [],
"aliases": [
"CVE-2023-39439"
],
"database_specific": {
"cwe_ids": [
"CWE-1390",
"CWE-258"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-08T01:15:19Z",
"severity": "CRITICAL"
},
"details": "SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.\n\n",
"id": "GHSA-c745-qw8j-jhvx",
"modified": "2024-04-04T06:37:35Z",
"published": "2023-08-08T03:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39439"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3346500"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CP6C-FF57-294G
Vulnerability from github – Published: 2025-04-08 18:34 – Updated: 2025-04-08 18:34Weak authentication in Windows Hello allows an authorized attacker to bypass a security feature over a network.
{
"affected": [],
"aliases": [
"CVE-2025-26635"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T18:15:47Z",
"severity": "MODERATE"
},
"details": "Weak authentication in Windows Hello allows an authorized attacker to bypass a security feature over a network.",
"id": "GHSA-cp6c-ff57-294g",
"modified": "2025-04-08T18:34:45Z",
"published": "2025-04-08T18:34:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26635"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26635"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F5QP-WFGR-PM73
Vulnerability from github – Published: 2025-05-02 15:31 – Updated: 2025-05-02 15:31An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The app there makes it possible to inject any custom message (into existing v1 networks) with any GID and Callsign via a software defined radio. This can be exploited if the device is being used in an unencrypted environment or if the cryptography has already been compromised.
{
"affected": [],
"aliases": [
"CVE-2025-32885"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T18:15:55Z",
"severity": "MODERATE"
},
"details": "An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. The app there makes it possible to inject any custom message (into existing v1 networks) with any GID and Callsign via a software defined radio. This can be exploited if the device is being used in an unencrypted environment or if the cryptography has already been compromised.",
"id": "GHSA-f5qp-wfgr-pm73",
"modified": "2025-05-02T15:31:44Z",
"published": "2025-05-02T15:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32885"
},
{
"type": "WEB",
"url": "https://github.com/Dollarhyde/goTenna_v1_and_Mesh_vulnerabilities"
},
{
"type": "WEB",
"url": "https://gotenna.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F89R-FGHX-493C
Vulnerability from github – Published: 2024-06-11 18:30 – Updated: 2024-06-11 18:30Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-35248"
],
"database_specific": {
"cwe_ids": [
"CWE-1390",
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T17:16:02Z",
"severity": "HIGH"
},
"details": "Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability",
"id": "GHSA-f89r-fghx-493c",
"modified": "2024-06-11T18:30:50Z",
"published": "2024-06-11T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35248"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35248"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FG6P-6VJG-95R5
Vulnerability from github – Published: 2024-09-26 18:31 – Updated: 2024-10-07 15:31In the goTenna Pro there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing gotenna mesh networks. This vulnerability can be exploited if the device is being used in a unencrypted environment or if the cryptography has already been compromised.
{
"affected": [],
"aliases": [
"CVE-2024-47127"
],
"database_specific": {
"cwe_ids": [
"CWE-1390",
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T18:15:09Z",
"severity": "MODERATE"
},
"details": "In the goTenna Pro there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing gotenna mesh networks. This vulnerability can be exploited if the device is being used in a unencrypted environment or if the cryptography has already been compromised.",
"id": "GHSA-fg6p-6vjg-95r5",
"modified": "2024-10-07T15:31:38Z",
"published": "2024-09-26T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47127"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FX9P-PVQH-VRHG
Vulnerability from github – Published: 2026-06-11 00:32 – Updated: 2026-07-10 18:32An improper validation of credentials vulnerability in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an unauthenticated attacker to access and modify protected resources.
{
"affected": [],
"aliases": [
"CVE-2026-0274"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-10T22:16:55Z",
"severity": "HIGH"
},
"details": "An improper validation of credentials vulnerability in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an unauthenticated attacker to access and modify protected resources.",
"id": "GHSA-fx9p-pvqh-vrhg",
"modified": "2026-07-10T18:32:02Z",
"published": "2026-06-11T00:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0274"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2026-0274"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Red",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.