Common Weakness Enumeration

CWE-1390

Allowed-with-Review

Weak Authentication

Abstraction: Class · Status: Incomplete

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

155 vulnerabilities reference this CWE, most recent first.

GHSA-G894-3PCR-4HV9

Vulnerability from github – Published: 2026-04-01 18:36 – Updated: 2026-04-01 21:30
VLAI
Details

Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4828"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-01T16:23:51Z",
    "severity": "HIGH"
  },
  "details": "Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.",
  "id": "GHSA-g894-3pcr-4hv9",
  "modified": "2026-04-01T21:30:29Z",
  "published": "2026-04-01T18:36:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4828"
    },
    {
      "type": "WEB",
      "url": "https://devolutions.net/security/advisories/DEVO-2026-0010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GJRQ-W46Q-R7W2

Vulnerability from github – Published: 2024-12-18 09:31 – Updated: 2024-12-18 09:31
VLAI
Details

Weak authentication issue exists in AE1021 firmware versions 2.0.10 and earlier and AE1021PE firmware versions 2.0.10 and earlier. If this vulnerability is exploited, the authentication may be bypassed with an undocumented specific string.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47397"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-18T07:15:07Z",
    "severity": "HIGH"
  },
  "details": "Weak authentication issue exists in AE1021 firmware versions 2.0.10 and earlier and AE1021PE firmware versions 2.0.10 and earlier. If this vulnerability is exploited, the authentication may be bypassed with an undocumented specific string.",
  "id": "GHSA-gjrq-w46q-r7w2",
  "modified": "2024-12-18T09:31:35Z",
  "published": "2024-12-18T09:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47397"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU91084137"
    },
    {
      "type": "WEB",
      "url": "https://www.fxc.jp/news/20241213"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GQF5-WJQV-V83C

Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-10 18:31
VLAI
Details

Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13239"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-09T19:15:17Z",
    "severity": "CRITICAL"
  },
  "details": "Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0.",
  "id": "GHSA-gqf5-wjqv-v83c",
  "modified": "2025-01-10T18:31:39Z",
  "published": "2025-01-09T21:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13239"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2024-003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GRXW-7CVC-96RV

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Weak authentication in Microsoft Office SharePoint allows an unauthorized attacker to bypass a security feature over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-55040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:18:15Z",
    "severity": "CRITICAL"
  },
  "details": "Weak authentication in Microsoft Office SharePoint allows an unauthorized attacker to bypass a security feature over a network.",
  "id": "GHSA-grxw-7cvc-96rv",
  "modified": "2026-07-14T18:32:33Z",
  "published": "2026-07-14T18:32:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55040"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55040"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H53W-VP9X-9HFP

Vulnerability from github – Published: 2026-07-02 12:31 – Updated: 2026-07-02 12:31
VLAI
Details

Unauthenticated Broken Authentication in ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce <= 2.2.0 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-02T12:17:35Z",
    "severity": "MODERATE"
  },
  "details": "Unauthenticated Broken Authentication in ALD \u2013 Dropshipping and Fulfillment for AliExpress and WooCommerce \u003c= 2.2.0 versions.",
  "id": "GHSA-h53w-vp9x-9hfp",
  "modified": "2026-07-02T12:31:01Z",
  "published": "2026-07-02T12:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57352"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/woo-alidropship/vulnerability/wordpress-ald-dropshipping-and-fulfillment-for-aliexpress-and-woocommerce-plugin-2-2-0-broken-authentication-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HCP3-9RG5-2F9P

Vulnerability from github – Published: 2025-06-10 18:32 – Updated: 2025-06-10 18:32
VLAI
Details

An improper authentication vulnerability [CWE-287] in Fortinet FortiClientEMS version 7.4.0 and before 7.2.4 allows an unauthenticated attacker with the knowledge of the targeted user's FCTUID and VDOM to perform operations such as uploading or tagging on behalf of the targeted user via specially crafted TCP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32119"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-10T17:19:14Z",
    "severity": "MODERATE"
  },
  "details": "An improper authentication vulnerability [CWE-287] in Fortinet FortiClientEMS version 7.4.0 and before 7.2.4 allows an unauthenticated attacker with the knowledge of the targeted user\u0027s FCTUID and VDOM to perform operations such as uploading or tagging on behalf of the targeted user via specially crafted TCP requests.",
  "id": "GHSA-hcp3-9rg5-2f9p",
  "modified": "2025-06-10T18:32:27Z",
  "published": "2025-06-10T18:32:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32119"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-375"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HF9P-447V-5G26

Vulnerability from github – Published: 2025-04-07 12:33 – Updated: 2025-04-07 12:33
VLAI
Details

Cryptographic issue occurs during PIN/password verification using Gatekeeper, where RPMB writes can be dropped on verification failure, potentially leading to a user throttling bypass.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-07T11:15:49Z",
    "severity": "MODERATE"
  },
  "details": "Cryptographic issue occurs during PIN/password verification using Gatekeeper, where RPMB writes can be dropped on verification failure, potentially leading to a user throttling bypass.",
  "id": "GHSA-hf9p-447v-5g26",
  "modified": "2025-04-07T12:33:18Z",
  "published": "2025-04-07T12:33:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45551"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2025-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HRP7-JRG8-XFWX

Vulnerability from github – Published: 2024-06-07 15:30 – Updated: 2024-08-01 15:31
VLAI
Details

An issue in Netgear WNR614 JNR1010V2 N300-V1.1.0.54_1.0.1 allows attackers to bypass authentication and access the administrative interface via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36787"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-07T15:15:50Z",
    "severity": "HIGH"
  },
  "details": "An issue in Netgear WNR614 JNR1010V2 N300-V1.1.0.54_1.0.1 allows attackers to bypass authentication and access the administrative interface via unspecified vectors.",
  "id": "GHSA-hrp7-jrg8-xfwx",
  "modified": "2024-08-01T15:31:47Z",
  "published": "2024-06-07T15:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36787"
    },
    {
      "type": "WEB",
      "url": "https://redfoxsec.com/blog/security-advisory-multiple-vulnerabilities-in-netgear-wnr614-router"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J28R-MXRM-39F3

Vulnerability from github – Published: 2025-03-13 12:30 – Updated: 2025-03-13 12:30
VLAI
Details

This vulnerability exists in the CAP back office application due to improper authentication check at the API endpoint. An unauthenticated remote attacker with a valid login ID could exploit this vulnerability by manipulating API input parameters through API request URL/payload leading to unauthorized access to other user accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-29994"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-13T12:15:13Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability exists in the CAP back office application due to improper authentication check at the API endpoint. An unauthenticated remote attacker with a valid login ID could exploit this vulnerability by manipulating API input parameters through API request URL/payload leading to unauthorized access to other user accounts.",
  "id": "GHSA-j28r-mxrm-39f3",
  "modified": "2025-03-13T12:30:32Z",
  "published": "2025-03-13T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29994"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2025-0048"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J7FX-RMF6-CRMW

Vulnerability from github – Published: 2024-09-10 18:30 – Updated: 2024-09-10 18:30
VLAI
Details

Windows Kerberos Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38239"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-10T17:15:27Z",
    "severity": "HIGH"
  },
  "details": "Windows Kerberos Elevation of Privilege Vulnerability",
  "id": "GHSA-j7fx-rmf6-crmw",
  "modified": "2024-09-10T18:30:46Z",
  "published": "2024-09-10T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38239"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38239"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.