CWE-1390
Allowed-with-ReviewWeak Authentication
Abstraction: Class · Status: Incomplete
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
155 vulnerabilities reference this CWE, most recent first.
GHSA-W4RQ-MVCF-XC7H
Vulnerability from github – Published: 2025-04-08 18:34 – Updated: 2025-04-08 18:34Weak authentication in Windows Active Directory Certificate Services allows an authorized attacker to elevate privileges over a network.
{
"affected": [],
"aliases": [
"CVE-2025-27740"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T18:16:02Z",
"severity": "HIGH"
},
"details": "Weak authentication in Windows Active Directory Certificate Services allows an authorized attacker to elevate privileges over a network.",
"id": "GHSA-w4rq-mvcf-xc7h",
"modified": "2025-04-08T18:34:55Z",
"published": "2025-04-08T18:34:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27740"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27740"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X37P-2FC6-57XH
Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-12 18:30Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-40417"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T18:17:19Z",
"severity": "HIGH"
},
"details": "Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-x37p-2fc6-57xh",
"modified": "2026-05-12T18:30:45Z",
"published": "2026-05-12T18:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40417"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40417"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XJ5X-4C9J-JR89
Vulnerability from github – Published: 2026-02-20 03:31 – Updated: 2026-02-20 03:31Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.
{
"affected": [],
"aliases": [
"CVE-2025-30412"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-20T01:15:59Z",
"severity": "CRITICAL"
},
"details": "Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.",
"id": "GHSA-xj5x-4c9j-jr89",
"modified": "2026-02-20T03:31:39Z",
"published": "2026-02-20T03:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30412"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-8598"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XQF6-9HF7-323F
Vulnerability from github – Published: 2025-11-20 21:30 – Updated: 2025-11-21 00:30An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods.
{
"affected": [],
"aliases": [
"CVE-2025-63807"
],
"database_specific": {
"cwe_ids": [
"CWE-1390",
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-20T21:16:06Z",
"severity": "HIGH"
},
"details": "An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods.",
"id": "GHSA-xqf6-9hf7-323f",
"modified": "2025-11-21T00:30:22Z",
"published": "2025-11-20T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63807"
},
{
"type": "WEB",
"url": "https://gist.github.com/Rycarl-Furry/3e93c6f0d48a29518adf341e0fc7e2dd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XW45-W4R2-G9C2
Vulnerability from github – Published: 2024-09-26 18:31 – Updated: 2024-09-26 18:31In the goTenna Pro ATAK Plugin there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing gotenna mesh networks. This vulnerability can be exploited if the device is being used in a unencrypted environment or if the cryptography has already been compromised.
{
"affected": [],
"aliases": [
"CVE-2024-41722"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T18:15:06Z",
"severity": "MODERATE"
},
"details": "In the goTenna Pro ATAK Plugin there is a vulnerability that makes it \npossible to inject any custom message with any GID and Callsign using a \nsoftware defined radio in existing gotenna mesh networks. This \nvulnerability can be exploited if the device is being used in a \nunencrypted environment or if the cryptography has already been \ncompromised.",
"id": "GHSA-xw45-w4r2-g9c2",
"modified": "2024-09-26T18:31:45Z",
"published": "2024-09-26T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41722"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.