
CWE-287 Improper Authentication: vulnerability list (1258 entries)

A collection of the 1258 CVE entries mapped to the CWE-287 Improper Authentication weakness class, with AI-generated Chinese analysis.

CWE-287 is an authentication weakness: the system fails to sufficiently verify that a user's claimed identity is genuine. Attackers commonly exploit this class of weakness to impersonate legitimate users through brute-force guessing, credential stuffing or session hijacking, and so obtain unauthorized access. Developers should deploy multi-factor authentication, store credentials with a strong password-hashing algorithm, apply a sensible account-lockout policy, and rigorously validate the identity credential on every access, so that the identity claim is actually proven.

Official MITRE CWE description
CWE-287 Improper Authentication: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control. Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands.
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Architecture and Design: Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Code examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
use CGI;

my $q = new CGI;
if ($q->cookie('loggedin') ne "true") {
    if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
        ExitError("Error: you need to log in first");
    }
    else {
        # Set loggedin and user cookies.
        $q->cookie(
            -name  => 'loggedin',
            -value => 'true'
        );
        $q->cookie(
            -name  => 'user',
            -value => $q->param('username')
        );
    }
}
# The identity check reads the username straight back from a client-supplied cookie.
if ($q->cookie('user') eq "Administrator") {
    DoAdministratorTasks();
}
Bad · Perl
GET /cgi-bin/vulnerable.cgi HTTP/1.1
Cookie: user=Administrator
Cookie: loggedin=true

[body of request]
Attack
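The Perl example above trusts the `user` and `loggedin` cookies it receives, so the request shown in the attack example reaches DoAdministratorTasks() without ever presenting a password. The following Python block is an added example, not MITRE's or the page's code: it re-implements the vulnerable handler so the forged request can be seen succeeding, and places beside it a hardened handler that keeps the identity in a server-side session table keyed by a random token, so the client can only ever present an unguessable session id and never a username. The user store, passwords and handler names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store for this example (hypothetical data, not from the page).
# Each entry holds a random per-user salt and a PBKDF2-HMAC-SHA256 hash of the password.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)

USERS = {
    "Administrator": _make_user("admin-password-example"),
    "alice": _make_user("alice-password-example"),
}
_DUMMY_SALT = os.urandom(16)

def authenticate_user(username: str, password: str) -> bool:
    """Verify a password against the stored hash in constant time."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so unknown and known usernames take the same time to reject.
        _hash_password(password, _DUMMY_SALT)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))

def vulnerable_handler(cookies: dict, params: dict) -> str:
    """Mirrors the Perl example: the identity is read back from client-controlled cookies."""
    if cookies.get("loggedin") != "true":
        if not authenticate_user(params.get("username", ""), params.get("password", "")):
            return "denied"                      # ExitError(...)
        cookies["loggedin"] = "true"
        cookies["user"] = params["username"]
    # A request that already carries loggedin=true skips the password check entirely,
    # and the username used for the privilege decision is whatever the client sent.
    return "admin" if cookies.get("user") == "Administrator" else "user"

# Hardened form: the cookie carries only an unguessable session id. The username is
# looked up server-side and is written into the table only after the password check.
SESSIONS: dict = {}   # session id -> username (in memory for the example)

def hardened_handler(cookies: dict, params: dict) -> str:
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        if not authenticate_user(params.get("username", ""), params.get("password", "")):
            return "denied"
        user = params["username"]
        sid = secrets.token_urlsafe(32)          # 256 bits of randomness from the OS CSPRNG
        SESSIONS[sid] = user
        cookies["session"] = sid                 # a real app would also set Secure, HttpOnly, SameSite
    return "admin" if user == "Administrator" else "user"

if __name__ == "__main__":
    # The cookies from the page's attack request, with no username or password at all.
    forged = {"user": "Administrator", "loggedin": "true"}
    print("vulnerable handler:", vulnerable_handler(dict(forged), {}))   # admin
    print("hardened handler:  ", hardened_handler(dict(forged), {}))     # denied
```

The hardened handler still accepts the same login form; what changes is that every privilege decision is made from `SESSIONS`, which only the server writes, and a forged or guessed `session` cookie falls through to the password check exactly as an anonymous request would.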
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
CVE ID | Title | Product | CVSS | Risk | Published
CVE-2026-45289 | CloudburstMC Protocol: partially missing validation of FULL-type authentication tokens | Protocol | 5.3 | Medium | 2026-06-02
CVE-2026-49448 | authentik SourceStage bypass via empty POST | authentik | 9.8 | Critical | 2026-06-02
CVE-2026-49443 | authentik UserSourceConnection.group modifiable through the API | authentik | 8.8 | High | 2026-06-02
CVE-2026-10619 | Sayan365 Student Management System authentication bypass | student-management-system | 7.3 | High | 2026-06-02
CVE-2026-5076 | ARMember Premium <= 7.3.1 insecure password reset mechanism leading to unauthenticated privilege escalation | ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | 9.8 | Critical | 2026-06-02
CVE-2026-10611 | MISP OTP bypass under LDAP hybrid authentication | misp | - | - | 2026-06-02
CVE-2026-10548 | NousResearch Hermes-Agent credential pool synchronization authentication bypass | hermes-agent | 5.3 | Medium | 2026-06-02
CVE-2026-40964 | Cloud Foundry log-cache identity bypass | log-cache_release | 7.5 | High | 2026-06-01
CVE-2026-10288 | Hotel and Tourism Reservation System login authentication bypass | Hotel and Tourism Reservation System | 7.3 | High | 2026-06-01
CVE-2026-45691 | Nextcloud DAV endpoint second-factor authentication bypass | security-advisories | 5.9 | Medium | 2026-06-01
CVE-2026-45690 | Nextcloud pending-session token replay leading to two-factor authentication bypass | security-advisories | 5.9 | Medium | 2026-06-01
CVE-2026-45283 | Nextcloud Files Lock app allows locking and unlocking other users' files | security-advisories | 6.3 | Medium | 2026-06-01
CVE-2026-45156 | Nextcloud ID4me OIDC authentication bypass | security-advisories | 8.1 | High | 2026-06-01
CVE-2026-45153 | Nextcloud PIN bypass | security-advisories | 4.6 | Medium | 2026-06-01
CVE-2026-10167 | School Student Management System authorization issue | School Student Management System | 7.3 | High | 2026-05-31
CVE-2026-10157 | Open5GS authorization issue | Open5GS | 7.3 | High | 2026-05-31
CVE-2026-46579 | Red Hat OpenShift Container Platform authorization issue | Red Hat OpenShift Container Platform 4 | 7.4 | High | 2026-05-29
CVE-2026-49197 | Acer Predator Connect W6x security vulnerability | Predator Connect W6x | - | - | 2026-05-29
CVE-2026-3655 | WordPress plugin OTP Login With Phone Number OTP Verification authorization issue | OTP Login With Phone Number, OTP Verification | 9.8 | Critical | 2026-05-29
CVE-2026-48526 | pyjwt data forgery issue | pyjwt | 7.4 | High | 2026-05-28
CVE-2026-8979 | MENNEKES AMTRON security vulnerability | Amtron | - | - | 2026-05-28
CVE-2026-44720 | OpenLearnX data forgery issue | OpenLearnX | - | - | 2026-05-27
CVE-2026-47272 | pam_usb security vulnerability | pam_usb | 7.1 | High | 2026-05-27
CVE-2026-7876 | IBM Aspera HSTS for CP4I authorization issue | Aspera HSTS for CP4I | - | - | 2026-05-27
CVE-2026-8994 | WordPress plugin Login with NEAR authorization issue | Login with NEAR | 8.1 | High | 2026-05-27
CVE-2026-44847 | MaxKB access control error | MaxKB | 7.5 | High | 2026-05-26
CVE-2026-47202 | kavita security vulnerability | Kavita | - | - | 2026-05-26
CVE-2026-48896 | Joomla! CMS authorization issue | Joomla! CMS | - | - | 2026-05-26
CVE-2026-48897 | Joomla! CMS authorization issue | Joomla! CMS | - | - | 2026-05-26
CVE-2026-9373 | JeecgBoot authorization issue | JeecgBoot | 3.7 | Low | 2026-05-24

CWE-287 (Improper Authentication) is a common weakness class; this platform indexes the 1258 CVE entries associated with it.