Common Weakness Enumeration

CWE-1390

Allowed-with-Review

Weak Authentication

Abstraction: Class · Status: Incomplete

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

155 vulnerabilities reference this CWE, most recent first.

GHSA-W4RQ-MVCF-XC7H

Vulnerability from github – Published: 2025-04-08 18:34 – Updated: 2025-04-08 18:34
VLAI
Details

Weak authentication in Windows Active Directory Certificate Services allows an authorized attacker to elevate privileges over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T18:16:02Z",
    "severity": "HIGH"
  },
  "details": "Weak authentication in Windows Active Directory Certificate Services allows an authorized attacker to elevate privileges over a network.",
  "id": "GHSA-w4rq-mvcf-xc7h",
  "modified": "2025-04-08T18:34:55Z",
  "published": "2025-04-08T18:34:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27740"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27740"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X37P-2FC6-57XH

Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-12 18:30
VLAI
Details

Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-12T18:17:19Z",
    "severity": "HIGH"
  },
  "details": "Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-x37p-2fc6-57xh",
  "modified": "2026-05-12T18:30:45Z",
  "published": "2026-05-12T18:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40417"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40417"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XJ5X-4C9J-JR89

Vulnerability from github – Published: 2026-02-20 03:31 – Updated: 2026-02-20 03:31
VLAI
Details

Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30412"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T01:15:59Z",
    "severity": "CRITICAL"
  },
  "details": "Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.",
  "id": "GHSA-xj5x-4c9j-jr89",
  "modified": "2026-02-20T03:31:39Z",
  "published": "2026-02-20T03:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30412"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-8598"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XQF6-9HF7-323F

Vulnerability from github – Published: 2025-11-20 21:30 – Updated: 2025-11-21 00:30
VLAI
Details

An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-63807"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390",
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-20T21:16:06Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods.",
  "id": "GHSA-xqf6-9hf7-323f",
  "modified": "2025-11-21T00:30:22Z",
  "published": "2025-11-20T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63807"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Rycarl-Furry/3e93c6f0d48a29518adf341e0fc7e2dd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XW45-W4R2-G9C2

Vulnerability from github – Published: 2024-09-26 18:31 – Updated: 2024-09-26 18:31
VLAI
Details

In the goTenna Pro ATAK Plugin there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing gotenna mesh networks. This vulnerability can be exploited if the device is being used in a unencrypted environment or if the cryptography has already been compromised.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41722"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-26T18:15:06Z",
    "severity": "MODERATE"
  },
  "details": "In the goTenna Pro ATAK Plugin there is a vulnerability that makes it \npossible to inject any custom message with any GID and Callsign using a \nsoftware defined radio in existing gotenna mesh networks. This \nvulnerability can be exploited if the device is being used in a \nunencrypted environment or if the cryptography has already been \ncompromised.",
  "id": "GHSA-xw45-w4r2-g9c2",
  "modified": "2024-09-26T18:31:45Z",
  "published": "2024-09-26T18:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41722"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.