CWE-287 – Improper Authentication
Description: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. Modes of...
CWE-288 – Authentication Bypass Using an Alternate Path or Channel
Description: A product requires authentication, but the product has an alternate path or channel that does not require authentication. Modes of Introduction: - Architecture and...
CWE-289 – Authentication Bypass by Alternate Name
Description: The software performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it...
CWE-29 – Path Traversal: ‘\..\filename’
Description: The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading...
CWE-290 – Authentication Bypass by Spoofing
Description: This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks. Modes of Introduction: - Architecture and Design ...
CWE-291 – Reliance on IP Address for Authentication
Description: The software uses an IP address for authentication. IP addresses can be easily spoofed. Attackers can forge the source IP address of the packets...
CWE-292 – DEPRECATED: Trusting Self-reported DNS Name
Description: This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350. Modes of Introduction: ...
CWE-293 – Using Referer Field for Authentication
Description: The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking. The referer...
CWE-294 – Authentication Bypass by Capture-replay
Description: A capture-replay flaw exists when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication...
CWE-295 – Improper Certificate Validation
Description: The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof...