CWE-290— Authentication Bypass by Spoofing
368 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-290page 1 of 8
- CVE-2013-5661MEDIUMCVSS 5.9EG 5.92019-11-05
Cache Poisoning issue exists in DNS Response Rate Limiting.
- CVE-2017-12095MEDIUMCVSS 6.52018-04-05
An exploitable vulnerability exists in the WiFi Access Point feature of Circle with Disney running firmware 2.0.1. A series of WiFi packets can force Circle to setup an Access Point with default credentials. An attacker needs to send a ser…
- CVE-2017-18190HIGHCVSS 7.52018-02-16
A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The…
- CVE-2018-12331HIGHCVSS 7.42018-06-17
Authentication Bypass by Spoofing vulnerability in ECOS System Management Appliance (aka SMA) 5.2.68 allows a man-in-the-middle attacker to compromise authentication keys and configurations via IP spoofing during "Easy Enrollment."
- CVE-2018-15588HIGHCVSS 7.5EG 7.52019-02-11
MailMate before 1.11.3 mishandles a suspicious HTML/MIME structure in a signed/encrypted email.
- CVE-2018-15715CRITICALCVSS 9.82018-11-30
Zoom clients on Windows (before version 4.1.34814.1119), Mac OS (before version 4.1.34801.1116), and Linux (2.4.129780.0915 and below) are vulnerable to unauthorized message processing. A remote unauthenticated attacker can spoof UDP messa…
- CVE-2018-16483HIGHCVSS 8.82019-02-01
A deficiency in the access control in module express-cart <=1.1.5 allows unprivileged users to add new users to the application as administrators.
- CVE-2018-1695HIGHCVSS 7.32018-09-06
IBM WebSphere Application Server 7.0, 8.0, and 8.5.5 installations using Form Login could allow a remote attacker to conduct spoofing attacks. IBM X-Force ID: 145769.
- CVE-2018-25361MEDIUMCVSS 6.8EG 6.82026-05-25
Soroush IM Desktop App 0.17.0 contains an authentication bypass vulnerability that allows local attackers to remove passcodes by injecting pre-encrypted database entries using a constant encryption key. Attackers can inject malicious datab…
- CVE-2018-3829MEDIUMCVSS 5.3EG 5.32018-09-19
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinato…
- CVE-2018-5353CRITICALCVSS 9.8EG 9.82020-09-30
The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser win…
- CVE-2018-5354HIGHCVSS 8.8EG 8.82020-09-30
The custom GINA/CP module in ANIXIS Password Reset Client before version 3.22 allows remote attackers to execute code and escalate privileges via spoofing. When the client is configured to use HTTP, it does not authenticate the intended se…
- CVE-2018-7160HIGHCVSS 8.82018-05-17
The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another…
- CVE-2018-7842CRITICALCVSS 9.8EG 9.82019-05-22
A CWE-290: Authentication Bypass by Spoofing vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause an elevation of privilege by conducting a brute force attack on Mod…
- CVE-2018-8153MEDIUMCVSS 5.42018-05-09
A spoofing vulnerability exists in Microsoft Exchange Server when Outlook Web Access (OWA) fails to properly handle web requests, aka "Microsoft Exchange Spoofing Vulnerability." This affects Microsoft Exchange Server.
- CVE-2018-8278MEDIUMCVSS 6.12018-07-11
A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge.
- CVE-2018-8383MEDIUMCVSS 4.32018-08-15
A spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8388.
- CVE-2018-8388MEDIUMCVSS 4.32018-08-15
A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8383.
- CVE-2018-8425MEDIUMCVSS 4.32018-09-13
A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge.
- CVE-2019-0283HIGHCVSS 7.12019-04-10
SAP NetWeaver Process Integration (Adapter Engine), fixed in versions 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; is vulnerable to Digital Signature Spoofing. It is possible to spoof XML signatures and send arbitrary requests to the server via P…
- CVE-2019-0388MEDIUMCVSS 5.3EG 5.32019-11-13
SAP UI5 HTTP Handler (corrected in SAP_UI versions 7.5, 7.51, 7.52, 7.53, 7.54 and SAP UI_700 version 2.0) allows an attacker to manipulate content due to insufficient URL validation.
- CVE-2019-0608MEDIUMCVSS 4.3EG 4.32019-10-10
A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content, aka 'Microsoft Browser Spoofing Vulnerability'. This CVE ID is unique from CVE-2019-1357.
- CVE-2019-10875MEDIUMCVSS 6.52019-04-05
A URL spoofing vulnerability was found in all international versions of Xiaomi Mi browser 10.5.6-g (aka the MIUI native browser) and Mint Browser 1.5.3 due to the way they handle the "q" query parameter. The portion of an https URL before …
- CVE-2019-11189HIGHCVSS 7.5EG 7.52020-02-20
Authentication Bypass by Spoofing in org.onosproject.acl (access control) and org.onosproject.mobility (host mobility) in ONOS v2.0 and earlier allows attackers to bypass network access control via data plane packet injection. To exploit t…
- CVE-2019-12131CRITICALCVSS 9.1EG 9.12020-03-18
An issue was detected in ONAP APPC through Dublin and SDC through Dublin. By setting a USER_ID parameter in an HTTP header, an attacker may impersonate an arbitrary existing user without any authentication. All APPC and SDC setups are affe…
- CVE-2019-1234HIGHCVSS 7.5EG 7.52019-11-12
A spoofing vulnerability exists when Azure Stack fails to validate certain requests, aka 'Azure Stack Spoofing Vulnerability'.
- CVE-2019-1318MEDIUMCVSS 5.9EG 5.92019-10-10
A spoofing vulnerability exists when Transport Layer Security (TLS) accesses non- Extended Master Secret (EMS) sessions, aka 'Microsoft Windows Transport Layer Security Spoofing Vulnerability'.
- CVE-2019-1357MEDIUMCVSS 4.3EG 4.32019-10-10
A spoofing vulnerability exists when Microsoft Browsers improperly handle browser cookies, aka 'Microsoft Browser Spoofing Vulnerability'. This CVE ID is unique from CVE-2019-0608.
- CVE-2019-13701MEDIUMCVSS 4.3EG 4.32019-11-25
Incorrect implementation in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
- CVE-2019-13703MEDIUMCVSS 4.3EG 4.32019-11-25
Insufficient policy enforcement in the Omnibox in Google Chrome on Android prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
- CVE-2019-13704MEDIUMCVSS 4.3EG 4.32019-11-25
Insufficient policy enforcement in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass content security policy via a crafted HTML page.
- CVE-2019-13708MEDIUMCVSS 4.3EG 4.32019-11-25
Inappropriate implementation in navigation in Google Chrome on iOS prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
- CVE-2019-13709MEDIUMCVSS 6.5EG 6.52019-11-25
Insufficient policy enforcement in downloads in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass download restrictions via a crafted HTML page.
- CVE-2019-13715MEDIUMCVSS 4.3EG 4.32019-11-25
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
- CVE-2019-15022HIGHCVSS 7.5EG 7.52019-10-09
A security vulnerability exists in Zingbox Inspector versions 1.294 and earlier, that allows for the Inspector to be susceptible to ARP spoofing.
- CVE-2019-16378CRITICALCVSS 9.8EG 9.82019-09-17
OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is prone to a signature-bypass vulnerability with multiple From: addresses, which might affect applications that consider a domain name to be relevant to the origin of an e-mail message.
- CVE-2019-16766HIGHCVSS 8.7EG 8.72019-11-29
When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS. Th…
- CVE-2019-16871CRITICALCVSS 9.8EG 9.82019-12-19
Beckhoff Embedded Windows PLCs through 3.1.4024.0, and Beckhoff Twincat on Windows Engineering stations, allow an attacker to achieve Remote Code Execution (as SYSTEM) via the Beckhoff ADS protocol.
- CVE-2019-18259CRITICALCVSS 9.8EG 9.82019-12-16
In Omron PLC CJ series, all versions and Omron PLC CS series, all versions, an attacker could spoof arbitrary messages or execute commands.
- CVE-2019-18659MEDIUMCVSS 5.3EG 5.32019-11-02
The Wireless Emergency Alerts (WEA) protocol allows remote attackers to spoof a Presidential Alert because cryptographic authentication is not used, as demonstrated by MessageIdentifier 4370 in LTE System Information Block 12 (aka SIB12). …
- CVE-2019-18989MEDIUMCVSS 5.4EG 5.42020-09-30
A partial authentication bypass vulnerability exists on Mediatek MT7620N 1.06 devices. The vulnerability allows sending an unencrypted data frame to a WPA2-protected WLAN router where the packet is routed through the network. If successful…
- CVE-2019-18990MEDIUMCVSS 5.4EG 5.42020-09-30
A partial authentication bypass vulnerability exists on Realtek RTL8812AR 1.21WW, RTL8196D 1.0.0, RTL8192ER 2.10, and RTL8881AN 1.09 devices. The vulnerability allows sending an unencrypted data frame to a WPA2-protected WLAN router where …
- CVE-2019-18991MEDIUMCVSS 5.4EG 5.42020-09-30
A partial authentication bypass vulnerability exists on Atheros AR9132 3.60(AMX.8), AR9283 1.85, and AR9285 1.0.0.12NA devices. The vulnerability allows sending an unencrypted data frame to a WPA2-protected WLAN router where the packet is …
- CVE-2019-20203MEDIUMCVSS 5.3EG 5.32020-01-02
The Authorized Addresses feature in the Postie plugin 1.9.40 for WordPress allows remote attackers to publish posts by spoofing the From information of an email message.
- CVE-2019-20790CRITICALCVSS 9.8EG 9.82020-04-27
OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.
- CVE-2019-25023MEDIUMCVSS 6.5EG 6.52021-02-27
An issue was discovered in Scytl sVote 2.1. Because the IP address from an X-Forwarded-For header (which can be manipulated client-side) is used for the internal application logs, an attacker can inject wrong IP addresses into these logs.
- CVE-2019-3775HIGHCVSS 7.1EG 6.52019-03-07
Cloud Foundry UAA, versions prior to v70.0, allows a user to update their own email address. A remote authenticated user can impersonate a different user by changing their email address to that of a different user.
- CVE-2019-3884MEDIUMCVSS 5.4EG 5.42019-08-01
A vulnerability exists in the garbage collection mechanism of atomic-openshift. An attacker able spoof the UUID of a valid object from another namespace is able to delete children of those objects. Versions 3.6, 3.7, 3.8, 3.9, 3.10, 3.11 a…
- CVE-2020-10135MEDIUMCVSS 5.4EG 5.42020-05-19
Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2 and earlier may allow an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthent…
- CVE-2020-10136MEDIUMCVSS 5.3EG 5.32020-06-02
IP-in-IP protocol specifies IP Encapsulation within IP standard (RFC 2003, STD 1) that decapsulate and route IP-in-IP traffic is vulnerable to spoofing, access-control bypass and other unexpected behavior due to the lack of validation to v…
Map vulnerabilities like CWE-290 to your infrastructure
EchelonGraph correlates every CVE — across CWE-290 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →