VYPR

CWE-306

Missing Authentication for Critical Function

Abstraction: Base · Status: Draft · Likelihood of Exploit: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 12 of 49
  • CVE-2024-9137 · Critical · Oct 14, 2024
    risk 0.61 · cvss 9.4 · epss 0.01

    The affected product lacks an authentication check when sending commands to the server via the Moxa service. This vulnerability allows an attacker to execute specified commands, potentially leading to unauthorized downloads or uploads of configuration files and system compromise.

  • CVE-2024-4332 · Critical · Jun 3, 2024
    risk 0.61 · epss 0.01

    An authentication bypass vulnerability has been identified in the REST and SOAP API components of Tripwire Enterprise (TE) 9.1.0 when TE is configured to use LDAP/Active Directory SAML authentication and its optional "Auto-synchronize LDAP Users, Roles, and Groups" feature is…

  • CVE-2024-0336 · Critical · Jun 3, 2024
    risk 0.61 · epss 0.00

    Missing Authentication for Critical Function vulnerability in EMTA Grup PDKS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDKS: from V3.04 before 20240603. NOTE: The vendor was contacted early about this disclosure but did not…

  • CVE-2026-28766 · Critical · Apr 3, 2026
    risk 0.60 · cvss 9.3 · epss 0.00

    A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication.

  • CVE-2026-3356 · Critical · Mar 31, 2026
    risk 0.60 · epss 0.00

    The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design…

  • CVE-2026-33340 · Critical · Mar 24, 2026
    risk 0.60 · cvss 9.1 · epss 0.22

    LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing versions of `lollms-webui`. The `@router.post("/api/proxy")` endpoint allows…

  • CVE-2026-1341 · Critical · Feb 3, 2026
    risk 0.60 · epss 0.00

    Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control.

  • CVE-2026-25137 · Critical · Feb 2, 2026
    risk 0.60 · cvss 9.1 · epss 0.10

    The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including…

  • CVE-2026-24728 · Critical · Jan 30, 2026
    risk 0.60 · epss 0.00

    A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication.

  • CVE-2025-59097 · Critical · Jan 26, 2026
    risk 0.60 · epss 0.01

    The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the…

  • CVE-2025-59090 · Critical · Jan 26, 2026
    risk 0.60 · epss 0.01

    On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the creation of arbitrary access log events as well as querying the 2FA PINs associated…

  • CVE-2026-23746 · Critical · Jan 15, 2026
    risk 0.60 · epss 0.01

    Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service…

  • CVE-2026-0625 · Critical · Jan 5, 2026
    risk 0.60 · epss 0.01

    Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can…

  • CVE-2025-13510 · Critical · Dec 2, 2025
    risk 0.60 · epss 0.01

    The Iskra iHUB and iHUB Lite smart metering gateway exposes its web management interface without requiring authentication, allowing unauthenticated users to access and modify critical device settings.

  • CVE-2025-12108 · Critical · Nov 4, 2025
    risk 0.60 · epss 0.00

    The Survision LPR Camera system does not enforce password protection by default. This allows access to the configuration wizard immediately without a login prompt or credentials check.

  • CVE-2023-7325 · Critical · Oct 30, 2025
    risk 0.60 · epss 0.00

    Anheng Mingyu Operation and Maintenance Audit and Risk Control System up to 2023-08-10 contains a server-side request forgery (SSRF) vulnerability in the xmlrpc.sock handler. The product accepts specially crafted XML-RPC requests that can be used to instruct the server to…

  • CVE-2021-4461 · Critical · Oct 30, 2025
    risk 0.60 · epss 0.01

    Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1 improperly decode and parse the `enc` parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling…

  • CVE-2025-52551 · Critical · Sep 2, 2025
    risk 0.60 · epss 0.00

    E2 Facility Management Systems use a proprietary protocol that allows for unauthenticated file operations on any file in the file system.

  • CVE-2025-34110 · Critical · Jul 15, 2025
    risk 0.60 · epss 0.01

    A directory traversal vulnerability exists in ColoradoFTP Server ≤ 1.3 Build 8 for Windows, allowing unauthenticated attackers to read or write arbitrary files outside the configured FTP root directory. The flaw is due to insufficient sanitation of user-supplied file paths in…

  • CVE-2025-2407 · Critical · May 27, 2025
    risk 0.60 · epss 0.00

    Missing Authentication & Authorization in the Web-API of Mobatime AMX MTAPI v6 on IIS allows adversaries unrestricted access via the network. The vulnerability is fixed in Version 1.5.