VYPR

CWE-306

Missing Authentication for Critical Function

Abstraction: Base · Status: Draft · Likelihood: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 18 of 49
  • CVE-2025-6916 · High · Jun 30, 2025
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability, which was classified as critical, was found in TOTOLINK T6 4.1.5cu.748_B20211015. This affects the function Form_Login of the file /formLoginAuth.htm. The manipulation of the argument authCode/goURL leads to missing authentication. The attack needs to be…

  • CVE-2025-49596 · Critical · Jun 13, 2025
    risk 0.57 · cvss (not given) · epss 0.37

    The MCP Inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP…

  • CVE-2025-49652 · Critical · Jun 9, 2025
    risk 0.57 · cvss 9.8 · epss 0.00

    Missing Authentication in the registration feature of Lablup's BackendAI allows arbitrary users to create user accounts that can access private data even when registration is disabled.

  • CVE-2025-3759 · High · May 8, 2025
    risk 0.57 · cvss (not given) · epss 0.00

    Endpoint /cgi-bin-igd/netcore_set.cgi, which is used for changing device configuration, is accessible without authentication. This poses a significant security threat, allowing for e.g. administrator account hijacking or AP password changing. The vendor was contacted early about…

  • CVE-2025-3758 · High · May 8, 2025
    risk 0.57 · cvss (not given) · epss 0.00

    WF2220 exposes endpoint /cgi-bin-igd/netcore_get.cgi that returns configuration of the device to unauthorized users. Returned configuration includes cleartext password. The vendor was contacted early about this disclosure but did not respond in any way.

  • CVE-2024-50381 · High · Dec 2, 2024
    risk 0.57 · cvss (not given) · epss 0.01

    A vulnerability exists in Snap One OVRC cloud where an attacker can impersonate a Hub device and send requests to claim and unclaim devices. The attacker only needs to provide the MAC address of the targeted device and can make a request to unclaim it from its original…

  • CVE-2024-52438 · High · Nov 20, 2024
    risk 0.57 · cvss 8.8 · epss 0.00

    Missing Authentication for Critical Function vulnerability in deco.agency de:branding debranding allows Privilege Escalation. This issue affects de:branding: from n/a through <= 1.0.2.

  • CVE-2024-52437 · High · Nov 20, 2024
    risk 0.57 · cvss 8.8 · epss 0.00

    Missing Authentication for Critical Function vulnerability in Saul Morales Pacheco Banner System banner-system allows Privilege Escalation. This issue affects Banner System: from n/a through <= 1.0.0.

  • CVE-2024-41969 · High · Nov 18, 2024
    risk 0.57 · cvss 8.8 · epss 0.00

    A low privileged remote attacker may modify the configuration of the CODESYS V3 service through a missing authentication vulnerability which could lead to full system access and/or DoS.

  • CVE-2024-10284 · Critical · Nov 9, 2024
    risk 0.57 · cvss 9.8 · epss 0.00

    The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to a hardcoded encryption key in the 'ce21_authentication_phrase' function. This makes it possible for unauthenticated attackers to log in as any…

  • CVE-2024-49399 · High · Oct 17, 2024
    risk 0.57 · cvss (not given) · epss 0.00

    The affected product is vulnerable to an attacker being able to use commands without providing a password, which may allow an attacker to leak information.

  • CVE-2023-22650 · High · Oct 16, 2024
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users: Rancher will not reflect these modifications, which…

  • CVE-2024-31218 · Critical · Apr 5, 2024
    risk 0.57 · cvss 9.8 · epss 0.01

    Webhood is a self-hosted URL scanner used for analyzing phishing and malicious sites. Webhood's backend container images in versions 0.9.0 and earlier are subject to a Missing Authentication for Critical Function vulnerability. This vulnerability allows an unauthenticated attacker to…

  • CVE-2023-2834 · Critical · Jun 30, 2023
    risk 0.57 · cvss 9.8 · epss 0.02

    The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification of the user being supplied when booking an appointment through the plugin. This makes it possible for unauthenticated…

  • CVE-2020-36724 · Critical · Jun 7, 2023
    risk 0.57 · cvss 9.8 · epss 0.02

    The Wordable plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.1. This is due to the use of a user-supplied hashing algorithm passed to the hash_hmac() function and the use of a loose comparison on the hash, which allows an attacker…

  • CVE-2016-6541 · High · Jul 6, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    TrackR Bravo device allows unauthenticated pairing, which enables unauthenticated connected applications to write to various device attributes. Updated apps, version 5.1.6 for iOS and 2.2.5 for Android, have been released by the vendor to address the vulnerabilities in…

  • CVE-2018-4854 · High · Jul 3, 2018
    risk 0.57 · cvss 8.8 · epss 0.03

    A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). An attacker with network access to port 69/udp could modify the administrative client stored on the device. If a legitimate user downloads and executes the modified client from…

  • CVE-2018-8016 · Critical · Jun 28, 2018
    risk 0.57 · cvss 9.8 · epss 0.02

    The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request. This issue is a regression of CVE-2015-0225. The regression was…

  • CVE-2018-11476 · High · May 30, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices. The dongle opens an unprotected wireless LAN that cannot be configured with encryption or a password. This enables anyone within the range of the WLAN to connect to the network without authentication.

  • CVE-2018-0554 · High · Apr 9, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Buffalo WZR-1750DHP2 Ver.2.30 and earlier allows an attacker to bypass authentication and execute arbitrary commands on the device via unspecified vectors.