CWE-306
Missing Authentication for Critical Function
Abstraction: Base · Status: Draft · Likelihood of exploit: High
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
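The weakness is easiest to see in code. The following is an added example written for this page, not code from MITRE or from any product listed below: a small in-memory HTTP-style dispatcher for a hypothetical network device. The first version exposes a configuration dump and a reboot action with no identity check at all, which is the pattern behind most of the CVEs mapped here. The second version moves the check into the router so that every route is authenticated unless it is explicitly registered as public, and adds an audit hook that lists what is reachable without credentials. The paths, the bearer-token scheme, the session token and the device state are all constructed assumptions.

```python
"""Added example, not from CWE-306 or any listed vendor: CWE-306 in a tiny
route dispatcher, beside a deny-by-default fix.

Assumptions (hypothetical): paths /api/status, /api/config, /api/reboot;
a bearer token in an "Authorization" header; a constructed session token.
"""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed secret; a real device would issue this after a login.
SESSION_TOKEN = "s3ss10n-t0k3n-constructed"

Response = Tuple[int, str]  # (HTTP status, body)

# Constructed device state shared by both versions.
DEVICE = {"firmware": "1.0.0", "wifi_psk": "hunter2-constructed", "rebooted": False}


def _is_authenticated(headers: Dict[str, str]) -> bool:
    """Bearer-token check using a constant-time comparison."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth[len("Bearer "):], SESSION_TOKEN)


# --- Vulnerable version: critical handlers never establish who is calling ---

def vuln_dispatch(path: str, headers: Dict[str, str]) -> Response:
    if path == "/api/status":
        return 200, DEVICE["firmware"]
    if path == "/api/config":            # CWE-306: hands the Wi-Fi PSK to anyone
        return 200, f"wifi_psk={DEVICE['wifi_psk']}"
    if path == "/api/reboot":            # CWE-306: anyone on the network can reboot
        DEVICE["rebooted"] = True
        return 200, "rebooting"
    return 404, "not found"


# --- Hardened version: authentication is the default, public is opt-in -----

@dataclass
class Router:
    # path -> (handler, is_public)
    routes: Dict[str, Tuple[Callable[[], Response], bool]] = field(default_factory=dict)

    def route(self, path: str, public: bool = False):
        """Register a handler; it is authenticated unless public=True is stated."""
        def register(fn: Callable[[], Response]) -> Callable[[], Response]:
            self.routes[path] = (fn, public)
            return fn
        return register

    def dispatch(self, path: str, headers: Dict[str, str]) -> Response:
        entry = self.routes.get(path)
        if entry is None:
            return 404, "not found"
        fn, public = entry
        # The identity check runs in the router, before any handler code.
        if not public and not _is_authenticated(headers):
            return 401, "authentication required"
        return fn()

    def unauthenticated_routes(self) -> List[str]:
        """Audit hook: every route reachable without credentials, for review."""
        return sorted(p for p, (_, public) in self.routes.items() if public)


router = Router()


@router.route("/api/status", public=True)   # deliberately public, non-sensitive
def status() -> Response:
    return 200, DEVICE["firmware"]


@router.route("/api/config")                 # protected by default
def config() -> Response:
    return 200, f"wifi_psk={DEVICE['wifi_psk']}"


@router.route("/api/reboot")                 # protected by default
def reboot() -> Response:
    DEVICE["rebooted"] = True
    return 200, "rebooting"
```

The point of the `Router` is that forgetting a check now fails closed: a new route added without `public=True` returns 401 until someone decides otherwise, and `unauthenticated_routes()` gives a reviewer the exact list of endpoints that must justify being open. Running the same check inside each handler, as the vulnerable version would need, leaves every future handler one omission away from CWE-306.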
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62
CVEs mapped to this weakness (651)
Page 21 of 33

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-41655 | High | 0.49 | 7.5 | 0.00 |  | May 26, 2025 | An unauthenticated remote attacker can access a URL which causes the device to reboot. |
| CVE-2024-23815 | High | 0.49 | 7.5 | 0.00 |  | May 13, 2025 | A vulnerability has been identified in Desigo CC (All versions if access from Installed Clients to Desigo CC server is allowed from networks outside of a highly protected zone), Desigo CC (All versions if access from Installed Clients to Desigo CC server is only allowed within highly protected zones). The affected server application fails to authenticate specific client requests. Modification of the client binary could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database via the event port (default: 4998/tcp). |
| CVE-2025-29870 | High | 0.49 | 7.5 | 0.00 |  | Apr 9, 2025 | Missing authentication for critical function vulnerability exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If exploited, a remote unauthenticated attacker may obtain the product configuration information including authentication information. |
| CVE-2025-30111 | High | 0.49 | 7.5 | 0.00 |  | Mar 18, 2025 | On IROAD v9 devices, one can remotely dump video footage and the live video stream. The dashcam exposes endpoints that allow unauthorized users, who gained access through other means, to list and download recorded videos, as well as access live video streams without proper authentication. |
| CVE-2024-12511 | High | 0.49 | 7.6 | 0.00 |  | Feb 3, 2025 | With address book access, SMB/FTP settings could be modified, redirecting scans and possibly capturing credentials. This requires enabled scan functions and printer access. |
| CVE-2025-0355 | High | 0.49 | 7.5 | 0.00 |  | Jan 15, 2025 | Missing Authentication for Critical Function vulnerability in NEC Corporation Aterm WG2600HS Ver.1.7.2 and earlier, WF1200CRS Ver.1.6.0 and earlier, WG1200CRS Ver.1.5.0 and earlier, GB1200PE Ver.1.3.0 and earlier, WG2600HP4 Ver.1.4.2 and earlier, WG2600HM4 Ver.1.4.2 and earlier, WG2600HS2 Ver.1.3.2 and earlier, WX3000HP Ver.2.4.2 and earlier and WX4200D5 Ver.1.2.4 and earlier allows an attacker to get a Wi-Fi password via the network. |
| CVE-2024-13186 | High | 0.49 | 7.5 | 0.00 |  | Jan 8, 2025 | The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage. |
| CVE-2024-13185 | High | 0.49 | 7.5 | 0.00 |  | Jan 8, 2025 | The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage. |
| CVE-2024-13173 | High | 0.49 | 7.5 | 0.00 |  | Jan 8, 2025 | The health module has insufficient restrictions on loading URLs, which may lead to some information leakage. |
| CVE-2024-53623 | High | 0.49 | 7.5 | 0.00 |  | Nov 29, 2024 | Incorrect access control in the component l_0_0.xml of TP-Link ARCHER-C7 v5 allows attackers to access sensitive information. |
| CVE-2024-50589 | High | 0.49 | 7.5 | 0.00 |  | Nov 8, 2024 | An unauthenticated attacker with access to the local network of the medical office can query an unprotected Fast Healthcare Interoperability Resources (FHIR) API to get access to sensitive electronic health records (EHR). |
| CVE-2024-48791 | High | 0.49 | 7.5 | 0.00 |  | Oct 14, 2024 | An issue in Plug n Play Camera com.starvedia.mCamView.zwave 5.5.1 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48777 | High | 0.49 | 7.5 | 0.00 |  | Oct 11, 2024 | LEDVANCE com.ledvance.smartplus.eu 2.1.10 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48776 | High | 0.49 | 7.5 | 0.00 |  | Oct 11, 2024 | An issue in Shelly com.home.shelly 1.0.4 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48775 | High | 0.49 | 7.5 | 0.00 |  | Oct 11, 2024 | An issue in Plug n Play Camera com.ezset.delaney 1.2.0 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48774 | High | 0.49 | 7.5 | 0.00 |  | Oct 11, 2024 | An issue in Fermax Asia Pacific Pte Ltd com.fermax.vida 2.4.6 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48773 | High | 0.49 | 7.5 | 0.00 |  | Oct 11, 2024 | An issue in WoFit v.7.2.3 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48771 | High | 0.49 | 7.5 | 0.00 |  | Oct 11, 2024 | An issue in almando GmbH Almando Play APP (com.almando.play) 1.8.2 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48768 | High | 0.49 | 7.5 | 0.00 |  | Oct 11, 2024 | An issue in almaodo GmbH appinventor.ai_google.almando_control 2.3.1 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-8751 | High | 0.49 | 7.5 | 0.00 |  | Sep 12, 2024 | A vulnerability in the MSC800 allows an unauthenticated attacker to modify the product’s IP address over Sopas ET. This can lead to Denial of Service. Users are recommended to upgrade both MSC800 and MSC800 LFT to version V4.26 and S2.93.20 respectively, which fixes this issue. |