CWE-306
Missing Authentication for Critical Function
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62
CVEs mapped to this weakness (964)
page 27 of 49

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-0355 | | High | 0.49 | 7.5 | 0.01 | | Jan 15, 2025 | Missing Authentication for Critical Function vulnerability in NEC Corporation Aterm WG2600HS Ver.1.7.2 and earlier, WF1200CRS Ver.1.6.0 and earlier, WG1200CRS Ver.1.5.0 and earlier, GB1200PE Ver.1.3.0 and earlier, WG2600HP4 Ver.1.4.2 and earlier, WG2600HM4 Ver.1.4.2 and earlier,… |
| CVE-2024-13186 | | High | 0.49 | 7.5 | 0.00 | | Jan 8, 2025 | The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage. |
| CVE-2024-13185 | | High | 0.49 | 7.5 | 0.00 | | Jan 8, 2025 | The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage. |
| CVE-2024-13173 | | High | 0.49 | 7.5 | 0.00 | | Jan 8, 2025 | The health module has insufficient restrictions on loading URLs, which may lead to some information leakage. |
| CVE-2024-53623 | | High | 0.49 | 7.5 | 0.00 | | Nov 29, 2024 | Incorrect access control in the component l_0_0.xml of TP-Link ARCHER-C7 v5 allows attackers to access sensitive information. |
| CVE-2024-50589 | — | High | 0.49 | 7.5 | 0.01 | | Nov 8, 2024 | An unauthenticated attacker with access to the local network of the medical office can query an unprotected Fast Healthcare Interoperability Resources (FHIR) API to get access to sensitive electronic health records (EHR). |
| CVE-2024-48791 | | High | 0.49 | 7.5 | 0.00 | | Oct 14, 2024 | An issue in Plug n Play Camera com.starvedia.mCamView.zwave 5.5.1 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48777 | | High | 0.49 | 7.5 | 0.01 | | Oct 11, 2024 | LEDVANCE com.ledvance.smartplus.eu 2.1.10 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48776 | | High | 0.49 | 7.5 | 0.01 | | Oct 11, 2024 | An issue in Shelly com.home.shelly 1.0.4 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48775 | | High | 0.49 | 7.5 | 0.01 | | Oct 11, 2024 | An issue in Plug n Play Camera com.ezset.delaney 1.2.0 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48774 | | High | 0.49 | 7.5 | 0.01 | | Oct 11, 2024 | An issue in Fermax Asia Pacific Pte Ltd com.fermax.vida 2.4.6 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48773 | | High | 0.49 | 7.5 | 0.01 | | Oct 11, 2024 | An issue in WoFit v.7.2.3 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48771 | | High | 0.49 | 7.5 | 0.00 | | Oct 11, 2024 | An issue in almando GmbH Almando Play APP (com.almando.play) 1.8.2 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48768 | | High | 0.49 | 7.5 | 0.01 | | Oct 11, 2024 | An issue in almaodo GmbH appinventor.ai_google.almando_control 2.3.1 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-8751 | | High | 0.49 | 7.5 | 0.01 | | Sep 12, 2024 | A vulnerability in the MSC800 allows an unauthenticated attacker to modify the product’s IP address over Sopas ET. This can lead to Denial of Service. Users are recommended to upgrade both MSC800 and MSC800 LFT to version V4.26 and S2.93.20 respectively, which fixes this… |
| CVE-2024-43798 | | High | 0.49 | 8.6 | 0.00 | | Aug 26, 2024 | Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. The Chisel server doesn't ever read the documented `AUTH` environment variable used to set credentials, which allows any unauthenticated user to connect, even if credentials were set. Anyone running the… |
| CVE-2024-1662 | | High | 0.49 | 7.5 | 0.00 | | Jun 5, 2024 | Missing Authentication for Critical Function, Missing Authorization vulnerability in PORTY Smart Tech Technology Joint Stock Company PowerBank Application allows Retrieve Embedded Sensitive Data. This issue affects PowerBank Application: before 2.02. |
| CVE-2022-32503 | | High | 0.49 | 7.6 | 0.01 | | May 14, 2024 | An issue was discovered on certain Nuki Home Solutions devices. An attacker with physical access to this JTAG port may be able to connect to the device and bypass both hardware and software security protections. This affects Nuki Keypad before 1.9.2 and Nuki Fob before 1.8.1. |
| CVE-2024-1491 | — | High | 0.49 | 7.5 | 0.01 | | Apr 18, 2024 | The devices allow access to an unprotected endpoint that allows MPFS file system binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial flash, or internal… |
| CVE-2023-4857 | | High | 0.49 | 7.5 | 0.01 | | Apr 15, 2024 | An authentication bypass vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user to execute certain IPMI calls that could lead to exposure of limited system information. |