VYPR

CWE-306

Missing Authentication for Critical Function

Base · Draft · Likelihood: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 27 of 49
  • CVE-2025-0355 · High · Jan 15, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    Missing Authentication for Critical Function vulnerability in NEC Corporation Aterm WG2600HS Ver.1.7.2 and earlier, WF1200CRS Ver.1.6.0 and earlier, WG1200CRS Ver.1.5.0 and earlier, GB1200PE Ver.1.3.0 and earlier, WG2600HP4 Ver.1.4.2 and earlier, WG2600HM4 Ver.1.4.2 and earlier,…

  • CVE-2024-13186 · High · Jan 8, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage.

  • CVE-2024-13185 · High · Jan 8, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage.

  • CVE-2024-13173 · High · Jan 8, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    The health module has insufficient restrictions on loading URLs, which may lead to some information leakage.

  • CVE-2024-53623 · High · Nov 29, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    Incorrect access control in the component l_0_0.xml of TP-Link ARCHER-C7 v5 allows attackers to access sensitive information.

  • CVE-2024-50589 · High · Nov 8, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    An unauthenticated attacker with access to the local network of the medical office can query an unprotected Fast Healthcare Interoperability Resources (FHIR) API to get access to sensitive electronic health records (EHR).

  • CVE-2024-48791 · High · Oct 14, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in Plug n Play Camera com.starvedia.mCamView.zwave 5.5.1 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-48777 · High · Oct 11, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    LEDVANCE com.ledvance.smartplus.eu 2.1.10 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-48776 · High · Oct 11, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue in Shelly com.home.shelly 1.0.4 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-48775 · High · Oct 11, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue in Plug n Play Camera com.ezset.delaney 1.2.0 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-48774 · High · Oct 11, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue in Fermax Asia Pacific Pte Ltd com.fermax.vida 2.4.6 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-48773 · High · Oct 11, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue in WoFit v.7.2.3 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-48771 · High · Oct 11, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in almando GmbH Almando Play APP (com.almando.play) 1.8.2 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-48768 · High · Oct 11, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue in almaodo GmbH appinventor.ai_google.almando_control 2.3.1 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-8751 · High · Sep 12, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    A vulnerability in the MSC800 allows an unauthenticated attacker to modify the product’s IP address over Sopas ET. This can lead to Denial of Service. Users are recommended to upgrade both MSC800 and MSC800 LFT to version V4.26 and S2.93.20 respectively which fixes this…

  • CVE-2024-43798 · High · Aug 26, 2024
    risk 0.49 · cvss 8.6 · epss 0.00

    Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. The Chisel server doesn't ever read the documented `AUTH` environment variable used to set credentials, which allows any unauthenticated user to connect, even if credentials were set. Anyone running the…

  • CVE-2024-1662 · High · Jun 5, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    Missing Authentication for Critical Function, Missing Authorization vulnerability in PORTY Smart Tech Technology Joint Stock Company PowerBank Application allows Retrieve Embedded Sensitive Data. This issue affects PowerBank Application: before 2.02.

  • CVE-2022-32503 · High · May 14, 2024
    risk 0.49 · cvss 7.6 · epss 0.01

    An issue was discovered on certain Nuki Home Solutions devices. An attacker with physical access to this JTAG port may be able to connect to the device and bypass both hardware and software security protections. This affects Nuki Keypad before 1.9.2 and Nuki Fob before 1.8.1.

  • CVE-2024-1491 · High · Apr 18, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    The devices allow access to an unprotected endpoint that allows MPFS file system binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial flash, or internal…

  • CVE-2023-4857 · High · Apr 15, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    An authentication bypass vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user to execute certain IPMI calls that could lead to exposure of limited system information.