VYPR

CWE-306

Missing Authentication for Critical Function

BaseDraftLikelihood: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 28 of 49
  • CVE-2018-17880HigOct 3, 2018
    risk 0.49cvss 7.5epss 0.02

    On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allows /HNAP1 RunReboot commands without authentication to trigger a reboot.

  • CVE-2018-14796HigSep 20, 2018
    risk 0.49cvss 7.5epss 0.01

    Tec4Data SmartCooler, all versions prior to firmware 180806, the device responds to a remote unauthenticated reboot command that may be used to perform a denial of service attack.

  • CVE-2017-12575HigAug 24, 2018
    risk 0.49cvss 7.5epss 0.02

    An issue was discovered on the NEC Aterm WG2600HP2 1.0.2. The router has a set of web service APIs for access to and setup of the configuration. Some APIs don't require authentication. An attacker could exploit this vulnerability by sending a crafted HTTP request to retrieve…

  • CVE-2016-6544HigJul 13, 2018
    risk 0.49cvss 7.5epss 0.03

    getgps data in iTrack Easy can be modified without authentication by setting the data using the parametercmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device.

  • CVE-2017-0919HigJul 3, 2018
    risk 0.49cvss 7.5epss 0.01

    GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the GitLab import component resulting in an attacker being able to perform operations under a group in which they were previously unauthorized.

  • CVE-2018-4840HigMar 8, 2018
    risk 0.49cvss 7.5epss 0.02

    A vulnerability has been identified in DIGSI 4 (All versions < V4.92), EN100 Ethernet module DNP3 variant (All versions < V1.05.00), EN100 Ethernet module IEC 104 variant (All versions), EN100 Ethernet module IEC 61850 variant (All versions < V4.30), EN100 Ethernet module Modbus…

  • CVE-2018-4838HigMar 8, 2018
    risk 0.49cvss 7.5epss 0.01

    A vulnerability has been identified in EN100 Ethernet module IEC 61850 variant (All versions < V4.30), EN100 Ethernet module DNP3 variant (All versions < V1.04), EN100 Ethernet module PROFINET IO variant (All versions), EN100 Ethernet module Modbus TCP variant (All versions),…

  • CVE-2018-2360HigJan 9, 2018
    risk 0.49cvss 7.5epss 0.03

    SAP Startup Service, SAP KERNEL 7.45, 7.49, and 7.52, is missing an authentication check for functionalities that require user identity and cause consumption of file system storage.

  • CVE-2017-16241HigDec 10, 2017
    risk 0.49cvss 7.5epss 0.02

    Incorrect access control in AMAG Symmetry Door Edge Network Controllers (EN-1DBC Boot App 23611 03.60 and STD App 23603 03.60; EN-2DBC Boot App 24451 01.00 and STD App 2461 01.00) enables remote attackers to execute door controller commands (e.g., lock, unlock, add ID card…

  • CVE-2017-1523HigOct 24, 2017
    risk 0.49cvss 7.5epss 0.02

    IBM InfoSphere Master Data Management - Collaborative Edition 11.5 could allow an unauthorized user to download reports without authentication. IBM X-Force ID: 129892.

  • CVE-2017-4055HigJul 12, 2017
    risk 0.49cvss 7.5epss 0.01

    Exploitation of Authentication vulnerability in the web interface in McAfee Advanced Threat Defense (ATD) 3.10, 3.8, 3.6, 3.4 allows remote unauthenticated users / remote attackers to bypass ATD detection via loose enforcement of authentication and authorization.

  • CVE-2002-1810HigDec 31, 2002
    risk 0.49cvss 7.5epss 0.02

    D-Link DWL-900AP+ Access Point 2.1 and 2.2 allows remote attackers to access the TFTP server without authentication and read the config.img file, which contains sensitive information such as the administrative password, the WEP encryption keys, and network configuration…

  • CVE-2025-71257HigMar 19, 2026
    risk 0.48cvss 7.3epss 0.04

    BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability due to improper enforcement of security filters on restricted REST API endpoints and servlets. Unauthenticated remote attackers can bypass access controls to invoke…

  • CVE-2025-7114HigJul 7, 2025
    risk 0.48cvss 7.3epss 0.01

    A vulnerability was found in SimStudioAI sim up to 37786d371e17d35e0764e1b5cd519d873d90d97b. It has been declared as critical. Affected by this vulnerability is the function POST of the file apps/sim/app/api/files/upload/route.ts of the component Session Handler. The…

  • CVE-2025-5906HigJun 10, 2025
    risk 0.48cvss 7.3epss 0.01

    A vulnerability classified as critical has been found in code-projects Laundry System 1.0. This affects an unknown part of the file /data/. The manipulation leads to missing authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the…

  • CVE-2023-5935HigMay 15, 2024
    risk 0.48cvss 7.4epss 0.00

    When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself. A malicious local user or…

  • CVE-2024-27758HigMar 12, 2024
    risk 0.48cvss 8.4epss 0.01

    In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution.

  • CVE-2017-6873HigAug 8, 2017
    risk 0.48cvss 7.4epss 0.01

    A vulnerability was discovered in Siemens OZW672 (all versions) and OZW772 (all versions) that could allow an attacker to read and manipulate data in TLS sessions while performing a man-in-the-middle (MITM) attack on the integrated web server on port 443/tcp.

  • CVE-2026-10617HigJun 2, 2026
    risk 0.47cvss 7.3epss 0.00

    A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.11.3. This affects the function resolveAuth of the file internal/http/auth.go of the component Webhook Verification Handler. The manipulation leads to missing authentication. Remote exploitation of the…

  • CVE-2026-10243HigJun 1, 2026
    risk 0.47cvss 7.3epss 0.01

    A security vulnerability has been detected in code-projects Smart Parking System 1.0. Affected is an unknown function of the component Admin Endpoint. Such manipulation leads to missing authentication. It is possible to launch the attack remotely. The exploit has been disclosed…