CWE-306
Missing Authentication for Critical Function
Abstraction: Base · Status: Draft · Likelihood of Exploit: High
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62
CVEs mapped to this weakness (650)
Page 31 of 33

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-2344 | Med | 0.34 | 5.3 | 0.00 | | Mar 16, 2025 | A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-52285 | Med | 0.34 | 5.3 | 0.00 | | Mar 11, 2025 | A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.8), SiPass integrated ACC-AP (All versions < V6.4.8). Affected devices expose several MQTT URLs without authentication. This could allow an unauthenticated remote attacker to access sensitive data. |
| CVE-2025-23194 | Med | 0.34 | 5.3 | 0.00 | | Mar 11, 2025 | SAP NetWeaver Enterprise Portal OBN does not perform a proper authentication check for a particular configuration setting. As a result, a non-authenticated user can set it to an undesired value causing low impact on integrity. There is no impact on confidentiality or availability of the application. |
| CVE-2024-33616 | Med | 0.34 | 5.3 | 0.00 | | Nov 26, 2024 | Admin authentication can be bypassed with some specific invalid credentials, which allows logging in with an administrative privilege. Sharp Corporation states the telnet feature is implemented on older models only, and is planning to provide the firmware update to remove the feature. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. |
| CVE-2024-47865 | Med | 0.34 | 5.3 | 0.00 | | Nov 20, 2024 | Missing authentication for critical function vulnerability exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may update or downgrade the firmware on the device. |
| CVE-2024-39707 | Med | 0.34 | 5.3 | 0.00 | | Nov 14, 2024 | Insyde IHISI function 0x49 can restore factory defaults for certain UEFI variables without further authentication by default, which could lead to a possible roll-back attack in certain platforms. This is fixed in: kernel 5.2, version 05.29.19; kernel 5.3, version 05.38.19; kernel 5.4, version 05.46.19; kernel 5.5, version 05.54.19; kernel 5.6, version 05.61.19. |
| CVE-2024-9430 | Med | 0.34 | 5.3 | 0.01 | | Oct 31, 2024 | The Get Quote For Woocommerce – Request A Quote For Woocommerce plugin for WordPress is vulnerable to unauthorized access of Quote data due to a missing capability check on the ct_tepfw_wp_loaded function in all versions up to, and including, 1.0.0. This makes it possible for unauthenticated attackers to download Quote PDF and CSV documents. |
| CVE-2024-43272 | Med | 0.34 | 5.3 | 0.00 | | Aug 19, 2024 | Missing Authentication for Critical Function vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Icegram: from n/a through 3.1.24. |
| CVE-2024-36457 | Med | 0.34 | — | 0.00 | | Jul 15, 2024 | The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint. |
| CVE-2024-21846 | Med | 0.34 | 5.3 | 0.00 | | Apr 18, 2024 | An unauthenticated attacker can reset the board and stop transmitter operations by sending a specially-crafted GET request to the command.cgi gateway, resulting in a denial-of-service scenario. |
| CVE-2023-6949 | Med | 0.34 | 5.2 | 0.00 | | Apr 2, 2024 | A Missing Authentication for Critical Function issue affecting the HTTP service running on the DJI Mavic Mini 3 Pro on the standard port 80 could allow an attacker to enumerate and download videos and pictures saved on the drone's internal or external memory without requiring any kind of authentication. |
| CVE-2024-21824 | Med | 0.34 | 5.3 | 0.00 | | Mar 18, 2024 | Improper authentication vulnerability exists in multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. If this vulnerability is exploited, a network-adjacent user who can access the product may impersonate an administrative user. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. |
| CVE-2026-42303 | Med | 0.33 | — | 0.00 | | May 12, 2026 | Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject's records across every integration configured in the affected deployment. This vulnerability is fixed in 2.83.2. |
| CVE-2026-4582 | Med | 0.33 | 5.0 | 0.00 | | Mar 23, 2026 | A security vulnerability has been detected in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Affected by this vulnerability is an unknown functionality of the component Bluetooth. Such manipulation leads to missing authentication. The attack must be carried out from within the local network. Attacks of this nature are highly complex. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-2756 | Med | 0.33 | 5.0 | 0.00 | | Mar 21, 2026 | A security vulnerability has been detected in OmniPEMF NeoRhythm up to 20260308. This affects an unknown function of the component BLE Interface. Such manipulation leads to missing authentication. The attack can only be initiated within the local network. This attack is characterized by high complexity. The exploitability is reported as difficult. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-60251 | Med | 0.33 | 5.0 | 0.00 | | Sep 26, 2025 | Unitree Go2, G1, H1, and B2 devices through 2025-09-20 accept any handshake secret with the unitree substring. |
| CVE-2025-5719 | Med | 0.33 | — | 0.00 | | Jun 6, 2025 | The wallet has an authentication bypass vulnerability that allows access to specific pages. |
| CVE-2024-57055 | Med | 0.33 | 5.0 | 0.00 | | Feb 18, 2025 | Server-Side Access Control Bypass vulnerability in WombatDialer before 25.02 could allow unauthorized users to potentially call certain services without the necessary access level. This issue is limited to services used by the client (not the general-use JSON services) and requires reverse engineering of the proprietary serialization protocol, making it difficult to exploit. |
| CVE-2024-6895 | Med | 0.33 | — | 0.00 | | Jul 19, 2024 | Insufficient authentication in user account management in Yugabyte Platform allows local network attackers with a compromised user session to change critical security information without re-authentication. An attacker with a user session and access to the application can modify settings such as password and email without being prompted for the current password, enabling account takeover. |
| CVE-2025-25265 | Med | 0.32 | 4.9 | 0.00 | | Jun 16, 2025 | A web application for configuring the controller is accessible at a specific path. It contains an endpoint that allows a high privileged remote attacker to read files from the system's file structure. |