
CWE-306

Missing Authentication for Critical Function

Abstraction: Base
Status: Draft
Likelihood of exploit: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
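The practical shape of this weakness is a route table in which some state-changing or resource-consuming handler carries no authentication requirement at all, often because the framework lets a handler be registered without one. The following is an added example, not CWE text or any vendor's code: a hypothetical deny-by-default router in which every handler must declare its requirement, plus an audit that lists critical paths reachable anonymously (the kind of check to run before a build ships). The session model, role names and paths are assumptions; the reboot path is modelled on the satellite-modem entry further down this page.

```python
"""Deny-by-default route table with an audit for CWE-306.

Added example; this is not CWE or vendor code. The router, session model,
role names and paths are hypothetical."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Session:
    """A session whose identity has already been proven (the login flow
    that produced it is assumed and out of scope here)."""
    user: str
    roles: Set[str] = field(default_factory=set)


Handler = Callable[[Optional[Session]], Tuple[int, str]]


@dataclass
class Route:
    handler: Handler
    critical: bool                 # changes state, spends resources or exposes data
    required_role: Optional[str]   # None: reachable without any authentication


class Router:
    def __init__(self) -> None:
        self.routes: Dict[str, Route] = {}

    def add(self, path: str, handler: Handler, *, critical: bool,
            required_role: Optional[str]) -> None:
        # Every registration states its requirement explicitly, so a handler
        # cannot become anonymously reachable simply by omission.
        self.routes[path] = Route(handler, critical, required_role)

    def dispatch(self, path: str, session: Optional[Session]) -> Tuple[int, str]:
        route = self.routes.get(path)
        if route is None:
            return 404, "not found"
        if route.required_role is not None:
            if session is None:                  # no proven identity at all
                return 401, "authentication required"
            if route.required_role not in session.roles:
                return 403, "forbidden"          # identity proven, not entitled
        return route.handler(session)

    def audit(self) -> List[str]:
        """Critical paths an unauthenticated caller can reach; the list
        should be empty before a release."""
        return sorted(p for p, r in self.routes.items()
                      if r.critical and r.required_role is None)


def status(session: Optional[Session]) -> Tuple[int, str]:
    return 200, "up"


def reboot(session: Optional[Session]) -> Tuple[int, str]:
    return 200, "rebooting"


def build_router(hardened: bool) -> Router:
    """hardened=False reproduces the weakness (a reboot endpoint nobody has
    to authenticate to); hardened=True requires the admin role."""
    r = Router()
    r.add("/status", status, critical=False, required_role=None)
    r.add("/cgi/reboot", reboot, critical=True,
          required_role="admin" if hardened else None)
    return r


if __name__ == "__main__":
    for hardened in (False, True):
        r = build_router(hardened)
        print("hardened" if hardened else "vulnerable",
              "| unauthenticated critical routes:", r.audit(),
              "| anonymous reboot ->", r.dispatch("/cgi/reboot", None)[0])
```

The distinction the dispatcher makes between 401 (no proven identity, CWE-306) and 403 (identity proven but not entitled, CWE-862/863) is worth preserving in real code: it keeps missing authentication and missing authorization separately visible in logs and in tests.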

Hierarchy (View 1000)

Parents

CWE-287 · Improper Authentication

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964), page 34 of 49
  • CVE-2025-10746 · Medium · Oct 4, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.9. This is due to missing capability checks and nonce verification on functions hooked to 'init'. This makes it possible for unauthenticated…

  • CVE-2025-7045 · Medium · Sep 6, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    The Cloud SAML SSO plugin for WordPress is vulnerable to Identity Provider Deletion due to a missing capability check on the delete_config action of the csso_handle_actions() function in all versions up to, and including, 1.0.19. This makes it possible for unauthenticated…

  • CVE-2025-27803 · Medium · May 21, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    The devices do not implement any authentication for the web interface or the MQTT server. An attacker who has network access to the device immediately gets administrative access to the devices and can perform arbitrary administrative actions and reconfigure the devices or…

  • CVE-2025-4560 · Medium · May 12, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    The ISOinsight from Netvision has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access certain system functions. These functions include viewing the administrator list, viewing and editing IP settings, and uploading files.

  • CVE-2025-32377 · Medium · Apr 18, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Rasa Pro is a framework for building scalable, dynamic conversational AI assistants that integrate large language models (LLMs). A vulnerability has been identified in Rasa Pro where voice connectors in Rasa Pro do not properly implement authentication even when a token is…

  • CVE-2020-12484 · Medium · Dec 17, 2024
    risk 0.42 · CVSS 6.4 · EPSS 0.00

    When using special mode to connect to enterprise wifi, certain options are not properly configured and attackers can pretend to be enterprise wifi through a carefully constructed wifi with the same name, which can lead to man-in-the-middle attacks.

  • CVE-2024-51362 · Medium · Nov 5, 2024
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    The LSC Smart Connect Indoor IP Camera V7.6.32 is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the…

  • CVE-2024-48442 · Medium · Oct 24, 2024
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Incorrect access control in Shenzhen Tuoshi Network Communications Co.,Ltd 5G CPE Router NR500-EA RG500UEAABxCOMSLICv3.2.2543.12.18 allows attackers to access the SSH protocol without authentication.

  • CVE-2024-35294 · Medium · Oct 2, 2024
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    An unauthenticated remote attacker may use the device's traffic capture function without authentication to grab plaintext administrative credentials.

  • CVE-2024-39601 · Medium · Jul 22, 2024
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V5.40), SICORE Base system (All versions < V1.4.0). Affected devices allow a remote authenticated user or an unauthenticated user with physical access to downgrade the firmware of the…

  • CVE-2024-33622 · Medium · Jun 18, 2024
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    Missing authentication for critical function vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, sensitive information may be obtained and/or the information stored in the database may be altered by a remote…

  • CVE-2022-38057 · Medium · Mar 25, 2024
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Missing Authorization vulnerability in ThemeHunk Advance WordPress Search Plugin. This issue affects Advance WordPress Search Plugin: from n/a through 1.2.1.

  • CVE-2016-9496 · Medium · Jul 13, 2018
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Hughes high-performance broadband satellite modems, models HN7740S, DW7000 and HN7000S/SM, lack authentication. An unauthenticated user may send an HTTP GET request to http://[ip]/com/gatewayreset or http://[ip]/cgi/reboot.bin to cause the modem to reboot.

  • CVE-2016-6540 · Medium · Jul 6, 2018
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Unauthenticated access to the cloud-based service maintained by TrackR Bravo is allowed for querying or sending GPS data for any Trackr device by using the tracker ID number which can be discovered as described in CVE-2016-6539. Updated apps, version 5.1.6 for iOS and 2.2.5 for…

  • CVE-2017-17747 · Medium · Dec 20, 2017
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Weak access controls in the Device Logout functionality on the TP-Link TL-SG108E v1.0.0 allow remote attackers to call the logout functionality, triggering a denial of service condition.

  • CVE-2017-12440 · High · Aug 18, 2017
    risk 0.42 · CVSS 7.5 · EPSS 0.02

    Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with…

  • CVE-2017-6872 · Medium · Aug 8, 2017
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A vulnerability was discovered in Siemens OZW672 (all versions) and OZW772 (all versions) that could allow an attacker with access to port 21/tcp to access or alter historical measurement data stored on the device.

  • CVE-2016-10364 · Medium · Jun 16, 2017
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions.

  • CVE-2026-25599 · Medium · Jun 1, 2026
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca…

  • CVE-2026-44460 · High · May 27, 2026
    risk 0.41 · CVSS 7.4 · EPSS 0.00

    FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totp_setup.php is callable from a session that has only passed the password check (state pending_login_user). When the target account already has TOTP…
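The last entry describes a subtler form of the weakness than a handler with no check at all: a multi-step login in which a session that has passed only the first step (password accepted, second factor still outstanding) is accepted by a post-login function as if it were fully authenticated. The following is an added example, not FileRise code: a hypothetical two-step login state machine with a real RFC 6238 TOTP check, a guard that makes the mistake (treating the presence of a user name on the session as proof of identity) and a guard that checks the state meaning "every factor verified". The state names, user store, endpoint names and secret are assumptions; the base32 secret is the RFC 6238 test key, not a real credential.

```python
"""Multi-step login state: only a session that has completed every factor
counts as authenticated.

Added example, not FileRise code; state names, user store, endpoint names
and the TOTP secret are hypothetical, modelled loosely on the
CVE-2026-44460 description on this page."""

import base64
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

PENDING_MFA = "pending_login_user"   # password accepted, second factor outstanding
AUTHENTICATED = "authenticated"      # every required factor verified

# Constructed sample user. The base32 secret is the RFC 6238 test key
# "12345678901234567890", not a real credential.
USERS = {"alice": {"password": "correct horse battery",
                   "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}}


@dataclass
class Session:
    state: Optional[str] = None
    user: Optional[str] = None


def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(base64.b32decode(secret_b32), counter, "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def password_step(session: Session, user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return False
    session.user, session.state = user, PENDING_MFA   # not yet authenticated
    return True


def totp_step(session: Session, code: str, now: int) -> bool:
    if session.state != PENDING_MFA or session.user is None:
        return False
    expected = totp(USERS[session.user]["totp_secret"], now)
    if not hmac.compare_digest(expected, code):
        return False
    session.state = AUTHENTICATED
    return True


def totp_setup_vulnerable(session: Session) -> int:
    # Weakness: a user name on the session is taken as proof of identity,
    # so the pre-MFA stage can already reach a post-login function.
    return 200 if session.user is not None else 401


def totp_setup_fixed(session: Session) -> int:
    # Check the state that means "every factor verified", not a side effect
    # of the first step having run.
    return 200 if session.state == AUTHENTICATED else 401


def walkthrough(now: int = 59) -> dict:
    """Drive a login and record what each guard decides at each stage."""
    s = Session()
    password_step(s, "alice", "correct horse battery")
    after_password = (totp_setup_vulnerable(s), totp_setup_fixed(s))
    totp_step(s, totp(USERS["alice"]["totp_secret"], now), now)
    after_totp = (totp_setup_vulnerable(s), totp_setup_fixed(s))
    return {"after_password": after_password, "after_totp": after_totp}


if __name__ == "__main__":
    print(walkthrough())
```

The general rule the fixed guard follows: a post-login function must test for the terminal authentication state, never for an artefact of an earlier step (a populated user name, a cookie issued after the password check), because every intermediate state is by construction reachable by someone who has not yet proven their identity.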