VYPR

CWE-306

Missing Authentication for Critical Function

Base · Draft · Likelihood: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

  • CVE-2025-11671 · Med · Oct 13, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    Uniweb/SoliPACS WebServer developed by EBM Technologies has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access a specific page to obtain information such as account names and IP addresses.

  • CVE-2025-11171 · Med · Oct 8, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    The Chartify – WordPress Chart Plugin for WordPress is vulnerable to Missing Authentication for Critical Function in all versions up to, and including, 3.5.9. This is due to the plugin registering an unauthenticated AJAX action that dispatches to admin-class methods based on a…

  • CVE-2025-41716 · Med · Sep 24, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    The web application allows an unauthenticated remote attacker to learn information about existing user accounts with their corresponding role due to missing authentication for critical function.

  • CVE-2025-10267 · Med · Sep 12, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    NUP Portal developed by NewType Infortech has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly upload files. If the attacker manages to bypass the file extension restrictions, they could upload a webshell and execute it on the server…

  • CVE-2025-30048 · Med · Aug 27, 2025
    risk 0.34 · cvss · epss 0.00

    The "serverConfig" endpoint, which returns the module configuration including credentials, is accessible without authentication.

  • CVE-2025-30126 · Med · Jul 28, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Via port 7777 without any need to pair or press a physical button, a remote attacker can disable recording, delete recordings, or even disable battery protection to cause a flat battery to essentially disable the…

  • CVE-2025-5876 · Med · Jun 9, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    A vulnerability classified as problematic was found in Lucky LM-520-SC, LM-520-FSC and LM-520-FSC-SAM up to 20250321. Affected by this vulnerability is an unknown functionality. The manipulation leads to missing authentication. The attack can be launched remotely. The exploit…

  • CVE-2025-5872 · Med · Jun 9, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    A vulnerability was found in eGauge EG3000 Energy Monitor 3.6.3. It has been classified as problematic. This affects an unknown part of the component Setting Handler. The manipulation leads to missing authentication. It is possible to initiate the attack remotely. The exploit…

  • CVE-2025-5871 · Med · Jun 9, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    A vulnerability was found in Papendorf SOL Connect Center 3.3.0.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to missing authentication. The attack may be launched remotely. The…

  • CVE-2025-32738 · Med · May 15, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    Missing authentication for critical function issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings.

  • CVE-2025-2344 · Med · Mar 16, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched…

  • CVE-2024-52285 · Med · Mar 11, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.8), SiPass integrated ACC-AP (All versions < V6.4.8). Affected devices expose several MQTT URLs without authentication. This could allow an unauthenticated remote attacker to access…

  • CVE-2025-23194 · Med · Mar 11, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    SAP NetWeaver Enterprise Portal OBN does not perform a proper authentication check for a particular configuration setting. As a result, a non-authenticated user can set it to an undesired value causing low impact on integrity. There is no impact on confidentiality or availability of…

  • CVE-2024-33616 · Med · Nov 26, 2024
    risk 0.34 · cvss 5.3 · epss 0.01

    Admin authentication can be bypassed with some specific invalid credentials, which allows logging in with an administrative privilege. Sharp Corporation states the telnet feature is implemented on older models only, and is planning to provide the firmware update to remove the…

  • CVE-2024-47865 · Med · Nov 20, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Missing authentication for critical function vulnerability exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may update or downgrade the firmware on the device.

  • CVE-2024-39707 · Med · Nov 14, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Insyde IHISI function 0x49 can restore factory defaults for certain UEFI variables without further authentication by default, which could lead to a possible roll-back attack in certain platforms. This is fixed in: kernel 5.2, version 05.29.19; kernel 5.3, version 05.38.19;…

  • CVE-2024-9430 · Med · Oct 31, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    The Get Quote For Woocommerce – Request A Quote For Woocommerce plugin for WordPress is vulnerable to unauthorized access of Quote data due to a missing capability check on the ct_tepfw_wp_loaded function in all versions up to, and including, 1.0.0. This makes it possible for…

  • CVE-2024-43272 · Med · Aug 19, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Missing Authentication for Critical Function vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Icegram: from n/a through 3.1.24.

  • CVE-2024-36457 · Med · Jul 15, 2024
    risk 0.34 · cvss · epss 0.00

    The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint.

  • CVE-2024-21846 · Med · Apr 18, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    An unauthenticated attacker can reset the board and stop transmitter operations by sending a specially-crafted GET request to the command.cgi gateway, resulting in a denial-of-service scenario.