CWE-306
Missing Authentication for Critical Function
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62
CVEs mapped to this weakness (964)
page 39 of 49

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-11671 | — | Med | 0.34 | 5.3 | 0.00 | | Oct 13, 2025 | Uniweb/SoliPACS WebServer developed by EBM Technologies has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access a specific page to obtain information such as account names and IP addresses. |
| CVE-2025-11171 | — | Med | 0.34 | 5.3 | 0.00 | | Oct 8, 2025 | The Chartify – WordPress Chart Plugin for WordPress is vulnerable to Missing Authentication for Critical Function in all versions up to, and including, 3.5.9. This is due to the plugin registering an unauthenticated AJAX action that dispatches to admin-class methods based on a… |
| CVE-2025-41716 | — | Med | 0.34 | 5.3 | 0.00 | | Sep 24, 2025 | The web application allows an unauthenticated remote attacker to learn information about existing user accounts with their corresponding role due to missing authentication for critical function. |
| CVE-2025-10267 | — | Med | 0.34 | 5.3 | 0.00 | | Sep 12, 2025 | NUP Portal developed by NewType Infortech has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly upload files. If the attacker manages to bypass the file extension restrictions, they could upload a webshell and execute it on the server… |
| CVE-2025-30048 | — | Med | 0.34 | — | 0.00 | | Aug 27, 2025 | The "serverConfig" endpoint, which returns the module configuration including credentials, is accessible without authentication. |
| CVE-2025-30126 | — | Med | 0.34 | 5.3 | 0.00 | | Jul 28, 2025 | An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Via port 7777 without any need to pair or press a physical button, a remote attacker can disable recording, delete recordings, or even disable battery protection to cause a flat battery to essentially disable the… |
| CVE-2025-5876 | — | Med | 0.34 | 5.3 | 0.00 | | Jun 9, 2025 | A vulnerability classified as problematic was found in Lucky LM-520-SC, LM-520-FSC and LM-520-FSC-SAM up to 20250321. Affected by this vulnerability is an unknown functionality. The manipulation leads to missing authentication. The attack can be launched remotely. The exploit… |
| CVE-2025-5872 | — | Med | 0.34 | 5.3 | 0.00 | | Jun 9, 2025 | A vulnerability was found in eGauge EG3000 Energy Monitor 3.6.3. It has been classified as problematic. This affects an unknown part of the component Setting Handler. The manipulation leads to missing authentication. It is possible to initiate the attack remotely. The exploit… |
| CVE-2025-5871 | — | Med | 0.34 | 5.3 | 0.00 | | Jun 9, 2025 | A vulnerability was found in Papendorf SOL Connect Center 3.3.0.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to missing authentication. The attack may be launched remotely. The… |
| CVE-2025-32738 | — | Med | 0.34 | 5.3 | 0.00 | | May 15, 2025 | Missing authentication for critical function issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings. |
| CVE-2025-2344 | — | Med | 0.34 | 5.3 | 0.00 | | Mar 16, 2025 | A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched… |
| CVE-2024-52285 | — | Med | 0.34 | 5.3 | 0.00 | | Mar 11, 2025 | A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.8), SiPass integrated ACC-AP (All versions < V6.4.8). Affected devices expose several MQTT URLs without authentication. This could allow an unauthenticated remote attacker to access… |
| CVE-2025-23194 | — | Med | 0.34 | 5.3 | 0.00 | | Mar 11, 2025 | SAP NetWeaver Enterprise Portal OBN does not perform proper authentication check for a particular configuration setting. As a result, a non-authenticated user can set it to an undesired value causing low impact on integrity. There is no impact on confidentiality or availability of… |
| CVE-2024-33616 | — | Med | 0.34 | 5.3 | 0.01 | | Nov 26, 2024 | Admin authentication can be bypassed with some specific invalid credentials, which allows logging in with an administrative privilege. Sharp Corporation states the telnet feature is implemented on older models only, and is planning to provide the firmware update to remove the… |
| CVE-2024-47865 | — | Med | 0.34 | 5.3 | 0.00 | | Nov 20, 2024 | Missing authentication for critical function vulnerability exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may update or downgrade the firmware on the device. |
| CVE-2024-39707 | — | Med | 0.34 | 5.3 | 0.00 | | Nov 14, 2024 | Insyde IHISI function 0x49 can restore factory defaults for certain UEFI variables without further authentication by default, which could lead to a possible roll-back attack in certain platforms. This is fixed in: kernel 5.2, version 05.29.19; kernel 5.3, version 05.38.19;… |
| CVE-2024-9430 | — | Med | 0.34 | 5.3 | 0.00 | | Oct 31, 2024 | The Get Quote For Woocommerce – Request A Quote For Woocommerce plugin for WordPress is vulnerable to unauthorized access of Quote data due to a missing capability check on the ct_tepfw_wp_loaded function in all versions up to, and including, 1.0.0. This makes it possible for… |
| CVE-2024-43272 | — | Med | 0.34 | 5.3 | 0.00 | | Aug 19, 2024 | Missing Authentication for Critical Function vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Icegram: from n/a through 3.1.24. |
| CVE-2024-36457 | — | Med | 0.34 | — | 0.00 | | Jul 15, 2024 | The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint. |
| CVE-2024-21846 | — | Med | 0.34 | 5.3 | 0.00 | | Apr 18, 2024 | An unauthenticated attacker can reset the board and stop transmitter operations by sending a specially-crafted GET request to the command.cgi gateway, resulting in a denial-of-service scenario. |