VYPR

CWE-306

Missing Authentication for Critical Function

Abstraction: Base · Status: Draft · Likelihood of Exploit: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
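As an added example (not code from the CWE page or from any of the products listed on it), a minimal request router with the CWE-306 defect beside a hardened version. The vulnerable handler dispatches on path only, so any client that can reach the admin endpoint calls the critical function; the fixed handler refuses the request unless it carries a valid signed session token, and only then checks the role. The endpoint path, reset_admin_password, the request dict layout and SESSION_KEY are illustrative assumptions.

```python
"""Added example (not from the CWE page or any listed project): a minimal request
router with the CWE-306 defect beside a hardened version. The endpoint path,
reset_admin_password, the request dict layout and SESSION_KEY are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
SESSION_KEY = b"constructed-demo-key-do-not-use"


def issue_session_token(user: str, role: str, ttl_s: int = 3600) -> str:
    """Mint an HMAC-SHA256 signed session token after a successful login."""
    claims = {"sub": user, "role": role, "exp": int(time.time()) + ttl_s}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SESSION_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_session_token(token: Optional[str]) -> Optional[dict]:
    """Return the claims if the tag verifies and the token is unexpired, else None."""
    if not token or "." not in token:
        return None
    payload_b64, tag_b64 = token.split(".", 1)
    try:
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SESSION_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < time.time():
        return None
    return claims


def reset_admin_password(new_password: str) -> dict:
    """The critical function. Anything that reaches it must already be authenticated."""
    return {"admin_password_reset": True, "length": len(new_password)}


def bearer_token(request: dict) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>', or None."""
    scheme, _, token = request.get("headers", {}).get("Authorization", "").partition(" ")
    return token if scheme == "Bearer" and token else None


def handle_vulnerable(request: dict) -> dict:
    """CWE-306: dispatch is by path alone, so any client that can reach the
    path performs the reset. No identity is ever checked."""
    if request["path"] == "/admin/reset-password":
        return {"status": 200, "body": reset_admin_password(request["params"]["password"])}
    return {"status": 404}


def handle_fixed(request: dict) -> dict:
    """Hardened: authenticate (401), then authorize (403), then call the function.
    The check lives in the router so no individual endpoint can forget it."""
    if request["path"] == "/admin/reset-password":
        claims = verify_session_token(bearer_token(request))
        if claims is None:
            return {"status": 401}  # no provable identity
        if claims.get("role") != "admin":
            return {"status": 403}  # identity proven, but not entitled to this function
        return {"status": 200, "body": reset_admin_password(request["params"]["password"])}
    return {"status": 404}


if __name__ == "__main__":
    anon = {"path": "/admin/reset-password", "params": {"password": "n3w-p4ssw0rd"}, "headers": {}}
    print("vulnerable, anonymous:", handle_vulnerable(anon)["status"])  # 200
    print("fixed, anonymous:     ", handle_fixed(anon)["status"])       # 401
```

The point the two handlers make is that authentication must be a property of the dispatch layer rather than of each endpoint: a router that only routes will happily expose a password reset, a database wipe or a file upload to whoever can open a socket, which is the common thread running through the CVEs listed below.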

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 42 of 49
  • CVE-2020-11651 · KEV · Apr 30, 2020
    risk 0.23 · cvss (none listed) · epss 0.96

    An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user…

  • CVE-2025-14058 · Low · Jan 14, 2026
    risk 0.21 · cvss 3.2 · epss 0.00

    A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled.

  • CVE-2024-53701 · Low · Nov 29, 2024
    risk 0.20 · cvss 3.1 · epss 0.00

    Multiple FCNT Android devices provide original security features such as a "privacy mode", in which selected applications can be hidden from display. Under certain conditions, when an attacker can directly operate a device whose screen has been unlocked by the user,…

  • CVE-2026-40184 · Low · Apr 10, 2026
    risk 0.17 · cvss 3.7 · epss 0.00

    TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. This vulnerability is fixed in 2.7.2.

  • CVE-2020-13927 · KEV · Nov 10, 2020
    risk 0.16 · cvss (none listed) · epss 1.00

    The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at…

  • CVE-2023-4505 · Low · Sep 27, 2023
    risk 0.14 · cvss 2.2 · epss 0.01

    The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers,…

  • CVE-2025-8943 · Aug 14, 2025
    risk 0.10 · cvss (none listed) · epss 0.71

    The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise…

  • CVE-2014-9195 · Jan 17, 2015
    risk 0.09 · cvss (none listed) · epss 0.81

    Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic.

  • CVE-2014-4872 · Oct 10, 2014
    risk 0.09 · cvss (none listed) · epss 0.80

    BMC Track-It! 11.3.0.355 does not require authentication on TCP port 9010, which allows remote attackers to upload arbitrary files, execute arbitrary code, or obtain sensitive credential and configuration information via a .NET Remoting request to (1) FileStorageService or (2)…

  • CVE-2020-12492 · Low · Nov 25, 2024
    risk 0.07 · cvss (none listed) · epss 0.00

    Improper handling of WiFi information by framework services can allow certain malicious applications to obtain sensitive information.

  • CVE-2023-4506 · Low · Sep 27, 2023
    risk 0.07 · cvss 2.2 · epss 0.01

    The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 4.1.10. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with…

  • CVE-2022-45933 · Nov 27, 2022
    risk 0.07 · cvss (none listed) · epss 0.52

    KubeView through 0.1.31 allows attackers to obtain control of a Kubernetes cluster because api/scrape/kube-system does not require authentication, and retrieves certificate files that can be used for authentication as kube-admin. NOTE: the vendor's position is that KubeView was…

  • CVE-2021-41266 · Nov 15, 2021
    risk 0.07 · cvss (none listed) · epss 0.47

    Minio console is a graphical user interface for the MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and…

  • CVE-2021-27358 · Mar 18, 2021
    risk 0.07 · cvss (none listed) · epss 0.83

    The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attacker to trigger a Denial of Service via a remote API call if a commonly used configuration is set.

  • CVE-2020-9480 · Jun 23, 2020
    risk 0.07 · cvss (none listed) · epss 0.29

    In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the…

  • CVE-2022-38817 · Oct 3, 2022
    risk 0.06 · cvss (none listed) · epss 0.03

    Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data.

  • CVE-2022-23944 · Jan 25, 2022
    risk 0.06 · cvss (none listed) · epss 0.79

    Users can access the /plugin API without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

  • CVE-2021-29442 · Apr 27, 2021
    risk 0.05 · cvss (none listed) · epss 0.65

    Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove…

  • CVE-2020-12478 · Apr 29, 2020
    risk 0.03 · cvss (none listed) · epss 0.07

    TeamPass 2.1.27.36 allows an unauthenticated attacker to retrieve files from the TeamPass web root. This may include backups or LDAP debug files.

  • CVE-2009-1780 · May 22, 2009
    risk 0.03 · cvss (none listed) · epss 0.04

    admin.php in Frax.dk Php Recommend 1.3 and earlier does not require authentication when the user password is changed, which allows remote attackers to gain administrative privileges via modified form_admin_user and form_admin_pass parameters.