VYPR

CWE-306

Missing Authentication for Critical Function

Abstraction: Base · Status: Draft · Likelihood of exploit: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 47 of 49
  • CVE-2023-43644 (Sep 25, 2023)
    risk 0.00 · cvss (none listed) · epss 0.01

    Sing-box is an open source proxy system. Affected versions are subject to an authentication bypass when specially crafted requests are sent to sing-box. This affects all SOCKS5 inbounds with user authentication and an attacker may be able to bypass authentication. Users are…

  • CVE-2023-4815 (Sep 7, 2023)
    risk 0.00 · cvss (none listed) · epss 0.01

    Missing Authentication for Critical Function in GitHub repository answerdev/answer prior to v1.1.3.

  • CVE-2023-40170 (Aug 28, 2023)
    risk 0.00 · cvss (none listed) · epss 0.01

    jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in…

  • CVE-2023-37265 (Jul 17, 2023)
    risk 0.00 · cvss (none listed) · epss 0.06

    CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification, unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This…

  • CVE-2023-31143 (May 9, 2023)
    risk 0.00 · cvss (none listed) · epss 0.01

    mage-ai is an open-source data pipeline tool for transforming and integrating data. Those who use Mage starting in version 0.8.34 and prior to 0.8.72 with user authentication enabled may be affected by a vulnerability. The terminal could be accessed by users who are not signed…

  • CVE-2023-28326 (Mar 28, 2023)
    risk 0.00 · cvss (none listed) · epss 0.01

    Vendor: The Apache Software Foundation. Versions affected: Apache OpenMeetings from 2.0.0 before 7.0.0. Description: an attacker can elevate their privileges in any room.

  • CVE-2023-25570 (Feb 20, 2023)
    risk 0.00 · cvss (none listed) · epss 0.01

    Apollo is a configuration management system. Prior to version 2.1.0, there are potential security issues if users expose apollo-configservice to the internet, which is not recommended. This is because there is no authentication feature enabled for the built-in eureka service.…

  • CVE-2023-25014 (Feb 2, 2023)
    risk 0.00 · cvss (none listed) · epss 0.01

    An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users.

  • CVE-2023-25013 (Feb 2, 2023)
    risk 0.00 · cvss (none listed) · epss 0.01

    An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to set the password of all frontend users.

  • CVE-2020-23256 (Jan 20, 2023)
    risk 0.00 · cvss (none listed) · epss 0.01

    An issue was discovered in Electerm 1.3.22 that allows attackers to execute arbitrary code via an unverified request to Electerm's service.

  • CVE-2022-4018 (Nov 16, 2022)
    risk 0.00 · cvss (none listed) · epss 0.01

    Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0a6.

  • CVE-2022-45378 (Nov 14, 2022)
    risk 0.00 · cvss (none listed) · epss 0.02

    In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even…

  • CVE-2022-3327 (Oct 19, 2022)
    risk 0.00 · cvss (none listed) · epss 0.01

    Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0a6.

  • CVE-2022-36884 (Jul 27, 2022)
    risk 0.00 · cvss (none listed) · epss 0.01

    The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provides unauthenticated attackers with information about the existence of jobs configured to use an attacker-specified Git repository.

  • CVE-2021-34538 (Jul 16, 2022)
    risk 0.00 · cvss (none listed) · epss 0.01

    In Apache Hive before 3.1.3, the "CREATE" and "DROP" function operations do not check for the necessary authorization of the entities involved in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized…

  • CVE-2022-31022 (Jun 1, 2022)
    risk 0.00 · cvss (none listed) · epss 0.00

    Bleve is a text indexing library for Go. Bleve includes HTTP utilities under the bleve/http package that are used by its sample application. These HTTP methods pave the way for exploitation of a node's filesystem where the bleve index resides, if the user has used bleve's own HTTP…

  • CVE-2022-24820 (Apr 8, 2022)
    risk 0.00 · cvss (none listed) · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem has been patched in XWiki versions…

  • CVE-2021-3589 (Mar 23, 2022)
    risk 0.00 · cvss (none listed) · epss 0.01

    An authorization flaw was found in Foreman Ansible. An authenticated attacker with certain permissions to create and run Ansible jobs can access hosts through job templates. The highest threat from this vulnerability is to data confidentiality and integrity as well as system…

  • CVE-2022-25508 (Mar 10, 2022)
    risk 0.00 · cvss (none listed) · epss 0.01

    An access control issue in the component /ManageRoute/postRoute of FreeTAKServer v1.9.8 allows unauthenticated attackers to cause a Denial of Service (DoS) via an unusually large amount of created routes, or create unsafe or false routes for legitimate users.

  • CVE-2022-23945 (Jan 25, 2022)
    risk 0.00 · cvss (none listed) · epss 0.04

    Missing authentication on ShenYu Admin when registering by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.