CWE-306
Missing Authentication for Critical Function
Abstraction: Base · Status: Draft · Likelihood of exploit: High
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62
CVEs mapped to this weakness (650)
page 7 of 33

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-4555 | Critical | 0.64 | 9.8 | 0.00 | | May 12, 2025 | The web management interface of Okcat Parking Management Platform from ZONG YU has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access system functions. These functions include opening gates, viewing license plates and parking records, and restarting the system. |
| CVE-2025-46275 | Critical | 0.64 | 9.8 | 0.00 | | Apr 24, 2025 | WGS-80HPT-V2 and WGS-4215-8T2S are missing authentication that could allow an attacker to create an administrator account without knowing any existing credentials. |
| CVE-2025-2567 | Critical | 0.64 | 9.8 | 0.00 | | Apr 15, 2025 | An attacker could modify or disable settings, disrupt fuel monitoring and supply chain operations, leading to disabling of ATG monitoring. This would result in potential safety hazards in fuel storage and transportation. |
| CVE-2024-13771 | Critical | 0.64 | 9.8 | 0.00 | | Mar 14, 2025 | The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim. |
| CVE-2025-24924 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2025 | Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username. |
| CVE-2024-36555 | Critical | 0.64 | 9.8 | 0.00 | | Feb 6, 2025 | Built-in SMS-configuration command in Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b allows malicious users to change the device IMEI number, which allows forging the identity of the device. |
| CVE-2025-0456 | Critical | 0.64 | 9.8 | 0.01 | | Jan 16, 2025 | The airPASS from NetVision Information has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access the specific administrative functionality to retrieve all accounts and passwords. |
| CVE-2024-54984 | Critical | 0.64 | 9.8 | 0.00 | | Dec 19, 2024 | An issue in Quectel BG96 BG96MAR02A08M1G allows attackers to bypass authentication via a crafted NAS message. NOTE: this is disputed by the supplier. |
| CVE-2024-54983 | Critical | 0.64 | 9.8 | 0.00 | | Dec 19, 2024 | An issue in Quectel BC95-CNV V100R001C00SPC051 allows attackers to bypass authentication via a crafted NAS message. |
| CVE-2024-47138 | Critical | 0.64 | 9.8 | 0.01 | | Nov 22, 2024 | The administrative interface listens by default on all interfaces on a TCP port and does not require authentication when being accessed. |
| CVE-2024-10284 | Critical | 0.64 | 9.8 | 0.01 | | Nov 9, 2024 | The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to a hardcoded encryption key in the 'ce21_authentication_phrase' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. |
| CVE-2024-50489 | Critical | 0.64 | 9.8 | 0.00 | | Oct 28, 2024 | Authentication Bypass Using an Alternate Path or Channel vulnerability in realtyworkstation Realty Workstation realty-workstation allows Authentication Bypass. This issue affects Realty Workstation: from n/a through <= 1.0.45. |
| CVE-2024-50487 | Critical | 0.64 | 9.8 | 0.00 | | Oct 28, 2024 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo MaanStore API maanstore-api allows Authentication Bypass. This issue affects MaanStore API: from n/a through <= 1.0.1. |
| CVE-2024-50486 | Critical | 0.64 | 9.8 | 0.00 | | Oct 28, 2024 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Acnoo Flutter API acnoo-flutter-api allows Authentication Bypass. This issue affects Acnoo Flutter API: from n/a through <= 1.0.5. |
| CVE-2024-49604 | Critical | 0.64 | 9.8 | 0.00 | | Oct 20, 2024 | Authentication Bypass Using an Alternate Path or Channel vulnerability in N-Media Simple User Registration wp-registration allows Authentication Bypass. This issue affects Simple User Registration: from n/a through <= 6.7. |
| CVE-2024-8310 | Critical | 0.64 | 9.8 | 0.00 | | Sep 27, 2024 | OPW Fuel Management Systems SiteSentinel could allow an attacker to bypass authentication to the server and obtain full admin privileges. |
| CVE-2024-6981 | Critical | 0.64 | 9.8 | 0.00 | | Sep 27, 2024 | OMNTEC Proteus Tank Monitoring OEL8000III Series could allow an attacker to perform administrative actions without proper authentication. |
| CVE-2024-36445 | Critical | 0.64 | 9.8 | 0.01 | | Aug 22, 2024 | Swissphone DiCal-RED 4009 devices allow a remote attacker to gain a root shell via TELNET without authentication. |
| CVE-2024-0949 | Critical | 0.64 | 9.8 | 0.00 | | Jun 27, 2024 | Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass. This issue affects Elektraweb: before v17.0.68. |
| CVE-2023-51478 | Critical | 0.64 | 9.8 | 0.00 | | Apr 25, 2024 | Improper Authentication vulnerability in Abdul Hakeem Build App Online allows Privilege Escalation. This issue affects Build App Online: from n/a through 1.0.19. |