VYPR

CWE-306

Missing Authentication for Critical Function

Base · Draft · Likelihood: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 8 of 49
  • CVE-2025-46275 · Critical · Apr 24, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    WGS-80HPT-V2 and WGS-4215-8T2S are missing authentication that could allow an attacker to create an administrator account without knowing any existing credentials.

  • CVE-2025-2567 · Critical · Apr 15, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    An attacker could modify or disable settings, disrupt fuel monitoring and supply chain operations, leading to disabling of ATG monitoring. This would result in potential safety hazards in fuel storage and transportation.

  • CVE-2024-13771 · Critical · Mar 14, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated…

  • CVE-2025-24924 · Critical · Mar 5, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username.

  • CVE-2024-36555 · Critical · Feb 6, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    Built-in SMS-configuration command in Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b allows malicious users to change the device IMEI-number which allows for…

  • CVE-2025-0456 · Critical · Jan 16, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    The airPASS from NetVision Information has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access the specific administrative functionality to retrieve all accounts and passwords.

  • CVE-2024-54984 · Critical · Dec 19, 2024
    risk 0.64 · cvss 9.8 · epss 0.00

    An issue in Quectel BG96 BG96MAR02A08M1G allows attackers to bypass authentication via a crafted NAS message. NOTE: this is disputed by the supplier.

  • CVE-2024-54983 · Critical · Dec 19, 2024
    risk 0.64 · cvss 9.8 · epss 0.00

    An issue in Quectel BC95-CNV V100R001C00SPC051 allows attackers to bypass authentication via a crafted NAS message.

  • CVE-2024-47138 · Critical · Nov 22, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    The administrative interface listens by default on all interfaces on a TCP port and does not require authentication when being accessed.

  • CVE-2024-50489 · Critical · Oct 28, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Authentication Bypass Using an Alternate Path or Channel vulnerability in realtyworkstation Realty Workstation realty-workstation allows Authentication Bypass. This issue affects Realty Workstation: from n/a through <= 1.0.45.

  • CVE-2024-50487 · Critical · Oct 28, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo MaanStore API maanstore-api allows Authentication Bypass. This issue affects MaanStore API: from n/a through <= 1.0.1.

  • CVE-2024-50486 · Critical · Oct 28, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Acnoo Flutter API acnoo-flutter-api allows Authentication Bypass. This issue affects Acnoo Flutter API: from n/a through <= 1.0.5.

  • CVE-2024-49604 · Critical · Oct 20, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Authentication Bypass Using an Alternate Path or Channel vulnerability in N-Media Simple User Registration wp-registration allows Authentication Bypass. This issue affects Simple User Registration: from n/a through <= 6.7.

  • CVE-2024-8310 · Critical · Sep 27, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    OPW Fuel Management Systems SiteSentinel could allow an attacker to bypass authentication to the server and obtain full admin privileges.

  • CVE-2024-6981 · Critical · Sep 27, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    OMNTEC Proteus Tank Monitoring OEL8000III Series could allow an attacker to perform administrative actions without proper authentication.

  • CVE-2024-7015 · Critical · Sep 9, 2024
    risk 0.64 · cvss 9.8 · epss 0.00

    Missing Authentication for Critical Function vulnerability in Profelis Informatics and Consulting PassBox allows Authentication Abuse. This issue affects PassBox: before v1.2.

  • CVE-2024-4428 · Critical · Aug 29, 2024
    risk 0.64 · cvss 9.8 · epss 0.00

    Missing Authentication for Critical Function, Missing Authorization vulnerability in Menulux Information Technologies Managment Portal allows Collect Data as Provided by Users. This issue affects Managment Portal: through 21.05.2024.

  • CVE-2024-36445 · Critical · Aug 22, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Swissphone DiCal-RED 4009 devices allow a remote attacker to gain a root shell via TELNET without authentication.

  • CVE-2024-0949 · Critical · Jun 27, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass. This issue affects Elektraweb: before v17.0.68.

  • CVE-2024-36543 · Critical · Jun 17, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics' content to his Kafka cluster via a malicious connector (bypassing Kafka ACL if it exists),…