CWE-306
Missing Authentication for Critical Function
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62
CVEs mapped to this weakness (964)
page 9 of 49| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-51478 | Cri | 0.64 | 9.8 | 0.01 | Apr 25, 2024 | Improper Authentication vulnerability in Abdul Hakeem Build App Online allows Privilege Escalation.This issue affects Build App Online: from n/a through 1.0.19. | ||
| CVE-2023-1083 | — | Cri | 0.64 | 9.8 | 0.01 | Apr 9, 2024 | An unauthenticated remote attacker who is aware of a MQTT topic name can send and receive messages, including GET/SET configuration commands, reboot commands and firmware updates. | |
| CVE-2023-4702 | Cri | 0.64 | 9.8 | 0.01 | Sep 14, 2023 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas allows Authentication Bypass. This issue affects Digital Yepas: before 1.0.1. | ||
| CVE-2020-36713 | Cri | 0.64 | 9.8 | 0.02 | Jun 7, 2023 | The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'update_user_profile' routes. This makes it possible for unauthenticated attackers to create new… | ||
| CVE-2023-2704 | Cri | 0.64 | 9.8 | 0.02 | May 19, 2023 | The BP Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.5. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated… | ||
| CVE-2022-0992 | Cri | 0.64 | 9.8 | 0.03 | Apr 19, 2022 | The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA… | ||
| CVE-2020-15798 | Cri | 0.64 | 9.8 | 0.05 | Feb 9, 2021 | A vulnerability has been identified in SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions < V16 Update 3a), SIMATIC HMI KTP Mobile Panels (All versions < V16 Update 3a), SINAMICS GH150 (All versions), SINAMICS GL150 (with option X30) (All versions), SINAMICS GM150… | ||
| CVE-2019-9201 | Cri | 0.64 | 9.8 | 0.03 | Feb 26, 2019 | Multiple Phoenix Contact devices allow remote attackers to establish TCP sessions to port 1962 and obtain sensitive information or make changes, as demonstrated by using the Create Backup feature to traverse all directories. | ||
| CVE-2018-11247 | Cri | 0.64 | 9.8 | 0.03 | Aug 15, 2018 | The JMX/RMI interface in Nasdaq BWise 5.0 does not require authentication for an SAP BO Component, which allows remote attackers to execute arbitrary code via a session on port 81. | ||
| CVE-2018-10603 | Cri | 0.64 | 9.8 | 0.03 | Jul 31, 2018 | Martem TELEM GW6 and GWM devices with firmware 2018.04.18-linux_4-01-601cb47 and prior do not perform authentication of IEC-104 control commands, which may allow a rogue node a remote control of the industrial process. | ||
| CVE-2018-0377 | Cri | 0.64 | 9.8 | 0.03 | Jul 18, 2018 | A vulnerability in the Open Systems Gateway initiative (OSGi) interface of Cisco Policy Suite before 18.1.0 could allow an unauthenticated, remote attacker to directly connect to the OSGi interface. The vulnerability is due to a lack of authentication. An attacker could exploit… | ||
| CVE-2018-0376 | Cri | 0.64 | 9.8 | 0.03 | Jul 18, 2018 | A vulnerability in the Policy Builder interface of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remote attacker to access the Policy Builder interface. The vulnerability is due to a lack of authentication. An attacker could exploit this vulnerability by… | ||
| CVE-2018-0374 | Cri | 0.64 | 9.8 | 0.03 | Jul 18, 2018 | A vulnerability in the Policy Builder database of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remote attacker to connect directly to the Policy Builder database. The vulnerability is due to a lack of authentication. An attacker could exploit this… | ||
| CVE-2018-10635 | Cri | 0.64 | 9.8 | 0.05 | Jul 11, 2018 | In Universal Robots Robot Controllers Version CB 3.1, SW Version 3.4.5-100, ports 30001/TCP to 30003/TCP listen for arbitrary URScript code and execute the code. This enables a remote attacker who has access to the ports to remotely execute code that may allow root access to be… | ||
| CVE-2018-7778 | Cri | 0.64 | 9.8 | 0.02 | Jul 3, 2018 | In Schneider Electric Evlink Charging Station versions prior to v3.2.0-12_v1, the Web Interface has an issue that may allow a remote attacker to gain administrative privileges without properly authenticating remote users. | ||
| CVE-2018-4853 | Cri | 0.64 | 9.8 | 0.02 | Jul 3, 2018 | A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). An attacker with network access to port 69/udp could modify the firmware of the device. | ||
| CVE-2018-5339 | Cri | 0.64 | 9.8 | 0.08 | Apr 18, 2018 | An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions. | ||
| CVE-2018-5338 | Cri | 0.64 | 9.8 | 0.09 | Apr 18, 2018 | An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism. | ||
| CVE-2018-9162 | Cri | 0.64 | 9.8 | 0.02 | Mar 31, 2018 | Contec Smart Home 4.15 devices do not require authentication for new_user.php, edit_user.php, delete_user.php, and user.php, as demonstrated by changing the admin password and then obtaining control over doors. | ||
| CVE-2018-2368 | Cri | 0.64 | 9.8 | 0.03 | Mar 1, 2018 | SAP NetWeaver System Landscape Directory, LM-CORE 7.10, 7.20, 7.30, 7.31, 7.40, does not perform any authentication checks for functionalities that require user identity. |
- risk 0.64cvss 9.8epss 0.01
Improper Authentication vulnerability in Abdul Hakeem Build App Online allows Privilege Escalation.This issue affects Build App Online: from n/a through 1.0.19.
- risk 0.64cvss 9.8epss 0.01
An unauthenticated remote attacker who is aware of a MQTT topic name can send and receive messages, including GET/SET configuration commands, reboot commands and firmware updates.
- risk 0.64cvss 9.8epss 0.01
Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas allows Authentication Bypass. This issue affects Digital Yepas: before 1.0.1.
- risk 0.64cvss 9.8epss 0.02
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'update_user_profile' routes. This makes it possible for unauthenticated attackers to create new…
- risk 0.64cvss 9.8epss 0.02
The BP Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.5. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated…
- risk 0.64cvss 9.8epss 0.03
The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA…
- risk 0.64cvss 9.8epss 0.05
A vulnerability has been identified in SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions < V16 Update 3a), SIMATIC HMI KTP Mobile Panels (All versions < V16 Update 3a), SINAMICS GH150 (All versions), SINAMICS GL150 (with option X30) (All versions), SINAMICS GM150…
- risk 0.64cvss 9.8epss 0.03
Multiple Phoenix Contact devices allow remote attackers to establish TCP sessions to port 1962 and obtain sensitive information or make changes, as demonstrated by using the Create Backup feature to traverse all directories.
- risk 0.64cvss 9.8epss 0.03
The JMX/RMI interface in Nasdaq BWise 5.0 does not require authentication for an SAP BO Component, which allows remote attackers to execute arbitrary code via a session on port 81.
- risk 0.64cvss 9.8epss 0.03
Martem TELEM GW6 and GWM devices with firmware 2018.04.18-linux_4-01-601cb47 and prior do not perform authentication of IEC-104 control commands, which may allow a rogue node a remote control of the industrial process.
- risk 0.64cvss 9.8epss 0.03
A vulnerability in the Open Systems Gateway initiative (OSGi) interface of Cisco Policy Suite before 18.1.0 could allow an unauthenticated, remote attacker to directly connect to the OSGi interface. The vulnerability is due to a lack of authentication. An attacker could exploit…
- risk 0.64cvss 9.8epss 0.03
A vulnerability in the Policy Builder interface of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remote attacker to access the Policy Builder interface. The vulnerability is due to a lack of authentication. An attacker could exploit this vulnerability by…
- risk 0.64cvss 9.8epss 0.03
A vulnerability in the Policy Builder database of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remote attacker to connect directly to the Policy Builder database. The vulnerability is due to a lack of authentication. An attacker could exploit this…
- risk 0.64cvss 9.8epss 0.05
In Universal Robots Robot Controllers Version CB 3.1, SW Version 3.4.5-100, ports 30001/TCP to 30003/TCP listen for arbitrary URScript code and execute the code. This enables a remote attacker who has access to the ports to remotely execute code that may allow root access to be…
- risk 0.64cvss 9.8epss 0.02
In Schneider Electric Evlink Charging Station versions prior to v3.2.0-12_v1, the Web Interface has an issue that may allow a remote attacker to gain administrative privileges without properly authenticating remote users.
- risk 0.64cvss 9.8epss 0.02
A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). An attacker with network access to port 69/udp could modify the firmware of the device.
- risk 0.64cvss 9.8epss 0.08
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions.
- risk 0.64cvss 9.8epss 0.09
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism.
- risk 0.64cvss 9.8epss 0.02
Contec Smart Home 4.15 devices do not require authentication for new_user.php, edit_user.php, delete_user.php, and user.php, as demonstrated by changing the admin password and then obtaining control over doors.
- risk 0.64cvss 9.8epss 0.03
SAP NetWeaver System Landscape Directory, LM-CORE 7.10, 7.20, 7.30, 7.31, 7.40, does not perform any authentication checks for functionalities that require user identity.