CWE-306: Missing Authentication for Critical Function
2,156 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. The full definition is published by MITRE.
CVEs classified under CWE-306 (page 21 of 44)
- CVE-2023-0354 | CRITICAL | CVSS 9.1 | EG 9.1 | 2023-03-13
The Akuvox E11 web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs.
- CVE-2023-0463 | LOW | CVSS 3.3 | EG 3.3 | 2023-01-26
The force offline MFA prompt setting is not respected when switching to offline mode in Devolutions Remote Desktop Manager 2022.3.29 to 2022.3.30 allows a user to save sensitive data on disk.
- CVE-2023-0906 | HIGH | CVSS 7.3 | EG 9.8 | 2023-02-18
A vulnerability classified as critical was found in SourceCodester Online Pizza Ordering System 1.0. Affected by this vulnerability is the function delete_category of the file ajax.php of the component POST Parameter Handler. The manipulat…
- CVE-2023-0919 | HIGH | CVSS 8.1 | EG 3.5 | 2023-02-19
Missing Authentication for Critical Function in GitHub repository kareadita/kavita prior to 0.7.0.
- CVE-2023-1083 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-04-09
An unauthenticated remote attacker who is aware of a MQTT topic name can send and receive messages, including GET/SET configuration commands, reboot commands and firmware updates.
- CVE-2023-1096 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-05-12
SnapCenter versions 4.7 prior to 4.7P2 and 4.8 prior to 4.8P1 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to gain access as an admin user.
- CVE-2023-1140 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability that could allow an attacker to achieve unauthenticated remote code execution in the context of an administrator.
- CVE-2023-1837 | HIGH | CVSS 8.5 | EG 8.5 | 2023-05-23
Missing Authentication for Critical Function vulnerability in HYPR Server allows Authentication Bypass when using Legacy APIs. This issue affects HYPR Server: before 8.0 (with enabled Legacy APIs).
- CVE-2023-20003 | MEDIUM | CVSS 4.7 | EG 4.7 | 2023-05-18
A vulnerability in the social login configuration option for the guest users of Cisco Business Wireless Access Points (APs) could allow an unauthenticated, adjacent attacker to bypass social login authentication. This vulnerability is due …
- CVE-2023-20126 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-05-04
A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authenticat…
- CVE-2023-20857 | MEDIUM | CVSS 6.8 | EG 6.8 | 2023-02-28
VMware Workspace ONE Content contains a passcode bypass vulnerability. A malicious actor, with access to a user's rooted device, may be able to bypass the VMware Workspace ONE Content passcode.
- CVE-2023-21743 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-01-10
Microsoft SharePoint Server Security Feature Bypass Vulnerability
- CVE-2023-21837 | HIGH | CVSS 7.5 | EG 7.5 | 2023-01-18
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated at…
- CVE-2023-21839 | HIGH | CVSS 7.5 | EG 9.0 | ⚠ KEV | 2023-01-18
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated at…
- CVE-2023-21842 | HIGH | CVSS 7.5 | EG 7.5 | 2023-01-18
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthent…
- CVE-2023-21856 | HIGH | CVSS 7.5 | EG 7.5 | 2023-01-18
Vulnerability in the Oracle iSetup product of Oracle E-Business Suite (component: General Ledger Update Transform, Reports). Supported versions that are affected are 12.2.3-12.2.12. Easily exploitable vulnerability allows unauthenticated …
- CVE-2023-2187 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-06-07
On Triangle MicroWorks' SCADA Data Gateway version <= v5.01.03, an unauthenticated attacker can send broadcast events to any user via the WebMonitor. An unauthenticated user can use this vulnerability to forcefully log out of any currently …
- CVE-2023-21931 | HIGH | CVSS 7.5 | EG 7.5 | 2023-04-18
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated at…
- CVE-2023-21979 | HIGH | CVSS 7.5 | EG 7.5 | 2023-04-18
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated at…
- CVE-2023-22047 | HIGH | CVSS 7.5 | EG 9.0 | 2023-07-18
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.59 and 8.60. Easily exploitable vulnerability allows unauthenticated attacker with networ…
- CVE-2023-22069 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-17
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with …
- CVE-2023-22072 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-17
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access…
- CVE-2023-22087 | HIGH | CVSS 8.8 | EG 8.8 | 2023-10-17
Vulnerability in the Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). The supported version that is affected is 5.6. Easily exploitable vulnerability allows low privileged attacker with…
- CVE-2023-22101 | HIGH | CVSS 8.1 | EG 8.1 | 2023-10-17
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows unauthenticated attacker wit…
- CVE-2023-2231 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-04-21
A vulnerability, which was classified as critical, was found in MAXTECH MAX-G866ac 0.4.1_TBRO_20160314. This affects an unknown part of the component Remote Management. The manipulation leads to missing authentication. It is possible to in…
- CVE-2023-22441 | HIGH | CVSS 8.6 | EG 8.6 | 2023-05-10
Missing authentication for critical function exists in Seiko Solutions SkyBridge series, which may allow a remote attacker to obtain or alter the setting information of the product or execute some critical functions without authentication,…
- CVE-2023-22650 | HIGH | CVSS 8.8 | EG 8.8 | 2024-10-16
A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher wil…
- CVE-2023-22803 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-15
LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication to perform critical functions to the PLC. This could allow an attacker to change the PLC's mode arbitrarily.
- CVE-2023-22804 | CRITICAL | CVSS 9.1 | EG 9.8 | 2023-02-15
LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication to create users on the PLC. This could allow an attacker to create and use an account with elevated privileges and take control of the device.
- CVE-2023-22906 | HIGH | CVSS 8.8 | EG 8.8 | 2023-07-04
Hero Qubo HCD01_02_V1.38_20220125 devices allow TELNET access with root privileges by default, without a password.
- CVE-2023-23444 | HIGH | CVSS 7.5 | EG 7.5 | 2023-05-12
Missing Authentication for Critical Function in SICK Flexi Classic and Flexi Soft Gateways with Partnumbers 1042193, 1042964, 1044078, 1044072, 1044073, 1044074, 1099830, 1099832, 1127717, 1069070, 1112296, 1051432, 1102420, 1127487, 11215…
- CVE-2023-23451 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-04-19
The Flexi Classic and Flexi Soft Gateways SICK UE410-EN3 FLEXI ETHERNET GATEW. with serial number <=2311xxxx all Firmware versions, SICK UE410-EN1 FLEXI ETHERNET GATEW. with serial number <=2311xxxx all Firmware versions, SICK UE410-EN3S04…
- CVE-2023-23452 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-02-20
Missing Authentication for Critical Function in SICK FX0-GPNT v3 Firmware Version V3.04 and V3.05 allows an unprivileged remote attacker to achieve arbitrary remote code execution via maliciously crafted RK512 commands to the listener on T…
- CVE-2023-23453 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-02-20
Missing Authentication for Critical Function in SICK FX0-GENT v3 Firmware Version V3.04 and V3.05 allows an unprivileged remote attacker to achieve arbitrary remote code execution via maliciously crafted RK512 commands to the listener on T…
- CVE-2023-23545 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-05-23
Missing authentication for critical function exists in T&D Corporation and ESPEC MIC CORP. data logger products, which may allow a remote unauthenticated attacker to alter the product settings without authentication. Affected products and …
- CVE-2023-23906 | HIGH | CVSS 7.5 | EG 7.5 | 2023-05-10
Missing authentication for critical function exists in SkyBridge MB-A100/110 firmware Ver. 4.2.0 and earlier, which may allow a remote unauthenticated attacker to execute some critical functions without authentication, e.g., rebooting the …
- CVE-2023-24526 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-03-14
SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on …
- CVE-2023-24527 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-04-11
SAP NetWeaver AS Java for Deploy Service - version 7.5, does not perform any access control checks for functionalities that require user identity enabling an unauthenticated attacker to attach to an open interface and make use of an open n…
- CVE-2023-24838 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-03-27
HGiga PowerStation has an Information Leakage vulnerability. An unauthenticated remote attacker can exploit this vulnerability to obtain the administrator's credential. This credential can then be used to log in to PowerStation or Secure She…
- CVE-2023-24934 | MEDIUM | CVSS 6.2 | EG 6.2 | 2023-04-14
Microsoft Defender Security Feature Bypass Vulnerability
- CVE-2023-25013 | HIGH | CVSS 8.6 | EG 8.6 | 2023-02-02
An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to set the password of all frontend users.
- CVE-2023-25014 | HIGH | CVSS 8.6 | EG 8.6 | 2023-02-02
An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users.
- CVE-2023-25493 | MEDIUM | CVSS 6.7 | EG 6.7 | 2024-04-05
A potential vulnerability was reported in the BIOS update tool driver for some Desktop, Smart Edge, Smart Office, and ThinkStation products that could allow a local user with elevated privileges to execute arbitrary code.
- CVE-2023-25570 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-20
Apollo is a configuration management system. Prior to version 2.1.0, there are potential security issues if users expose apollo-configservice to the internet, which is not recommended. This is because there is no authentication feature ena…
- CVE-2023-25589 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-03-22
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to create arbitrary users on the platform. A successful exploit allows an attacker to achieve total cluster co…
- CVE-2023-25615 | MEDIUM | CVSS 6.8 | EG 4.9 | 2023-03-14
Due to insufficient input sanitization, SAP ABAP - versions 751, 753, 753, 754, 756, 757, 791, allows an authenticated high privileged user to alter the current session of the user by injecting the malicious database queries over the netwo…
- CVE-2023-25780 | MEDIUM | CVSS 5.7 | EG 5.7 | 2023-06-02
A vulnerability of insufficient authentication was identified in an important specific function of Status PowerBPM. A LAN attacker with normal user privilege can exploit this vulnerability to modify the substitute agent to arbitrary users, r…
- CVE-2023-26570 | HIGH | CVSS 7.5 | EG 7.5 | 2023-10-25
Missing authentication in the StudentPopupDetails_Timetable method in IDAttend's IDWeb application 3.1.052 and earlier allows extraction of sensitive student data by unauthenticated attackers.
- CVE-2023-26571 | HIGH | CVSS 7.5 | EG 7.5 | 2023-10-25
Missing authentication in the SetStudentNotes method in IDAttend’s IDWeb application 3.1.052 and earlier allows modification of student data by unauthenticated attackers.
- CVE-2023-26573 | HIGH | CVSS 8.2 | EG 8.2 | 2023-10-25
Missing authentication in the SetDB method in IDAttend’s IDWeb application 3.1.052 and earlier allows denial of service or theft of database login credentials.