CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,405 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 13 of 49
- CVE-2020-9062MEDIUMCVSS 5.3EG 5.32020-08-21
Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30 do not encrypt, authenticate, or verify the integrity of messages between the CCDM and the host computer, allowing an attacker with physical access to internal A…
- CVE-2020-9143MEDIUMCVSS 5.3EG 5.32021-01-13
There is a missing authentication vulnerability in some Huawei smartphone.Successful exploitation of this vulnerability may lead to low-sensitive information exposure.
- CVE-2020-9208MEDIUMCVSS 6.5EG 6.52020-12-29
There is an information leak vulnerability in iManager NetEco 6000 versions V600R021C00. A module is lack of authentication. Attackers without access to the module can exploit this vulnerability to obtain extra information, leading to info…
- CVE-2020-9275CRITICALCVSS 9.8EG 9.82020-04-20
An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. A cfm UDP service listening on port 65002 allows remote, unauthenticated exfiltration of administrative credentials.
- CVE-2020-9278CRITICALCVSS 9.1EG 9.12020-04-20
An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. The device can be reset to its default configuration by accessing an unauthenticated URL.
- CVE-2020-9315HIGHCVSS 7.5EG 9.02020-05-10
** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7.0.x has Incorrect Access Control for admingui/version URIs in the Administration console, as demonstrated by unauthenticated read access to encryption keys. NOTE: a rela…
- CVE-2020-9325HIGHCVSS 7.5EG 7.52020-03-18
Aquaforest TIFF Server 4.0 allows Unauthenticated Arbitrary File Download.
- CVE-2020-9330HIGHCVSS 8.8EG 8.82020-02-21
Certain Xerox WorkCentre printers before 073.xxx.000.02300 do not require the user to reenter or validate LDAP bind credentials when changing the LDAP connector IP address. A malicious actor who gains access to affected devices (e.g., by u…
- CVE-2020-9349HIGHCVSS 7.5EG 7.52020-04-02
The CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 allows access to the RTSP service without a password.
- CVE-2020-9473MEDIUMCVSS 6.6EG 6.62020-04-06
The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 has a passwordless ftp ssh user. By using an exploit chain, an attacker with access to the network can get root access on the gateway.
- CVE-2020-9480CRITICALCVSS 9.8EG 9.82020-06-23
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in sta…
- CVE-2020-9487HIGHCVSS 7.5EG 7.52020-10-01
In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An un…
- CVE-2020-9544HIGHCVSS 7.5EG 7.52020-03-05
An issue was discovered on D-Link DSL-2640B E1 EU_1.01 devices. The administrative interface doesn't perform authentication checks for a firmware-update POST request. Any attacker that can access the administrative interface can install fi…
- CVE-2021-1011MEDIUMCVSS 5.5EG 5.52021-12-15
In setPackageStoppedState of PackageManagerService.java, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.P…
- CVE-2021-1246MEDIUMCVSS 6.5EG 6.12021-01-13
Cisco Finesse, Cisco Virtualized Voice Browser, and Cisco Unified CVP OpenSocial Gadget Editor Unauthenticated Access Vulnerability A vulnerability in the web management interface of Cisco Finesse, Cisco Virtualized Voice Browser, and C…
- CVE-2021-1393CRITICALCVSS 9.8EG 9.82021-02-24
Multiple vulnerabilities in Cisco Application Services Engine could allow an unauthenticated, remote attacker to gain privileged access to host-level operations or to learn device-specific information, create diagnostic files, and make lim…
- CVE-2021-1396CRITICALCVSS 9.8EG 9.82021-02-24
Multiple vulnerabilities in Cisco Application Services Engine could allow an unauthenticated, remote attacker to gain privileged access to host-level operations or to learn device-specific information, create diagnostic files, and make lim…
- CVE-2021-1499MEDIUMCVSS 5.3EG 9.02021-05-06
A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the up…
- CVE-2021-20067MEDIUMCVSS 5.3EG 5.32021-02-16
Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to view sensitive syslog events without authentication.
- CVE-2021-20107MEDIUMCVSS 5.4EG 5.42021-06-30
There exists an unauthenticated BLE Interface in Sloan SmartFaucets including Optima EAF, Optima ETF/EBF, BASYS EFX, and Flushometers including SOLIS. The vulnerability allows for unauthenticated kinetic effects and information disclosure …
- CVE-2021-20136CRITICALCVSS 9.8EG 9.82021-11-01
ManageEngine Log360 Builds < 5235 are affected by an improper access control vulnerability allowing database configuration overwrite. An unauthenticated remote attacker can send a specially crafted message to Log360 to change its backend d…
- CVE-2021-20150MEDIUMCVSS 5.3EG 5.32021-12-30
Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authentication can be bypassed and a user may view information as Admin by manually browsing to the setup wizard and forcing…
- CVE-2021-20152MEDIUMCVSS 6.5EG 6.52021-12-30
Trendnet AC2600 TEW-827DRU version 2.08B01 lacks proper authentication to the bittorrent functionality. If enabled, anyone is able to visit and modify settings and files via the Bittorent web client by visiting: http://192.168.10.1:9091/tr…
- CVE-2021-20158CRITICALCVSS 9.8EG 9.82021-12-30
Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicous actor to force the change of the admin password due to a hidden administrative command.
- CVE-2021-20161MEDIUMCVSS 6.8EG 6.82021-12-30
Trendnet AC2600 TEW-827DRU version 2.08B01 does not have sufficient protections for the UART functionality. A malicious actor with physical access to the device is able to connect to the UART port via a serial connection. No username or pa…
- CVE-2021-20198HIGHCVSS 8.1EG 8.12021-02-23
A flaw was found in the OpenShift Installer before version v0.9.0-master.0.20210125200451-95101da940b0. During installation of OpenShift Container Platform 4 clusters, bootstrap nodes are provisioned with anonymous authentication enabled o…
- CVE-2021-20238LOWCVSS 3.7EG 3.72022-04-01
It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication. The MCS endpoint (port 22623) provides ignition configuration used f…
- CVE-2021-20262MEDIUMCVSS 6.8EG 6.82021-03-09
A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user’s browser. The highest t…
- CVE-2021-20474HIGHCVSS 7.5EG 7.52021-07-07
IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
- CVE-2021-20662HIGHCVSS 7.5EG 7.52021-02-24
Missing authentication for critical function in SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an attacker to alter the setting information without the access privileges via unspecified vectors.
- CVE-2021-20697CRITICALCVSS 9.8EG 9.82021-04-26
Missing authentication for critical function in DAP-1880AC firmware version 1.21 and earlier allows a remote attacker to login to the device as an authenticated user without the access privilege via unspecified vectors.
- CVE-2021-20990HIGHCVSS 7.5EG 7.52021-04-19
In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a r…
- CVE-2021-20998CRITICALCVSS 10.0EG 10.02021-05-13
In multiple managed switches by WAGO in different versions without authorization and with specially crafted packets it is possible to create users.
- CVE-2021-21472HIGHCVSS 8.8EG 8.82021-02-09
SAP Software Provisioning Manager 1.0 (SAP NetWeaver Master Data Management Server 7.1) does not have an option to set password during its installation, this allows an authenticated attacker to perform various security attacks like Directo…
- CVE-2021-21535HIGHCVSS 7.4EG 7.42021-04-30
Dell Hybrid Client versions prior to 1.5 contain a missing authentication for a critical function vulnerability. A local unauthenticated attacker may exploit this vulnerability in order to gain root level access to the system.
- CVE-2021-21964HIGHCVSS 7.4EG 7.52022-02-04
A denial of service vulnerability exists in the Modbus configuration functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. Specially-crafted network packets can lead to denial of service. An attacker can send a malicious packet …
- CVE-2021-21986CRITICALCVSS 9.8EG 9.82021-05-26
The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with n…
- CVE-2021-22012HIGHCVSS 7.5EG 7.52021-09-23
The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive …
- CVE-2021-22159HIGHCVSS 7.8EG 7.82021-01-26
Insider Threat Management Windows Agent Local Privilege Escalation Vulnerability The Proofpoint Insider Threat Management (formerly ObserveIT) Agent for Windows before 7.4.3, 7.5.4, 7.6.5, 7.7.5, 7.8.4, 7.9.3, 7.10.2, and 7.11.0.25 as well…
- CVE-2021-22279CRITICALCVSS 9.8EG 9.82021-12-13
A Missing Authentication vulnerability in RobotWare for the OmniCore robot controller allows an attacker to read and modify files on the robot controller if the attacker has access to the Connected Services Gateway Ethernet port.
- CVE-2021-22316MEDIUMCVSS 6.8EG 6.82021-06-03
There is a Missing Authentication for Critical Function vulnerability in Huawei Smartphone. Attackers with physical access to the device can thereby exploit this vulnerability. A successful exploitation of this vulnerability can compromise…
- CVE-2021-22322HIGHCVSS 7.5EG 7.52021-06-03
There is a Missing Authentication for Critical Function vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may impair data confidentiality.
- CVE-2021-22652CRITICALCVSS 9.8EG 9.82021-02-11
Access to the Advantech iView versions prior to v5.7.03.6112 configuration are missing authentication, which may allow an unauthorized attacker to change the configuration and obtain code execution.
- CVE-2021-22772CRITICALCVSS 9.8EG 9.82021-07-21
A CWE-306: Missing Authentication for Critical Function vulnerability exists in Easergy T200 ((Modbus) SC2-04MOD-07000100 and earlier), Easergy T200 ((IEC104) SC2-04IEC-07000100 and earlier), and Easergy T200 ((DNP3) SC2-04DNP-07000102 and…
- CVE-2021-22784MEDIUMCVSS 5.7EG 5.72021-07-21
A CWE-306: Missing Authentication for Critical Function vulnerability exists in C-Bus Toolkit v1.15.8 and prior that could allow an attacker to use a crafted webpage to obtain remote access to the system.
- CVE-2021-22805CRITICALCVSS 9.1EG 9.12022-02-11
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause deletion of arbitrary files in the context of the user running IGSS due to lack of validation of network messages. Affected Product: Interactive …
- CVE-2021-22823CRITICALCVSS 9.1EG 9.12022-02-11
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause deletion of arbitrary files in the context of the user running IGSS due to lack of validation of network messages. Affected Product: Interactive …
- CVE-2021-22850MEDIUMCVSS 5.3EG 9.82021-01-19
HGiga EIP product lacks ineffective access control in certain pages that allow attackers to access database or perform privileged functions.
- CVE-2021-22995HIGHCVSS 7.5EG 7.52021-03-31
On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ high availability (HA) when using a Quorum device for automatic failover does not implement any form of authentication with the Corosync daemon. Note: Software versions which have reache…
- CVE-2021-22997HIGHCVSS 7.5EG 7.52021-03-31
On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ HA ElasticSearch service does not implement any form of authentication for the clustering transport services, and all data used by ElasticSearch for transport is unencrypted. Note: Softw…
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →