CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,405 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 15 of 49
- CVE-2021-33843MEDIUMCVSS 5.3EG 5.32022-01-21
Fresenius Kabi Agilia SP MC WiFi vD25 and prior has a default configuration page accessible without authentication. An attacker may use this functionality to change the exposed configuration values such as network settings.
- CVE-2021-33882MEDIUMCVSS 6.8EG 6.82021-08-25
A Missing Authentication for Critical Function vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to reconfigure the device from an unknown source because of lack of authentication on proprietary networking co…
- CVE-2021-34538HIGHCVSS 7.5EG 7.52022-07-16
Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privile…
- CVE-2021-34543HIGHCVSS 7.5EG 7.52021-12-07
The web administration server in Solar-Log 500 before 2.8.2 Build 52 does not require authentication, which allows remote attackers to gain administrative privileges by connecting to the server. As a result, the attacker can modify configu…
- CVE-2021-34621CRITICALCVSS 9.8EG 9.82021-07-07
A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3…
- CVE-2021-34870MEDIUMCVSS 6.5EG 6.52022-01-25
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR XR1000 1.0.0.52_1.0.38 routers. Authentication is not required to exploit this vulnerability. The specific flaw exi…
- CVE-2021-34983MEDIUMCVSS 6.5EG 6.52024-05-07
NETGEAR Multiple Routers httpd Missing Authentication for Critical Function Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of multiple …
- CVE-2021-35587CRITICALCVSS 9.8EG 9.8⚠ KEV2022-01-19
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthentica…
- CVE-2021-3589HIGHCVSS 8.0EG 8.02022-03-23
An authorization flaw was found in Foreman Ansible. An authenticated attacker with certain permissions to create and run Ansible jobs can access hosts through job templates. The highest threat from this vulnerability is to data confidentia…
- CVE-2021-35936MEDIUMCVSS 5.3EG 5.32021-08-16
If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging se…
- CVE-2021-35941HIGHCVSS 7.5EG 7.52021-06-29
Western Digital WD My Book Live (2.x and later) and WD My Book Live Duo (all versions) have an administrator API that can perform a system factory restore without authentication, as exploited in the wild in June 2021, a different vulnerabi…
- CVE-2021-35979HIGHCVSS 8.1EG 8.12021-10-08
An issue was discovered in Digi RealPort through 4.8.488.0. The 'encrypted' mode is vulnerable to man-in-the-middle attacks and does not perform authentication.
- CVE-2021-36124CRITICALCVSS 9.8EG 9.82021-07-13
An issue was discovered in Echo ShareCare 8.15.5. It does not perform authentication or authorization checks when accessing a subset of sensitive resources, leading to the ability for unauthenticated users to access pages that are vulnerab…
- CVE-2021-36200MEDIUMCVSS 5.3EG 5.32022-07-22
Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users.
- CVE-2021-36779CRITICALCVSS 9.6EG 9.62021-12-17
A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. This issue affects: SUSE Longhorn longhorn vers…
- CVE-2021-36780HIGHCVSS 8.1EG 8.12021-12-17
A Missing Authentication for Critical Function vulnerability in longhorn of SUSE Longhorn allows attackers to connect to a longhorn-engine replica instance granting it the ability to read and write data to and from a replica that they shou…
- CVE-2021-36888CRITICALCVSS 9.8EG 9.82021-12-15
Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate (versions <= 9.6.1) WordPress plugin.
- CVE-2021-37234MEDIUMCVSS 6.5EG 6.52023-02-03
Incorrect Access Control vulnerability in Modern Honey Network commit 0abf0db9cd893c6d5c727d036e1f817c02de4c7b allows remote attackers to view sensitive information via crafted PUT request to Web API.
- CVE-2021-37415CRITICALCVSS 9.8EG 9.8⚠ KEV2021-09-01
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
- CVE-2021-37420MEDIUMCVSS 6.5EG 6.52021-09-21
Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing.
- CVE-2021-37624HIGHCVSS 7.5EG 7.52021-10-25
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, FreeSWITCH does not authenticat…
- CVE-2021-37696HIGHCVSS 7.1EG 7.12021-08-11
tmerc-cogs are a collection of open source plugins for the Red Discord bot. A vulnerability has been found in the code that allows any user to access sensitive information by crafting a specific MassDM message. Issue is patched in commit 9…
- CVE-2021-37697HIGHCVSS 7.1EG 7.12021-08-11
tmerc-cogs are a collection of open source plugins for the Red Discord bot. A vulnerability has been found in the code that allows any user to access sensitive information by crafting a specific membership event message. Issue is patched i…
- CVE-2021-37843CRITICALCVSS 9.8EG 9.82021-08-02
The resolution SAML SSO apps for Atlassian products allow a remote attacker to login to a user account when only the username is known (i.e., no other authentication is provided). The fixed versions are for Jira: 3.6.6.1, 4.0.12, 5.0.5; fo…
- CVE-2021-38147HIGHCVSS 7.5EG 7.52021-11-29
Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to download arbitrary files, such as reports containing sensitive information, because authentication is not required for API access to processexecution/DownloadE…
- CVE-2021-3825CRITICALCVSS 9.6EG 9.62021-10-01
On 2.1.15 version and below of Lider module in LiderAhenk software is leaking it's configurations via an unsecured API. An attacker with an access to the configurations API could get valid LDAP credentials.
- CVE-2021-38283HIGHCVSS 7.5EG 7.52021-11-29
Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read application log files containing sensitive information via a predictable /log URI.
- CVE-2021-38412CRITICALCVSS 9.6EG 9.82021-09-17
Properly formatted POST requests to multiple resources on the HTTP and HTTPS web servers of the Digi PortServer TS 16 Rack device do not require authentication or authentication tokens. This vulnerability could allow an attacker to enable …
- CVE-2021-38457CRITICALCVSS 9.8EG 9.82021-10-22
The server permits communication without any authentication procedure, allowing the attacker to initiate a session with the server without providing any form of authentication.
- CVE-2021-38540CRITICALCVSS 9.8EG 9.82021-09-09
The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service…
- CVE-2021-39144HIGHCVSS 8.5EG 9.0⚠ KEV2021-08-23
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stre…
- CVE-2021-39233CRITICALCVSS 9.1EG 9.12021-11-19
In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client.
- CVE-2021-39879LOWCVSS 2.2EG 2.22021-10-04
Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication
- CVE-2021-41104HIGHCVSS 7.5EG 7.52021-09-28
ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking…
- CVE-2021-41157MEDIUMCVSS 5.3EG 5.32021-10-26
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. By default, SIP requests of the type SUBSCRIBE are not a…
- CVE-2021-41266HIGHCVSS 8.6EG 9.02021-11-15
Minio console is a graphical user interface for the for MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is e…
- CVE-2021-41418CRITICALCVSS 9.8EG 9.82022-06-15
AriaNg v0.1.0~v1.2.2 is affected by an incorrect access control vulnerability through not authenticating visitors' access rights.
- CVE-2021-41568MEDIUMCVSS 5.3EG 6.52021-10-08
Tad Web is vulnerable to authorization bypass, thus remote attackers can exploit the vulnerability to use the original function of viewing bulletin boards and uploading files in the system.
- CVE-2021-41974CRITICALCVSS 9.1EG 9.12021-10-08
Tad Book3 editing book page does not perform identity verification. Remote attackers can use the vulnerability to view and modify arbitrary content of books without permission.
- CVE-2021-41975HIGHCVSS 7.5EG 9.12021-10-08
TadTools special page is vulnerable to authorization bypass, thus remote attackers can use the specific parameter to delete arbitrary files in the system without logging in.
- CVE-2021-41976MEDIUMCVSS 5.3EG 5.32021-10-08
Tad Uploader edit book list function is vulnerable to authorization bypass, thus remote attackers can use the function to amend the folder names in the book list without logging in.
- CVE-2021-42539HIGHCVSS 8.0EG 8.02021-10-22
The affected product is vulnerable to a missing permission validation on system backup restore, which could lead to account take over and unapproved settings change.
- CVE-2021-42783CRITICALCVSS 9.8EG 9.82021-11-23
Missing Authentication for Critical Function vulnerability in debug_post_set.cgi of D-Link DWR-932C E1 firmware allows an unauthenticated attacker to execute administrative actions.
- CVE-2021-42889HIGHCVSS 7.5EG 7.52022-06-03
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, wifiname, etc.) without authorization.
- CVE-2021-42891HIGHCVSS 7.5EG 7.52022-06-03
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, etc.) without authorization.
- CVE-2021-42893HIGHCVSS 7.5EG 7.52022-06-03
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, etc.) without authorization through getSysStatusCfg.
- CVE-2021-43333MEDIUMCVSS 6.5EG 6.52022-01-01
The Datalogic DXU service on (for example) DL-Axist devices does not require authentication for configuration changes or disclosure of configuration settings.
- CVE-2021-43447HIGHCVSS 7.5EG 7.52023-01-23
ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An authentication bypass in the document editor allows attackers to edit documents without authentication.
- CVE-2021-43483HIGHCVSS 8.0EG 8.02022-04-08
An Access Control vulnerability exists in CLARO KAON CG3000 1.00.67 in the router configuration, which could allow a malicious user to read or update the configuraiton without authentication.
- CVE-2021-43832CRITICALCVSS 10.0EG 10.02022-01-04
Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allowing pipeline creation & execution. This lets an arbitrary user with access to the gate endpoint to create a pipeline and execute…
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →