CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,405 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 17 of 49
- CVE-2022-21587CRITICALCVSS 9.8EG 9.8⚠ KEV2022-10-18
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attack…
- CVE-2022-21691MEDIUMCVSS 4.3EG 4.32022-01-18
OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions chat participants can spoof their channel leave message, tricking others…
- CVE-2022-21816MEDIUMCVSS 5.5EG 5.52022-02-07
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia.ko), where a user in the guest OS can cause a GPU interrupt storm on the hypervisor host, leading to a denial of service.
- CVE-2022-21952HIGHCVSS 7.5EG 7.52022-06-22
A Missing Authentication for Critical Function vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to easily exhaust available disk resources leading to DoS. This issue affects: SUSE …
- CVE-2022-22309MEDIUMCVSS 6.8EG 6.82022-05-24
The POWER systems FSP is vulnerable to unauthenticated logins through the serial port/TTY interface. This vulnerability can be more critical if the serial port is connected to a serial-over-lan device. IBM X-Force ID: 217095.
- CVE-2022-2242CRITICALCVSS 9.8EG 9.82022-08-10
The KUKA SystemSoftware V/KSS in versions prior to 8.6.5 is prone to improper access control as an unauthorized attacker can directly read and write robot configurations when access control is not available or not enabled (default).
- CVE-2022-22526CRITICALCVSS 9.8EG 9.82022-09-28
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a missing authentication allows for full access via API.
- CVE-2022-22576HIGHCVSS 8.1EG 8.12022-05-26
An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as…
- CVE-2022-22652MEDIUMCVSS 6.1EG 6.12022-03-18
The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical …
- CVE-2022-22809MEDIUMCVSS 5.3EG 5.32022-02-09
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow modifications of the touch configurations in an unauthorized manner when an attacker attempts to modify the touch configurations. Affected Produc…
- CVE-2022-23220HIGHCVSS 7.8EG 7.82022-01-21
USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, fo…
- CVE-2022-23227CRITICALCVSS 9.8EG 9.8⚠ KEV2022-01-14
NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE…
- CVE-2022-23345HIGHCVSS 7.5EG 7.52022-03-21
BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control.
- CVE-2022-23719HIGHCVSS 7.2EG 6.42022-06-30
PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine maybe able to exploit and spoof the l…
- CVE-2022-23862HIGHCVSS 7.8EG 8.42024-10-22
A Local Privilege Escalation issue was discovered in Y Soft SAFEQ 6 Build 53. The SafeQ JMX service running on port 9696 is vulnerable to JMX MLet attacks. Because the service did not enforce authentication and was running under the "NT Au…
- CVE-2022-23944CRITICALCVSS 9.1EG 9.12022-01-25
User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
- CVE-2022-23945HIGHCVSS 7.5EG 7.52022-01-25
Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
- CVE-2022-24111MEDIUMCVSS 5.3EG 5.32022-02-10
In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios created in groups that have not been shared with non-group members and portfolios created on the site and institution levels can be viewed without requiring a login if the…
- CVE-2022-24190HIGHCVSS 7.5EG 7.52022-11-28
The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account t…
- CVE-2022-24396HIGHCVSS 7.8EG 7.82022-03-10
The Simple Diagnostics Agent - versions 1.0 up to version 1.57, does not perform any authentication checks for functionalities that can be accessed via localhost on http port 3005. Due to lack of authentication checks, an attacker could ac…
- CVE-2022-24562CRITICALCVSS 9.8EG 9.82022-06-16
In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire file-system (with admin privileges) on the victim's endpoint, which can result in data…
- CVE-2022-2474CRITICALCVSS 9.8EG 8.02022-10-28
Authentication is currently unsupported in Haas Controller version 100.20.000.1110 when using the “Ethernet Q Commands” service, which allows any user on the same network segment as the controller (even while connected remotely) to acc…
- CVE-2022-24820MEDIUMCVSS 5.3EG 5.32022-04-08
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem ha…
- CVE-2022-24829HIGHCVSS 8.1EG 8.12022-04-11
Garden is an automation platform for Kubernetes development and testing. In versions prior to 0.12.39 multiple endpoints did not require authentication. In some operating modes this allows for an attacker to gain access to the application …
- CVE-2022-24935HIGHCVSS 7.5EG 7.52022-04-28
Lexmark products through 2022-02-10 have Incorrect Access Control.
- CVE-2022-24990HIGHCVSS 7.5EG 9.0⚠ KEV2023-02-07
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
- CVE-2022-25008HIGHCVSS 8.8EG 8.82022-03-30
totolink EX300_v2 V4.0.3c.140_B20210429 and EX1200T V4.1.2cu.5230_B20210706 does not contain an authentication mechanism.
- CVE-2022-25245MEDIUMCVSS 5.3EG 5.32022-04-05
Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name.
- CVE-2022-25247CRITICALCVSS 9.8EG 9.82022-03-16
Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send certain commands to a specific port without authentication. Successful exploitation of this vulnerability could allow a remote una…
- CVE-2022-25250HIGHCVSS 7.5EG 7.52022-03-16
When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send a certain command to a specific port without authentication. Successful exploitation of this vul…
- CVE-2022-25251CRITICALCVSS 9.8EG 9.82022-03-16
When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send certain XML messages to a specific port without proper authentication. Successful exploitation o…
- CVE-2022-25359CRITICALCVSS 9.1EG 9.12022-02-26
On ICL ScadaFlex II SCADA Controller SC-1 and SC-2 1.03.07 devices, unauthenticated remote attackers can overwrite, delete, or create files.
- CVE-2022-25508HIGHCVSS 7.5EG 7.52022-03-11
An access control issue in the component /ManageRoute/postRoute of FreeTAKServer v1.9.8 allows unauthenticated attackers to cause a Denial of Service (DoS) via an unusually large amount of created routes, or create unsafe or false routes f…
- CVE-2022-2552MEDIUMCVSS 5.3EG 5.32022-08-22
The Duplicator WordPress plugin before 1.4.7 does not authenticate or authorize visitors before displaying information about the system such as server software, php version and full file system path to the site.
- CVE-2022-25770HIGHCVSS 7.8EG 7.82024-09-18
Mautic allows you to update the application via an upgrade script. The upgrade logic isn't shielded off correctly, which may lead to vulnerable situation. This vulnerability is mitigated by the fact that Mautic needs to be installed in a…
- CVE-2022-25922MEDIUMCVSS 6.1EG 9.12022-03-10
Power Line Communications PLC4TRUCKS J2497 trailer brake controllers implement diagnostic functions which can be invoked by replaying J2497 messages. There is no authentication or authorization for these functions.
- CVE-2022-26026HIGHCVSS 7.5EG 7.52022-05-25
A denial of service vulnerability exists in the OAS Engine SecureConfigValues functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted network request can lead to loss of communications. An attacker can send …
- CVE-2022-26043HIGHCVSS 7.5EG 7.52022-05-25
An external config control vulnerability exists in the OAS Engine SecureAddSecurity functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to the creation of a custom Sec…
- CVE-2022-26067MEDIUMCVSS 4.9EG 7.52022-05-25
An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to arbitrary file read. An att…
- CVE-2022-26082CRITICALCVSS 9.1EG 9.82022-05-25
A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to remote code execution. An attacker can s…
- CVE-2022-26143CRITICALCVSS 9.8EG 9.8⚠ KEV2022-03-10
The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive …
- CVE-2022-26267HIGHCVSS 7.5EG 7.52022-03-18
Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.
- CVE-2022-26303HIGHCVSS 7.5EG 7.52022-05-25
An external config control vulnerability exists in the OAS Engine SecureAddUser functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to the creation of an OAS user acco…
- CVE-2022-26394MEDIUMCVSS 5.5EG 5.42022-09-09
The Baxter Spectrum WBM does not perform mutual authentication with the gateway server host. This may allow an attacker to perform a man in the middle attack that modifies parameters making the network connection fail.
- CVE-2022-26501CRITICALCVSS 9.8EG 9.8⚠ KEV2022-03-17
Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).
- CVE-2022-26833CRITICALCVSS 9.4EG 9.82022-05-25
An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. A specially-crafted series of HTTP requests can lead to unauthenticated use of the REST API. An attacker ca…
- CVE-2022-26925HIGHCVSS 8.1EG 9.0⚠ KEV2022-05-10
Windows LSA Spoofing Vulnerability
- CVE-2022-26971MEDIUMCVSS 5.3EG 5.32022-06-02
Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a license file upload mechanism. This upload can be executed without authentication.
- CVE-2022-27169HIGHCVSS 7.5EG 7.52022-05-25
An information disclosure vulnerability exists in the OAS Engine SecureBrowseFile functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted network request can lead to a disclosure of sensitive information. An…
- CVE-2022-27332CRITICALCVSS 9.1EG 9.12022-04-27
An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication. This vulnerability can allow attackers to execute phishing attacks or cause a Denial of Service (DoS).
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →