CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,405 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 19 of 49
- CVE-2022-34908HIGHCVSS 8.2EG 7.52023-02-27
An issue was discovered in the A4N (Aremis 4 Nomad) application 1.5.0 for Android. It possesses an authentication mechanism; however, some features do not require any token or cookie in a request. Therefore, an attacker may send a simple H…
- CVE-2022-35122CRITICALCVSS 9.1EG 9.12022-08-17
An access control issue in Ecowitt GW1100 Series Weather Stations <=GW1100B_v2.1.5 allows unauthenticated attackers to access sensitive information including device and local WiFi passwords.
- CVE-2022-35136MEDIUMCVSS 6.5EG 6.52022-10-13
Boodskap IoT Platform v4.4.9-02 allows attackers to make unauthenticated API requests.
- CVE-2022-35572HIGHCVSS 7.5EG 7.52022-09-12
On Linksys E5350 WiFi Router with firmware version 1.0.00.037 and lower, (and potentially other vendors/devices due to code reuse), the /SysInfo.htm URI does not require a session ID. This web page calls a show_sysinfo function which retri…
- CVE-2022-35733CRITICALCVSS 9.8EG 9.82022-08-23
Missing authentication for critical function vulnerability in UNIMO Technology digital video recorders (UDR-JA1004/JA1008/JA1016 firmware versions v1.0.20.13 and earlier, and UDR-JA1016 firmware versions v2.0.20.13 and earlier) allows a re…
- CVE-2022-35865HIGHCVSS 7.3EG 9.82022-08-03
This vulnerability allows remote attackers to execute arbitrary code on affected installations of BMC Track-It! 20.21.2.109. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authorization of…
- CVE-2022-35871HIGHCVSS 7.8EG 7.82022-07-25
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Authentication is not required to exploit this vulnerability. The specific flaw exists wi…
- CVE-2022-36129CRITICALCVSS 9.1EG 9.12022-07-26
HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing …
- CVE-2022-36249MEDIUMCVSS 5.4EG 5.42023-05-30
Shop Beat Solutions (Pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to Bypass 2FA via APIs. For Controlpanel Lite. "After login we are directly able to use the bearer token or jsession ID to access the apis instead of en…
- CVE-2022-36521HIGHCVSS 7.5EG 7.52022-08-26
Insecure permissions in cskefu v7.0.1 allows unauthenticated attackers to arbitrarily add administrator accounts.
- CVE-2022-36604HIGHCVSS 7.5EG 7.52022-09-01
An access control issue in Canaan Avalon ASIC Miner 2020.3.30 and below allows unauthenticated attackers to arbitrarily change user passwords via a crafted POST request.
- CVE-2022-36619HIGHCVSS 7.5EG 7.52022-08-31
In D-link DIR-816 A2_v1.10CNB04.img,the network can be reset without authentication via /goform/setMAC.
- CVE-2022-3674HIGHCVSS 7.3EG 9.82022-10-26
A vulnerability has been found in SourceCodester Sanitization Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to missing authentication. The attack can be…
- CVE-2022-3675LOWCVSS 2.6EG 5.52022-11-03
Fedora CoreOS supports setting a GRUB bootloader password using a Butane config. When this feature is enabled, GRUB requires a password to access the GRUB command-line, modify kernel command-line arguments, or boot non-default OSTree deplo…
- CVE-2022-36780MEDIUMCVSS 4.9EG 5.32022-09-13
Avdor CIS - crystal quality Credentials Management Errors. The product is phone call recorder, you can hear all the recorded calls without authenticate to the system. Attacker sends crafted URL to the system: ip:port//V=2;ChannellD=number;…
- CVE-2022-36884MEDIUMCVSS 5.3EG 5.32022-07-27
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.
- CVE-2022-36983CRITICALCVSS 9.8EG 9.82023-03-29
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The iss…
- CVE-2022-37062HIGHCVSS 7.5EG 7.52022-08-18
All FLIR AX8 thermal sensor cameras version up to and including 1.46.16 are affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI…
- CVE-2022-3738MEDIUMCVSS 5.9EG 5.42023-01-19
The vulnerability allows a remote unauthenticated attacker to download a backup file, if one exists. That backup file might contain sensitive information like credentials and cryptographic material. A valid user has to create a backup afte…
- CVE-2022-37680HIGHCVSS 7.5EG 7.52022-08-29
An improper authentication for critical function issue in Hitachi Kokusai Electric Network products for monitoring system (Camera, Decoder and Encoder) and bellow allows attckers to remotely reboot the device via a crafted POST request to …
- CVE-2022-38057MEDIUMCVSS 6.5EG 6.52024-03-25
Missing Authorization vulnerability in ThemeHunk Advance WordPress Search Plugin.This issue affects Advance WordPress Search Plugin: from n/a through 1.2.1.
- CVE-2022-38168CRITICALCVSS 9.1EG 9.12022-11-03
Broken Access Control in User Authentication in Avaya Scopia Pathfinder 10 and 20 PTS version 8.3.7.0.4 allows remote unauthenticated attackers to bypass the login page, access sensitive information, and reset user passwords via URL modifi…
- CVE-2022-38817HIGHCVSS 7.5EG 7.52022-10-03
Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data.
- CVE-2022-38870HIGHCVSS 7.5EG 2.72022-10-25
Free5gc v3.2.1 is vulnerable to Information disclosure.
- CVE-2022-39412HIGHCVSS 7.5EG 7.52022-10-18
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Admin Console). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network …
- CVE-2022-39425HIGHCVSS 8.1EG 8.12022-10-18
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.40. Difficult to exploit vulnerability allows unauthenticated attacker with network access …
- CVE-2022-39426HIGHCVSS 8.1EG 8.12022-10-18
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.40. Difficult to exploit vulnerability allows unauthenticated attacker with network access …
- CVE-2022-4018MEDIUMCVSS 4.3EG 4.32022-11-16
Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0a6.
- CVE-2022-40202CRITICALCVSS 9.8EG 9.82022-10-31
The database backup function in Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior lacks proper authentication. An attacker could provide malicious serialized objects which, when deserialized, could activate an opcode…
- CVE-2022-40684CRITICALCVSS 9.8EG 9.8⚠ KEV2022-10-18
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 an…
- CVE-2022-40725HIGHCVSS 7.3EG 7.32023-04-25
PingID Desktop prior to the latest released version 1.7.4 contains a vulnerability that can be exploited to bypass the maximum PIN attempts permitted before the time-based lockout is activated.
- CVE-2022-41271CRITICALCVSS 9.4EG 9.42022-12-13
An unauthenticated user can attach to an open interface exposed through JNDI by the Messaging System of SAP NetWeaver Process Integration (PI) - version 7.50. This user can make use of an open naming and directory API to access services th…
- CVE-2022-41272CRITICALCVSS 9.9EG 8.62022-12-13
An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) - version 7.50 and make use of an open naming and directory API to…
- CVE-2022-41331CRITICALCVSS 9.8EG 9.82023-04-11
A missing authentication for critical function vulnerability [CWE-306] in FortiPresence infrastructure server before version 1.2.1 allows a remote, unauthenticated attacker to access the Redis and MongoDB instances via crafted authenticati…
- CVE-2022-41505MEDIUMCVSS 6.4EG 6.42023-01-23
An access control issue on TP-LInk Tapo C200 V1 devices allows physically proximate attackers to obtain root access by connecting to the UART pins, interrupting the boot process, and setting an init=/bin/sh value.
- CVE-2022-41629HIGHCVSS 7.5EG 9.12022-10-31
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to access the aprunning endpoint, which could allow an attacker to retrieve any file from the “RunningConfigs” directory. The attacker…
- CVE-2022-41644HIGHCVSS 8.8EG 8.82022-10-31
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lacks authentication for a function that changes group privileges. An attacker could use this to create a denial-of-service state or escalate their own privileges. …
- CVE-2022-41688CRITICALCVSS 9.8EG 7.52022-10-31
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lack proper authentication for functions that create and modify user groups. An attacker could provide malicious serialized objects that could run these functions wit…
- CVE-2022-41776HIGHCVSS 7.5EG 7.52022-10-31
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to trigger the WriteConfiguration method, which could allow an attacker to provide new values for user configuration files such as UserLis…
- CVE-2022-42275HIGHCVSS 7.7EG 7.12023-01-13
NVIDIA BMC IPMI handler allows an unauthenticated host to write to a host SPI flash bypassing secureboot protections. This may lead to a loss of integrity and denial of service.
- CVE-2022-42276HIGHCVSS 7.5EG 8.22023-01-13
NVIDIA DGX A100 contains a vulnerability in SBIOS in the SmiFlash, where a local user with elevated privileges can read, write and erase flash, which may lead to code execution, escalation of privileges, denial of service, and information …
- CVE-2022-42277HIGHCVSS 7.5EG 8.22023-01-13
NVIDIA DGX Station contains a vulnerability in SBIOS in the SmiFlash, where a local user with elevated privileges can read, write and erase flash, which may lead to code execution, escalation of privileges, denial of service, and informati…
- CVE-2022-4228MEDIUMCVSS 5.3EG 7.52022-11-30
A vulnerability classified as problematic has been found in SourceCodester Book Store Management System 1.0. This affects an unknown part of the file /bsms_ci/index.php/user/edit_user/. The manipulation of the argument password leads to in…
- CVE-2022-4229HIGHCVSS 7.3EG 9.82022-11-30
A vulnerability classified as critical was found in SourceCodester Book Store Management System 1.0. This vulnerability affects unknown code of the file /bsms_ci/index.php. The manipulation leads to improper access controls. The attack can…
- CVE-2022-4240MEDIUMCVSS 6.5EG 6.52023-05-30
Missing Authentication for Critical Function vulnerability in Honeywell OneWireless allows Authentication Bypass. This issue affects OneWireless version 322.1
- CVE-2022-42458CRITICALCVSS 9.8EG 9.82022-12-07
Authentication bypass using an alternate path or channel vulnerability in bingo!CMS version1.7.4.1 and earlier allows a remote unauthenticated attacker to upload an arbitrary file. As a result, an arbitrary script may be executed and/or a …
- CVE-2022-42473MEDIUMCVSS 5.3EG 5.52022-11-02
A missing authentication for a critical function vulnerability in Fortinet FortiSOAR 6.4.0 - 6.4.4 and 7.0.0 - 7.0.3 and 7.2.0 allows an attacker to disclose information via logging into the database using a privileged account without a pa…
- CVE-2022-42785CRITICALCVSS 9.8EG 9.82022-11-15
Multiple W&T products of the ComServer Series are prone to an authentication bypass. An unathenticated remote attacker, can log in without knowledge of the password by crafting a modified HTTP GET Request.
- CVE-2022-42970CRITICALCVSS 9.8EG 9.82023-02-01
A CWE-306: Missing Authentication for Critical Function The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Affected Products: APC Easy UP…
- CVE-2022-42982HIGHCVSS 7.5EG 7.52022-11-17
BKG Professional NtripCaster 2.0.39 allows querying information over the UDP protocol without authentication. The NTRIP sourcetable is typically quite long (tens of kBs) and can be requested with a packet of only 30 bytes. This presents a …
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →