CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,405 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 21 of 49
- CVE-2022-50790HIGHCVSS 7.5EG 9.82025-12-30
SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated vulnerability that allows remote attackers to access live radio stream information through webplay or ffmpeg scripts. Attackers can exploit the vulnerability b…
- CVE-2022-50977HIGHCVSS 7.5EG 7.52026-02-02
An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via HTTP.
- CVE-2022-50978HIGHCVSS 7.5EG 7.52026-02-02
An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (TCP).
- CVE-2022-50979MEDIUMCVSS 6.5EG 6.52026-02-02
An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (RS485).
- CVE-2022-50980MEDIUMCVSS 6.5EG 6.52026-02-02
A unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via CAN.
- CVE-2022-50981CRITICALCVSS 9.8EG 9.82026-02-02
An unauthenticated remote attacker can gain full access on the affected devices as they are shipped without a password by default and setting one is not enforced.
- CVE-2023-0052CRITICALCVSS 9.8EG 8.82023-01-20
SAUTER Controls Nova 200–220 Series with firmware version 3.3-006 and prior and BACnetstac version 4.2.1 and prior allows the execution of commands without credentials. As Telnet and file transfer protocol (FTP) are the only protocols av…
- CVE-2023-0102CRITICALCVSS 9.1EG 9.12023-02-15
LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication for its deletion command. This could allow an attacker to delete arbitrary files.
- CVE-2023-0116HIGHCVSS 7.5EG 7.52023-05-26
The reminder module lacks an authentication mechanism for broadcasts received. Successful exploitation of this vulnerability may affect availability.
- CVE-2023-0354CRITICALCVSS 9.1EG 9.12023-03-13
The Akuvox E11 web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs.
- CVE-2023-0463LOWCVSS 3.3EG 3.32023-01-26
The force offline MFA prompt setting is not respected when switching to offline mode in Devolutions Remote Desktop Manager 2022.3.29 to 2022.3.30 allows a user to save sensitive data on disk.
- CVE-2023-0906HIGHCVSS 7.3EG 9.82023-02-18
A vulnerability classified as critical was found in SourceCodester Online Pizza Ordering System 1.0. Affected by this vulnerability is the function delete_category of the file ajax.php of the component POST Parameter Handler. The manipulat…
- CVE-2023-0919HIGHCVSS 8.1EG 3.52023-02-19
Missing Authentication for Critical Function in GitHub repository kareadita/kavita prior to 0.7.0.
- CVE-2023-1083CRITICALCVSS 9.8EG 9.82024-04-09
An unauthenticated remote attacker who is aware of a MQTT topic name can send and receive messages, including GET/SET configuration commands, reboot commands and firmware updates.
- CVE-2023-1096CRITICALCVSS 9.8EG 9.82023-05-12
SnapCenter versions 4.7 prior to 4.7P2 and 4.8 prior to 4.8P1 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to gain access as an admin user.
- CVE-2023-1140CRITICALCVSS 9.8EG 9.82023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability that could allow an attacker to achieve unauthenticated remote code execution in the context of an administrator.
- CVE-2023-1837HIGHCVSS 8.5EG 8.52023-05-23
Missing Authentication for critical function vulnerability in HYPR Server allows Authentication Bypass when using Legacy APIs.This issue affects HYPR Server: before 8.0 (with enabled Legacy APIs)
- CVE-2023-20003MEDIUMCVSS 4.7EG 4.72023-05-18
A vulnerability in the social login configuration option for the guest users of Cisco Business Wireless Access Points (APs) could allow an unauthenticated, adjacent attacker to bypass social login authentication. This vulnerability is due …
- CVE-2023-20126CRITICALCVSS 9.8EG 9.82023-05-04
A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authenticat…
- CVE-2023-20857MEDIUMCVSS 6.8EG 6.82023-02-28
VMware Workspace ONE Content contains a passcode bypass vulnerability. A malicious actor, with access to a users rooted device, may be able to bypass the VMware Workspace ONE Content passcode.
- CVE-2023-21743MEDIUMCVSS 5.3EG 5.32023-01-10
Microsoft SharePoint Server Security Feature Bypass Vulnerability
- CVE-2023-21837HIGHCVSS 7.5EG 7.52023-01-18
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated at…
- CVE-2023-21839HIGHCVSS 7.5EG 9.0⚠ KEV2023-01-18
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated at…
- CVE-2023-21842HIGHCVSS 7.5EG 7.52023-01-18
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthent…
- CVE-2023-21856HIGHCVSS 7.5EG 7.52023-01-18
Vulnerability in the Oracle iSetup product of Oracle E-Business Suite (component: General Ledger Update Transform, Reports). Supported versions that are affected are 12.2.3-12.2.12. Easily exploitable vulnerability allows unauthenticated …
- CVE-2023-2187MEDIUMCVSS 5.3EG 5.32023-06-07
On Triangle MicroWorks' SCADA Data Gateway version <= v5.01.03, an unauthenticated attacker can send broadcast events to any user via the WebMonitor.An unauthenticated user can use this vulnerability to forcefully log out of any currently …
- CVE-2023-21931HIGHCVSS 7.5EG 7.52023-04-18
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated at…
- CVE-2023-21979HIGHCVSS 7.5EG 7.52023-04-18
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated at…
- CVE-2023-22047HIGHCVSS 7.5EG 9.02023-07-18
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.59 and 8.60. Easily exploitable vulnerability allows unauthenticated attacker with networ…
- CVE-2023-22069CRITICALCVSS 9.8EG 9.82023-10-17
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with …
- CVE-2023-22072CRITICALCVSS 9.8EG 9.82023-10-17
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access…
- CVE-2023-22087HIGHCVSS 8.8EG 8.82023-10-17
Vulnerability in the Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). The supported version that is affected is 5.6. Easily exploitable vulnerability allows low privileged attacker with…
- CVE-2023-22101HIGHCVSS 8.1EG 8.12023-10-17
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows unauthenticated attacker wit…
- CVE-2023-2231CRITICALCVSS 9.8EG 9.82023-04-21
A vulnerability, which was classified as critical, was found in MAXTECH MAX-G866ac 0.4.1_TBRO_20160314. This affects an unknown part of the component Remote Management. The manipulation leads to missing authentication. It is possible to in…
- CVE-2023-22441HIGHCVSS 8.6EG 8.62023-05-10
Missing authentication for critical function exists in Seiko Solutions SkyBridge series, which may allow a remote attacker to obtain or alter the setting information of the product or execute some critical functions without authentication,…
- CVE-2023-22650HIGHCVSS 8.8EG 8.82024-10-16
A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher wil…
- CVE-2023-22803HIGHCVSS 7.5EG 7.52023-02-15
LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication to perform critical functions to the PLC. This could allow an attacker to change the PLC's mode arbitrarily.
- CVE-2023-22804CRITICALCVSS 9.1EG 9.82023-02-15
LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication to create users on the PLC. This could allow an attacker to create and use an account with elevated privileges and take control of the device.
- CVE-2023-22906HIGHCVSS 8.8EG 8.82023-07-04
Hero Qubo HCD01_02_V1.38_20220125 devices allow TELNET access with root privileges by default, without a password.
- CVE-2023-23444HIGHCVSS 7.5EG 7.52023-05-12
Missing Authentication for Critical Function in SICK Flexi Classic and Flexi Soft Gateways with Partnumbers 1042193, 1042964, 1044078, 1044072, 1044073, 1044074, 1099830, 1099832, 1127717, 1069070, 1112296, 1051432, 1102420, 1127487, 11215…
- CVE-2023-23451CRITICALCVSS 9.8EG 9.82023-04-19
The Flexi Classic and Flexi Soft Gateways SICK UE410-EN3 FLEXI ETHERNET GATEW. with serial number <=2311xxxx all Firmware versions, SICK UE410-EN1 FLEXI ETHERNET GATEW. with serial number <=2311xxxx all Firmware versions, SICK UE410-EN3S04…
- CVE-2023-23452CRITICALCVSS 9.8EG 9.82023-02-20
Missing Authentication for Critical Function in SICK FX0-GPNT v3 Firmware Version V3.04 and V3.05 allows an unprivileged remote attacker to achieve arbitrary remote code execution via maliciously crafted RK512 commands to the listener on T…
- CVE-2023-23453CRITICALCVSS 9.8EG 9.82023-02-20
Missing Authentication for Critical Function in SICK FX0-GENT v3 Firmware Version V3.04 and V3.05 allows an unprivileged remote attacker to achieve arbitrary remote code execution via maliciously crafted RK512 commands to the listener on T…
- CVE-2023-23545MEDIUMCVSS 5.3EG 5.32023-05-23
Missing authentication for critical function exists in T&D Corporation and ESPEC MIC CORP. data logger products, which may allow a remote unauthenticated attacker to alter the product settings without authentication. Affected products and …
- CVE-2023-23906HIGHCVSS 7.5EG 7.52023-05-10
Missing authentication for critical function exists in SkyBridge MB-A100/110 firmware Ver. 4.2.0 and earlier, which may allow a remote unauthenticated attacker to execute some critical functions without authentication, e.g., rebooting the …
- CVE-2023-24526MEDIUMCVSS 5.3EG 5.32023-03-14
SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities that require user identity, resulting in escalation of privileges. This failure has a low impact on …
- CVE-2023-24527MEDIUMCVSS 5.3EG 5.32023-04-11
SAP NetWeaver AS Java for Deploy Service - version 7.5, does not perform any access control checks for functionalities that require user identity enabling an unauthenticated attacker to attach to an open interface and make use of an open n…
- CVE-2023-24838CRITICALCVSS 9.8EG 9.82023-03-27
HGiga PowerStation has a vulnerability of Information Leakage. An unauthenticated remote attacker can exploit this vulnerability to obtain the administrator's credential. This credential can then be used to login PowerStation or Secure She…
- CVE-2023-24934MEDIUMCVSS 6.2EG 6.22023-04-14
Microsoft Defender Security Feature Bypass Vulnerability
- CVE-2023-25013HIGHCVSS 8.6EG 8.62023-02-02
An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to set the password of all frontend users.
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →