CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,405 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 26 of 49
- CVE-2024-10386CRITICALCVSS 9.8EG 9.82024-10-25
CVE-2024-10386 IMPACT An authentication vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in database manipulatio…
- CVE-2024-10649MEDIUMCVSS 6.1EG 6.12025-02-10
wandb/openui latest commit c945bb859979659add5f490a874140ad17c56a5d contains a vulnerability where unauthenticated endpoints allow file uploads and downloads from an AWS S3 bucket. This can lead to multiple security issues including denial…
- CVE-2024-1076MEDIUMCVSS 6.5EG 6.52024-05-08
The SSL Zen WordPress plugin before 4.6.0 does not properly prevent directory listing of the private keys folder, as it only relies on the use of .htaccess to prevent visitors from accessing the site's generated private keys, which allows…
- CVE-2024-10774HIGHCVSS 7.3EG 7.32024-12-06
Unauthenticated CROWN APIs allow access to critical functions. This leads to the accessibility of large parts of the web application without authentication.
- CVE-2024-10776HIGHCVSS 8.2EG 8.22024-12-06
Lua apps can be deployed, removed, started, reloaded or stopped without authorization via AppManager. This allows an attacker to remove legitimate apps creating a DoS attack, read and write files or load apps that use all features of the p…
- CVE-2024-10924CRITICALCVSS 9.8EG 9.82024-11-15
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with…
- CVE-2024-11639CRITICALCVSS 10.0EG 10.02024-12-10
An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access
- CVE-2024-11680CRITICALCVSS 9.8EG 9.8⚠ KEV2024-11-26
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of th…
- CVE-2024-11980HIGHCVSS 8.6EG 10.02024-11-29
Certain modes of routers from Billion Electric have a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access the specific functionality to obtain partial device information, modify the WiFi SSID,…
- CVE-2024-12106CRITICALCVSS 9.4EG 9.42024-12-31
In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings.
- CVE-2024-12371CRITICALCVSS 9.3EG 9.32024-12-18
A device takeover vulnerability exists in the Rockwell Automation Power Monitor 1000. This vulnerability allows configuration of a new Policyholder user without any authentication via API. Policyholder user is the most privileged user that…
- CVE-2024-12511HIGHCVSS 7.6EG 7.62025-02-03
With address book access, SMB/FTP settings could be modified, redirecting scans and possibly capturing credentials. This requires enabled scan functions and printer access.
- CVE-2024-12757HIGHCVSS 8.6EG 8.62025-01-17
Nedap Librix Ecoreader is missing authentication for critical functions that could allow an unauthenticated attacker to potentially execute malicious code.
- CVE-2024-12847CRITICALCVSS 9.8EG 9.82025-01-10
NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpo…
- CVE-2024-12857CRITICALCVSS 9.8EG 9.82025-01-22
The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the plugin not properly verifying a user's identity prior to logging them in as that user. This makes it po…
- CVE-2024-12869MEDIUMCVSS 4.3EG 4.32025-03-20
In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view another user's invite list. This can lead to a privacy breach where users' personal or private information, such as email a…
- CVE-2024-12957HIGHCVSS 8.4EG 8.42025-01-23
A file handling command vulnerability in certain versions of Armoury Crate may result in arbitrary file deletion. Refer to the '01/23/2025 Security Update for Armoury Crate App' section on the ASUS Security Advisory for more information.
- CVE-2024-13173HIGHCVSS 7.5EG 7.52025-01-08
The health module has insufficient restrictions on loading URLs, which may lead to some information leakage.
- CVE-2024-13185HIGHCVSS 7.5EG 7.52025-01-08
The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage.
- CVE-2024-13186HIGHCVSS 7.5EG 7.52025-01-08
The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage.
- CVE-2024-13553CRITICALCVSS 9.8EG 9.82025-04-01
The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if …
- CVE-2024-13771CRITICALCVSS 9.8EG 9.82025-03-14
The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This…
- CVE-2024-13772MEDIUMCVSS 5.6EG 5.62025-03-14
The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.6.1. This is due to a lack of password randomization and user validation thr…
- CVE-2024-14007HIGHCVSS 8.7EG 8.72025-11-24
Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) versions prior to 1.3.4 contain an authentication bypass in the NVMS-9000 control protocol. By sending a single crafted TCP payl…
- CVE-2024-1491HIGHCVSS 7.5EG 7.52024-04-18
The devices allow access to an unprotected endpoint that allows MPFS file system binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPRO…
- CVE-2024-1573MEDIUMCVSS 5.9EG 5.92024-07-04
Missing Authentication for Critical Function vulnerability in the mobile monitoring feature of Mitsubishi Electric GENESIS64 versions 10.97.2 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.2 and prior, Mitsubishi Electric Hype…
- CVE-2024-1662HIGHCVSS 7.5EG 7.22024-06-05
Missing Authentication for Critical Function, Missing Authorization vulnerability in PORTY Smart Tech Technology Joint Stock Company PowerBank Application allows Retrieve Embedded Sensitive Data. This issue affects PowerBank Application: …
- CVE-2024-2013CRITICALCVSS 10.0EG 10.02024-06-11
An authentication bypass vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway component that if exploited allows attackers without any access to interact with the services and the post-authentication attack surface.
- CVE-2024-20391MEDIUMCVSS 6.8EG 6.82024-05-15
A vulnerability in the Network Access Manager (NAM) module of Cisco Secure Client could allow an unauthenticated attacker with physical access to an affected device to elevate privileges to SYSTEM. This vulnerability is due to a lack of…
- CVE-2024-2076MEDIUMCVSS 5.3EG 5.32024-03-01
A vulnerability was found in CodeAstro House Rental Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file booking.php/owner.php/tenant.php. The manipulation leads to missi…
- CVE-2024-21006HIGHCVSS 7.5EG 9.02024-04-16
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with …
- CVE-2024-21007HIGHCVSS 7.5EG 7.52024-04-16
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with …
- CVE-2024-21014CRITICALCVSS 9.8EG 9.82024-04-16
Vulnerability in the Oracle Hospitality Simphony product of Oracle Food and Beverage Applications (component: Simphony Enterprise Server). Supported versions that are affected are 19.1.0-19.5.4. Easily exploitable vulnerability allows una…
- CVE-2024-2104HIGHCVSS 8.8EG 8.82025-12-10
Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable.
- CVE-2024-21146HIGHCVSS 8.1EG 8.12024-07-16
Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: GL Accounts). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with networ…
- CVE-2024-21183HIGHCVSS 7.5EG 7.52024-07-16
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with …
- CVE-2024-21272HIGHCVSS 7.5EG 7.52024-10-15
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 9.0.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access v…
- CVE-2024-21306MEDIUMCVSS 5.7EG 5.72024-01-09
Microsoft Bluetooth Driver Spoofing Vulnerability
- CVE-2024-21619MEDIUMCVSS 5.3EG 5.32024-01-25
A Missing Authentication for Critical Function vulnerability combined with a Generation of Error Message Containing Sensitive Information vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an unauthentic…
- CVE-2024-21654MEDIUMCVSS 4.8EG 4.82024-01-12
Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form all…
- CVE-2024-21824MEDIUMCVSS 5.3EG 5.32024-03-18
Improper authentication vulnerability in exists in multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. If this vulnerability is exploited, a network-adjacent user who can access the prod…
- CVE-2024-21846MEDIUMCVSS 5.3EG 5.32024-04-18
An unauthenticated attacker can reset the board and stop transmitter operations by sending a specially-crafted GET request to the command.cgi gateway, resulting in a denial-of-service scenario.
- CVE-2024-21855CRITICALCVSS 9.8EG 9.82024-11-21
A lack of authentication vulnerability exists in the HTTP API functionality of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vul…
- CVE-2024-22212CRITICALCVSS 9.6EG 9.62024-01-18
Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server. A problem in the password verification method allows an attacker to authenticate as another user. I…
- CVE-2024-22326MEDIUMCVSS 5.0EG 5.02024-06-06
IBM System Storage DS8900F 89.22.19.0, 89.30.68.0, 89.32.40.0, 89.33.48.0, 89.40.83.0, and 89.40.93.0 could allow a remote user to create an LDAP connection with a valid username and empty password to establish an anonymous connection. …
- CVE-2024-22415HIGHCVSS 7.3EG 7.32024-01-18
jupyter-lsp is a coding assistance tool for JupyterLab (code navigation + hover suggestions + linters + autocompletion + rename) using Language Server Protocol. Installations of jupyter-lsp running in environments without configured file s…
- CVE-2024-22449MEDIUMCVSS 6.6EG 6.62024-02-01
Dell PowerScale OneFS versions 9.0.0.x through 9.6.0.x contains a missing authentication for critical function vulnerability. A low privileged local malicious user could potentially exploit this vulnerability to gain elevated access.
- CVE-2024-22513MEDIUMCVSS 5.5EG 5.52024-03-16
djangorestframework-simplejwt version 5.3.1 and before is vulnerable to information disclosure. A user can access web application resources even after their account has been disabled due to missing user validation checks via the for_user m…
- CVE-2024-23618CRITICALCVSS 9.6EG 9.62024-01-26
An arbitrary code execution vulnerability exists in Arris SURFboard SGB6950AC2 devices. An unauthenticated attacker can exploit this vulnerability to achieve code execution as root.
- CVE-2024-23783HIGHCVSS 8.8EG 8.82024-02-14
Improper authentication vulnerability in Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a network-adjacent unauthenticated attacker to access the affected product without authentication.
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →