CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,405 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 28 of 49
- CVE-2024-37368HIGHCVSS 7.5EG 7.52024-06-14
A user authentication vulnerability exists in the Rockwell Automation FactoryTalk® View SE. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. Due to the l…
- CVE-2024-3774MEDIUMCVSS 5.3EG 5.32024-04-15
aEnrich Technology a+HRD's functionality for front-end retrieval of system configuration values lacks proper restrictions on a specific parameter, allowing attackers to modify this parameter to access certain sensitive system configuration…
- CVE-2024-37767HIGHCVSS 7.5EG 7.52024-07-05
Insecure permissions in the component /api/admin/user of 14Finger v1.1 allows attackers to access all user information via a crafted GET request.
- CVE-2024-3777CRITICALCVSS 9.8EG 9.82024-04-15
The password reset feature of Ai3 QbiBot lacks proper access control, allowing unauthenticated remote attackers to reset any user's password.
- CVE-2024-37991MEDIUMCVSS 5.3EG 5.32024-09-10
A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versi…
- CVE-2024-38143MEDIUMCVSS 4.2EG 4.22024-08-13
Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability
- CVE-2024-38279MEDIUMCVSS 4.6EG 4.62024-06-13
The affected product is vulnerable to an attacker modifying the bootloader by using custom arguments to bypass authentication and gain access to the file system and obtain password hashes.
- CVE-2024-38437CRITICALCVSS 9.8EG 9.82024-07-21
D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel
- CVE-2024-38643CRITICALCVSS 9.8EG 9.82024-11-22
A missing authentication for critical function vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote attackers to gain access to and execute certain functions. We have already fixed …
- CVE-2024-39273CRITICALCVSS 9.0EG 9.02025-01-14
A firmware update vulnerability exists in the fw_check.sh functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary firmware update. An attacker can perform a man-in-the-middle attack to tri…
- CVE-2024-39300LOWCVSS 3.7EG 8.12024-08-30
Missing authentication vulnerability exists in Telnet function of WAB-I1750-PS v1.5.10 and earlier. When Telnet function of the product is enabled, a remote attacker may login to the product without authentication and alter the product's s…
- CVE-2024-39364MEDIUMCVSS 6.3EG 6.32024-09-27
Advantech ADAM-5630 has built-in commands that can be executed without authenticating the user. These commands allow for restarting the operating system, rebooting the hardware, and stopping the execution. The commands can be sent to a…
- CVE-2024-39601MEDIUMCVSS 6.5EG 6.52024-07-22
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V5.40), SICORE Base system (All versions < V1.4.0). Affected devices allow a remote authenticated user or an unauthenticated user with physical …
- CVE-2024-39608CRITICALCVSS 10.0EG 10.02025-01-14
A firmware update vulnerability exists in the login.cgi functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary firmware update. An attacker can send an unauthenticated message to trigger …
- CVE-2024-39707MEDIUMCVSS 5.3EG 5.32024-11-14
Insyde IHISI function 0x49 can restore factory defaults for certain UEFI variables without further authentication by default, which could lead to a possible roll-back attack in certain platforms. This is fixed in: kernel 5.2, version 05.29…
- CVE-2024-39773MEDIUMCVSS 5.3EG 5.32025-01-14
An information disclosure vulnerability exists in the testsave.sh functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send an HTTP request …
- CVE-2024-40087CRITICALCVSS 9.6EG 9.62024-10-21
Vilo 5 Mesh WiFi System <= 5.16.1.33 is vulnerable to Insecure Permissions. Lack of authentication in the custom TCP service on port 5432 allows remote, unauthenticated attackers to gain administrative access over the router.
- CVE-2024-40091MEDIUMCVSS 5.3EG 5.32024-10-21
Vilo 5 Mesh WiFi System <= 5.16.1.33 lacks authentication in the Boa webserver, which allows remote, unauthenticated attackers to retrieve logs with sensitive system.
- CVE-2024-40404CRITICALCVSS 9.8EG 9.82024-11-13
Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain an access control issue in the API endpoint where Web Sockets connections are established.
- CVE-2024-40405HIGHCVSS 8.1EG 8.12024-11-13
Incorrect access control in Cybele Software Thinfinity Workspace before v7.0.3.109 allows attackers to gain access to a secondary broker via a crafted request.
- CVE-2024-40408HIGHCVSS 7.3EG 7.32024-11-13
Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain an access control issue in the Create Profile section. This vulnerability allows attackers to create arbitrary user profiles with elevated privileges.
- CVE-2024-40717HIGHCVSS 8.8EG 8.82024-12-04
A vulnerability in Veeam Backup & Replication allows a low-privileged user with certain roles to perform remote code execution (RCE) by updating existing jobs. These jobs can be configured to run pre- and post-scripts, which can be located…
- CVE-2024-41259CRITICALCVSS 9.1EG 6.52024-08-01
Use of insecure hashing algorithm in the Gravatar's service in Navidrome v0.52.3 allows attackers to manipulate a user's account information.
- CVE-2024-41791HIGHCVSS 7.3EG 7.32025-04-08
A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not authenticate report creation requests. This could allow an unauthenticated remote attacker to read or cl…
- CVE-2024-41793HIGHCVSS 8.6EG 8.62025-04-08
A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices provides an endpoint that allows to enable the ssh service without authentication. This could allow an unauthenti…
- CVE-2024-41967HIGHCVSS 8.1EG 8.12024-11-18
A low privileged remote attacker may modify the boot mode configuration setup of the device, leading to modification of the firmware upgrade process or a denial-of-service attack.
- CVE-2024-41968MEDIUMCVSS 5.4EG 5.42024-11-18
A low privileged remote attacker may modify the docker settings setup of the device, leading to a limited DoS.
- CVE-2024-41969HIGHCVSS 8.8EG 8.82024-11-18
A low privileged remote attacker may modify the configuration of the CODESYS V3 service through a missing authentication vulnerability which could lead to full system access and/or DoS.
- CVE-2024-41988CRITICALCVSS 9.3EG 9.32024-10-03
TEM Opera Plus FM Family Transmitter allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. This file system serves as the basis for the HTTP2 web server module but is also used by…
- CVE-2024-42017CRITICALCVSS 10.0EG 10.02024-09-30
An issue was discovered in Atos Eviden iCare 2.7.1 through 2.7.11. The application exposes a web interface locally. In the worst-case scenario, if the application is remotely accessible, it allows an attacker to execute arbitrary commands …
- CVE-2024-42178LOWCVSS 2.5EG 2.52025-04-17
HCL MyXalytics is affected by a failure to restrict URL access vulnerability. Unauthenticated users might gain unauthorized access to potentially confidential information, creating a risk of misuse, manipulation, or unauthorized distributi…
- CVE-2024-42455HIGHCVSS 8.1EG 7.12024-12-04
A vulnerability in Veeam Backup & Replication allows a low-privileged user to connect to remoting services and exploit insecure deserialization by sending a serialized temporary file collection. This exploit allows the attacker to delete a…
- CVE-2024-42456HIGHCVSS 8.8EG 8.82024-12-04
A vulnerability in Veeam Backup & Replication platform allows a low-privileged user with a specific role to exploit a method that updates critical configuration settings, such as modifying the trusted client certificate used for authentica…
- CVE-2024-42462CRITICALCVSS 9.8EG 9.82024-08-16
Improper Authentication vulnerability in upKeeper Solutions product upKeeper Manager allows Authentication Bypass.This issue affects upKeeper Manager: through 5.1.9.
- CVE-2024-43272MEDIUMCVSS 5.3EG 5.32024-08-19
Missing Authentication for Critical Function vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Icegram: from n/a through 3.1.24.
- CVE-2024-4332CRITICALCVSS 9.3EG 9.32024-06-03
An authentication bypass vulnerability has been identified in the REST and SOAP API components of Tripwire Enterprise (TE) 9.1.0 when TE is configured to use LDAP/Active Directory SAML authentication and its optional "Auto-synchronize LDAP…
- CVE-2024-43488HIGHCVSS 8.8EG 8.82024-10-08
Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attacker to perform remote code execution through network attack vector.
- CVE-2024-43798HIGHCVSS 8.6EG 8.62024-08-26
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. The Chisel server doesn't ever read the documented `AUTH` environment variable used to set credentials, which allows any unauthenticated user to connect, even if cred…
- CVE-2024-4428CRITICALCVSS 9.8EG 9.82024-08-29
Missing Authentication for Critical Function, Missing Authorization vulnerability in Menulux Information Technologies Managment Portal allows Collect Data as Provided by Users. This issue affects Managment Portal: through 21.05.2024.
- CVE-2024-45049HIGHCVSS 7.5EG 7.52024-08-27
Hydra is a Continuous Integration service for Nix based projects. It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of evaluations, this can impact the availability of systems. The problem can…
- CVE-2024-45075HIGHCVSS 8.8EG 8.82024-09-04
IBM webMethods Integration 10.15 could allow an authenticated user to create scheduler tasks that would allow them to escalate their privileges to administrator due to missing authentication.
- CVE-2024-45229MEDIUMCVSS 6.6EG 6.62024-09-20
The Versa Director offers REST APIs for orchestration and management. By design, certain APIs, such as the login screen, banner display, and device registration, do not require authentication. However, it was discovered that for Directors …
- CVE-2024-45274CRITICALCVSS 9.8EG 9.82024-10-15
An unauthenticated remote attacker can execute OS commands via UDP on the device due to missing authentication.
- CVE-2024-45276HIGHCVSS 7.5EG 7.52024-10-15
An unauthenticated remote attacker can get read access to files in the "/tmp" directory due to missing authentication.
- CVE-2024-45355MEDIUMCVSS 5.5EG 5.52025-03-27
A unauthorized access vulnerability exists in the Xiaomi phone framework. The vulnerability is caused by improper validation and can be exploited by attackers to Access sensitive methods.
- CVE-2024-45356HIGHCVSS 7.3EG 7.32025-03-27
A unauthorized access vulnerability exists in the Xiaomi phone framework. The vulnerability is caused by improper validation and can be exploited by attackers to Access sensitive methods.
- CVE-2024-45438CRITICALCVSS 9.1EG 9.12025-08-21
An issue was discovered in TitanHQ SpamTitan Email Security Gateway 8.00.x before 8.00.101 and 8.01.x before 8.01.14. The file quarantine.php within the SpamTitan interface allows unauthenticated users to trigger account-level actions usin…
- CVE-2024-45483HIGHCVSS 7.0EG 7.02025-03-25
A Missing Authentication for Critical Function vulnerability in the GRUB configuration used B&R APROL <4.4-01 may allow an unauthenticated physical attacker to alter the boot configuration of the operating system.
- CVE-2024-45844HIGHCVSS 7.2EG 7.22024-10-16
BIG-IP monitor functionality may allow an attacker to bypass access control restrictions, regardless of the port lockdown settings. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- CVE-2024-46293CRITICALCVSS 9.8EG 9.82024-09-30
Sourcecodester Online Medicine Ordering System 1.0 is vulnerable to Incorrect Access Control. There is a lack of authorization checks for admin operations. Specifically, an attacker can perform admin-level actions without possessing a vali…
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →