Vulnerabilities (CVE)

Filtered by CWE-306
Total 1325 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-26942 1 Axigen 1 Axigen Mail Server 2025-03-05 N/A 9.1 CRITICAL
An issue discovered in Axigen Mail Server 10.3.x before 10.3.1.27 and 10.3.2.x before 10.3.3.1 allows unauthenticated attackers to submit a setAdminPassword operation request, subsequently setting a new arbitrary password for the admin account.
CVE-2025-24924 2025-03-05 N/A 9.8 CRITICAL
Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username
CVE-2025-24865 1 Myscada 1 Mypro 2025-03-04 N/A 10.0 CRITICAL
The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sensitive information and upload files without the associated password.
CVE-2022-25770 1 Acquia 1 Mautic 2025-02-27 N/A 7.8 HIGH
Mautic allows you to update the application via an upgrade script. The upgrade logic isn't shielded off correctly, which may lead to vulnerable situation. This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable.
CVE-2023-25589 1 Arubanetworks 1 Clearpass Policy Manager 2025-02-27 N/A 9.8 CRITICAL
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to create arbitrary users on the platform. A successful exploit allows an attacker to achieve total cluster compromise.
CVE-2023-27060 1 Lightcms Project 1 Lightcms 2025-02-26 N/A 9.8 CRITICAL
LightCMS v1.3.7 was discovered to contain a remote code execution (RCE) vulnerability via the image:make function.
CVE-2023-28470 1 Couchbase 1 Couchbase Server 2025-02-24 N/A 5.3 MEDIUM
In Couchbase Server 5 through 7 before 7.1.4, the nsstats endpoint is accessible without authentication.
CVE-2022-26925 1 Microsoft 17 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 14 more 2025-02-24 4.3 MEDIUM 8.1 HIGH
Windows LSA Spoofing Vulnerability
CVE-2024-28179 1 Jupyter 1 Jupyter Server Proxy 2025-02-21 N/A 9.0 CRITICAL
Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue.
CVE-2024-8943 1 Latepoint 1 Latepoint 2025-02-20 N/A 9.8 CRITICAL
The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13.
CVE-2025-21355 2025-02-19 N/A 8.6 HIGH
Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network
CVE-2024-57055 2025-02-19 N/A 5.0 MEDIUM
Server-Side Access Control Bypass vulnerability in WombatDialer before 25.02 could allow unauthorized users to potentially call certain services without the necessary access level. This issue is limited to services used by the client (not the general-use JSON services) and requires reverse engineering of the proprietary serialization protocol, making it difficult to exploit.
CVE-2025-26345 2025-02-18 N/A 9.8 CRITICAL
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests.
CVE-2025-26344 2025-02-18 N/A 9.8 CRITICAL
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable passwordless guest mode via crafted HTTP requests.
CVE-2024-57725 2025-02-18 N/A 6.5 MEDIUM
An issue in the Arcadyan Livebox Fibra PRV3399B_B_LT allows a remote or local attacker to modify the GPON link value without authentication, causing an internet service disruption via the /firstconnection.cgi endpoint.
CVE-2025-25224 2025-02-18 N/A 5.3 MEDIUM
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
CVE-2024-8584 1 Learningdigital 1 Orca Hcm 2025-02-17 N/A 9.8 CRITICAL
Orca HCM from LEARNING DIGITAL has an Missing Authentication vulnerability, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in.
CVE-2025-0896 2025-02-13 N/A 9.8 CRITICAL
Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker.
CVE-2025-26366 2025-02-12 N/A 7.5 HIGH
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests.
CVE-2025-26365 2025-02-12 N/A 7.5 HIGH
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests.