Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-8292

Summary
Assigner-larry_cashdollar
Assigner Org ID-461b2335-328f-427d-ae3d-eff7d6814455
Published At-01 Oct, 2019 | 19:53
Updated At-04 Aug, 2024 | 21:17
Rejected At-
Credits

Online Store System v1.0 delete_product.php doesn't check to see if a user authtenticated or has administrative rights allowing arbitrary product deletion.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:larry_cashdollar
Assigner Org ID:461b2335-328f-427d-ae3d-eff7d6814455
Published At:01 Oct, 2019 | 19:53
Updated At:04 Aug, 2024 | 21:17
Rejected At:
▼CVE Numbering Authority (CNA)

Online Store System v1.0 delete_product.php doesn't check to see if a user authtenticated or has administrative rights allowing arbitrary product deletion.

Affected Products
Vendor
abcprintf
Product
Online Store
Versions
Affected
  • From unspecified through 1.0 (custom)
Problem Types
TypeCWE IDDescription
textN/Aunauthenticated arbitrary product deletions.
Type: text
CWE ID: N/A
Description: unauthenticated arbitrary product deletions.
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
http://www.vapidlabs.com/advisory.php?v=210
x_refsource_MISC
https://www.abcprintf.com/view_download.php?id=17
x_refsource_MISC
http://www.openwall.com/lists/oss-security/2019/10/02/1
mailing-list
x_refsource_MLIST
http://www.openwall.com/lists/oss-security/2019/12/23/1
mailing-list
x_refsource_MLIST
http://www.openwall.com/lists/oss-security/2019/12/23/2
mailing-list
x_refsource_MLIST
Hyperlink: http://www.vapidlabs.com/advisory.php?v=210
Resource:
x_refsource_MISC
Hyperlink: https://www.abcprintf.com/view_download.php?id=17
Resource:
x_refsource_MISC
Hyperlink: http://www.openwall.com/lists/oss-security/2019/10/02/1
Resource:
mailing-list
x_refsource_MLIST
Hyperlink: http://www.openwall.com/lists/oss-security/2019/12/23/1
Resource:
mailing-list
x_refsource_MLIST
Hyperlink: http://www.openwall.com/lists/oss-security/2019/12/23/2
Resource:
mailing-list
x_refsource_MLIST
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
http://www.vapidlabs.com/advisory.php?v=210
x_refsource_MISC
x_transferred
https://www.abcprintf.com/view_download.php?id=17
x_refsource_MISC
x_transferred
http://www.openwall.com/lists/oss-security/2019/10/02/1
mailing-list
x_refsource_MLIST
x_transferred
http://www.openwall.com/lists/oss-security/2019/12/23/1
mailing-list
x_refsource_MLIST
x_transferred
http://www.openwall.com/lists/oss-security/2019/12/23/2
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: http://www.vapidlabs.com/advisory.php?v=210
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://www.abcprintf.com/view_download.php?id=17
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://www.openwall.com/lists/oss-security/2019/10/02/1
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: http://www.openwall.com/lists/oss-security/2019/12/23/1
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: http://www.openwall.com/lists/oss-security/2019/12/23/2
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:larry0@me.com
Published At:01 Oct, 2019 | 20:15
Updated At:14 Oct, 2022 | 02:49

Online Store System v1.0 delete_product.php doesn't check to see if a user authtenticated or has administrative rights allowing arbitrary product deletion.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N
CPE Matches

online_store_system_project
online_store_system_project
>>online_store_system>>1.0
cpe:2.3:a:online_store_system_project:online_store_system:1.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-306Primarynvd@nist.gov
CWE ID: CWE-306
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://www.openwall.com/lists/oss-security/2019/10/02/1larry0@me.com
Exploit
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/12/23/1larry0@me.com
Exploit
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/12/23/2larry0@me.com
Exploit
Mailing List
Third Party Advisory
http://www.vapidlabs.com/advisory.php?v=210larry0@me.com
Exploit
Third Party Advisory
https://www.abcprintf.com/view_download.php?id=17larry0@me.com
Product
Hyperlink: http://www.openwall.com/lists/oss-security/2019/10/02/1
Source: larry0@me.com
Resource:
Exploit
Mailing List
Third Party Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2019/12/23/1
Source: larry0@me.com
Resource:
Exploit
Mailing List
Third Party Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2019/12/23/2
Source: larry0@me.com
Resource:
Exploit
Mailing List
Third Party Advisory
Hyperlink: http://www.vapidlabs.com/advisory.php?v=210
Source: larry0@me.com
Resource:
Exploit
Third Party Advisory
Hyperlink: https://www.abcprintf.com/view_download.php?id=17
Source: larry0@me.com
Resource:
Product

Change History

0
Information is not available yet

Similar CVEs

90Records found

CVE-2015-5201
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.46% / 63.27%
||
7 Day CHG~0.00%
Published-25 Feb, 2020 | 20:16
Updated-06 Aug, 2024 | 06:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows remote attackers to log in without authentication via unspecified vectors.

Action-Not Available
Vendor-Red Hat, Inc.
Product-enterprise_virtualizationenterprise_virtualization_hypervisorEnterprise Virtualization Hypervisor (aka RHEV-H)
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2021-37624
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.30% / 78.89%
||
7 Day CHG~0.00%
Published-25 Oct, 2021 | 16:10
Updated-04 Aug, 2024 | 01:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing. By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the `auth-messages` parameter to `true`, it is not the default setting. Abuse of this security issue allows attackers to send SIP MESSAGE messages to any SIP user agent that is registered with the server without requiring authentication. Additionally, since no authentication is required, chat messages can be spoofed to appear to come from trusted entities. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. This issue is patched in version 1.10.7. Maintainers recommend that this SIP message type is authenticated by default so that FreeSWITCH administrators do not need to be explicitly set the `auth-messages` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication.

Action-Not Available
Vendor-freeswitchsignalwire
Product-freeswitchfreeswitch
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-30126
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 15.17%
||
7 Day CHG~0.00%
Published-28 Jul, 2025 | 00:00
Updated-30 Jul, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Via port 7777 without any need to pair or press a physical button, a remote attacker can disable recording, delete recordings, or even disable battery protection to cause a flat battery to essentially disable the car from being used. During the process of changing these settings, there are no indications or sounds on the dashcam to alert the dashcam owner that someone else is making those changes.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2021-33882
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.24% / 47.21%
||
7 Day CHG~0.00%
Published-25 Aug, 2021 | 11:19
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Missing Authentication for Critical Function vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to reconfigure the device from an unknown source because of lack of authentication on proprietary networking commands.

Action-Not Available
Vendor-n/aB. Braun
Product-spacecom2spacestation_8713142uinfusomat_large_volume_pump_871305un/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2018-4838
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-7.5||HIGH
EPSS-0.25% / 48.54%
||
7 Day CHG~0.00%
Published-08 Mar, 2018 | 17:00
Updated-05 Aug, 2024 | 05:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in EN100 Ethernet module IEC 61850 variant (All versions < V4.30), EN100 Ethernet module DNP3 variant (All versions < V1.04), EN100 Ethernet module PROFINET IO variant (All versions), EN100 Ethernet module Modbus TCP variant (All versions), EN100 Ethernet module IEC 104 variant (All versions < V1.22). The web interface (TCP/80) of affected devices allows an unauthenticated user to upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities.

Action-Not Available
Vendor-Siemens AG
Product-en100_ethernet_module_iec_104_firmwareen100_ethernet_module_profinet_io_firmwareen100_ethernet_module_iec_104en100_ethernet_module_dnp3en100_ethernet_module_profinet_ioen100_ethernet_module_iec_61850_firmwareen100_ethernet_module_modbus_tcpen100_ethernet_module_modbus_tcp_firmwareen100_ethernet_module_dnp3_firmwareen100_ethernet_module_iec_61850EN100 Ethernet module IEC 104 variantEN100 Ethernet module PROFINET IO variantEN100 Ethernet module DNP3 variantEN100 Ethernet module Modbus TCP variantEN100 Ethernet module IEC 61850 variant
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-10079
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.08% / 23.38%
||
7 Day CHG~0.00%
Published-13 Mar, 2020 | 16:57
Updated-04 Aug, 2024 | 10:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GitLab 7.10 through 12.8.1 has Incorrect Access Control. Under certain conditions where users should have been required to configure two-factor authentication, it was not being required.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-26599
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.09% / 26.19%
||
7 Day CHG~0.00%
Published-06 Oct, 2020 | 18:32
Updated-04 Aug, 2024 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Samsung mobile devices with Q(10.0) software. The DynamicLockscreen Terms and Conditions can be accepted without authentication. The Samsung ID is SVE-2020-17079 (October 2020).

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidn/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-10044
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-7.5||HIGH
EPSS-0.19% / 41.72%
||
7 Day CHG~0.00%
Published-14 Jul, 2020 | 13:18
Updated-04 Aug, 2024 | 10:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SICAM MMU (All versions < V2.05), SICAM SGU (All versions), SICAM T (All versions < V2.18). An attacker with access to the network could be able to install specially crafted firmware to the device.

Action-Not Available
Vendor-Siemens AG
Product-sicam_t_firmwaresicam_mmusicam_sgu_firmwaresicam_mmu_firmwaresicam_sgusicam_tSICAM TSICAM MMUSICAM SGU
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-26360
Matching Score-4
Assigner-Nozomi Networks Inc.
ShareView Details
Matching Score-4
Assigner-Nozomi Networks Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.12% / 31.44%
||
7 Day CHG~0.00%
Published-12 Feb, 2025 | 13:29
Updated-17 Feb, 2025 | 10:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests.

Action-Not Available
Vendor-Q-Free
Product-MaxTime
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-9881
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-21.59% / 95.51%
||
7 Day CHG~0.00%
Published-10 Jun, 2019 | 17:37
Updated-04 Aug, 2024 | 22:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.

Action-Not Available
Vendor-wpenginen/a
Product-wpgraphqln/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-26971
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.17% / 39.02%
||
7 Day CHG~0.00%
Published-01 Jun, 2022 | 11:34
Updated-03 Aug, 2024 | 05:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a license file upload mechanism. This upload can be executed without authentication.

Action-Not Available
Vendor-barcon/a
Product-control_room_management_suiten/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-26043
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-7.5||HIGH
EPSS-0.25% / 48.52%
||
7 Day CHG~0.00%
Published-25 May, 2022 | 20:15
Updated-15 Apr, 2025 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An external config control vulnerability exists in the OAS Engine SecureAddSecurity functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to the creation of a custom Security Group. An attacker can send a sequence of requests to trigger this vulnerability.

Action-Not Available
Vendor-openautomationsoftwareOpen Automation Software
Product-oas_platformOAS Platform
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-13344
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-21.21% / 95.46%
||
7 Day CHG+1.40%
Published-05 Jul, 2019 | 15:33
Updated-04 Aug, 2024 | 23:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter.

Action-Not Available
Vendor-crudlabn/a
Product-wp_like_buttonn/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-26303
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.00%
||
7 Day CHG~0.00%
Published-25 May, 2022 | 20:15
Updated-15 Apr, 2025 | 19:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An external config control vulnerability exists in the OAS Engine SecureAddUser functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to the creation of an OAS user account. An attacker can send a sequence of requests to trigger this vulnerability.

Action-Not Available
Vendor-openautomationsoftwareOpen Automation Software
Product-oas_platformOAS Platform
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-24935
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.18% / 39.81%
||
7 Day CHG~0.00%
Published-28 Apr, 2022 | 12:42
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Lexmark products through 2022-02-10 have Incorrect Access Control.

Action-Not Available
Vendor-n/aLexmark International, Inc.
Product-lexmark_firmwarelexmarkn/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-23945
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-1.13% / 77.45%
||
7 Day CHG~0.00%
Published-25 Jan, 2022 | 13:00
Updated-03 Aug, 2024 | 03:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache ShenYu missing authentication allows gateway registration

Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

Action-Not Available
Vendor-The Apache Software Foundation
Product-shenyuApache ShenYu (incubating)
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-26061
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-6.78% / 90.93%
||
7 Day CHG~0.00%
Published-05 Oct, 2020 | 13:43
Updated-04 Aug, 2024 | 15:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ClickStudios Passwordstate Password Reset Portal prior to build 8501 is affected by an authentication bypass vulnerability. The ResetPassword function does not validate whether the user has successfully authenticated using security questions. An unauthenticated, remote attacker can send a crafted HTTP request to the /account/ResetPassword page to set a new password for any registered user.

Action-Not Available
Vendor-clickstudiosn/a
Product-passwordstaten/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-20627
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 50.30%
||
7 Day CHG~0.00%
Published-31 Aug, 2020 | 16:00
Updated-04 Aug, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin through 2.5.9 for WordPress allows unauthenticated settings change.

Action-Not Available
Vendor-n/aGiveWP
Product-givewpn/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-17475
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.19% / 41.10%
||
7 Day CHG~0.00%
Published-14 Aug, 2020 | 19:17
Updated-04 Aug, 2024 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.

Action-Not Available
Vendor-megviin/a
Product-koala_firmwarekoalan/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-15336
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.22% / 44.30%
||
7 Day CHG~0.00%
Published-26 Jun, 2020 | 15:01
Updated-04 Aug, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /cnr requests.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-cloudcnm_secumanagern/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-15335
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.22% / 44.30%
||
7 Day CHG~0.00%
Published-26 Jun, 2020 | 15:02
Updated-04 Aug, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /registerCpe requests.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-cloudcnm_secumanagern/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-14048
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-25.01% / 95.95%
||
7 Day CHG~0.00%
Published-12 Jun, 2020 | 01:41
Updated-04 Aug, 2024 | 12:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_servicedesk_plusn/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-1754
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 14.38%
||
7 Day CHG~0.00%
Published-26 Jun, 2025 | 05:31
Updated-12 Aug, 2025 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authentication for Critical Function in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially leading to resource abuse and unauthorized content storage.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2023-21743
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.3||MEDIUM
EPSS-2.23% / 83.84%
||
7 Day CHG-0.40%
Published-10 Jan, 2023 | 00:00
Updated-28 Feb, 2025 | 21:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft SharePoint Server Security Feature Bypass Vulnerability

Microsoft SharePoint Server Security Feature Bypass Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-sharepoint_serverMicrosoft SharePoint Server 2019Microsoft SharePoint Enterprise Server 2016Microsoft SharePoint Server Subscription Edition
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-0188
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 49.43%
||
7 Day CHG~0.00%
Published-14 Feb, 2022 | 09:20
Updated-02 Aug, 2024 | 23:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Coming Soon & Maintenance Plugin by NiteoThemes < 4.0.19 - Unauthenticated Arbitrary CSS Update

The CMP WordPress plugin before 4.0.19 allows any user, even not logged in, to arbitrarily change the coming soon page layout.

Action-Not Available
Vendor-niteothemesUnknown
Product-cmpCMP
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-8320
Matching Score-4
Assigner-Ivanti
ShareView Details
Matching Score-4
Assigner-Ivanti
CVSS Score-5.3||MEDIUM
EPSS-0.85% / 73.91%
||
7 Day CHG~0.00%
Published-10 Sep, 2024 | 20:52
Updated-12 Sep, 2024 | 21:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Managerautomation
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-7390
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.6||HIGH
EPSS-1.02% / 76.34%
||
7 Day CHG~0.00%
Published-05 Feb, 2019 | 00:00
Updated-04 Aug, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in /bin/goahead on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to hijack the DNS service configuration of all clients in the WLAN, without authentication, via the SetWanSettings HNAP API.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-823gdir-823g_firmwaren/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-6451
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.31% / 53.37%
||
7 Day CHG~0.00%
Published-06 Jun, 2019 | 18:08
Updated-04 Aug, 2024 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On SOYAL AR-727H and AR-829Ev5 devices, all CGI programs allow unauthenticated POST access.

Action-Not Available
Vendor-soyaln/a
Product-ar-727har-829ev5ar-829ev5_firmwarear-727h_firmwaren/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2017-16241
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.38%
||
7 Day CHG~0.00%
Published-10 Dec, 2017 | 01:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect access control in AMAG Symmetry Door Edge Network Controllers (EN-1DBC Boot App 23611 03.60 and STD App 23603 03.60; EN-2DBC Boot App 24451 01.00 and STD App 2461 01.00) enables remote attackers to execute door controller commands (e.g., lock, unlock, add ID card value) by sending unauthenticated requests to the affected devices via Serial over TCP/IP, as demonstrated by a Ud command.

Action-Not Available
Vendor-amagn/a
Product-en-1dbcstd_firmwareen-2dbc_firmwareen-2dbcstden-1dbc_firmwaren/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2023-36846
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-5.3||MEDIUM
EPSS-94.28% / 99.93%
||
7 Day CHG~0.00%
Published-17 Aug, 2023 | 19:18
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-11-17||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Junos OS: SRX Series: A vulnerability in J-Web allows an unauthenticated attacker to upload arbitrary files

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to user.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain  part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: * All versions prior to 20.4R3-S8; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-srx345srx110srx300srx100srx550_hmsrx3600srx240h2srx550msrx240srx1400srx4200srx5800srx380srx5400srx210srx340srx5000srx240msrx5600srx220srx3400junossrx4000srx4100srx320srx650srx4600srx1500srx550Junos OSJunos OS
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2023-36847
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-5.3||MEDIUM
EPSS-94.28% / 99.93%
||
7 Day CHG~0.00%
Published-17 Aug, 2023 | 19:16
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-11-17||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Junos OS: EX Series: A vulnerability in J-Web allows an unauthenticated attacker to upload arbitrary files

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to installAppPackage.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S8; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S4; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S1; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-ex4300-48p-sex4400ex4300mex4200ex3400ex8200-vcex4650ex4300-32f-sex4550ex2200-vcex2300-24mpex9253ex4300-48tdc-afiex2300-24tex3200ex9214ex4300-48t-dc-afiex4300-48tex4300ex4300-48mpex2200-cex2200ex4300-48tafiex4300-24pex4300-48t-sjunosex4300-32f-dcex6200ex2300-48pex2300-cex9200ex9208ex2300ex4550\/vcex4600ex8208ex4300-48tdcex3300ex4200-vcex4500-vcex4300-24tex2300mex9204ex6210ex2300-48tex8216ex4300-48t-afiex4300-48pex4300-48t-dcex2300-48mpex4300-32fex3300-vcex4550-vcex4300-mpex9250ex4600-vcex4300-24t-sex9251ex2300-24pex8200ex4300-24p-sex4300-vcex4500ex4300-48mp-sJunos OSJunos OS
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2021-43974
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 49.21%
||
7 Day CHG~0.00%
Published-11 Jan, 2022 | 19:21
Updated-04 Aug, 2024 | 04:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in SysAid ITIL 20.4.74 b10. The /enduserreg endpoint is used to register end users anonymously, but does not respect the server-side setting that determines if anonymous users are allowed to register new accounts. Configuring the server-side setting to disable anonymous user registration only hides the client-side registration form. An attacker can still post registration data to create new accounts without prior authentication.

Action-Not Available
Vendor-n/aSysAid Technologies Ltd.
Product-itiln/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-47865
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 37.27%
||
7 Day CHG~0.00%
Published-20 Nov, 2024 | 07:30
Updated-20 Nov, 2024 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authentication for critical function vulnerability exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may update or downgrade the firmware on the device.

Action-Not Available
Vendor-Rakuten Mobile, Inc.rakuten
Product-Rakuten Turbo 5Gturbo_5g_firmware
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-23194
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5.3||MEDIUM
EPSS-0.09% / 25.80%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 00:32
Updated-11 Mar, 2025 | 02:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authentication check in SAP NetWeaver Enterprise Portal (OBN component)

SAP NetWeaver Enterprise Portal OBN does not perform proper authentication check for a particular configuration setting. As result, a non-authenticated user can set it to an undesired value causing low impact on integrity. There is no impact on confidentiality or availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver Enterprise Portal (OBN component)
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2021-27569
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 20.18%
||
7 Day CHG~0.00%
Published-07 May, 2021 | 16:31
Updated-03 Aug, 2024 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Emote Remote Mouse through 4.0.0.0. Attackers can maximize or minimize the window of a running process by sending the process name in a crafted packet. This information is sent in cleartext and is not protected by any authentication logic.

Action-Not Available
Vendor-remotemousen/a
Product-emote_remote_mousen/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2021-22995
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-7.5||HIGH
EPSS-0.24% / 46.93%
||
7 Day CHG~0.00%
Published-31 Mar, 2021 | 16:45
Updated-03 Aug, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ high availability (HA) when using a Quorum device for automatic failover does not implement any form of authentication with the Corosync daemon. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

Action-Not Available
Vendor-n/aF5, Inc.
Product-big-iq_centralized_managementBIG-IQ
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2021-22805
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-9.1||CRITICAL
EPSS-0.23% / 45.97%
||
7 Day CHG~0.00%
Published-11 Feb, 2022 | 17:40
Updated-03 Aug, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause deletion of arbitrary files in the context of the user running IGSS due to lack of validation of network messages. Affected Product: Interactive Graphical SCADA System Data Collector (dc.exe) (V15.0.0.21243 and prior)

Action-Not Available
Vendor-n/a
Product-interactive_graphical_scada_system_data_collectorInteractive Graphical SCADA System Data Collector (dc.exe) (V15.0.0.21243 and prior)
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2022-22809
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-5.3||MEDIUM
EPSS-0.39% / 59.24%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 00:00
Updated-03 Aug, 2024 | 03:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow modifications of the touch configurations in an unauthorized manner when an attacker attempts to modify the touch configurations. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)

Action-Not Available
Vendor-n/a
Product-fellerlynkwiser_for_knxspacelynkwiser_for_knx_firmwarefellerlynk_firmwarespacelynk_firmwarespaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2021-20474
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 12.62%
||
7 Day CHG~0.00%
Published-07 Jul, 2021 | 16:30
Updated-17 Sep, 2024 | 02:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Action-Not Available
Vendor-IBM Corporation
Product-guardium_data_encryptionGuardium Data Encryption
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-5780
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.32% / 54.16%
||
7 Day CHG~0.00%
Published-10 Sep, 2020 | 14:10
Updated-04 Aug, 2024 | 08:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing Authentication for Critical Function in Icegram Email Subscribers & Newsletters Plugin for WordPress prior to version 4.5.6 allows a remote, unauthenticated attacker to conduct unauthenticated email forgery/spoofing.

Action-Not Available
Vendor-icegramn/a
Product-email_subscribers_\&_newslettersIcegram Email Subscribers & Newsletters Plugin for WordPress
CWE ID-CWE-306
Missing Authentication for Critical Function
  • Previous
  • 1
  • 2
  • Next
Details not found