Vulnerabilities (CVE)

Filtered by CWE-306
Total 945 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-12105 1 Supervisord 1 Supervisor 2024-06-11 6.4 MEDIUM 8.2 HIGH
In Supervisor through 4.0.2, an unauthenticated user can read log files or restart a service. Note: The maintainer responded that the affected component, inet_http_server, is not enabled by default but if the user enables it and does not set a password, Supervisor logs a warning message. The maintainer indicated the ability to run an open server will not be removed but an additional warning was added to the documentation.
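The entry above describes a configuration mistake rather than a code defect, so the practical check is a static audit of supervisord.conf. The script below is an added example, not Supervisor project code: it flags an enabled [inet_http_server] section that has no username/password (the CVE-2019-12105 condition) and, separately, one bound to every interface. The option names (port, username, password, chmod) are the real supervisord.conf keys; the two sample configs and the password hash are constructed for the example.

```python
# Added example (not Supervisor project code): static audit of supervisord.conf
# for the weak configuration behind CVE-2019-12105. Sample configs are constructed.
import configparser

WEAK_CONF = """\
[supervisord]
logfile=%(here)s/supervisord.log

; enabled by the operator with no credentials: the XML-RPC interface
; (readLog, restartProcess, ...) is open to anyone who can reach port 9001
[inet_http_server]
port=*:9001

[program:web]
command=/usr/bin/python3 -m http.server
"""

HARDENED_CONF = """\
[supervisord]
logfile=%(here)s/supervisord.log

[inet_http_server]
port=127.0.0.1:9001
username=ops
password={SHA}82ab876d1387bfafe46cc1c8a2ef074eae50cb1d

[unix_http_server]
file=/var/run/supervisor.sock
chmod=0700
"""

ALL_INTERFACES = {"*", "0.0.0.0", "::", "[::]"}


def audit_supervisord_conf(text):
    """Return (section, issue) pairs for the HTTP server sections of a supervisord.conf."""
    # interpolation=None: supervisord uses %(here)s / %(ENV_X)s expansions that
    # configparser's default interpolation would reject
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    if cp.has_section("inet_http_server"):
        sec = cp["inet_http_server"]
        port = sec.get("port", "").strip()
        if not sec.get("username", "").strip() or not sec.get("password", "").strip():
            findings.append(("inet_http_server", "no-credentials"))
        host = port.rsplit(":", 1)[0] if ":" in port else ""
        if host in ALL_INTERFACES:
            findings.append(("inet_http_server", "binds-all-interfaces"))
    if cp.has_section("unix_http_server"):
        sec = cp["unix_http_server"]
        try:
            mode = int(sec.get("chmod", "0700"), 8)   # supervisord's default is 0700
        except ValueError:
            mode = 0
        # a group- or world-accessible socket with no credentials is the same bug locally
        if mode & 0o077 and not sec.get("password", "").strip():
            findings.append(("unix_http_server", "socket-readable-by-others"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_supervisord_conf(conf))
```

Run it against a real file with `audit_supervisord_conf(open("/etc/supervisord.conf").read())`; an empty list means both HTTP server sections either are absent or carry credentials and a private bind address.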
CVE-2020-25966 1 Sectona 1 Spectra 2024-06-11 5.0 MEDIUM 7.5 HIGH
Sectona Spectra before 3.4.0 has a vulnerable SOAP API endpoint that leaks sensitive information about the configured assets without proper authentication. This could be used by unauthorized parties to get configured login credentials of the assets via a modified pAccountID value. NOTE: The vendor has indicated this is not a vulnerability and states "This vulnerability occurred due to wrong configuration of system."
CVE-2024-21306 1 Microsoft 7 Windows 10 21h2, Windows 10 22h2, Windows 11 21h2 and 4 more 2024-06-11 N/A 5.7 MEDIUM
Microsoft Bluetooth Driver Spoofing Vulnerability
CVE-2024-34800 2024-06-10 N/A 7.6 HIGH
Missing Authentication for Critical Function vulnerability in Aruphash Crafthemes Demo Import allows Functionality Misuse. This issue affects Crafthemes Demo Import: from n/a through 3.3.
CVE-2024-37152 2024-06-07 N/A 5.3 MEDIUM
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
CVE-2024-32752 2024-06-07 N/A N/A
Under certain circumstances, communications between the ICU tool and an iSTAR Pro door controller are susceptible to Machine-in-the-Middle attacks, which could impact door control and configuration.
CVE-2024-22326 2024-06-07 N/A 5.0 MEDIUM
IBM System Storage DS8900F,,,,, and could allow a remote user to create an LDAP connection with a valid username and empty password to establish an anonymous connection. IBM X-Force ID: 279518.
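The bug class in the entry above is worth seeing in code. RFC 4513 section 5.1.2 defines a simple bind that carries a name but an empty password as an "unauthenticated" bind: a server that permits it answers success while granting only anonymous authorization, so application code that treats "bind did not fail" as "this user proved their password" accepts any valid username with an empty password. The example below is added here and is not IBM code; FakeLdap is a constructed stand-in that models that server behaviour so the example runs offline (it is not a real LDAP client), and the directory layout under ou=people is assumed.

```python
# Added example, not IBM code. Models the RFC 4513 5.1.2 unauthenticated-bind
# behaviour behind CVE-2024-22326 and shows the client-side guard.
class FakeLdap:
    """Constructed model of an LDAP server's simple bind and 'Who am I?' (RFC 4532)."""

    def __init__(self, directory, allow_unauthenticated_bind=True):
        self.directory = directory            # dn -> password (constructed test data)
        self.allow_unauth = allow_unauthenticated_bind
        self.bound_as = None                  # authorization identity after the last bind

    def simple_bind(self, dn, password):
        """Return True on success; success does NOT imply a user was authenticated."""
        self.bound_as = None
        if dn == "" and password == "":       # anonymous bind: allowed by this model
            return True
        if password == "":                    # RFC 4513 5.1.2 unauthenticated bind:
            return self.allow_unauth          # succeeds, but authorization stays anonymous
        if self.directory.get(dn) == password:
            self.bound_as = dn
            return True
        return False

    def whoami(self):
        """RFC 4532 'Who am I?': 'dn:<dn>' when authenticated, '' when anonymous."""
        return f"dn:{self.bound_as}" if self.bound_as else ""


def user_dn(username):
    # assumed directory layout for the example
    return f"uid={username},ou=people,dc=example,dc=com"


def login_vulnerable(ldap, username, password):
    """Treats any successful bind as proof of identity: an empty password passes."""
    return ldap.simple_bind(user_dn(username), password)


def login_hardened(ldap, username, password):
    """Reject empty or blank passwords before binding, then confirm who the server bound us as."""
    if not password or not password.strip():
        return False                          # never send an empty password to the server
    dn = user_dn(username)
    if not ldap.simple_bind(dn, password):
        return False
    # defence in depth: the server must have authorised us as this DN, not as anonymous
    return ldap.whoami() == f"dn:{dn}"


DIRECTORY = {user_dn("alice"): "correct horse battery staple"}   # constructed test data

if __name__ == "__main__":
    srv = FakeLdap(DIRECTORY)
    print("vulnerable, alice + empty password:", login_vulnerable(srv, "alice", ""))
    print("hardened,   alice + empty password:", login_hardened(srv, "alice", ""))
```

The server-side fix is the complementary half: a directory that refuses unauthenticated binds (modelled by `allow_unauthenticated_bind=False`) makes even the vulnerable client safe, which is why the RFC says servers should reject them by default. Ship both guards; you rarely control the directory your application binds to.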
CVE-2022-45378 1 Apache 1 Soap 2024-06-04 N/A 9.8 CRITICAL
In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2021-26928 1 Nic 1 Bird 2024-06-04 4.9 MEDIUM 6.8 MEDIUM
BIRD through 2.0.7 does not provide functionality for password authentication of BGP peers. Because of this, products that use BIRD (which may, for example, include Tigera products in some configurations, as well as products of other vendors) may have been susceptible to route redirection for Denial of Service and/or Information Disclosure. NOTE: a researcher has asserted that the behavior is within Tigera's area of responsibility; however, Tigera disagrees.
CVE-2020-27986 1 Sonarsource 1 Sonarqube 2024-06-04 5.0 MEDIUM 7.5 HIGH
SonarQube allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it."
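The Argo CD entry (CVE-2024-37152, /api/v1/settings) and the SonarQube entry (CVE-2020-27986, api/settings/values) above are the same pattern: a settings endpoint that answers an unauthenticated GET with configuration material. The script below is an added example, not Argo CD or SonarQube code. It requests a list of paths with no credentials and reports any that return 200 with a body whose keys or setting names look like credentials. So that it runs offline, it serves a constructed stand-in on localhost; the two leaking paths are the ones named in the CVE text, while the JSON shapes, the third path and the sensitive-key pattern are assumptions.

```python
# Added example, not Argo CD or SonarQube code: probe endpoints without
# credentials and flag 200 responses that expose credential-looking settings.
# The HTTP server here is a constructed stand-in so the script runs offline.
import json
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# keys (or setting names) that should never be readable without authentication
SENSITIVE = re.compile(r"password|passwd|secret|token|api[_-]?key|private[_-]?key", re.I)

# Constructed stand-in responses. The two leaking paths are taken from the CVE
# text; their JSON shapes and the third path are assumed for the example.
ROUTES = {
    "/api/v1/settings": (200, {"url": "https://argocd.example", "passwordPattern": "^.{8,}$"}),
    "/api/settings/values": (200, {"settings": [
        {"key": "email.smtp_password.secured", "value": "s3cr3t"}]}),
    "/api/v1/session/userinfo": (401, {"error": "Unauthorized"}),
}


class StandInHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = ROUTES.get(self.path, (404, {"error": "not found"}))
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):   # silence per-request logging
        pass


def start_standin():
    """Serve ROUTES on an ephemeral localhost port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), StandInHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def sensitive_hits(obj, path=""):
    """Walk a JSON document; return paths whose key or string value names a credential."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{path}.{key}" if path else str(key)
            if SENSITIVE.search(str(key)):
                hits.append(here)
            elif isinstance(val, str) and SENSITIVE.search(val):
                hits.append(f"{here}={val}")      # SonarQube-style {"key": ..., "value": ...}
            else:
                hits.extend(sensitive_hits(val, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(sensitive_hits(item, f"{path}[{i}]"))
    elif isinstance(obj, str) and SENSITIVE.search(obj):
        hits.append(path or "body")
    return hits


def probe_unauthenticated(base_url, paths):
    """GET each path with no credentials; map paths answering 200 to their sensitive hits."""
    findings = {}
    for path in paths:
        req = urllib.request.Request(base_url + path, headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                status, body = resp.status, resp.read()
        except urllib.error.HTTPError as err:
            status, body = err.code, b""
        if status != 200:
            continue                    # 401/403 means an authentication check is in place
        try:
            doc = json.loads(body)
        except ValueError:
            doc = body.decode("utf-8", errors="replace")
        findings[path] = sensitive_hits(doc)
    return findings


def run_demo():
    srv, base = start_standin()
    try:
        return probe_unauthenticated(base, list(ROUTES))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Against a real deployment, point `probe_unauthenticated` at the instance's base URL with the paths you care about and run it from a network position that has no session cookie or token; an endpoint that appears in the result is reachable without authentication, and the listed paths tell you which settings it exposes. Note that the Argo CD entry says everything except passwordPattern is hidden, which is exactly what the stand-in reproduces: the finding is the endpoint being open, not necessarily a leaked secret.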
CVE-2023-21743 1 Microsoft 1 Sharepoint Server 2024-05-29 N/A 5.3 MEDIUM
Microsoft SharePoint Server Security Feature Bypass Vulnerability
CVE-2023-38186 1 Microsoft 5 Windows 10 21h2, Windows 10 22h2, Windows 11 21h2 and 2 more 2024-05-29 N/A 9.8 CRITICAL
Windows Mobile Device Management Elevation of Privilege Vulnerability
CVE-2023-24934 1 Microsoft 1 Malware Protection Platform 2024-05-29 N/A 5.5 MEDIUM
Microsoft Defender Security Feature Bypass Vulnerability
CVE-2024-21846 2024-05-28 N/A 5.3 MEDIUM
An unauthenticated attacker can reset the board and stop transmitter operations by sending a specially-crafted GET request to the command.cgi gateway, resulting in a denial-of-service scenario.
CVE-2024-1491 2024-05-28 N/A 7.5 HIGH
The devices allow access to an unprotected endpoint that allows MPFS file system binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial flash, or internal flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.
CVE-2023-5935 2024-05-28 N/A 7.4 HIGH
When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself. A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed.
CVE-2023-5253 1 Nozominetworks 2 Cmc, Guardian 2024-05-28 N/A 7.5 HIGH
A missing authentication check in the WebSocket channel used for the Check Point IoT integration in Nozomi Networks Guardian and CMC may allow an unauthenticated attacker to obtain asset data. Malicious unauthenticated users with knowledge of the underlying system may be able to extract asset information.
CVE-2024-2076 2024-05-17 5.0 MEDIUM 5.3 MEDIUM
A vulnerability was found in CodeAstro House Rental Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file booking.php/owner.php/tenant.php. The manipulation leads to missing authentication. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255392.
CVE-2023-6949 2024-05-17 N/A 5.2 MEDIUM
A Missing Authentication for Critical Function issue affecting the HTTP service running on the DJI Mavic Mini 3 Pro on the standard port 80 could allow an attacker to enumerate and download videos and pictures saved on the drone internal or external memory without requiring any kind of authentication.
CVE-2023-6221 1 Machinesense 2 Feverwarn, Feverwarn Firmware 2024-05-17 N/A 6.5 MEDIUM
The cloud provider that MachineSense uses for integration and deployment of multiple MachineSense devices, such as the programmable logic controller (PLC), PumpSense, PowerAnalyzer, FeverWarn, and others, is insufficiently protected against unauthorized access. An attacker with access to the internal procedures could view source code, secret credentials, and more.