Vulnerabilities (CVE)

Filtered by CWE-306
Total 954 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-36851 1 Juniper 92 Ex2200, Ex2200-c, Ex2200-vc and 89 more 2024-06-26 N/A 5.3 MEDIUM
A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to webauth_operation.php that doesn't require authentication, an attacker is able to upload and download arbitrary files via J-Web, leading to a loss of integrity or confidentiality, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: * 21.2 versions prior to 21.2R3-S8; * 21.4 versions prior to 21.4R3-S6; * 22.1 versions prior to 22.1R3-S5; * 22.2 versions prior to 22.2R3-S3; * 22.3 versions prior to 22.3R3-S2; * 22.4 versions prior to 22,4R2-S2, 22.4R3; * 23.2 versions prior to 23.2R1-S2, 23.2R2.
CVE-2024-5951 2024-06-17 N/A 7.1 HIGH
Deep Sea Electronics DSE855 Factory Reset Missing Authentication Denial-of-Service Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based UI. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-23173.
CVE-2024-5947 2024-06-17 N/A 6.5 MEDIUM
Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based UI. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-22679.
CVE-2024-5952 2024-06-17 N/A 4.3 MEDIUM
Deep Sea Electronics DSE855 Restart Missing Authentication Denial-of-Service Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based UI. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-23174.
CVE-2019-12105 1 Supervisord 1 Supervisor 2024-06-11 6.4 MEDIUM 8.2 HIGH
In Supervisor through 4.0.2, an unauthenticated user can read log files or restart a service. Note: The maintainer responded that the affected component, inet_http_server, is not enabled by default but if the user enables it and does not set a password, Supervisor logs a warning message. The maintainer indicated the ability to run an open server will not be removed but an additional warning was added to the documentation
CVE-2020-25966 1 Sectona 1 Spectra 2024-06-11 5.0 MEDIUM 7.5 HIGH
Sectona Spectra before 3.4.0 has a vulnerable SOAP API endpoint that leaks sensitive information about the configured assets without proper authentication. This could be used by unauthorized parties to get configured login credentials of the assets via a modified pAccountID value. NOTE: The vendor has indicated this is not a vulnerability and states "This vulnerability occurred due to wrong configuration of system.
CVE-2024-21306 1 Microsoft 7 Windows 10 21h2, Windows 10 22h2, Windows 11 21h2 and 4 more 2024-06-11 N/A 5.7 MEDIUM
Microsoft Bluetooth Driver Spoofing Vulnerability
CVE-2024-34800 2024-06-10 N/A 7.6 HIGH
Missing Authentication for Critical Function vulnerability in Aruphash Crafthemes Demo Import allows Functionality Misuse.This issue affects Crafthemes Demo Import: from n/a through 3.3.
CVE-2024-37152 2024-06-07 N/A 5.3 MEDIUM
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
CVE-2024-22326 2024-06-07 N/A 5.0 MEDIUM
IBM System Storage DS8900F 89.22.19.0, 89.30.68.0, 89.32.40.0, 89.33.48.0, 89.40.83.0, and 89.40.93.0 could allow a remote user to create an LDAP connection with a valid username and empty password to establish an anonymous connection.   IBM X-Force ID: 279518.
CVE-2023-21743 1 Microsoft 1 Sharepoint Server 2024-05-29 N/A 5.3 MEDIUM
Microsoft SharePoint Server Security Feature Bypass Vulnerability
CVE-2023-38186 1 Microsoft 5 Windows 10 21h2, Windows 10 22h2, Windows 11 21h2 and 2 more 2024-05-29 N/A 9.8 CRITICAL
Windows Mobile Device Management Elevation of Privilege Vulnerability
CVE-2023-24934 1 Microsoft 1 Malware Protection Platform 2024-05-29 N/A 5.5 MEDIUM
Microsoft Defender Security Feature Bypass Vulnerability
CVE-2024-21846 2024-05-28 N/A 5.3 MEDIUM
An unauthenticated attacker can reset the board and stop transmitter operations by sending a specially-crafted GET request to the command.cgi gateway, resulting in a denial-of-service scenario.
CVE-2024-1491 2024-05-28 N/A 7.5 HIGH
The devices allow access to an unprotected endpoint that allows MPFS file system binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial flash, or internal flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.
CVE-2023-5935 2024-05-28 N/A 7.4 HIGH
When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself. A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed.
CVE-2023-5253 1 Nozominetworks 2 Cmc, Guardian 2024-05-28 N/A 7.5 HIGH
A missing authentication check in the WebSocket channel used for the Check Point IoT integration in Nozomi Networks Guardian and CMC, may allow an unauthenticated attacker to obtain assets data without authentication. Malicious unauthenticated users with knowledge on the underlying system may be able to extract asset information.
CVE-2024-2076 2024-05-17 5.0 MEDIUM 5.3 MEDIUM
A vulnerability was found in CodeAstro House Rental Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file booking.php/owner.php/tenant.php. The manipulation leads to missing authentication. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255392.
CVE-2023-6949 2024-05-17 N/A 5.2 MEDIUM
A Missing Authentication for Critical Function issue affecting the HTTP service running on the DJI Mavic Mini 3 Pro on the standard port 80 could allow an attacker to enumerate and download videos and pictures saved on the drone internal or external memory without requiring any kind of authentication.
CVE-2023-6221 1 Machinesense 2 Feverwarn, Feverwarn Firmware 2024-05-17 N/A 6.5 MEDIUM
The cloud provider MachineSense uses for integration and deployment for multiple MachineSense devices, such as the programmable logic controller (PLC), PumpSense, PowerAnalyzer, FeverWarn, and others is insufficiently protected against unauthorized access. An attacker with access to the internal procedures could view source code, secret credentials, and more.