Vulnerabilities (CVE)

Filtered by CWE-306
Total 1228 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-25245 1 Zohocorp 1 Manageengine Servicedesk Plus 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name.
CVE-2022-25008 1 Totolink 4 Ex1200t, Ex1200t Firmware, Ex300 V2 and 1 more 2024-11-21 5.8 MEDIUM 8.8 HIGH
totolink EX300_v2 V4.0.3c.140_B20210429 and EX1200T V4.1.2cu.5230_B20210706 does not contain an authentication mechanism.
CVE-2022-24990 1 Terra-master 30 F2-210, F2-221, F2-223 and 27 more 2024-11-21 N/A 7.5 HIGH
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
CVE-2022-24935 1 Lexmark 2 Lexmark, Lexmark Firmware 2024-11-21 5.0 MEDIUM 7.5 HIGH
Lexmark products through 2022-02-10 have Incorrect Access Control.
CVE-2022-24829 1 Garden 1 Garden 2024-11-21 4.3 MEDIUM 8.1 HIGH
Garden is an automation platform for Kubernetes development and testing. In versions prior to 0.12.39 multiple endpoints did not require authentication. In some operating modes this allows for an attacker to gain access to the application erroneously. The configuration is leaked through the /api endpoint on the local server that is responsible for serving the Garden dashboard. At the moment, this server is accessible to 0.0.0.0 which makes it accessible to anyone on the same network (or anyone on the internet if they are on a public, static IP). This may lead to the ability to compromise credentials, secrets or environment variables. Users are advised to upgrade to version 0.12.39 as soon as possible. Users unable to upgrade should use a firewall blocking access to port 9777 from all untrusted network machines.
CVE-2022-24820 1 Xwiki 1 Xwiki 2024-11-21 4.3 MEDIUM 5.3 MEDIUM
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem.
CVE-2022-24562 1 Iobit 1 Iotransfer 2024-11-21 10.0 HIGH 9.8 CRITICAL
In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire file-system (with admin privileges) on the victim's endpoint, which can result in data theft and remote code execution.
CVE-2022-24396 1 Sap 1 Simple Diagnostics Agent 2024-11-21 7.2 HIGH 7.8 HIGH
The Simple Diagnostics Agent - versions 1.0 up to version 1.57, does not perform any authentication checks for functionalities that can be accessed via localhost on http port 3005. Due to lack of authentication checks, an attacker could access administrative or other privileged functionalities and read, modify, or delete sensitive information and configurations.
CVE-2022-24190 1 Sz-fujia 1 Ourphoto 2024-11-21 N/A 7.5 HIGH
The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to accept their own bind request, without the end-users approval or interaction.
CVE-2022-24111 1 Mahara 1 Mahara 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios created in groups that have not been shared with non-group members and portfolios created on the site and institution levels can be viewed without requiring a login if the URL to these portfolios is known.
CVE-2022-23945 1 Apache 1 Shenyu 2024-11-21 5.0 MEDIUM 7.5 HIGH
Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
CVE-2022-23944 1 Apache 1 Shenyu 2024-11-21 6.4 MEDIUM 9.1 CRITICAL
User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
CVE-2022-23719 1 Pingidentity 1 Pingid Integration For Windows Login 2024-11-21 6.9 MEDIUM 7.2 HIGH
PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine maybe able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication.
CVE-2022-23345 1 Bigantsoft 1 Bigant Server 2024-11-21 5.0 MEDIUM 7.5 HIGH
BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control.
CVE-2022-23227 1 Nuuo 2 Nvrmini2, Nvrmini2 Firmware 2024-11-21 10.0 HIGH 9.8 CRITICAL
NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.
CVE-2022-23220 4 Canonical, Debian, Gentoo and 1 more 4 Ubuntu Linux, Debian Linux, Linux and 1 more 2024-11-21 7.2 HIGH 7.8 HIGH
USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option. This affects Ubuntu, Debian, and Gentoo.
CVE-2022-22809 1 Schneider-electric 6 Fellerlynk, Fellerlynk Firmware, Spacelynk and 3 more 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow modifications of the touch configurations in an unauthorized manner when an attacker attempts to modify the touch configurations. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)
CVE-2022-22652 1 Apple 2 Ipados, Iphone Os 2024-11-21 3.6 LOW 6.1 MEDIUM
The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access may be able to view and modify the carrier account information and settings from the lock screen.
CVE-2022-22576 5 Brocade, Debian, Haxx and 2 more 17 Fabric Operating System, Debian Linux, Curl and 14 more 2024-11-21 5.5 MEDIUM 8.1 HIGH
An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).
CVE-2022-22526 1 Gavazziautomation 3 Cpy Car Park Server, Uwp 3.0 Monitoring Gateway And Controller, Uwp 3.0 Monitoring Gateway And Controller Firmware 2024-11-21 N/A 9.8 CRITICAL
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a missing authentication allows for full access via API.