Filtered by CWE-306
Total 1493 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-25247 1 Ptc 2 Axeda Agent, Axeda Desktop Server 2025-04-16 9.8 Critical
Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send certain commands to a specific port without authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to obtain full file-system access and remote code execution.
CVE-2022-25250 1 Ptc 2 Axeda Agent, Axeda Desktop Server 2025-04-16 7.5 High
When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send a certain command to a specific port without authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to shut down a specific service.
CVE-2022-25251 1 Ptc 2 Axeda Agent, Axeda Desktop Server 2025-04-16 9.8 Critical
When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send certain XML messages to a specific port without proper authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to read and modify the affected product’s configuration.
CVE-2022-0922 1 Philips 2 E-alert, E-alert Firmware 2025-04-16 6.5 Medium
The software does not perform any authentication for critical system functionality.
CVE-2020-14479 1 Inductiveautomation 1 Ignition 2025-04-16 5.3 Medium
Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server
CVE-2022-1521 1 Illumina 8 Iseq 100, Local Run Manager, Miniseq and 5 more 2025-04-16 9.1 Critical
LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data.
CVE-2022-2141 1 Micodus 2 Mv720, Mv720 Firmware 2025-04-16 9.8 Critical
SMS-based GPS commands can be executed by MiCODUS MV720 GPS tracker without authentication.
CVE-2022-2138 1 Advantech 1 Iview 2025-04-16 8.2 High
The affected product is vulnerable due to missing authentication, which may allow an attacker to read or modify sensitive data and execute arbitrary code, resulting in a denial-of-service condition.
CVE-2022-1368 1 Cognex 2 3d-a1000 Dimensioning System, 3d-a1000 Dimensioning System Firmware 2025-04-16 9.8 Critical
The Cognex 3D-A1000 Dimensioning System in firmware version 1.0.3 (3354) and prior is vulnerable to CWE-306: Missing Authentication for Critical Function, which allows unauthorized users to change the operator account password via webserver commands by monitoring web socket communications from an unauthenticated session. This could allow an attacker to escalate privileges to match those of the compromised account.
CVE-2022-2474 1 Haascnc 2 Haas Controller, Haas Controller Firmware 2025-04-16 9.8 Critical
Authentication is currently unsupported in Haas Controller version 100.20.000.1110 when using the “Ethernet Q Commands” service, which allows any user on the same network segment as the controller (even while connected remotely) to access the service and write unauthorized macros to the device.
CVE-2022-40202 1 Deltaww 1 Infrasuite Device Master 2025-04-16 9.8 Critical
The database backup function in Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior lacks proper authentication. An attacker could provide malicious serialized objects which, when deserialized, could activate an opcode for a backup scheduling function without authentication. This function allows the user to designate all function arguments and the file to be executed. This could allow the attacker to start any new process and achieve remote code execution.
CVE-2022-41688 1 Deltaww 1 Infrasuite Device Master 2025-04-16 9.8 Critical
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lack proper authentication for functions that create and modify user groups. An attacker could provide malicious serialized objects that could run these functions without authentication to create a new user and add them to the administrator group.
CVE-2022-41776 1 Deltaww 1 Infrasuite Device Master 2025-04-16 7.5 High
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to trigger the WriteConfiguration method, which could allow an attacker to provide new values for user configuration files such as UserListInfo.xml. This could lead to the changing of administrative passwords.
CVE-2022-41629 1 Deltaww 1 Infrasuite Device Master 2025-04-16 7.5 High
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to access the aprunning endpoint, which could allow an attacker to retrieve any file from the “RunningConfigs” directory. The attacker could then view and modify configuration files such as UserListInfo.xml, which would allow them to see existing administrative passwords.
CVE-2025-27642 1 Printerlogic 2 Vasion Print, Virtual Appliance 2025-04-16 9.8 Critical
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.933 Application 20.0.2368 allows Unauthenticated Driver Package Editing V-2024-008.
CVE-2025-32782 2025-04-16 5.3 Medium
Ash Authentication provides authentication for the Ash framework. The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user’s email and potentially have it auto-confirmed by the victim’s email client. This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only. This vulnerability is fixed in 4.7.0.
CVE-2022-47377 1 Sick 2 Sim2000 Firmware, Sim2000st 2025-04-16 9.8 Critical
Password recovery vulnerability in SICK SIM2000ST Partnumber 2086502 with firmware version <1.13.4 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. This leads to an increase in their privileges on the system and thereby affecting the confidentiality integrity and availability of the system. An attacker can expect repeatable success by exploiting the vulnerability. The recommended solution is to update the firmware to a version >= 1.13.4 as soon as possible (available in SICK Support Portal).
CVE-2025-27538 2025-04-16 2.2 Low
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA.
CVE-2025-2567 2025-04-16 9.8 Critical
An attacker could modify or disable settings, disrupt fuel monitoring and supply chain operations, leading to disabling of ATG monitoring. This would result in potential safety hazards in fuel storage and transportation.
CVE-2025-27647 1 Printerlogic 2 Vasion Print, Virtual Appliance 2025-04-15 9.8 Critical
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.913 Application 20.0.2253 allows Addition of Partial Admin Users Without Authentication V-2024-002.