CWE-304
Missing Critical Step in Authentication
BaseDraft
Description
The product implements an authentication technique, but it skips a step that weakens the technique.
Authentication techniques should follow the algorithms that define them exactly, otherwise authentication can be bypassed or more easily subjected to brute force attacks.
Hierarchy (View 1000)
CVEs mapped to this weakness (8)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-2172 | Cri | 0.64 | 9.8 | 0.01 | Mar 13, 2024 | The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator. | |
| CVE-2026-44547 | Cri | 0.62 | 9.6 | 0.00 | May 12, 2026 | ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1. | |
| CVE-2026-42452 | Hig | 0.53 | 8.1 | 0.00 | May 8, 2026 | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, /users/login issues a temporary JWT (temp_token) for TOTP-enabled accounts. That token carries a pendingTOTP state and should only be valid for the second-factor flow. However, the auth middleware accepts this token on regular authenticated endpoints. This effectively turns 2FA into single-factor (password) for impacted accounts. This issue has been patched in version 2.1.0. | |
| CVE-2024-11302 | Hig | 0.52 | 8.0 | 0.00 | Mar 20, 2025 | A missing check_access() function in the lollms_binding_infos module of the parisneo/lollms repository, version V14, allows attackers to add, modify, and remove bindings arbitrarily. This vulnerability affects the /install_binding and /reinstall_binding endpoints, among others, enabling unauthorized access and manipulation of binding settings without requiring the client_id value. | |
| CVE-2025-55138 | Hig | 0.48 | 7.4 | 0.00 | Aug 7, 2025 | LinkJoin through 882f196 mishandles token ownership in password reset. | |
| CVE-2023-52424 | Hig | 0.48 | 7.4 | 0.00 | May 17, 2024 | The IEEE 802.11 standard sometimes enables an adversary to trick a victim into connecting to an unintended or untrusted network with Home WEP, Home WPA3 SAE-loop. Enterprise 802.1X/EAP, Mesh AMPE, or FILS, aka an "SSID Confusion" issue. This occurs because the SSID is not always used to derive the pairwise master key or session keys, and because there is not a protected exchange of an SSID during a 4-way handshake. | |
| CVE-2026-40542 | Hig | 0.40 | 7.3 | 0.00 | Apr 22, 2026 | Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue. | |
| CVE-2025-5715 | Low | 0.25 | 3.8 | 0.00 | Jun 6, 2025 | A vulnerability was found in Signal App 7.41.4 on Android. It has been declared as problematic. This vulnerability affects unknown code of the component Biometric Authentication Handler. The manipulation leads to missing critical step in authentication. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |