Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-304 (认证中关键步骤缺失) — Vulnerability Class 28

28 vulnerabilities classified as CWE-304 (认证中关键步骤缺失). AI Chinese analysis included.

CWE-304 represents a critical implementation flaw where an authentication mechanism omits a necessary verification step, effectively weakening the security posture. This weakness typically arises when developers deviate from standardized algorithms or prematurely bypass checks, allowing attackers to circumvent identity validation entirely. Exploitation often involves manipulating the authentication flow to skip multi-factor verification or password complexity checks, granting unauthorized access without valid credentials. To mitigate this risk, developers must strictly adhere to defined authentication protocols, ensuring every mandatory step is executed in the correct sequence. Implementing comprehensive unit tests that simulate incomplete authentication flows can help identify these gaps early. Additionally, using established, vetted authentication libraries reduces the likelihood of custom implementation errors, ensuring that no critical security checks are inadvertently skipped during the user verification process.

MITRE CWE Description
The product implements an authentication technique, but it skips a step that weakens the technique. Authentication techniques should follow the algorithms that define them exactly, otherwise authentication can be bypassed or more easily subjected to brute force attacks.
Common Consequences (1)
Access Control, Integrity, ConfidentialityBypass Protection Mechanism, Gain Privileges or Assume Identity, Read Application Data, Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or allowing attackers to execute arbitrary code.
CVE IDTitleCVSSSeverityPublished
CVE-2026-42452 Termix: Pending-TOTP temporary token can regenerate backup codes and neutralize TOTP — Termix 8.1 High2026-05-08
CVE-2026-40542 Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification — Apache HttpClient 9.1AICriticalAI2026-04-22
CVE-2025-43798 Liferay DXP 安全漏洞 — DXP 8.8AIHighAI2025-09-15
CVE-2025-24322 Tenda AC6 安全漏洞 — AC6 V5.0 8.1 High2025-08-20
CVE-2025-55138 LinkJoin 安全漏洞 — LinkJoin 7.4 High2025-08-07
CVE-2024-52965 Fortinet FortiOS和Fortinet FortiProxy 安全漏洞 — FortiOS 6.8 High2025-07-08
CVE-2025-5715 Signal App Biometric Authentication missing critical step in authentication — App 3.8 Low2025-06-06
CVE-2025-43014 JetBrains Toolbox App 安全漏洞 — Toolbox App 6.1 Medium2025-04-17
CVE-2024-9216 Authentication Bypass in gaizhenbiao/ChuanhuChatGPT — gaizhenbiao/chuanhuchatgpt 7.1 -2025-03-20
CVE-2024-12048 IDOR Vulnerability in transformeroptimus/superagi — transformeroptimus/superagi 8.2 -2025-03-20
CVE-2024-8954 Authentication Bypass in composiohq/composio — composiohq/composio 9.8 -2025-03-20
CVE-2024-11302 Missing check_access in lollms_binding_infos in parisneo/lollms — parisneo/lollms 9.1 -2025-03-20
CVE-2024-12136 Improper Access Control in Elfatek Elektronics' ANKA JPD-00028 — ANKA JPD-00028 6.9 Medium2025-03-19
CVE-2024-20153 MediaTek Chipsets 安全漏洞 — MT2737, MT6989, MT6991, MT7925, MT8365, MT8518S, MT8532, MT8666, MT8667, MT8673, MT8676, MT8678, MT8755, MT8766, MT8768, MT8775, MT8781, MT8786, MT8788, MT8796, MT8798, MT8893 7.5 -2025-01-06
CVE-2024-45764 Dell Enterprise SONiC OS 安全漏洞 — Enterprise SONiC OS 9.0 Critical2024-11-08
CVE-2024-7745 Multi-Factor Authentication Bypass in Progress WS_FTP Server — WS_FTP Server 6.5 Medium2024-08-28
CVE-2024-2172 Malware Scanner <= 4.7.2 and Web Application Firewall <= 2.1.1 - Unauthenticated Privilege Escalation — Web Application Firewall – website security 9.8 Critical2024-03-13
CVE-2023-3629 Infinispan: non-admins should not be able to get cache config via rest api — Red Hat Data Grid 8.4.4 4.3 Medium2023-12-18
CVE-2023-3628 Infispan: rest bulk ops don't check permissions — Red Hat Data Grid 8.4.4 6.5 Medium2023-12-18
CVE-2023-22833 Mandatory control bypass in Lime2 — com.palantir.lime:lime2 7.6 High2023-06-06
CVE-2022-39360 Metabase SSO users able to circumvent IdP login by doing password reset — metabase 6.5 Medium2022-10-26
CVE-2022-40622 WAVLINK Quantum D4G (WN531G3) Session Management by IP Address — WN531G3 8.8 -2022-09-13
CVE-2022-2821 Missing Critical Step in Authentication in namelessmc/nameless — namelessmc/nameless 7.5 -2022-08-15
CVE-2022-2302 LENZE: Missing password verification in authorisation procedure — cabinet c520 9.8 Critical2022-07-11
CVE-2022-1065 Multi Factor Authentication Bypass in various versions of Abacus ERP — Abacus ERP 8.1 High2022-04-19
CVE-2021-41179 Two-Factor Authentication not enforced for pages marked as public — security-advisories 6.5 Medium2021-10-25
CVE-2019-16766 2FA bypass in Wagtail through new device path — wagtail-2fa 8.7 High2019-11-29
CVE-2011-3172 unix2_chkpwd do not check for a valid account — SUSE Linux Enterprise 9.8 -2018-06-08

Vulnerabilities classified as CWE-304 (认证中关键步骤缺失) represent 28 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.