Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,077)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-61541 1Webmin 1Webmin Nov 6, 2025 Oct 16, 2025 N/A· v4 7.1 HIGH· v3 N/A· v2 Webmin 2.510 is vulnerable to a Host Header Injection in the password reset functionality (forgot_send.cgi). The reset link sent to users is constructed using the HTTP Host header via get_webmin_email_url(). An attacker...Show more Webmin 2.510 is vulnerable to a Host Header Injection in the password reset functionality (forgot_send.cgi). The reset link sent to users is constructed using the HTTP Host header via get_webmin_email_url(). An attacker can manipulate the Host header to inject a malicious domain into the reset email. If a victim follows the poisoned link, the attacker can intercept the reset token and gain full control of the target account.Show less
CVE-2025-9804 1Wso2 15Api Control Plane Api ManagerApi Manager Analytics+12 more Nov 21, 2025 Oct 16, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this fl...Show more An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.Show less
CVE-2025-43313 1Apple 1Macos Apr 2, 2026 Oct 15, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to access sensitive user data.
CVE-2025-59494 1Microsoft 1Azure Monitor Agent Oct 22, 2025 Oct 14, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
CVE-2025-59253 1Microsoft 15Windows 10 1507 Windows 10 1607Windows 10 1809+12 more Oct 17, 2025 Oct 14, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Improper access control in Microsoft Windows Search Component allows an authorized attacker to deny service locally.
CVE-2025-59230 1Microsoft 16Windows 10 1507 Windows 10 1607Windows 10 1809+13 more Dec 3, 2025 Oct 14, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.
CVE-2025-59201 1Microsoft 16Windows 10 1507 Windows 10 1607Windows 10 1809+13 more Oct 17, 2025 Oct 14, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Network Connection Status Indicator (NCSI) allows an authorized attacker to elevate privileges locally.
CVE-2025-59199 1Microsoft 11Windows 10 1809 Windows 10 21h2Windows 10 22h2+8 more Oct 30, 2025 Oct 14, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Software Protection Platform (SPP) allows an authorized attacker to elevate privileges locally.
CVE-2025-58726 1Microsoft 16Windows 10 1507 Windows 10 1607Windows 10 1809+13 more Nov 11, 2025 Oct 14, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Improper access control in Windows SMB Server allows an authorized attacker to elevate privileges over a network.
CVE-2025-58724 1Microsoft 1Azure Connected Machine Agent Oct 20, 2025 Oct 14, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.
CVE-2025-58714 1Microsoft 16Windows 10 1507 Windows 10 1607Windows 10 1809+13 more Oct 31, 2025 Oct 14, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2025-55694 1Microsoft 3Windows 11 24h2 Windows 11 25h2Windows Server 2025 Oct 30, 2025 Oct 14, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Windows Error Reporting allows an authorized attacker to elevate privileges locally.
CVE-2025-55240 1Microsoft 3Visual Studio 2017 Visual Studio 2019Visual Studio 2022 Oct 17, 2025 Oct 14, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally.
CVE-2025-54603 - - Oct 14, 2025 Oct 14, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An incorrect OIDC authentication flow in Claroty Secure Access 3.3.0 through 4.0.2 can result in unauthorized user creation or impersonation of existing OIDC users.
CVE-2025-47989 1Microsoft 1Azure Connected Machine Agent Oct 20, 2025 Oct 14, 2025 N/A· v4 7.0 HIGH· v3 N/A· v2 Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.
CVE-2025-37143 1Arubanetworks 1Arubaos Nov 12, 2025 Oct 14, 2025 N/A· v4 4.9 MEDIUM· v3 N/A· v2 An arbitrary file download vulnerability exists in the web-based management interface of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an Authenticated malicious...Show more An arbitrary file download vulnerability exists in the web-based management interface of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an Authenticated malicious actor to download arbitrary files through carefully constructed exploits.Show less
CVE-2025-37142 1Arubanetworks 1Arubaos Nov 12, 2025 Oct 14, 2025 N/A· v4 4.9 MEDIUM· v3 N/A· v2 Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arb...Show more Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.Show less
CVE-2025-37141 1Arubanetworks 1Arubaos Nov 12, 2025 Oct 14, 2025 N/A· v4 4.9 MEDIUM· v3 N/A· v2 Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arb...Show more Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.Show less
CVE-2025-37140 1Arubanetworks 1Arubaos Nov 12, 2025 Oct 14, 2025 N/A· v4 4.9 MEDIUM· v3 N/A· v2 Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arb...Show more Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.Show less
CVE-2025-37137 1Arubanetworks 1Arubaos Nov 12, 2025 Oct 14, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote m...Show more Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.Show less

Previous 1...545556...254 Next