Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,081)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-31698 1Apache 1Traffic Server Jul 1, 2025 Jun 19, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if...Show more ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol. This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.Show less
CVE-2024-45208 - - Jun 23, 2025 Jun 19, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Versa Director SD-WAN orchestration platform which makes use of Cisco NCS application service. Active and Standby Directors communicate over TCP ports 4566 and 4570 to exchange High Availability (HA) information usin...Show more The Versa Director SD-WAN orchestration platform which makes use of Cisco NCS application service. Active and Standby Directors communicate over TCP ports 4566 and 4570 to exchange High Availability (HA) information using a shared password. Affected versions of Versa Director bound to these ports on all interfaces. An attacker that can access the Versa Director could access the NCS service on port 4566 and exploit it to perform unauthorized administrative actions and perform remote code execution. Customers are recommended to follow the hardening guide. Versa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third party security researchers.Show less
CVE-2025-49591 1Xwiki 1Cryptpad Aug 11, 2025 Jun 18, 2025 7.4 HIGH· v4 9.1 CRITICAL· v3 N/A· v2 CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication (2FA) in CryptPad can be trivially bypassed, due to weak implementation of access controls. An attacker that compromi...Show more CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication (2FA) in CryptPad can be trivially bypassed, due to weak implementation of access controls. An attacker that compromises a user's credentials can gain access to the victim's account, even if the victim has 2FA set up. This is due to 2FA not being enforced if the path parameter is not 44 characters long, which can be bypassed by simply URL encoding a single character in the path. This issue has been patched in version 2025.3.0.Show less
CVE-2025-49154 1Trendmicro 3Apex One Worry Free Business SecurityWorry Free Business Security Services Oct 6, 2025 Jun 17, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 An insecure access control vulnerability in Trend Micro Apex One and Trend Micro Worry-Free Business Security could allow a local attacker to overwrite key memory-mapped files which could then have severe consequences fo...Show more An insecure access control vulnerability in Trend Micro Apex One and Trend Micro Worry-Free Business Security could allow a local attacker to overwrite key memory-mapped files which could then have severe consequences for the security and stability of affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.Show less
CVE-2025-6161 1Fabian 1Simple Food Ordering System Apr 29, 2026 Jun 17, 2025 5.5 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability, which was classified as critical, was found in SourceCodester Simple Food Ordering System 1.0. Affected is an unknown function of the file /editproduct.php. The manipulation of the argument photo leads t...Show more A vulnerability, which was classified as critical, was found in SourceCodester Simple Food Ordering System 1.0. Affected is an unknown function of the file /editproduct.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-27689 1Dell 1Idrac Tools Jan 13, 2026 Jun 12, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Dell iDRAC Tools, version(s) prior to 11.3.0.0, contain(s) an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privi...Show more Dell iDRAC Tools, version(s) prior to 11.3.0.0, contain(s) an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.Show less
CVE-2025-46889 1Adobe 1Experience Manager Jun 16, 2025 Jun 10, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypa...Show more Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized elevated access. Exploitation of this issue does not require user interaction.Show less
CVE-2025-47962 1Microsoft 1Windows Software Development Kit Jul 9, 2025 Jun 10, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Windows SDK allows an authorized attacker to elevate privileges locally.
CVE-2025-33073 1Microsoft 15Windows 10 1507 Windows 10 1607Windows 10 1809+12 more Oct 27, 2025 Jun 10, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.
CVE-2025-33056 1Microsoft 15Windows 10 1507 Windows 10 1607Windows 10 1809+12 more Jul 10, 2025 Jun 10, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Improper access control in Microsoft Local Security Authority Server (lsasrv) allows an unauthorized attacker to deny service over a network.
CVE-2025-32722 1Microsoft 14Windows 10 1507 Windows 10 1607Windows 10 1809+11 more Jul 10, 2025 Jun 10, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Improper access control in Windows Storage Port Driver allows an authorized attacker to disclose information locally.
CVE-2025-32714 1Microsoft 15Windows 10 1507 Windows 10 1607Windows 10 1809+12 more Jul 10, 2025 Jun 10, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Windows Installer allows an authorized attacker to elevate privileges locally.
CVE-2024-57190 1Erxes 1Erxes Jun 20, 2025 Jun 10, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Erxes <1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint.
CVE-2025-43586 1Adobe 3Commerce Commerce B2bMagento Jun 23, 2025 Jun 10, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could lev...Show more Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized elevated access. Exploitation of this issue does not require user interaction.Show less
CVE-2025-27207 1Adobe 1Commerce B2b Jul 11, 2025 Jun 10, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could lev...Show more Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction.Show less
CVE-2025-27206 1Adobe 3Commerce Commerce B2bMagento Jun 23, 2025 Jun 10, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage thi...Show more Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited write access. Exploitation of this issue does not require user interaction.Show less
CVE-2025-5873 - - Apr 29, 2026 Jun 9, 2025 2.1 LOW· v4 6.3 MEDIUM· v3 6.5 MEDIUM· v2 A vulnerability was detected in eCharge Hardy Barth Salia PLCC up to 2.3.81. Affected by this issue is some unknown functionality of the file /firmware.php of the component Web UI. Performing a manipulation of the argume...Show more A vulnerability was detected in eCharge Hardy Barth Salia PLCC up to 2.3.81. Affected by this issue is some unknown functionality of the file /firmware.php of the component Web UI. Performing a manipulation of the argument media results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-5840 1Lerouxyxchire 1Client Database Management System Jun 10, 2025 Jun 7, 2025 6.9 MEDIUM· v4 7.3 HIGH· v3 7.5 HIGH· v2 A vulnerability, which was classified as critical, was found in SourceCodester Client Database Management System 1.0. This affects an unknown part of the file /user_update_customer_order.php. The manipulation of the argu...Show more A vulnerability, which was classified as critical, was found in SourceCodester Client Database Management System 1.0. This affects an unknown part of the file /user_update_customer_order.php. The manipulation of the argument uploaded_file leads to unrestricted upload. It is possible to initiate the attack remotely.Show less
CVE-2025-5728 1Nikhil Bhalerao 1Open Source Clinic Management System Apr 29, 2026 Jun 6, 2025 2.1 LOW· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability classified as critical was found in SourceCodester Open Source Clinic Management System 1.0. This vulnerability affects unknown code of the file /manage_website.php. The manipulation of the argument websi...Show more A vulnerability classified as critical was found in SourceCodester Open Source Clinic Management System 1.0. This vulnerability affects unknown code of the file /manage_website.php. The manipulation of the argument website_image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-5382 1Devolutions 1Devolutions Server Jul 2, 2025 Jun 5, 2025 N/A· v4 6.8 MEDIUM· v3 N/A· v2 Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators MFA.

Previous 1...757677...255 Next