Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,081)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-30436 1Apple 2Ipados Iphone Os May 27, 2025 May 12, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 18.4 and iPadOS 18.4. An attacker may be able to use Siri to enable Auto-Answer Calls.
CVE-2025-4538 1Keking 1Kkfileview Jun 16, 2025 May 11, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability was found in kkFileView 4.4.0. It has been classified as critical. This affects an unknown part of the file /fileUpload. The manipulation of the argument File leads to unrestricted upload. It is possible...Show more A vulnerability was found in kkFileView 4.4.0. It has been classified as critical. This affects an unknown part of the file /fileUpload. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-4536 1Gosuncntech 1Group Audio Visual Integrated Management Jul 8, 2025 May 11, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability has been found in Gosuncn Technology Group Audio-Visual Integrated Management Platform 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /sysmgr/user/l...Show more A vulnerability has been found in Gosuncn Technology Group Audio-Visual Integrated Management Platform 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /sysmgr/user/listByPage. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-4535 1Gosuncntech 1Group Audio Visual Integrated Management Jul 8, 2025 May 11, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability, which was classified as problematic, was found in Gosuncn Technology Group Audio-Visual Integrated Management Platform 4.0. Affected is an unknown function of the file /config/config.properties of the co...Show more A vulnerability, which was classified as problematic, was found in Gosuncn Technology Group Audio-Visual Integrated Management Platform 4.0. Affected is an unknown function of the file /config/config.properties of the component Configuration File Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-28201 1Govicture 1Rx1800 Firmware Jun 12, 2025 May 9, 2025 N/A· v4 6.8 MEDIUM· v3 N/A· v2 An issue in Victure RX1800 EN_V1.0.0_r12_110933 allows physically proximate attackers to execute arbitrary code or gain root access.
CVE-2025-4468 1Senior Walter 1Online Student Clearance System May 14, 2025 May 9, 2025 6.9 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability was found in SourceCodester Online Student Clearance System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /edit-photo.php. The manipulation of the argument use...Show more A vulnerability was found in SourceCodester Online Student Clearance System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /edit-photo.php. The manipulation of the argument userImage leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-33072 1Microsoft 1Msagsfeedback.azurewebsites.net May 21, 2025 May 8, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Improper access control in Azure allows an unauthorized attacker to disclose information over a network.
CVE-2025-20223 1Cisco 1Catalyst Center Jul 23, 2025 May 7, 2025 N/A· v4 4.7 MEDIUM· v3 N/A· v2 A vulnerability in Cisco Catalyst Center, formerly Cisco DNA Center, could allow an authenticated, remote attacker to read and modify data in a repository that belongs to an internal service of an affected device. Thi...Show more A vulnerability in Cisco Catalyst Center, formerly Cisco DNA Center, could allow an authenticated, remote attacker to read and modify data in a repository that belongs to an internal service of an affected device. This vulnerability is due to insufficient enforcement of access control on HTTP requests. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected device. A successful exploit could allow the attacker to read and modify data that is handled by an internal service on the affected device.Show less
CVE-2025-20190 1Cisco 1Ios Xe Jul 31, 2025 May 7, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A vulnerability in the lobby ambassador web interface of Cisco IOS XE Wireless Controller Software could allow an authenticated, remote attacker to remove arbitrary users that are defined on an affected device. This v...Show more A vulnerability in the lobby ambassador web interface of Cisco IOS XE Wireless Controller Software could allow an authenticated, remote attacker to remove arbitrary users that are defined on an affected device. This vulnerability is due to insufficient access control of actions executed by lobby ambassador users. An attacker could exploit this vulnerability by logging in to an affected device with a lobby ambassador user account and sending crafted HTTP requests to the API. A successful exploit could allow the attacker to delete arbitrary user accounts on the device, including users with administrative privileges. Note: This vulnerability is exploitable only if the attacker obtains the credentials for a lobby ambassador account. This account is not configured by default.Show less
CVE-2025-20137 1Cisco 1Ios Aug 5, 2025 May 7, 2025 N/A· v4 4.7 MEDIUM· v3 N/A· v2 A vulnerability in the access control list (ACL) programming of Cisco IOS Software that is running on Cisco Catalyst 1000 Switches and Cisco Catalyst 2960L Switches could allow an unauthenticated, remote attacker to bypa...Show more A vulnerability in the access control list (ACL) programming of Cisco IOS Software that is running on Cisco Catalyst 1000 Switches and Cisco Catalyst 2960L Switches could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to the use of both an IPv4 ACL and a dynamic ACL of IP Source Guard on the same interface, which is an unsupported configuration. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass an ACL on the affected device. Note: Cisco documentation has been updated to reflect that this is an unsupported configuration. However, Cisco is publishing this advisory because the device will not prevent an administrator from configuring both features on the same interface. There are no plans to implement the ability to configure both features on the same interface on Cisco Catalyst 1000 or Catalyst 2960L Switches.Show less
CVE-2025-29448 1Easyappointments 1Easy!appointments Jan 28, 2026 May 7, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Booking logic flaw in Easy!Appointments v1.5.1 allows unauthenticated attackers to create appointments with excessively long durations, causing a denial of service by blocking all future booking availability.
CVE-2025-46816 - - May 7, 2025 May 6, 2025 N/A· v4 9.4 CRITICAL· v3 N/A· v2 goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadP...Show more goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not checks the option cli `-c`, thus allowing anyone to execute arbitrary command through the use of websockets. Version 1.0.5 fixes the issue.Show less
CVE-2025-21470 1Qualcomm 33Aqt1000 Firmware Fastconnect 6200 FirmwareFastconnect 6700 Firmware+30 more Aug 11, 2025 May 6, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Memory corruption while processing image encoding, when configuration is NULL in IOCTL parameter.
CVE-2025-21469 1Qualcomm 20Fastconnect 6700 Firmware Fastconnect 6900 FirmwareFastconnect 7800 Firmware+17 more Aug 11, 2025 May 6, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Memory corruption while processing image encoding, when input buffer length is 0 in IOCTL call.
CVE-2024-49842 1Qualcomm 176Aqt1000 Firmware Ar8035 FirmwareFastconnect 6200 Firmware+173 more Aug 11, 2025 May 6, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Memory corruption during memory mapping into protected VM address space due to incorrect API restrictions.
CVE-2025-4333 - - May 7, 2025 May 6, 2025 5.3 MEDIUM· v4 6.3 MEDIUM· v3 6.5 MEDIUM· v2 A vulnerability was found in feng_ha_ha/megagao ssm-erp and production_ssm up to 0.0.1. It has been classified as critical. This affects the function uploadFile of the file src/main/java/com/megagao/production/ssm/servic...Show more A vulnerability was found in feng_ha_ha/megagao ssm-erp and production_ssm up to 0.0.1. It has been classified as critical. This affects the function uploadFile of the file src/main/java/com/megagao/production/ssm/service/impl/FileServiceImpl.java. The manipulation of the argument uploadFile leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is distributed under two entirely different names.Show less
CVE-2025-46589 1Huawei 1Harmonyos Sep 26, 2025 May 6, 2025 N/A· v4 7.1 HIGH· v3 N/A· v2 Vulnerability of unauthorized access in the app lock module Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.
CVE-2025-46588 1Huawei 1Harmonyos Sep 26, 2025 May 6, 2025 N/A· v4 7.7 HIGH· v3 N/A· v2 Vulnerability of unauthorized access in the app lock module Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.
CVE-2025-4310 1Emiloi 1Content Management System May 13, 2025 May 6, 2025 5.1 MEDIUM· v4 6.3 MEDIUM· v3 5.8 MEDIUM· v2 A vulnerability classified as critical has been found in itsourcecode Content Management System 1.0. This affects an unknown part of the file /admin/add_topic.php?category=BBS. The manipulation of the argument Cover Imag...Show more A vulnerability classified as critical has been found in itsourcecode Content Management System 1.0. This affects an unknown part of the file /admin/add_topic.php?category=BBS. The manipulation of the argument Cover Image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-4305 - - May 7, 2025 May 6, 2025 5.3 MEDIUM· v4 6.3 MEDIUM· v3 6.5 MEDIUM· v2 A vulnerability has been found in kefaming mayi up to 1.3.9 and classified as critical. This vulnerability affects the function Upload of the file app/tools/controller/File.php. The manipulation of the argument File lead...Show more A vulnerability has been found in kefaming mayi up to 1.3.9 and classified as critical. This vulnerability affects the function Upload of the file app/tools/controller/File.php. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.Show less

Previous 1...808182...255 Next