Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,081)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-4291 1Ideacms 1Ideacms Oct 3, 2025 May 5, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability, which was classified as critical, was found in IdeaCMS up to 1.6. Affected is the function saveUpload. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exp...Show more A vulnerability, which was classified as critical, was found in IdeaCMS up to 1.6. Affected is the function saveUpload. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-45618 1Huangjian888 1Jeeweb Mybatis Springboot Oct 21, 2025 May 5, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Incorrect access control in the component /admin/sys/datasource/ajaxList of jeeweb-mybatis-springboot v0.0.1.RELEASE allows attackers to access sensitive information via a crafted payload.
CVE-2025-45617 1Megagao 1Production Ssm Oct 17, 2025 May 5, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Incorrect access control in the component /user/list of production_ssm v0.0.1-SNAPSHOT allows attackers to access sensitive information via a crafted payload.
CVE-2025-45616 1Baidu 1Brcc Oct 17, 2025 May 5, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect access control in the /admin/** API of brcc v1.2.0 allows attackers to gain access to Admin rights via a crafted request.
CVE-2025-45615 1User Xiangpeng 1Yaoqishan Oct 17, 2025 May 5, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect access control in the /admin/ API of yaoqishan v0.0.1-SNAPSHOT allows attackers to gain access to Admin rights via a crafted request.
CVE-2025-45614 1Lcw2004 1One Oct 14, 2025 May 5, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Incorrect access control in the component /api/user/manager of One v1.0 allows attackers to access sensitive information via a crafted payload.
CVE-2025-45613 1Zhaojun1998 1Shiro Action Oct 14, 2025 May 5, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Incorrect access control in the component /user/list of Shiro-Action v0.6 allows attackers to access sensitive information via a crafted payload.
CVE-2025-45612 1Exrick 1Xmall Jun 16, 2025 May 5, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index.
CVE-2025-45611 1Java Aodeng 1Hope Boot Oct 14, 2025 May 5, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET request.
CVE-2025-45610 1Passjava 1Passjava Oct 10, 2025 May 5, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Incorrect access control in the component /scheduleLog/info/1 of PassJava-Platform v3.0.0 allows attackers to access sensitive information via a crafted payload.
CVE-2025-45609 1Ke 1Kob Oct 10, 2025 May 5, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Incorrect access control in the doFilter function of kob latest v1.0.0-SNAPSHOT allows attackers to access sensitive information via a crafted payload.
CVE-2025-45608 1Zykzhangyukang 1Xinguan Oct 10, 2025 May 5, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Incorrect access control in the /system/user/findUserList API of Xinguan v0.0.1-SNAPSHOT allows attackers to access sensitive information via a crafted payload.
CVE-2025-4051 1Google 1Chrome May 28, 2025 May 5, 2025 N/A· v4 6.3 MEDIUM· v3 N/A· v2 Insufficient data validation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a crafted HTML...Show more Insufficient data validation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium)Show less
CVE-2025-45237 1Dbsyncer Project 1Dbsyncer Nov 18, 2025 May 5, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Incorrect access control in the component /config/download of DBSyncer v2.0.6 allows attackers to access the JSON file containing sensitive account information, including the encrypted password.
CVE-2025-4281 - - May 5, 2025 May 5, 2025 5.3 MEDIUM· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability, which was classified as problematic, was found in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 7. This affects an unknown part of the file /api/GylOperator/LoadData. The manipu...Show more A vulnerability, which was classified as problematic, was found in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 7. This affects an unknown part of the file /api/GylOperator/LoadData. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-4316 1Devolutions 1Devolutions Server Jun 17, 2025 May 5, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Improper access control in PAM feature in Devolutions Server allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface actions. This issue affects D...Show more Improper access control in PAM feature in Devolutions Server allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface actions. This issue affects Devolutions Server versions from 2025.1.3.0 through 2025.1.6.0, and all versions up to 2024.3.15.0.Show less
CVE-2025-4271 1Totolink 1A720r Firmware May 7, 2025 May 5, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability was found in TOTOLINK A720R 4.1.5cu.374. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument...Show more A vulnerability was found in TOTOLINK A720R 4.1.5cu.374. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument topicurl with the input showSyslog leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-4270 1Totolink 1A720r Firmware May 7, 2025 May 5, 2025 6.9 MEDIUM· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A vulnerability was found in TOTOLINK A720R 4.1.5cu.374. It has been classified as problematic. Affected is an unknown function of the file /cgi-bin/cstecgi.cgi of the component Config Handler. The manipulation of the ar...Show more A vulnerability was found in TOTOLINK A720R 4.1.5cu.374. It has been classified as problematic. Affected is an unknown function of the file /cgi-bin/cstecgi.cgi of the component Config Handler. The manipulation of the argument topicurl with the input getInitCfg/getSysStatusCfg leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-4269 1Totolink 1A720r Firmware May 7, 2025 May 5, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 6.4 MEDIUM· v2 A vulnerability was found in TOTOLINK A720R 4.1.5cu.374 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/cstecgi.cgi of the component Log Handler. The manipulation of the argume...Show more A vulnerability was found in TOTOLINK A720R 4.1.5cu.374 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/cstecgi.cgi of the component Log Handler. The manipulation of the argument topicurl with the input clearDiagnosisLog/clearSyslog/clearTracerouteLog leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-4259 1Newbee Mall Project 1Newbee Mall Oct 10, 2025 May 5, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability has been found in newbee-mall 1.0 and classified as critical. Affected by this vulnerability is the function Upload of the file ltd/newbee/mall/controller/common/UploadController.java. The manipulation of...Show more A vulnerability has been found in newbee-mall 1.0 and classified as critical. Affected by this vulnerability is the function Upload of the file ltd/newbee/mall/controller/common/UploadController.java. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.Show less

Previous 1...818283...255 Next