Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-31494 1Agpt 1Autogpt Platform Aug 25, 2025 Apr 15, 2025 N/A· v4 3.5 LOW· v3 N/A· v2 AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. The AutoGPT Platform's WebSocket API transmitted node execution updates to...Show more AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. The AutoGPT Platform's WebSocket API transmitted node execution updates to subscribers based on the graph_id+graph_version. Additionally, there was no check prohibiting users from subscribing with another user's graph_id+graph_version. As a result, node execution updates from one user's graph execution could be received by another user within the same instance. This vulnerability does not occur between different instances or between users and non-users of the platform. Single-user instances are not affected. In private instances with a user white-list, the impact is limited by the fact that all potential unintended recipients of these node execution updates must have been admitted by the administrator. This vulnerability is fixed in 0.6.1.Show less
CVE-2025-3593 1Zhenfeng13 1My Blog Layui Oct 10, 2025 Apr 14, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability was found in ZHENFENG13/code-projects My-Blog-layui 1.0. It has been declared as critical. This vulnerability affects the function Upload of the file /admin/upload/authorImg/. The manipulation of the argu...Show more A vulnerability was found in ZHENFENG13/code-projects My-Blog-layui 1.0. It has been declared as critical. This vulnerability affects the function Upload of the file /admin/upload/authorImg/. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-3585 1Westboy 1Cicadascms May 21, 2025 Apr 14, 2025 5.3 MEDIUM· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability classified as critical has been found in westboy CicadasCMS 1.0. This affects an unknown part of the file /upload/ of the component JSP Parser. The manipulation of the argument File leads to unrestricted...Show more A vulnerability classified as critical has been found in westboy CicadasCMS 1.0. This affects an unknown part of the file /upload/ of the component JSP Parser. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-3566 - - Aug 26, 2025 Apr 14, 2025 6.9 MEDIUM· v4 7.3 HIGH· v3 7.5 HIGH· v2 A vulnerability, which was classified as critical, has been found in veal98 小牛肉 Echo 开源社区系统 4.2. This issue affects the function uploadMdPic of the file /discuss/uploadMdPic. The manipulation of the argument editormd-ima...Show more A vulnerability, which was classified as critical, has been found in veal98 小牛肉 Echo 开源社区系统 4.2. This issue affects the function uploadMdPic of the file /discuss/uploadMdPic. The manipulation of the argument editormd-image-file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-3565 1Huanfenz 1Studentmanager May 21, 2025 Apr 14, 2025 5.1 MEDIUM· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A vulnerability classified as critical was found in huanfenz/code-projects StudentManager 1.0. This vulnerability affects unknown code of the file /upload/uploadArticle.do of the component Announcement Management Section...Show more A vulnerability classified as critical was found in huanfenz/code-projects StudentManager 1.0. This vulnerability affects unknown code of the file /upload/uploadArticle.do of the component Announcement Management Section. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-3558 1Ghostxbh 1Uzy Ssm Mall Oct 10, 2025 Apr 14, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability, which was classified as critical, was found in ghostxbh uzy-ssm-mall 1.0.0. This affects an unknown part of the file /mall/user/uploadUserHeadImage. The manipulation of the argument File leads to unrestr...Show more A vulnerability, which was classified as critical, was found in ghostxbh uzy-ssm-mall 1.0.0. This affects an unknown part of the file /mall/user/uploadUserHeadImage. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-32726 1Microsoft 1Visual Studio Code Jul 8, 2025 Apr 12, 2025 N/A· v4 6.8 MEDIUM· v3 N/A· v2 Improper access control in Visual Studio Code allows an authorized attacker to elevate privileges locally.
CVE-2023-42969 1Apple 3Ipados Iphone OsMacos Apr 29, 2025 Apr 11, 2025 N/A· v4 3.3 LOW· v3 N/A· v2 An app may be able to break out of its sandbox. This issue is fixed in iOS 17 and iPadOS 17, iOS 16.7 and iPadOS 16.7, macOS Sonoma 14, macOS Ventura 13.6, macOS Monterey 12.7. The issue was addressed with improved handl...Show more An app may be able to break out of its sandbox. This issue is fixed in iOS 17 and iPadOS 17, iOS 16.7 and iPadOS 16.7, macOS Sonoma 14, macOS Ventura 13.6, macOS Monterey 12.7. The issue was addressed with improved handling of caches.Show less
CVE-2025-23389 - - Apr 11, 2025 Apr 11, 2025 N/A· v4 8.4 HIGH· v3 N/A· v2 A Improper Access Control vulnerability in SUSE rancher allows a local user to impersonate other identities through SAML Authentication on first login. This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 bef...Show more A Improper Access Control vulnerability in SUSE rancher allows a local user to impersonate other identities through SAML Authentication on first login. This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3.Show less
CVE-2025-27191 1Adobe 3Commerce Commerce B2bMagento May 20, 2025 Apr 8, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverag...Show more Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.Show less
CVE-2025-27190 1Adobe 3Commerce Commerce B2bMagento Jun 23, 2025 Apr 8, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverag...Show more Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.Show less
CVE-2025-30288 1Adobe 1Coldfusion Apr 21, 2025 Apr 8, 2025 N/A· v4 8.2 HIGH· v3 N/A· v2 ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low privileged attacker with local access could leverage...Show more ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low privileged attacker with local access could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction in that a victim must be coerced into performing actions within the application and scope is changed.Show less
CVE-2025-30281 1Adobe 1Coldfusion Jul 15, 2025 Apr 8, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution. A high-privileged attacker could leverage this vulnerabilit...Show more ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution. A high-privileged attacker could leverage this vulnerability to access or modify sensitive data without proper authorization. Exploitation of this issue does not require user interaction, and scope is changed.Show less
CVE-2025-29810 1Microsoft 15Windows 10 1507 Windows 10 1607Windows 10 1809+12 more Jul 10, 2025 Apr 8, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Improper access control in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.
CVE-2025-29804 1Microsoft 1Visual Studio 2022 Jul 10, 2025 Apr 8, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally.
CVE-2025-27744 1Microsoft 1Office Jul 9, 2025 Apr 8, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Microsoft Office allows an authorized attacker to elevate privileges locally.
CVE-2025-27738 1Microsoft 14Windows 10 1507 Windows 10 1607Windows 10 1809+11 more Jul 10, 2025 Apr 8, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Improper access control in Windows Resilient File System (ReFS) allows an authorized attacker to disclose information over a network.
CVE-2025-26678 1Microsoft 10Windows 10 1809 Windows 10 21h2Windows 10 22h2+7 more Jul 9, 2025 Apr 8, 2025 N/A· v4 8.4 HIGH· v3 N/A· v2 Improper access control in Windows Defender Application Control (WDAC) allows an unauthorized attacker to bypass a security feature locally.
CVE-2025-21197 1Microsoft 15Windows 10 1507 Windows 10 1607Windows 10 1809+12 more Jul 10, 2025 Apr 8, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Improper access control in Windows NTFS allows an authorized attacker to disclose file path information under a folder where the attacker doesn't have permission to list content.
CVE-2025-3410 1Aias 1Aias Sep 4, 2025 Apr 8, 2025 5.3 MEDIUM· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability classified as critical was found in mymagicpower AIAS 20250308. This vulnerability affects unknown code of the file training_platform/train-platform/src/main/java/top/aias/training/controller/LocalStorage...Show more A vulnerability classified as critical was found in mymagicpower AIAS 20250308. This vulnerability affects unknown code of the file training_platform/train-platform/src/main/java/top/aias/training/controller/LocalStorageController.java. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less

Previous 1...878889...255 Next