Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-30138 1Gnetsystem 1G Onx Firmware Jul 1, 2025 Mar 18, 2025 N/A· v4 4.6 MEDIUM· v3 N/A· v2 An issue was discovered on G-Net Dashcam BB GONX devices. Managing Settings and Obtaining Sensitive Data and Sabotaging Car Battery can be performed by unauthorized persons. It allows unauthorized users to modify critica...Show more An issue was discovered on G-Net Dashcam BB GONX devices. Managing Settings and Obtaining Sensitive Data and Sabotaging Car Battery can be performed by unauthorized persons. It allows unauthorized users to modify critical system settings once connected to its network. Attackers can extract sensitive car and driver information, mute dashcam alerts to prevent detection, disable recording functionality, or even factory reset the device. Additionally, they can disable battery protection, causing the dashcam to drain the car battery when left on overnight. These actions not only compromise privacy but also pose potential physical harm by rendering the dashcam non-functional or causing vehicle battery failure.Show less
CVE-2025-26138 1Systemic Rm 1Risk Value Apr 1, 2025 Mar 18, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Systemic Risk Value <=2.8.0 is vulnerable to improper access control in /RiskValue/GroupingEntities/Controls/GetFile.aspx?ID=. Uploaded files are accessible via a predictable numerical ID parameter, allowing unauthorized...Show more Systemic Risk Value <=2.8.0 is vulnerable to improper access control in /RiskValue/GroupingEntities/Controls/GetFile.aspx?ID=. Uploaded files are accessible via a predictable numerical ID parameter, allowing unauthorized users to increment or decrement the ID to access and download files they do not have permission to view.Show less
CVE-2025-30132 - - Mar 21, 2025 Mar 18, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 An issue was discovered on IROAD Dashcam V devices. It uses an unregistered public domain name as an internal domain, creating a security risk. During analysis, it was found that this domain was not owned by IROAD, allow...Show more An issue was discovered on IROAD Dashcam V devices. It uses an unregistered public domain name as an internal domain, creating a security risk. During analysis, it was found that this domain was not owned by IROAD, allowing an attacker to register it and potentially intercept sensitive device traffic. If the dashcam or related services attempt to resolve this domain over the public Internet instead of locally, it could lead to data exfiltration or man-in-the-middle attacks.Show less
CVE-2025-25585 1R1bbit 1Yimioa Jun 19, 2025 Mar 18, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 Incorrect access control in the component /config/WebSecurityConfig.java of yimioa before v2024.07.04 allows unauthorized attackers to arbitrarily modify Administrator passwords.
CVE-2024-44313 1Tastyigniter 1Tastyigniter Apr 2, 2025 Mar 18, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the invoice() function within Orders.php which allows unauthorized users to access and generate invoices due to missing permission checks.
CVE-2025-25500 1Cosmwasm 1Cosmwasm May 22, 2025 Mar 18, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in CosmWasm prior to v2.2.0 allows attackers to bypass capability restrictions in blockchains by exploiting a lack of runtime capability validation. This allows attackers to deploy a contract without capability...Show more An issue in CosmWasm prior to v2.2.0 allows attackers to bypass capability restrictions in blockchains by exploiting a lack of runtime capability validation. This allows attackers to deploy a contract without capability enforcement, and execute unauthorized actions on the blockchain.Show less
CVE-2023-47539 1Fortinet 1Fortimail Jul 24, 2025 Mar 18, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An improper access control vulnerability in FortiMail version 7.4.0 configured with RADIUS authentication and remote_wildcard enabled may allow a remote unauthenticated attacker to bypass admin login via a crafted HTTP r...Show more An improper access control vulnerability in FortiMail version 7.4.0 configured with RADIUS authentication and remote_wildcard enabled may allow a remote unauthenticated attacker to bypass admin login via a crafted HTTP request.Show less
CVE-2024-54565 1Apple 1Macos Mar 24, 2025 Mar 17, 2025 N/A· v4 6.2 MEDIUM· v3 N/A· v2 The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2. An app may be able to access sensitive user data.
CVE-2024-54559 1Apple 1Macos Mar 24, 2025 Mar 17, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2. An app may be able to access sensitive user data.
CVE-2025-25621 1Changeweb 1Unifiedtransform Jun 24, 2025 Mar 17, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Unifiedtransform 2.0 is vulnerable to Incorrect Access Control, which allows teachers to take attendance of fellow teachers. This affected endpoint is /courses/teacher/index?teacher_id=2&semester_id=1.
CVE-2025-25618 1Changeweb 1Unifiedtransform Jun 24, 2025 Mar 17, 2025 N/A· v4 3.3 LOW· v3 N/A· v2 Incorrect Access Control in Unifiedtransform 2.0 leads to Privilege Escalation allowing the change of Section Name and Room Number by Teachers.
CVE-2021-32584 1Fortinet 1Fortiwlc Jul 24, 2025 Mar 17, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 An improper access control (CWE-284) vulnerability in FortiWLC version 8.6.0, version 8.5.3 and below, version 8.4.8 and below, version 8.3.3 and below, version 8.2.7 to 8.2.4, version 8.1.3 may allow an unauthenticated...Show more An improper access control (CWE-284) vulnerability in FortiWLC version 8.6.0, version 8.5.3 and below, version 8.4.8 and below, version 8.3.3 and below, version 8.2.7 to 8.2.4, version 8.1.3 may allow an unauthenticated and remote attacker to access certain areas of the web management CGI functionality by just specifying the correct URL. The vulnerability applies only to limited CGI resources and might allow the unauthorized party to access configuration details.Show less
CVE-2021-22126 1Fortinet 1Fortiwlc Jul 24, 2025 Mar 17, 2025 N/A· v4 6.7 MEDIUM· v3 N/A· v2 A use of hard-coded password vulnerability in FortiWLC version 8.5.2 and below, version 8.4.8 and below, version 8.3.3 to 8.3.2, version 8.2.7 to 8.2.6 may allow a local, authenticated attacker to connect to the managed...Show more A use of hard-coded password vulnerability in FortiWLC version 8.5.2 and below, version 8.4.8 and below, version 8.3.3 to 8.3.2, version 8.2.7 to 8.2.6 may allow a local, authenticated attacker to connect to the managed Access Point (Meru AP and FortiAP-U) as root using the default hard-coded username and password.Show less
CVE-2025-2350 1Iroadau 1Fx2 Firmware Nov 6, 2025 Mar 16, 2025 5.3 MEDIUM· v4 7.8 HIGH· v3 5.8 MEDIUM· v2 A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been rated as critical. Affected by this issue is some unknown functionality of the file /action/upload_file. The manipulation leads to unrestricted...Show more A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been rated as critical. Affected by this issue is some unknown functionality of the file /action/upload_file. The manipulation leads to unrestricted upload. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-2348 1Iroadau 1Fx2 Firmware Nov 6, 2025 Mar 16, 2025 5.3 MEDIUM· v4 5.5 MEDIUM· v3 3.3 LOW· v2 A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been classified as problematic. Affected is an unknown function of the file /mnt/extsd/event/ of the component HTTP/RTSP. The manipulation leads to i...Show more A vulnerability was found in IROAD Dash Cam FX2 up to 20250308. It has been classified as problematic. Affected is an unknown function of the file /mnt/extsd/event/ of the component HTTP/RTSP. The manipulation leads to information disclosure. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-2334 1274056675 1Springboot Openai Chatgpt Oct 21, 2025 Mar 15, 2025 5.3 MEDIUM· v4 9.1 CRITICAL· v3 5.5 MEDIUM· v2 A vulnerability classified as problematic has been found in 274056675 springboot-openai-chatgpt e84f6f5. This affects the function deleteChat of the file /api/mjkj-chat/chat/ai/delete/chat of the component Chat History H...Show more A vulnerability classified as problematic has been found in 274056675 springboot-openai-chatgpt e84f6f5. This affects the function deleteChat of the file /api/mjkj-chat/chat/ai/delete/chat of the component Chat History Handler. The manipulation of the argument chatListId leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-25225 1Hikashop 1Hikashop May 28, 2025 Mar 15, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A privilege escalation vulnerability in the Hikashop component versions 1.0.0-5.1.3 for Joomla allows authenticated attackers (administrator) to escalate their privileges to Super Admin Permissions.
CVE-2025-25598 1Inovalogic 1Customer Monitor Apr 3, 2025 Mar 13, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect access control in the scheduled tasks console of Inova Logic CUSTOMER MONITOR (CM) v3.1.757.1 allows attackers to escalate privileges via placing a crafted executable into a scheduled task.
CVE-2025-2280 1Devolutions 1Devolutions Server Mar 28, 2025 Mar 13, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 Improper access control in web extension restriction feature in Devolutions Server 2024.3.4.0 and earlier allows an authenticated user to bypass the browser extension restriction feature.
CVE-2025-2278 1Devolutions 1Devolutions Server Mar 28, 2025 Mar 13, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request...Show more Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request ID.Show less

Previous 1...939495...255 Next