Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-25683 - - Mar 12, 2025 Mar 12, 2025 N/A· v4 5.6 MEDIUM· v3 N/A· v2 AlekSIS-Core is vulnerable to Incorrect Access Control. Unauthenticated users can access all PDF files. This affects AlekSIS-Core 3.0, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.2.0 and 3.2.1.
CVE-2025-20144 1Cisco 1Ios Xr Aug 4, 2025 Mar 12, 2025 N/A· v4 5.8 MEDIUM· v3 N/A· v2 A vulnerability in the hybrid access control list (ACL) processing of IPv4 packets in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to inco...Show more A vulnerability in the hybrid access control list (ACL) processing of IPv4 packets in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to incorrect handling of packets when a specific configuration of the hybrid ACL exists. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass a configured ACL on the affected device. For more information, see the section of this advisory. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.Show less
CVE-2024-13430 1Pagelayer 1Pagelayer Apr 2, 2025 Mar 12, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.8 via the 'pagelayer_builder_posts_shortcode' function due...Show more The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.8 via the 'pagelayer_builder_posts_shortcode' function due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private posts that they should not have access to.Show less
CVE-2025-2219 1Lovecards 1Lovecards Mar 25, 2025 Mar 12, 2025 6.9 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability was found in LoveCards LoveCardsV2 up to 2.3.2 and classified as critical. This issue affects some unknown processing of the file /api/upload/image. The manipulation of the argument file leads to unrestri...Show more A vulnerability was found in LoveCards LoveCardsV2 up to 2.3.2 and classified as critical. This issue affects some unknown processing of the file /api/upload/image. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-2218 1Lovecards 1Lovecards Mar 25, 2025 Mar 12, 2025 6.9 MEDIUM· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 A vulnerability has been found in LoveCards LoveCardsV2 up to 2.3.2 and classified as critical. This vulnerability affects unknown code of the file /api/system/other of the component Setting Handler. The manipulation lea...Show more A vulnerability has been found in LoveCards LoveCardsV2 up to 2.3.2 and classified as critical. This vulnerability affects unknown code of the file /api/system/other of the component Setting Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-2216 1Zzskzy 1Warehouse Refinement Management System Mar 25, 2025 Mar 12, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability, which was classified as critical, has been found in zzskzy Warehouse Refinement Management System 1.3. Affected by this issue is the function UploadCrash of the file /crash/log/SaveCrash.ashx. The manipu...Show more A vulnerability, which was classified as critical, has been found in zzskzy Warehouse Refinement Management System 1.3. Affected by this issue is the function UploadCrash of the file /crash/log/SaveCrash.ashx. The manipulation of the argument file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-23243 1Nvidia 1Riva Oct 16, 2025 Mar 11, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 NVIDIA Riva contains a vulnerability where a user could cause an improper access control issue. A successful exploit of this vulnerability might lead to data tampering or denial of service.
CVE-2025-23242 1Nvidia 1Riva Oct 16, 2025 Mar 11, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 NVIDIA Riva contains a vulnerability where a user could cause an improper access control issue. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, denial of service, or inf...Show more NVIDIA Riva contains a vulnerability where a user could cause an improper access control issue. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, denial of service, or information disclosure.Show less
CVE-2025-26645 1Microsoft 16Remote Desktop Client Windows 10 1507Windows 10 1607+13 more Jul 7, 2025 Mar 11, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
CVE-2025-24994 1Microsoft 3Windows 11 22h2 Windows 11 23h2Windows 11 24h2 Jul 3, 2025 Mar 11, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally.
CVE-2025-24076 1Microsoft 5Windows 11 22h2 Windows 11 23h2Windows 11 24h2+2 more Jul 7, 2025 Mar 11, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally.
CVE-2024-9157 - - Mar 11, 2025 Mar 11, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 UNSUPPORTED WHEN ASSIGNED A privilege escalation vulnerability in CxUIUSvc64.exe and CxUIUSvc32.exe of Synaptics audio drivers allows a local authorized attacker to load a DLL in a privileged process. Out of an...Show more UNSUPPORTED WHEN ASSIGNED A privilege escalation vulnerability in CxUIUSvc64.exe and CxUIUSvc32.exe of Synaptics audio drivers allows a local authorized attacker to load a DLL in a privileged process. Out of an abundance of caution, this CVE ID is being assigned to better serve our customers and ensure all who are still running this product understand that the product is End-of-Life and should be removed. For more information on this, refer to the CVE Record’s reference information.Show less
CVE-2025-25614 1Changeweb 1Unifiedtransform Jun 23, 2025 Mar 10, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Access Control in Unifiedtransform 2.0 leads to Privilege Escalation, which allows teachers to update the personal data of fellow teachers.
CVE-2025-25616 1Changeweb 1Unifiedtransform Mar 13, 2025 Mar 10, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Unifiedtransform 2.0 is vulnerable to Incorrect Access Control, which allows students to modify rules for exams. The affected endpoint is /exams/edit-rule?exam_rule_id=1.
CVE-2025-25615 1Changeweb 1Unifiedtransform Mar 13, 2025 Mar 10, 2025 N/A· v4 2.7 LOW· v3 N/A· v2 Unifiedtransform 2.0 is vulnerable to Incorrect Access Control which allows viewing attendance list for all class sections.
CVE-2025-2121 1Thinkware 1F800 Pro Firmware Jul 22, 2025 Mar 9, 2025 5.3 MEDIUM· v4 8.8 HIGH· v3 5.8 MEDIUM· v2 A vulnerability classified as critical has been found in Thinkware Car Dashcam F800 Pro up to 20250226. Affected is an unknown function of the component File Storage. The manipulation leads to improper access controls. T...Show more A vulnerability classified as critical has been found in Thinkware Car Dashcam F800 Pro up to 20250226. Affected is an unknown function of the component File Storage. The manipulation leads to improper access controls. The attack can only be done within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-2115 1Zzskzy 1Warehouse Refinement Management System Jun 27, 2025 Mar 9, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability, which was classified as critical, was found in zzskzy Warehouse Refinement Management System 3.1. Affected is the function ProcessRequest of the file /AcceptZip.ashx. The manipulation of the argument fil...Show more A vulnerability, which was classified as critical, was found in zzskzy Warehouse Refinement Management System 3.1. Affected is the function ProcessRequest of the file /AcceptZip.ashx. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-25617 - - Mar 7, 2025 Mar 7, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Incorrect Access Control in Unifiedtransform 2.X leads to Privilege Escalation allowing teachers to create syllabus.
CVE-2025-2090 1Phpgurukul 1Pre School Enrollment System Apr 3, 2025 Mar 7, 2025 5.1 MEDIUM· v4 4.7 MEDIUM· v3 5.8 MEDIUM· v2 A vulnerability was found in PHPGurukul Pre-School Enrollment System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/add-subadmin.php of the component Sub Admin Han...Show more A vulnerability was found in PHPGurukul Pre-School Enrollment System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/add-subadmin.php of the component Sub Admin Handler. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-2089 1Starsea99 1Starsea Mall Oct 10, 2025 Mar 7, 2025 5.3 MEDIUM· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 A vulnerability has been found in StarSea99 starsea-mall 1.0/2.X and classified as critical. Affected by this vulnerability is the function updateUserInfo of the file /personal/updateInfo of the component com.siro.mall.c...Show more A vulnerability has been found in StarSea99 starsea-mall 1.0/2.X and classified as critical. Affected by this vulnerability is the function updateUserInfo of the file /personal/updateInfo of the component com.siro.mall.controller.mall.UserController. The manipulation of the argument userId leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.Show less

Previous 1...949596...255 Next