Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-1818 1Zframeworks 1Zz May 26, 2025 Mar 2, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability, which was classified as critical, has been found in zj1983 zz up to 2024-8. This issue affects some unknown processing of the file src/main/java/com/futvan/z/system/zfile/ZfileAction.upload. The manipula...Show more A vulnerability, which was classified as critical, has been found in zj1983 zz up to 2024-8. This issue affects some unknown processing of the file src/main/java/com/futvan/z/system/zfile/ZfileAction.upload. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-1791 1Skycaiji 1Skycaiji Jun 12, 2025 Mar 1, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability has been found in Zorlan SkyCaiji 2.9 and classified as critical. This vulnerability affects the function fileAction of the file vendor/skycaiji/app/admin/controller/Tool.php. The manipulation of the argu...Show more A vulnerability has been found in Zorlan SkyCaiji 2.9 and classified as critical. This vulnerability affects the function fileAction of the file vendor/skycaiji/app/admin/controller/Tool.php. The manipulation of the argument save_data leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-37567 1Infoblox 1Nios Apr 10, 2025 Feb 27, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Infoblox NIOS through 8.6.4 has Improper Access Control for Grids.
CVE-2024-37566 1Infoblox 1Nios Apr 10, 2025 Feb 27, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Infoblox NIOS through 8.6.4 has Improper Authentication for Grids.
CVE-2025-25730 - - Feb 28, 2025 Feb 27, 2025 N/A· v4 4.6 MEDIUM· v3 N/A· v2 An issue in Motorola Mobility Droid Razr HD (Model XT926) System Version: 9.18.94.XT926.Verizon.en.US allows physically proximate unauthorized attackers to access USB debugging, leading to control of the host device itse...Show more An issue in Motorola Mobility Droid Razr HD (Model XT926) System Version: 9.18.94.XT926.Verizon.en.US allows physically proximate unauthorized attackers to access USB debugging, leading to control of the host device itself.Show less
CVE-2024-38291 1Extremenetworks 1Xiq Se Jul 11, 2025 Feb 27, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 In XIQ-SE before 24.2.11, a low-privileged user may be able to access admin passwords, which could lead to privilege escalation.
CVE-2024-53573 1Changeweb 1Unifiedtransform Apr 7, 2025 Feb 26, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Unifiedtransform v2.X is vulnerable to Incorrect Access Control. Unauthorized users can access and manipulate endpoints intended exclusively for administrative use. This issue specifically affects teacher/edit/{id}.
CVE-2024-36259 1Odoo 1Odoo Feb 28, 2025 Feb 25, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Improper access control in mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack.
CVE-2024-12368 1Odoo 1Odoo Feb 28, 2025 Feb 25, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper access control in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0 allows an internal user to export the OAuth tokens of other users.
CVE-2024-13693 1Kriesi 1Enfold Feb 28, 2025 Feb 25, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticat...Show more The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings which may included sensitive information such as the Mailchimp API Key, reCAPTCHA Secret Key, or Envato private token if they are set.Show less
CVE-2025-1646 - - Feb 25, 2025 Feb 25, 2025 6.9 MEDIUM· v4 7.3 HIGH· v3 7.5 HIGH· v2 A vulnerability, which was classified as critical, has been found in Lumsoft ERP 8. Affected by this issue is some unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx of the component ASPX File Handler. The...Show more A vulnerability, which was classified as critical, has been found in Lumsoft ERP 8. Affected by this issue is some unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx of the component ASPX File Handler. The manipulation of the argument file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-53542 - - Feb 25, 2025 Feb 24, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Incorrect access control in the component /iclock/Settings?restartNCS=1 of NovaCHRON Zeitsysteme GmbH & Co. KG Smart Time Plus v8.x to v8.6 allows attackers to arbitrarily restart the NCServiceManger via a crafted GET re...Show more Incorrect access control in the component /iclock/Settings?restartNCS=1 of NovaCHRON Zeitsysteme GmbH & Co. KG Smart Time Plus v8.x to v8.6 allows attackers to arbitrarily restart the NCServiceManger via a crafted GET request.Show less
CVE-2025-27140 1Wegia 1Wegia Feb 28, 2025 Feb 24, 2025 10.0 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 WeGIA is a Web manager for charitable institutions. An OS Command Injection vulnerability was discovered in versions prior to 3.2.15 of the WeGIA application, `importar_dump.php` endpoint. This vulnerability could allow...Show more WeGIA is a Web manager for charitable institutions. An OS Command Injection vulnerability was discovered in versions prior to 3.2.15 of the WeGIA application, `importar_dump.php` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely. The command is basically a command to move a temporary file, so a webshell upload is also possible. Version 3.2.15 contains a patch for the issue.Show less
CVE-2025-1606 1Mayurik 1Best Employee Management System Feb 28, 2025 Feb 24, 2025 5.3 MEDIUM· v4 7.5 HIGH· v3 4.0 MEDIUM· v2 A vulnerability classified as problematic was found in SourceCodester Best Employee Management System 1.0. This vulnerability affects unknown code of the file /admin/backup/backups.php. The manipulation leads to informat...Show more A vulnerability classified as problematic was found in SourceCodester Best Employee Management System 1.0. This vulnerability affects unknown code of the file /admin/backup/backups.php. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-1598 1Mayurik 1Best Church Management Software Feb 28, 2025 Feb 24, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/app/asset_crud.php. The man...Show more A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/app/asset_crud.php. The manipulation of the argument photo1 leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-1595 - - Feb 23, 2025 Feb 23, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability has been found in Anhui Xufan Information Technology EasyCVR up to 2.7.0 and classified as problematic. This vulnerability affects unknown code of the file /api/v1/getbaseconfig. The manipulation leads to...Show more A vulnerability has been found in Anhui Xufan Information Technology EasyCVR up to 2.7.0 and classified as problematic. This vulnerability affects unknown code of the file /api/v1/getbaseconfig. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-1593 1Mayurik 1Best Employee Management System Feb 28, 2025 Feb 23, 2025 5.1 MEDIUM· v4 9.8 CRITICAL· v3 5.8 MEDIUM· v2 A vulnerability classified as critical has been found in SourceCodester Best Employee Management System 1.0. This affects an unknown part of the file /_hr_soft/assets/uploadImage/Profile/ of the component Profile Picture...Show more A vulnerability classified as critical has been found in SourceCodester Best Employee Management System 1.0. This affects an unknown part of the file /_hr_soft/assets/uploadImage/Profile/ of the component Profile Picture Handler. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely.Show less
CVE-2025-1590 1Janobe 1E Learning System Feb 28, 2025 Feb 23, 2025 5.1 MEDIUM· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A vulnerability was found in SourceCodester E-Learning System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/modules/lesson/index.php of the component List of Lessons Page. Th...Show more A vulnerability was found in SourceCodester E-Learning System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/modules/lesson/index.php of the component List of Lessons Page. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely.Show less
CVE-2025-1555 1Hzmanyun 1Education And Training System Jan 29, 2026 Feb 21, 2025 6.9 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. This vulnerability affects the function saveImage. The manipulation of the argument file leads to unrestricted upload. The...Show more A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. This vulnerability affects the function saveImage. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-25968 1Ddsn 1Cm3 Acora Content Management System Sep 30, 2025 Feb 20, 2025 N/A· v4 6.0 MEDIUM· v3 N/A· v2 DDSN Interactive cm3 Acora CMS version 10.1.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the...Show more DDSN Interactive cm3 Acora CMS version 10.1.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the endpoint and exploiting the 'file' parameter. By referencing specific files (e.g., cm3.xml), attackers can bypass access controls, leading to account takeover and potential privilege escalation.Show less

Previous 1...969798...255 Next