Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-57032 1Wegia 1Wegia Mar 19, 2025 Jan 17, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 WeGIA < 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php. The application does not validate the value of the old password, so it is possible to change the password by placing any value in the senha...Show more WeGIA < 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php. The application does not validate the value of the old password, so it is possible to change the password by placing any value in the senha_antiga field.Show less
CVE-2024-12370 1Thimpress 1Wp Hotel Booking Feb 11, 2025 Jan 17, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. This makes it possible for una...Show more The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to add rooms with custom prices.Show less
CVE-2024-55954 - - Jan 16, 2025 Jan 16, 2025 N/A· v4 8.7 HIGH· v3 N/A· v2 OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an "Admin" role user to remove a "Root" user from the organization. This viola...Show more OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account. Due to insufficient role checks, the `remove_user_from_org` function does not prevent an "Admin" user from removing a "Root" user. As a result, an attacker with an "Admin" role can remove critical "Root" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The `DELETE /api/{org_id}/users/{email_id}` endpoint is affected. This issue has been addressed in release version `0.14.1` and all users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2025-0481 1Dlink 1Dir 878 Firmware Jul 16, 2025 Jan 15, 2025 6.9 MEDIUM· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A vulnerability classified as problematic has been found in D-Link DIR-878 1.03. Affected is an unknown function of the file /dllog.cgi of the component HTTP POST Request Handler. The manipulation leads to information di...Show more A vulnerability classified as problematic has been found in D-Link DIR-878 1.03. Affected is an unknown function of the file /dllog.cgi of the component HTTP POST Request Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-21405 1Microsoft 1Visual Studio 2022 Jan 17, 2025 Jan 14, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 Visual Studio Elevation of Privilege Vulnerability
CVE-2025-21340 1Microsoft 10Windows 10 1809 Windows 10 21h2Windows 10 22h2+7 more Jan 21, 2025 Jan 14, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability
CVE-2025-21301 1Microsoft 13Windows 10 1507 Windows 10 1607Windows 10 1809+10 more Jan 24, 2025 Jan 14, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Windows Geolocation Service Information Disclosure Vulnerability
CVE-2025-21293 1Microsoft 14Windows 10 1507 Windows 10 1607Windows 10 1809+11 more Jan 24, 2025 Jan 14, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Active Directory Domain Services Elevation of Privilege Vulnerability
CVE-2025-21213 1Microsoft 14Windows 10 1507 Windows 10 1607Windows 10 1809+11 more Jan 27, 2025 Jan 14, 2025 N/A· v4 4.6 MEDIUM· v3 N/A· v2 Secure Boot Security Feature Bypass Vulnerability
CVE-2025-21202 1Microsoft 13Windows 10 1507 Windows 10 1607Windows 10 1809+10 more Jan 27, 2025 Jan 14, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Windows Recovery Environment Agent Elevation of Privilege Vulnerability
CVE-2025-0463 151mis 1Lingdang Crm Aug 28, 2025 Jan 14, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability was found in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.0.0. It has been classified as critical. Affected is an unknown function of the file /crm/weixinmp/index.php?userid=123&module=...Show more A vulnerability was found in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.0.0. It has been classified as critical. Affected is an unknown function of the file /crm/weixinmp/index.php?userid=123&module=Users&usid=1&action=UsersAjax&minipro_const_type=1&related_module=Singin. The manipulation of the argument name leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-0460 - - Jan 14, 2025 Jan 14, 2025 6.9 MEDIUM· v4 7.3 HIGH· v3 7.5 HIGH· v2 A vulnerability, which was classified as critical, was found in Blog Botz for Journal Theme 1.0 on OpenCart. This affects an unknown part of the file /index.php?route=extension/module/blog_add. The manipulation of the ar...Show more A vulnerability, which was classified as critical, was found in Blog Botz for Journal Theme 1.0 on OpenCart. This affects an unknown part of the file /index.php?route=extension/module/blog_add. The manipulation of the argument image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-45326 1Fortinet 1Fortideceptor Feb 4, 2026 Jan 14, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An Improper Access Control vulnerability [CWE-284] vulnerability in Fortinet FortiDeceptor 6.0.0, FortiDeceptor 5.3 all versions, FortiDeceptor 5.2 all versions, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all vers...Show more An Improper Access Control vulnerability [CWE-284] vulnerability in Fortinet FortiDeceptor 6.0.0, FortiDeceptor 5.3 all versions, FortiDeceptor 5.2 all versions, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions may allow an authenticated attacker with none privileges to perform operations on the central management appliance via crafted requests.Show less
CVE-2025-0403 11902756969 1Reggie Oct 21, 2025 Jan 13, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability, which was classified as problematic, has been found in 1902756969 reggie 1.0. Affected by this issue is some unknown functionality of the file /user/sendMsg of the component Phone Number Validation Handl...Show more A vulnerability, which was classified as problematic, has been found in 1902756969 reggie 1.0. Affected by this issue is some unknown functionality of the file /user/sendMsg of the component Phone Number Validation Handler. The manipulation of the argument code leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-0402 11902756969 1Reggie Oct 21, 2025 Jan 13, 2025 5.3 MEDIUM· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability classified as critical was found in 1902756969 reggie 1.0. Affected by this vulnerability is the function upload of the file src/main/java/com/itheima/reggie/controller/CommonController.java. The manipula...Show more A vulnerability classified as critical was found in 1902756969 reggie 1.0. Affected by this vulnerability is the function upload of the file src/main/java/com/itheima/reggie/controller/CommonController.java. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-0399 1Starsea99 1Starsea Mall Oct 10, 2025 Jan 12, 2025 5.1 MEDIUM· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A vulnerability was found in StarSea99 starsea-mall 1.0. It has been declared as critical. This vulnerability affects the function UploadController of the file src/main/java/com/siro/mall/controller/common/uploadControll...Show more A vulnerability was found in StarSea99 starsea-mall 1.0. It has been declared as critical. This vulnerability affects the function UploadController of the file src/main/java/com/siro/mall/controller/common/uploadController.java. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-21380 1Microsoft 1Azure Marketplace Feb 5, 2025 Jan 9, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Improper access control in Azure SaaS Resources allows an authorized attacker to disclose information over a network.
CVE-2024-13240 1Getopensocial 1Open Social Jun 4, 2025 Jan 9, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Improper Access Control vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.This issue affects Open Social: from 0.0.0 before 12.05.
CVE-2025-0346 1Code Projects 1Content Management System Feb 27, 2025 Jan 9, 2025 5.1 MEDIUM· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A vulnerability was found in code-projects Content Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/publishnews.php of the component Publish News Page. The manipu...Show more A vulnerability was found in code-projects Content Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/publishnews.php of the component Publish News Page. The manipulation of the argument image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-0341 1Campcodes 1Computer Laboratory Management System Mar 4, 2025 Jan 9, 2025 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability, which was classified as critical, has been found in CampCodes Computer Laboratory Management System 1.0. Affected by this issue is some unknown functionality of the file /class/edit/edit. The manipulatio...Show more A vulnerability, which was classified as critical, has been found in CampCodes Computer Laboratory Management System 1.0. Affected by this issue is some unknown functionality of the file /class/edit/edit. The manipulation of the argument e_photo leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.Show less

Previous 1...101102103...255 Next