CWE-284

5,090 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.


CVEs (5,090)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
-
-
Apr 8, 2026
Dec 20, 2024
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The Maintenance & Coming Soon Redirect Animation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wploti_add_whitelisted_roles_option', 'wploti_remove_whitelisted_roles_option', 'wploti_add_whitelisted_users_option', 'wploti_remove_whitelisted_users_option', and 'wploti_uploaded_animation_save_option' functions in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify certain plugin settings.
Vendors (1): Mattermost
Products (1): Mattermost Mobile
Sep 24, 2025
Dec 16, 2024
N/A· v4
5.5 MEDIUM· v3
N/A· v2
Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.
Vendors (1): Invoiceplane
Products (1): Invoiceplane
Oct 15, 2025
Dec 16, 2024
5.3 MEDIUM· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
A vulnerability was found in InvoicePlane up to 1.6.1. It has been declared as critical. This vulnerability affects the function upload_file of the file /index.php/upload/upload_file/1/1. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Vendors (1): Dell
Products (1): Recoverpoint For Virtual Machines
Feb 4, 2025
Dec 13, 2024
N/A· v4
5.5 MEDIUM· v3
N/A· v2
Dell RecoverPoint for Virtual Machines 6.0.x contains an Improper access control vulnerability. A low privileged local attacker could potentially exploit this vulnerability leading to gaining access to unauthorized data for a limited time.
Vendors (1): Huawei
Products (2): Emui, Harmonyos
Jan 10, 2025
Dec 12, 2024
N/A· v4
5.5 MEDIUM· v3
N/A· v2
Vulnerability of improper access control in the MTP module. Impact: Successful exploitation of this vulnerability may affect integrity and accuracy.
-
-
Dec 12, 2024
Dec 12, 2024
N/A· v4
9.8 CRITICAL· v3
N/A· v2
The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation due to a missing capability check on the tp_install() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. This vulnerability was partially patched in version 1.1.1.
Vendors (1): Microsoft
Products (13): Windows 10 1507, Windows 10 1607, Windows 10 1809, +10 more
Jan 8, 2025
Dec 12, 2024
N/A· v4
7.3 HIGH· v3
N/A· v2
WmsRepair Service Elevation of Privilege Vulnerability
Vendors (1): Microsoft
Products (17): Remote Desktop Client, Windows 10 1507, Windows 10 1607, +14 more
Jul 7, 2025
Dec 12, 2024
N/A· v4
8.4 HIGH· v3
N/A· v2
Remote Desktop Client Remote Code Execution Vulnerability
Vendors (1): Microsoft
Products (1): Sharepoint Server
Jan 8, 2025
Dec 12, 2024
N/A· v4
8.2 HIGH· v3
N/A· v2
Microsoft SharePoint Elevation of Privilege Vulnerability
Vendors (1): Microsoft
Products (1): Office
Jan 8, 2025
Dec 12, 2024
N/A· v4
7.8 HIGH· v3
N/A· v2
Microsoft Office Elevation of Privilege Vulnerability
Vendors (1): Microsoft
Products (3): System Center 2019, System Center 2022, System Center 2025
Jan 8, 2025
Dec 12, 2024
N/A· v4
7.3 HIGH· v3
N/A· v2
Microsoft System Center Elevation of Privilege Vulnerability
Vendors (1): Glpi Project
Products (1): Glpi
Jan 10, 2025
Dec 11, 2024
7.2 HIGH· v4
8.1 HIGH· v3
N/A· v2
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue.
Vendors (1): Glpi Project
Products (1): Glpi
Jan 23, 2025
Dec 11, 2024
7.5 HIGH· v4
8.8 HIGH· v3
N/A· v2
GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with an access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.
Vendors (1): Glpi Project
Products (1): Glpi
Feb 6, 2025
Dec 11, 2024
7.6 HIGH· v4
8.8 HIGH· v3
N/A· v2
GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that have the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue.
-
-
Dec 11, 2024
Dec 11, 2024
N/A· v4
5.3 MEDIUM· v3
N/A· v2
The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the 'get_legacy_cookies' function. This makes it possible for unauthenticated attackers to extract sensitive data including titles and permalinks of private, password-protected, pending, and draft posts.
Vendors (1): Adobe
Products (1): Experience Manager
Jan 15, 2025
Dec 10, 2024
N/A· v4
4.3 MEDIUM· v3
N/A· v2
Adobe Experience Manager versions 6.5.21 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on confidentiality. Exploitation of this issue does not require user interaction.
Vendors (1): Adobe
Products (1): Experience Manager
Jan 15, 2025
Dec 10, 2024
N/A· v4
4.3 MEDIUM· v3
N/A· v2
Adobe Experience Manager versions 6.5.21 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on confidentiality. Exploitation of this issue does not require user interaction.
Vendors (1): Adobe
Products (1): Connect
Jan 15, 2025
Dec 10, 2024
N/A· v4
4.3 MEDIUM· v3
N/A· v2
Adobe Connect versions 12.6, 11.4.7 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on confidentiality. Exploitation of this issue does not require user interaction.
Vendors (1): Thimpress
Products (1): Learnpress
Apr 8, 2026
Dec 10, 2024
N/A· v4
5.3 MEDIUM· v3
N/A· v2
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.3 via class-lp-rest-material-controller.php. This makes it possible for unauthenticated attackers to extract potentially sensitive paid course material.
Vendors (1): Dell
Products (1): Power Manager
Feb 4, 2025
Dec 9, 2024
N/A· v4
7.8 HIGH· v3
N/A· v2
Dell Power Manager (DPM), versions prior to 3.17, contain an improper access control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution and Elevation of Privileges.