Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-52509 1Nextcloud 1Mail Sep 4, 2025 Nov 15, 2024 N/A· v4 5.7 MEDIUM· v3 N/A· v2 Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send...Show more Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send them the files to themselves and then downloading it from their mail clients. It is recommended that the Nextcloud Mail is upgraded to 2.2.10, 3.6.2 or 3.7.2.Show less
CVE-2024-50653 1Crmeb 1Crmeb Mar 13, 2025 Nov 15, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 CRMEB <=5.4.0 is vulnerable to Incorrect Access Control. Users can bypass the front-end restriction of only being able to claim coupons once by capturing packets and sending a large number of data packets for coupon coll...Show more CRMEB <=5.4.0 is vulnerable to Incorrect Access Control. Users can bypass the front-end restriction of only being able to claim coupons once by capturing packets and sending a large number of data packets for coupon collection, achieving unlimited coupon collection.Show less
CVE-2021-34753 1Cisco 1Firepower Threat Defense Software Aug 7, 2025 Nov 15, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 A vulnerability in the payload inspection for Ethernet Industrial Protocol (ENIP) traffic for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured rules for E...Show more A vulnerability in the payload inspection for Ethernet Industrial Protocol (ENIP) traffic for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured rules for ENIP traffic. This vulnerability is due to incomplete processing during deep packet inspection for ENIP packets. An attacker could exploit this vulnerability by sending a crafted ENIP packet to the targeted interface. A successful exploit could allow the attacker to bypass configured access control and intrusion policies that should trigger and drop for the ENIP packet.Show less
CVE-2024-20373 1Cisco 1Ios Xe Sd Wan Aug 1, 2025 Nov 15, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 A vulnerability in the implementation of the Simple Network Management Protocol (SNMP) IPv4 access control list (ACL) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacke...Show more A vulnerability in the implementation of the Simple Network Management Protocol (SNMP) IPv4 access control list (ACL) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform SNMP polling of an affected device, even if it is configured to deny SNMP traffic.  This vulnerability exists because Cisco IOS Software and Cisco IOS XE Software do not support extended IPv4 ACLs for SNMP, but they do allow administrators to configure extended named IPv4 ACLs that are attached to the SNMP server configuration without a warning message. This can result in no ACL being applied to the SNMP listening process. An attacker could exploit this vulnerability by performing SNMP polling of an affected device. A successful exploit could allow the attacker to perform SNMP operations that should be denied. The attacker has no control of the SNMP ACL configuration and would still need a valid SNMP version 2c (SNMPv2c) community string or SNMP version 3 (SNMPv3) user credentials. SNMP with IPv6 ACL configurations is not affected. For more information, see the section of this advisory.Show less
CVE-2021-3987 1Janeczku 1Calibre Web Nov 19, 2024 Nov 15, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method...Show more An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users.Show less
CVE-2024-11214 1Mayurik 1Best Employee Management System Nov 19, 2024 Nov 14, 2024 5.1 MEDIUM· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A vulnerability has been found in SourceCodester Best Employee Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/profile.php. The manipulation of the argument we...Show more A vulnerability has been found in SourceCodester Best Employee Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/profile.php. The manipulation of the argument website_image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher disclosure contains confusing vulnerability classes.Show less
CVE-2024-11211 1Eyoucms 1Eyoucms Nov 19, 2024 Nov 14, 2024 5.1 MEDIUM· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A vulnerability classified as critical has been found in EyouCMS up to 1.6.7. Affected is an unknown function of the component Website Logo Handler. The manipulation leads to unrestricted upload. It is possible to launch...Show more A vulnerability classified as critical has been found in EyouCMS up to 1.6.7. Affected is an unknown function of the component Website Logo Handler. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-39609 1Intel 1Server Board M70klp2sb Firmware Nov 19, 2024 Nov 13, 2024 8.7 HIGH· v4 6.7 MEDIUM· v3 N/A· v2 Improper Access Control in UEFI firmware for some Intel(R) Server Board M70KLP may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2024-39285 - - Nov 15, 2024 Nov 13, 2024 5.6 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 Improper access control in UEFI firmware in some Intel(R) Server M20NTP Family may allow a privileged user to potentially enable information disclosure via local access.
CVE-2024-36488 1Intel 1Driver & Support Assistant Feb 4, 2025 Nov 13, 2024 5.4 MEDIUM· v4 7.8 HIGH· v3 N/A· v2 Improper Access Control in some Intel(R) DSA before version 24.3.26.8 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-34022 - - Nov 15, 2024 Nov 13, 2024 5.4 MEDIUM· v4 6.7 MEDIUM· v3 N/A· v2 Improper Access Control in some Thunderbolt(TM) Share software before version 1.0.49.9 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-32483 1Intel 1Endpoint Management Assistant Sep 2, 2025 Nov 13, 2024 7.0 HIGH· v4 8.2 HIGH· v3 N/A· v2 Improper access control for some Intel(R) EMA software before version 1.13.1.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-32044 - - Nov 15, 2024 Nov 13, 2024 5.4 MEDIUM· v4 6.8 MEDIUM· v3 N/A· v2 Improper access control for some Intel(R) Arc(TM) Pro Graphics for Windows drivers before version 31.0.101.5319 may allow an authenticated user to potentially enable escalation of privilege via adjacent access.
CVE-2024-29085 - - Nov 15, 2024 Nov 13, 2024 5.1 MEDIUM· v4 5.5 MEDIUM· v3 N/A· v2 Improper access control for some BigDL software maintained by Intel(R) before version 2.5.0 may allow an authenticated user to potentially enable escalation of privilege via adjacent access.
CVE-2024-29077 - - Nov 15, 2024 Nov 13, 2024 5.4 MEDIUM· v4 6.7 MEDIUM· v3 N/A· v2 Improper access control in some JAM STAPL Player software before version 2.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-27200 - - Nov 15, 2024 Nov 13, 2024 4.8 MEDIUM· v4 4.4 MEDIUM· v3 N/A· v2 Improper access control in some Intel(R) Granulate(TM) software before version 4.30.1 may allow a authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-49049 1Microsoft 1Remote Ssh Nov 18, 2024 Nov 12, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 Visual Studio Code Remote Extension Elevation of Privilege Vulnerability
CVE-2024-49044 1Microsoft 1Visual Studio 2022 Nov 16, 2024 Nov 12, 2024 N/A· v4 6.7 MEDIUM· v3 N/A· v2 Visual Studio Elevation of Privilege Vulnerability
CVE-2024-43530 1Microsoft 5Windows 10 21h2 Windows 10 22h2Windows 11 22h2+2 more Nov 19, 2024 Nov 12, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Windows Update Stack Elevation of Privilege Vulnerability
CVE-2024-11138 1Dedecms 1Dedecms Dec 10, 2024 Nov 12, 2024 5.1 MEDIUM· v4 9.8 CRITICAL· v3 3.3 LOW· v2 A vulnerability classified as problematic has been found in DedeCMS 5.7.116. This affects an unknown part of the file /dede/uploads/dede/friendlink_add.php. The manipulation of the argument logoimg leads to unrestricted...Show more A vulnerability classified as problematic has been found in DedeCMS 5.7.116. This affects an unknown part of the file /dede/uploads/dede/friendlink_add.php. The manipulation of the argument logoimg leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.Show less

Previous 1...106107108...255 Next