Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-45870 1Bandisoft 1Bandiview Apr 28, 2025 Oct 3, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Bandisoft BandiView 7.05 is vulnerable to Incorrect Access Control in sub_0x3d80fc via a crafted POC file.
CVE-2024-42514 1Mitel 1Micontact Center Business May 30, 2025 Oct 1, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.1.0.4 could allow an unauthenticated attacker to conduct an unauthorized access attack due to inadequate access control checks. A...Show more A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.1.0.4 could allow an unauthenticated attacker to conduct an unauthorized access attack due to inadequate access control checks. A successful exploit requires user interaction and could allow an attacker to access sensitive information and send unauthorized messages during an active chat session.Show less
CVE-2024-45408 1Elabftw 1Elabftw Feb 28, 2025 Oct 1, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 eLabFTW is an open source electronic lab notebook for research labs. An incorrect permission check has been found that could allow an authenticated user to access several kinds of otherwise restricted information. If ano...Show more eLabFTW is an open source electronic lab notebook for research labs. An incorrect permission check has been found that could allow an authenticated user to access several kinds of otherwise restricted information. If anonymous access is allowed (something disabled by default), this extends to anyone. Users are advised to upgrade to at least version 5.1.0. System administrators can disable anonymous access in the System configuration panel.Show less
CVE-2024-46280 - - Oct 4, 2024 Sep 30, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 PIX-LINK LV-WR22 RE3002-P1-01_V117.0 is vulnerable to Improper Access Control. The TELNET service is enabled with weak credentials for a root-level account, without the possibility of changing them.
CVE-2024-9321 1Oretnom23 1Railway Reservation System Oct 1, 2024 Sep 29, 2024 6.9 MEDIUM· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability was found in SourceCodester Online Railway Reservation System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/inquiries/view_details.php. The manipulation of...Show more A vulnerability was found in SourceCodester Online Railway Reservation System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/inquiries/view_details.php. The manipulation of the argument id leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-9298 1Oretnom23 1Railway Reservation System Oct 1, 2024 Sep 28, 2024 5.3 MEDIUM· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability was found in SourceCodester Online Railway Reservation System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /?page=tickets of the component Ticket...Show more A vulnerability was found in SourceCodester Online Railway Reservation System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /?page=tickets of the component Ticket Handler. The manipulation of the argument id leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-46097 1Testlink 1Testlink Jul 10, 2025 Sep 27, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function you can chang...Show more TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function you can change the tplan_id parameter to another ID. The application does not carry out a check on the user's permissions maing it possible to recover the IDs of all the TestPlans (even the administrative ones) and modify them even with minimal privileges.Show less
CVE-2024-46627 - - Sep 30, 2024 Sep 26, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests.
CVE-2024-45982 - - Sep 30, 2024 Sep 26, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 A host header injection vulnerability in scheduleR v0.0.18 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This allows attackers to arbitrarily reset other use...Show more A host header injection vulnerability in scheduleR v0.0.18 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This allows attackers to arbitrarily reset other users' passwords and compromise their accounts.Show less
CVE-2024-44860 1Solvait 1Solvait Jul 10, 2025 Sep 26, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An information disclosure vulnerability in the /Letter/PrintQr/ endpoint of Solvait v24.4.2 allows attackers to access sensitive data via a crafted request.
CVE-2024-41605 - - Sep 30, 2024 Sep 26, 2024 N/A· v4 8.4 HIGH· v3 N/A· v2 In Foxit PDF Reader before 2024.3, and PDF Editor before 2024.3 and 13.x before 13.1.4, an attacker can replace an update file with a Trojan horse via side loading, because the update service lacks integrity validation f...Show more In Foxit PDF Reader before 2024.3, and PDF Editor before 2024.3 and 13.x before 13.1.4, an attacker can replace an update file with a Trojan horse via side loading, because the update service lacks integrity validation for the updater. Attacker-controlled code may thus be executed.Show less
CVE-2024-47145 1Mattermost 1Mattermost Server Sep 26, 2024 Sep 26, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Mattermost versions 9.5.x <= 9.5.8 fail to properly authorize access to archived channels when viewing archived channels is disabled, which allows an attacker to view posts and files of archived channels via file links.
CVE-2024-42406 1Mattermost 1Mattermost Server Oct 1, 2024 Sep 26, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows an attacker to retrieve post and file...Show more Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files.Show less
CVE-2024-20465 1Cisco 1Ios Oct 24, 2024 Sep 25, 2024 N/A· v4 5.8 MEDIUM· v3 N/A· v2 A vulnerability in the access control list (ACL) programming of Cisco IOS Software running on Cisco Industrial Ethernet 4000, 4010, and 5000 Series Switches could allow an unauthenticated, remote attacker to bypass a con...Show more A vulnerability in the access control list (ACL) programming of Cisco IOS Software running on Cisco Industrial Ethernet 4000, 4010, and 5000 Series Switches could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to the incorrect handling of IPv4 ACLs on switched virtual interfaces when an administrator enables and disables Resilient Ethernet Protocol (REP). An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass an ACL on the affected device.Show less
CVE-2024-46610 1Thecosy 1Icecms Nov 21, 2024 Sep 25, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An access control issue in IceCMS v3.4.7 and before allows attackers to arbitrarily modify users' information, including username and password, via a crafted POST request sent to the endpoint /User/ChangeUser/s in the Ch...Show more An access control issue in IceCMS v3.4.7 and before allows attackers to arbitrarily modify users' information, including username and password, via a crafted POST request sent to the endpoint /User/ChangeUser/s in the ChangeUser function in UserController.javaShow less
CVE-2024-46609 1Thecosy 1Icecms Apr 28, 2025 Sep 25, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An access control issue in the CheckVip function in UserController.java of IceCMS v3.4.7 and before allows unauthenticated attackers to access and returns all user information, including passwords
CVE-2024-46607 1Thecosy 1Icecms Apr 28, 2025 Sep 25, 2024 N/A· v4 7.6 HIGH· v3 N/A· v2 Incorrect access control in IceCMS v3.4.7 and before allows attackers to authenticate by entering any arbitrary values as the username and password via the loginAdmin method in the UserController.java file.
CVE-2024-42797 1Lopalopa 1Music Management System Apr 28, 2025 Sep 25, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An Incorrect Access Control vulnerability was found in /music/ajax.php?action=delete_playlist in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to delete the valid music pla...Show more An Incorrect Access Control vulnerability was found in /music/ajax.php?action=delete_playlist in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to delete the valid music playlist entries.Show less
CVE-2024-45489 - - Sep 26, 2024 Sep 20, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Arc before 2024-08-26 allows remote code execution in JavaScript boosts. Boosts that run JavaScript cannot be shared by default; however (because of misconfigured Firebase ACLs), it is possible to create or update a boos...Show more Arc before 2024-08-26 allows remote code execution in JavaScript boosts. Boosts that run JavaScript cannot be shared by default; however (because of misconfigured Firebase ACLs), it is possible to create or update a boost using another user's ID. This installs the boost in the victim's browser and runs arbitrary Javascript on that browser in a privileged context. NOTE: this is a no-action cloud vulnerability with zero affected users.Show less
CVE-2024-9003 1Jflow Project 1Jflow Sep 25, 2024 Sep 19, 2024 5.3 MEDIUM· v4 5.3 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability was found in Jinan Chicheng Company JFlow 2.0.0. It has been rated as problematic. This issue affects the function AttachmentUploadController of the file /WF/Ath/EntityMutliFile_Load.do of the component A...Show more A vulnerability was found in Jinan Chicheng Company JFlow 2.0.0. It has been rated as problematic. This issue affects the function AttachmentUploadController of the file /WF/Ath/EntityMutliFile_Load.do of the component Attachment Handler. The manipulation of the argument oid leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less

Previous 1...110111112...255 Next