Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-38016 1Microsoft 4365 Apps OfficeOffice Long Term Servicing Channel+1 more Sep 24, 2024 Sep 19, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Microsoft Office Visio Remote Code Execution Vulnerability
CVE-2024-46990 1Monospace 1Directus Nov 17, 2025 Sep 18, 2024 N/A· v4 5.0 MEDIUM· v3 N/A· v2 Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter a user may bypass this block by using other registered loop...Show more Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter a user may bypass this block by using other registered loopback devices (like `127.0.0.2` - `127.127.127.127`). This issue has been addressed in release versions 10.13.3 and 11.1.0. Users are advised to upgrade. Users unable to upgrade may block this bypass by manually adding the `127.0.0.0/8` CIDR range which will block access to any `127.X.X.X` ip instead of just `127.0.0.1`.Show less
CVE-2024-45811 - - Sep 20, 2024 Sep 17, 2024 N/A· v4 4.8 MEDIUM· v3 N/A· v2 Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?impor...Show more Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2024-40825 1Apple 2Macos Visionos Apr 2, 2026 Sep 17, 2024 N/A· v4 4.4 MEDIUM· v3 N/A· v2 The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15, visionOS 2. A malicious app with root privileges may be able to modify the contents of system files.
CVE-2024-42796 1Lopalopa 1Music Management System Apr 28, 2025 Sep 16, 2024 N/A· v4 5.9 MEDIUM· v3 N/A· v2 An Incorrect Access Control vulnerability was found in /music/ajax.php?action=delete_genre in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to delete the valid music genre...Show more An Incorrect Access Control vulnerability was found in /music/ajax.php?action=delete_genre in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to delete the valid music genre entries.Show less
CVE-2024-42795 1Lopalopa 1Music Management System Apr 28, 2025 Sep 16, 2024 N/A· v4 4.2 MEDIUM· v3 N/A· v2 An Incorrect Access Control vulnerability was found in /music/view_user.php?id=3 and /music/controller.php?page=edit_user&id=3 in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attac...Show more An Incorrect Access Control vulnerability was found in /music/view_user.php?id=3 and /music/controller.php?page=edit_user&id=3 in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to view valid user details.Show less
CVE-2024-42794 1Lopalopa 1Music Management System Apr 28, 2025 Sep 16, 2024 N/A· v4 4.7 MEDIUM· v3 N/A· v2 Kashipara Music Management System v1.0 is vulnerable to Incorrect Access Control via /music/ajax.php?action=save_user.
CVE-2024-36261 1Intel 1Raid Web Console Sep 23, 2024 Sep 16, 2024 N/A· v4 5.7 MEDIUM· v3 N/A· v2 Improper access control in Intel(R) RAID Web Console software all versions may allow an authenticated user to potentially enable denial of service via adjacent access.
CVE-2024-36247 1Intel 1Raid Web Console Sep 23, 2024 Sep 16, 2024 N/A· v4 5.7 MEDIUM· v3 N/A· v2 Improper access control in Intel(R) RAID Web Console all versions may allow an authenticated user to potentially enable denial of service via adjacent access.
CVE-2024-34543 1Intel 1Raid Web Console Sep 23, 2024 Sep 16, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Intel(R) RAID Web Console software for all versions may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-32940 1Intel 1Raid Web Console Sep 23, 2024 Sep 16, 2024 N/A· v4 5.7 MEDIUM· v3 N/A· v2 Improper access control in Intel(R) RAID Web Console software for all versions may allow an authenticated user to potentially enable denial of service via adjacent access.
CVE-2024-28170 1Intel 1Raid Web Console Sep 23, 2024 Sep 16, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Improper access control in Intel(R) RAID Web Console all versions may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2023-43626 - - Nov 3, 2025 Sep 16, 2024 8.7 HIGH· v4 7.5 HIGH· v3 N/A· v2 Improper access control in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2024-39772 1Mattermost 1Mattermost Desktop Nov 1, 2024 Sep 16, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.
CVE-2024-8779 1Syscomgo 1Omflow Sep 17, 2024 Sep 16, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 OMFLOW from The SYSCOM Group does not properly restrict access to the system settings modification functionality, allowing remote attackers with regular privileges to update system settings or create accounts with admini...Show more OMFLOW from The SYSCOM Group does not properly restrict access to the system settings modification functionality, allowing remote attackers with regular privileges to update system settings or create accounts with administrator privileges, thereby gaining control of the server.Show less
CVE-2024-8269 1Inspireui 1Mstore Api Sep 18, 2024 Sep 13, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 4.15.3. This is due to the plugin not checking tha...Show more The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 4.15.3. This is due to the plugin not checking that user registration is enabled prior to creating a user account through the register() function. This makes it possible for unauthenticated attackers to create user accounts on sites, even when user registration is disabled and plugin functionality is not activated.Show less
CVE-2024-44571 1Relyum 1Rely Pcie Firmware Apr 28, 2025 Sep 11, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain incorrect access control in the mService function at phpinf.php.
CVE-2024-20343 1Cisco 1Ios Xr Oct 7, 2024 Sep 11, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to read any file in the file system of the underlying Linux operating system. The attacker must have valid credentials on t...Show more A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to read any file in the file system of the underlying Linux operating system. The attacker must have valid credentials on the affected device. This vulnerability is due to incorrect validation of the arguments that are passed to a specific CLI command. An attacker could exploit this vulnerability by logging in to an affected device with low-privileged credentials and using the affected command. A successful exploit could allow the attacker access files in read-only mode on the Linux file system.Show less
CVE-2024-43492 1Microsoft 1Autoupdate Sep 18, 2024 Sep 10, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability
CVE-2024-43479 1Microsoft 1Power Automate Sep 13, 2024 Sep 10, 2024 N/A· v4 8.5 HIGH· v3 N/A· v2 Microsoft Power Automate Desktop Remote Code Execution Vulnerability

Previous 1...111112113...255 Next