CWE-284

5,090 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
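
As an added illustration of that definition (generic example code written for this page, not taken from any product in the list below), the two failure modes that recur in the entries, an administrative action reachable by direct URL with no authentication check, and a record editor that trusts a caller-supplied receipt number without checking who owns the record, are shown side by side with their guarded forms. The session table, payment records, `Request` and `Response` types are hypothetical and constructed inline.

```python
"""Missing versus present access-control checks in a minimal request dispatcher.
Added illustration for CWE-284; generic code, not from any listed product."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sessions and records (hypothetical data, not from any real product).
SESSIONS = {
    "sess-admin": {"user_id": 1, "role": "admin"},
    "sess-alice": {"user_id": 2, "role": "customer"},
}
ROOMS: list = []
PAYMENTS = {  # receipt number -> owning user and amount
    "R-100": {"owner": 2, "amount": 50},
    "R-200": {"owner": 3, "amount": 75},
}


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)
    session: Optional[str] = None  # session cookie; None when unauthenticated


@dataclass
class Response:
    status: int
    body: str = ""


def current_user(req: Request) -> Optional[dict]:
    """Resolve the session cookie to a user record, or None."""
    return SESSIONS.get(req.session)


# Missing function-level check: an admin-only action that never looks at the caller,
# so a direct request to its URL succeeds without logging in.
def add_room_vulnerable(req: Request) -> Response:
    ROOMS.append(req.params["name"])
    return Response(200, "room added")


# Fix: authenticate and authorize before the handler body runs.
def require_role(role: str) -> Callable:
    def decorate(handler: Callable[[Request], Response]) -> Callable[[Request], Response]:
        def guarded(req: Request) -> Response:
            user = current_user(req)
            if user is None:
                return Response(401, "authentication required")
            if user["role"] != role:
                return Response(403, "forbidden")
            return handler(req)
        return guarded
    return decorate


@require_role("admin")
def add_room(req: Request) -> Response:
    ROOMS.append(req.params["name"])
    return Response(200, "room added")


# Missing object-level check: any logged-in user edits any receipt they can name.
def edit_payment_vulnerable(req: Request) -> Response:
    if current_user(req) is None:
        return Response(401, "authentication required")
    PAYMENTS[req.params["receipt_no"]]["amount"] = int(req.params["amount"])
    return Response(200, "payment updated")


# Fix: bind the record to the caller. Missing and foreign receipts both get 404 so
# the endpoint does not reveal which receipt numbers exist.
def edit_payment(req: Request) -> Response:
    user = current_user(req)
    if user is None:
        return Response(401, "authentication required")
    record = PAYMENTS.get(req.params["receipt_no"])
    if record is None or record["owner"] != user["user_id"]:
        return Response(404, "not found")
    record["amount"] = int(req.params["amount"])
    return Response(200, "payment updated")
```

The authentication step (401) and the authorization step (403 for the wrong role, 404 for a record the caller does not own) are deliberately separate: collapsing them into one "is there a session" test is exactly what lets a guest or a read-only role reach write operations.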

CVEs (5,090)

Each entry lists vendor, product, last updated date, published date, CVSS scores (v4 / v3 / v2), and the CVE description.
Irfanview · Exr
Updated May 23, 2025 · Published Aug 28, 2024
CVSS v4 N/A · v3 5.5 MEDIUM · v2 N/A
An issue in the component EXR!ReadEXR+0x3df50 of Irfanview v4.67.1.0 allows attackers to cause an access violation via a crafted EXR file. This vulnerability can lead to a Denial of Service (DoS).

Irfanview · Exr
Updated May 23, 2025 · Published Aug 28, 2024
CVSS v4 N/A · v3 5.5 MEDIUM · v2 N/A
An issue in the component EXR!ReadEXR+0x40ef1 of Irfanview v4.67.1.0 allows attackers to cause an access violation via a crafted EXR file. This vulnerability can lead to a Denial of Service (DoS).

Cisco · Application Policy Infrastructure Controller
Updated Aug 1, 2025 · Published Aug 28, 2024
CVSS v4 N/A · v3 4.3 MEDIUM · v2 N/A
A vulnerability in the restricted security domain implementation of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to modify the behavior of default system policies, such as quality of service (QoS) policies, on an affected system. This vulnerability is due to improper access control when restricted security domains are used to implement multi-tenancy. An attacker with a valid user account associated with a restricted security domain could exploit this vulnerability. A successful exploit could allow the attacker to read, modify, or delete child policies created under default system policies, which are implicitly used by all tenants in the fabric, resulting in disruption of network traffic. Exploitation is not possible for policies under tenants that an attacker has no authorization to access.

Nafisulbari · Life Insurance Management System
Updated Apr 22, 2025 · Published Aug 27, 2024
CVSS v4 5.3 MEDIUM · v3 5.4 MEDIUM · v2 5.5 MEDIUM
A vulnerability, which was classified as critical, has been found in nafisulbari/itsourcecode Insurance Management System 1.0. Affected by this issue is some unknown functionality of the file editPayment.php of the component Payment Handler. The manipulation of the argument recipt_no leads to improper access controls. The attack may be launched remotely. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Wolfssl · Wolfssl
Updated Dec 6, 2025 · Published Aug 27, 2024
CVSS v4 5.1 MEDIUM · v3 5.3 MEDIUM · v2 N/A
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500

Rubrik · Cloud Data Management
Updated Sep 5, 2024 · Published Aug 27, 2024
CVSS v4 N/A · v3 9.8 CRITICAL · v2 N/A
An incorrect access control vulnerability in Rubrik CDM versions prior to 9.1.2-p1, 9.0.3-p6 and 8.1.3-p12, allows an attacker with network access to execute arbitrary code.

Beikeshop · Beikeshop
Updated Apr 29, 2026 · Published Aug 26, 2024
CVSS v4 2.1 LOW · v3 8.8 HIGH · v2 6.5 MEDIUM
A vulnerability was determined in Chengdu Everbrite Network Technology BeikeShop up to 1.5.5. This affects the function rename of the file /Admin/Http/Controllers/FileManagerController.php. This manipulation of the argument new_name causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.6.0 is able to mitigate this issue. The affected component should be upgraded.

Autman · Autman
Updated Sep 3, 2025 · Published Aug 23, 2024
CVSS v4 N/A · v3 4.3 MEDIUM · v2 N/A
autMan v2.9.6 was discovered to contain an access control issue.

Kjayvik · Bus Ticket Reservation System
Updated Aug 26, 2024 · Published Aug 23, 2024
CVSS v4 N/A · v3 5.4 MEDIUM · v2 N/A
Kashipara Bus Ticket Reservation System v1.0 is vulnerable to Incorrect Access Control via /deleteTicket.php.

Sonicwall · Sonicos
Updated Oct 31, 2025 · Published Aug 23, 2024
CVSS v4 N/A · v3 9.8 CRITICAL · v2 N/A
An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.

Microsoft · Entra Id
Updated Jan 29, 2025 · Published Aug 23, 2024
CVSS v4 N/A · v3 7.5 HIGH · v2 N/A
Improper access control in Decentralized Identity Services resulted in a vulnerability that allows an unauthenticated attacker to disable Verifiable IDs on another tenant.

Jayesh · Hotel Management System
Updated Apr 30, 2025 · Published Aug 22, 2024
CVSS v4 N/A · v3 7.2 HIGH · v2 N/A
Kashipara Hotel Management System v1.0 is vulnerable to Incorrect Access Control via /admin/users.php.

Jayesh · Hotel Management System
Updated Apr 30, 2025 · Published Aug 22, 2024
CVSS v4 N/A · v3 9.1 CRITICAL · v2 N/A
An Incorrect Access Control vulnerability was found in /admin/add_room_controller.php in Kashipara Hotel Management System v1.0, which allows an unauthenticated attacker to add valid hotel room entries in the administrator section via direct URL access.

Jayesh · Hotel Management System
Updated Apr 30, 2025 · Published Aug 22, 2024
CVSS v4 N/A · v3 7.5 HIGH · v2 N/A
An Incorrect Access Control vulnerability was found in /admin/rooms.php in Kashipara Hotel Management System v1.0, which allows an unauthenticated attacker to view valid hotel room entries in the administrator section.

Mattermost · Mattermost Server
Updated Oct 16, 2024 · Published Aug 22, 2024
CVSS v4 N/A · v3 4.3 MEDIUM · v2 N/A
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel.

Mattermost · Mattermost Server
Updated Oct 16, 2024 · Published Aug 22, 2024
CVSS v4 N/A · v3 4.9 MEDIUM · v2 N/A
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to properly enforce permissions which allows a user with systems manager role with read-only access to teams to perform write operations on teams.

Mattermost · Mattermost Server
Updated Oct 17, 2024 · Published Aug 22, 2024
CVSS v4 N/A · v3 2.7 LOW · v2 N/A
Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL.

Gitlab · Gitlab
Updated Dec 13, 2024 · Published Aug 22, 2024
CVSS v4 N/A · v3 4.3 MEDIUM · v2 N/A
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL allowing unauthorised users to perform some actions at the group level.

- · -
Updated Nov 21, 2024 · Published Aug 22, 2024
CVSS v4 N/A · v3 5.4 MEDIUM · v2 N/A
Swissphone DiCal-RED 4009 devices allow an unauthenticated attacker to use a port-2101 TCP connection to gain access to operation messages that are received by the device.

- · -
Updated Nov 21, 2024 · Published Aug 22, 2024
CVSS v4 N/A · v3 7.6 HIGH · v2 N/A
Swissphone DiCal-RED 4009 devices allow a remote attacker to gain read access to almost the whole file system via anonymous FTP.
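
The wolfSSL entry above attributes the downgrade to the client not fully parsing the ServerHello. The following added example (written for this page, not wolfSSL's code) parses a ServerHello body strictly, then checks that what the server selected is something the client actually offered: the negotiated version, the cipher suite, and the absence of the TLS 1.3 downgrade sentinel in the server random (RFC 8446 section 4.1.3). The offered lists and the ServerHello byte strings are constructed here; `build_server_hello` exists only to produce those samples.

```python
"""Strict ServerHello parsing plus negotiation checks (added example, not wolfSSL code)."""
import struct
from typing import Dict, Iterable, Optional, Tuple

SUPPORTED_VERSIONS_EXT = 0x002B
TLS12, TLS13 = 0x0303, 0x0304
# Last 8 bytes of ServerHello.random when a TLS 1.3-capable server negotiates TLS 1.2.
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")  # "DOWNGRD\x01"


class HelloError(ValueError):
    """Raised for any malformed field or disallowed server choice."""


def parse_server_hello(body: bytes) -> Dict:
    """Parse a ServerHello body (after the 4-byte handshake header) and reject
    truncation, trailing bytes, length mismatches and duplicate extensions."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise HelloError("truncated ServerHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    legacy_version = struct.unpack("!H", take(2))[0]
    random = take(32)
    sid_len = take(1)[0]
    if sid_len > 32:
        raise HelloError("session id too long")
    session_id = take(sid_len)
    cipher_suite = struct.unpack("!H", take(2))[0]
    if take(1)[0] != 0:
        raise HelloError("compression must be null")
    extensions: Dict[int, bytes] = {}
    if pos < len(body):  # the extensions block is optional in TLS 1.2
        ext_len = struct.unpack("!H", take(2))[0]
        if pos + ext_len != len(body):
            raise HelloError("extensions length mismatch")
        while pos < len(body):
            etype, elen = struct.unpack("!HH", take(4))
            if etype in extensions:
                raise HelloError("duplicate extension")
            extensions[etype] = take(elen)
    if pos != len(body):
        raise HelloError("trailing bytes")
    version = legacy_version
    if SUPPORTED_VERSIONS_EXT in extensions:
        data = extensions[SUPPORTED_VERSIONS_EXT]
        if len(data) != 2:
            raise HelloError("bad supported_versions")
        version = struct.unpack("!H", data)[0]
    return {"version": version, "random": random, "session_id": session_id,
            "cipher_suite": cipher_suite, "extensions": extensions}


def validate_server_hello(sh: Dict, offered_suites: Iterable[int],
                          offered_versions: Iterable[int]) -> None:
    """Accept only choices the ClientHello offered; abort on the downgrade sentinel."""
    suites, versions = set(offered_suites), set(offered_versions)
    if sh["version"] not in versions:
        raise HelloError("server selected a version the client did not offer")
    if sh["cipher_suite"] not in suites:
        raise HelloError("server selected a ciphersuite the client did not offer")
    if TLS13 in versions and sh["version"] <= TLS12 and sh["random"][-8:] == DOWNGRADE_TLS12:
        raise HelloError("downgrade sentinel present in server random")


def accept_server_hello(body: bytes, offered_suites: Iterable[int],
                        offered_versions: Iterable[int]) -> Tuple[bool, Optional[str]]:
    try:
        validate_server_hello(parse_server_hello(body), offered_suites, offered_versions)
        return True, None
    except HelloError as exc:
        return False, str(exc)


def build_server_hello(legacy_version: int, suite: int, random: bytes,
                       selected_version: Optional[int] = None) -> bytes:
    """Construct a ServerHello body for the samples below (test scaffolding only)."""
    exts = b""
    if selected_version is not None:
        exts += struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, selected_version)
    return (struct.pack("!H", legacy_version) + random + b"\x00"
            + struct.pack("!H", suite) + b"\x00" + struct.pack("!H", len(exts)) + exts)


# Constructed ClientHello offer and sample ServerHellos (hypothetical values).
OFFERED_SUITES = [0x1301, 0x1302, 0xC02F, 0xC030]
OFFERED_VERSIONS = [TLS13, TLS12]
RANDOM = bytes(range(32))
SAMPLE_GOOD = build_server_hello(TLS12, 0x1301, RANDOM, selected_version=TLS13)
SAMPLE_ROGUE_SUITE = build_server_hello(TLS12, 0x000A, RANDOM)        # suite never offered
SAMPLE_DOWNGRADE = build_server_hello(TLS12, 0xC02F, bytes(24) + DOWNGRADE_TLS12)
SAMPLE_TRUNCATED = SAMPLE_GOOD[:-3]
```

The suite check is the one the entry describes; the version and sentinel checks cost nothing extra once the message is fully parsed, and the strict length accounting is what turns "the client skipped parsing" into a hard failure rather than a silently accepted field.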