CWE-284

5,090 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

Columns: Vendor | Product | Updated | Published | CVSS v4 | CVSS v3 | CVSS v2
(each row is followed by the CVE description)

Mattermost | Mattermost | Aug 23, 2024 | Aug 22, 2024 | N/A | 7.2 HIGH | N/A
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the `manage_system` permission, effectively becoming a System Admin.

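The escalation in the entry above is a general CWE-284 pattern: the server checks that the caller may edit permissions, but never checks which permissions the caller is allowed to hand out, so a role edits itself into a system admin. The following is an added illustrative example, not Mattermost's code. Only the `manage_system` permission name comes from the CVE text; the Role/Actor model, the `edit_permissions` permission name and the usernames are assumptions made for the illustration.

```python
# Added illustrative example (not Mattermost code): the self-escalation pattern
# where a role that may edit permissions adds the `manage_system` permission
# to itself. The Role/Actor model, the `edit_permissions` permission name and
# the usernames are assumptions.
from dataclasses import dataclass, field

MANAGE_SYSTEM = "manage_system"        # named in the CVE description
EDIT_PERMISSIONS = "edit_permissions"  # assumed name for "edit access to the permissions section"


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class Actor:
    username: str
    roles: list = field(default_factory=list)

    def effective_permissions(self) -> set:
        """Union of the permissions of every role the actor holds."""
        perms = set()
        for role in self.roles:
            perms |= role.permissions
        return perms


class PermissionDenied(Exception):
    pass


def update_role_vulnerable(actor: Actor, role: Role, new_permissions: set) -> None:
    """Vulnerable check: only asks 'may the caller edit permissions?'.
    Nothing limits WHICH permissions the caller may hand out, so a caller
    holding edit_permissions can write manage_system into a role it holds."""
    if EDIT_PERMISSIONS not in actor.effective_permissions():
        raise PermissionDenied("caller may not edit permissions")
    role.permissions = set(new_permissions)


def update_role_fixed(actor: Actor, role: Role, new_permissions: set) -> None:
    """Fixed check: a caller may only grant permissions it already holds.
    System admins (who hold manage_system) may grant anything; everyone
    else cannot add a permission they lack, so manage_system cannot be
    self-granted. Removing permissions is still allowed."""
    held = actor.effective_permissions()
    if EDIT_PERMISSIONS not in held:
        raise PermissionDenied("caller may not edit permissions")
    added = set(new_permissions) - role.permissions
    if MANAGE_SYSTEM not in held:
        missing = added - held
        if missing:
            raise PermissionDenied(
                f"caller may not grant permissions it does not hold: {sorted(missing)}"
            )
    role.permissions = set(new_permissions)


def attacker_becomes_admin(update) -> bool:
    """Replay the escalation against one update function: a member whose
    role may edit permissions tries to add manage_system to that same role.
    Returns True if the attacker ends up holding manage_system."""
    member = Role("member", {"read_channel", EDIT_PERMISSIONS})
    attacker = Actor("mallory", [member])
    try:
        update(attacker, member, member.permissions | {MANAGE_SYSTEM})
    except PermissionDenied:
        pass
    return MANAGE_SYSTEM in attacker.effective_permissions()


def admin_can_still_promote() -> bool:
    """Regression check for the fix: a real system admin can still grant
    manage_system to another role."""
    admin = Actor("root", [Role("system_admin", {MANAGE_SYSTEM, EDIT_PERMISSIONS})])
    target = Role("member", {"read_channel"})
    update_role_fixed(admin, target, {"read_channel", MANAGE_SYSTEM})
    return MANAGE_SYSTEM in target.permissions


if __name__ == "__main__":
    print("vulnerable:", attacker_becomes_admin(update_role_vulnerable))  # True
    print("fixed:     ", attacker_becomes_admin(update_role_fixed))       # False
    print("admin ok:  ", admin_can_still_promote())                        # True
```

The design point is that "may edit permissions" and "may grant permission X" are different authorisation questions; the fixed check answers the second one by comparing the added set against what the caller already holds, which is the least-privilege rule that stops a role from promoting itself.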
Mattermost | Mattermost | Aug 23, 2024 | Aug 22, 2024 | N/A | 4.3 MEDIUM | N/A
Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows any authenticated user, including guests, to mark any channel inside any team as read for any user.

Mattermost | Mattermost | Aug 23, 2024 | Aug 22, 2024 | N/A | 3.7 LOW | N/A
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server.

Microsoft | Azure Managed Instance For Apache Cassandra | Jan 29, 2025 | Aug 20, 2024 | N/A | 8.8 HIGH | N/A
An improper access control vulnerability in the Azure Managed Instance for Apache Cassandra allows an authenticated attacker to elevate privileges over a network.

Escanav | Escan Management Console | Nov 12, 2025 | Aug 20, 2024 | N/A | 9.8 CRITICAL | N/A
eScan Management Console 14.0.1400.2281 is vulnerable to Incorrect Access Control via acteScanAVReport.

Joomla | Joomla | Jun 4, 2025 | Aug 20, 2024 | N/A | 7.5 HIGH | N/A
Improper Access Controls allows backend users to overwrite their username when disallowed.

Ghost | Ghost | Aug 26, 2024 | Aug 20, 2024 | N/A | 6.5 MEDIUM | N/A
Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a fix for this issue.

Apolloconfig | Apollo | Aug 26, 2024 | Aug 20, 2024 | N/A | 4.3 MEDIUM | N/A
Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue was addressed with an input parameter check which was released in version 2.3.0.

Umbraco | Umbraco Cms | Aug 26, 2024 | Aug 20, 2024 | N/A | 4.3 MEDIUM | N/A
Umbraco CMS is an ASP.NET CMS. An authenticated user can access a few unintended endpoints. This issue is fixed in 14.1.2.

- | - | Aug 20, 2024 | Aug 20, 2024 | N/A | 9.8 CRITICAL | N/A
An issue in the login component (process_login.php) of Hotel Management System commit 79d688 allows attackers to authenticate without providing a valid password.

Jielink+ Jsotc2016 Project | Jielink+ Jsotc2016 | Aug 21, 2024 | Aug 19, 2024 | 5.3 MEDIUM | 9.8 CRITICAL | 4.0 MEDIUM
A vulnerability has been found in Anhui Deshun Intelligent Technology Jieshun JieLink+ JSOTC2016 up to 20240805 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /report/ParkOutRecord/GetDataList. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Jielink+ Jsotc2016 Project | Jielink+ Jsotc2016 | Aug 21, 2024 | Aug 19, 2024 | 5.3 MEDIUM | 9.8 CRITICAL | 4.0 MEDIUM
A vulnerability, which was classified as problematic, was found in Anhui Deshun Intelligent Technology Jieshun JieLink+ JSOTC2016 up to 20240805. Affected is an unknown function of the file /Report/ParkCommon/GetParkInThroughDeivces. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Jielink+ Jsotc2016 Project | Jielink+ Jsotc2016 | Aug 21, 2024 | Aug 19, 2024 | 6.9 MEDIUM | 9.8 CRITICAL | 5.0 MEDIUM
A vulnerability, which was classified as critical, has been found in Anhui Deshun Intelligent Technology Jieshun JieLink+ JSOTC2016 up to 20240805. This issue affects some unknown processing of the file /report/ParkChargeRecord/GetDataList. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Corydolphin | Flask Cors | Apr 7, 2025 | Aug 18, 2024 | N/A | 7.5 HIGH | N/A
A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

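The header in the entry above is the server side of the browser's Private Network Access check: when a page on a public origin tries to reach a service on a private address, the browser sends a preflight carrying `Access-Control-Request-Private-Network: true`, and only proceeds if the response answers `Access-Control-Allow-Private-Network: true`. Emitting that answer by default turns every CORS-enabled internal service into one reachable from any allow-listed public page. The following added example (standard library only, not flask-cors code) shows a preflight responder with the header gated on an explicit opt-in and on the preflight actually asking for it. The `allow_private_network` setting name, the allow-list and the example origins are assumptions; the request and response header names are the ones the browser preflight uses.

```python
# Added illustrative example (not flask-cors code, standard library only):
# gating the Access-Control-Allow-Private-Network header in a CORS preflight.
# The allow-list, the example origins and the `allow_private_network`
# setting name are assumptions; the header names are the ones the browser
# Private Network Access preflight uses.

ALLOWED_ORIGINS = {"https://app.example.com"}            # constructed allow-list
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_REQUEST_HEADERS = {"content-type", "authorization"}


def preflight_headers(request_headers: dict, allow_private_network: bool) -> dict:
    """Build the response headers for an OPTIONS preflight.

    allow_private_network=True corresponds to the opt-in-by-default
    behaviour the entry describes: every allow-listed origin that asks for
    private-network access gets it. The safe default is False, which never
    emits the header. Even when True, the header is only emitted when the
    preflight actually requested private-network access, never blindly.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin", "")
    out = {}
    if origin not in ALLOWED_ORIGINS:
        return out  # no CORS headers at all: the browser blocks the call

    out["Access-Control-Allow-Origin"] = origin
    out["Vary"] = "Origin"  # the response depends on Origin; keep caches honest

    method = req.get("access-control-request-method", "").upper()
    if method in ALLOWED_METHODS:
        out["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))

    wanted = {
        h.strip().lower()
        for h in req.get("access-control-request-headers", "").split(",")
        if h.strip()
    }
    if wanted and wanted <= ALLOWED_REQUEST_HEADERS:
        out["Access-Control-Allow-Headers"] = ", ".join(sorted(wanted))

    asked_private = req.get("access-control-request-private-network", "").lower() == "true"
    if allow_private_network and asked_private:
        out["Access-Control-Allow-Private-Network"] = "true"
    return out


# Constructed preflight, as a browser on a public page sends it when the page
# tries to reach a service on a private address.
PNA_PREFLIGHT = {
    "Origin": "https://app.example.com",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "Content-Type",
    "Access-Control-Request-Private-Network": "true",
}


def grants_private_network(request_headers: dict, allow_private_network: bool) -> bool:
    """True if the preflight response lets the browser proceed into the private network."""
    response = preflight_headers(request_headers, allow_private_network)
    return response.get("Access-Control-Allow-Private-Network") == "true"


if __name__ == "__main__":
    print("opt-in-by-default:", grants_private_network(PNA_PREFLIGHT, allow_private_network=True))   # True
    print("safe default:     ", grants_private_network(PNA_PREFLIGHT, allow_private_network=False))  # False
```

When reviewing a CORS layer for this class of issue, check three things: that the private-network header is off unless the operator explicitly enabled it, that it is only sent in response to a preflight that carried the request header, and that the origin it is sent to is one the operator actually trusts to reach internal services, which is usually a much shorter list than the general CORS allow-list.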
Totolink | Lr350 Firmware | Mar 13, 2025 | Aug 15, 2024 | N/A | 9.8 CRITICAL | N/A
Incorrect access control in TOTOLINK LR350 V9.3.5u.6369_B20220309 allows attackers to obtain the apmib configuration file, which contains the username and the password, via a crafted request to /cgi-bin/ExportSettings.sh.

Intel | Arc A Graphics; Iris Xe Graphics | Sep 6, 2024 | Aug 14, 2024 | 5.1 MEDIUM | 5.5 MEDIUM | N/A
Improper access control in some Intel(R) Arc(TM) & Iris(R) Xe Graphics software before version 31.0.101.4824 may allow an authenticated user to potentially enable denial of service via local access.

Intel | Aptio V Uefi Firmware Integrator Tools | Sep 6, 2024 | Aug 14, 2024 | 8.5 HIGH | 7.8 HIGH | N/A
Improper access control in some Intel(R) UEFI Integrator Tools on Aptio V for Intel(R) NUC may allow an authenticated user to potentially enable escalation of privilege via local access.

Intel | Agilex 7 Fpga Firmware | Sep 6, 2024 | Aug 14, 2024 | 8.5 HIGH | 7.9 HIGH | N/A
Improper access control in firmware for some Intel(R) FPGA products before version 24.1 may allow a privileged user to enable escalation of privilege via local access.

Intel | Ethernet 800 Series Controllers Driver | Sep 6, 2024 | Aug 14, 2024 | 9.3 CRITICAL | 8.8 HIGH | N/A
Improper access control in Linux kernel mode driver for some Intel(R) Ethernet Network Controllers and Adapters before version 28.3 may allow an authenticated user to potentially enable escalation of privilege via local access.

Intel | Computing Improvement Program | Feb 4, 2025 | Aug 14, 2024 | 6.8 MEDIUM | 5.5 MEDIUM | N/A
Improper access control for some Intel(R) CIP software before version 2.4.10717 may allow an authenticated user to potentially enable denial of service via local access.