Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-41144 1Mattermost 1Mattermost Server Sep 4, 2024 Aug 1, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitr...Show more Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channelsShow less
CVE-2024-39839 1Mattermost 1Mattermost Server Sep 4, 2024 Aug 1, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their...Show more Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before.Show less
CVE-2024-39837 1Mattermost 1Mattermost Server Sep 4, 2024 Aug 1, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.
CVE-2024-39777 1Mattermost 1Mattermost Aug 23, 2024 Aug 1, 2024 N/A· v4 9.6 CRITICAL· v3 N/A· v2 Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious re...Show more Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin.Show less
CVE-2024-39274 1Mattermost 1Mattermost Aug 23, 2024 Aug 1, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, whi...Show more Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channelsShow less
CVE-2024-36492 1Mattermost 1Mattermost Aug 23, 2024 Aug 1, 2024 N/A· v4 6.4 MEDIUM· v3 N/A· v2 Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an e...Show more Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user.Show less
CVE-2024-29977 1Mattermost 1Mattermost Aug 23, 2024 Aug 1, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts
CVE-2024-5331 1Soflyy 1Breakdance Nov 21, 2024 Aug 1, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Breakdance plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 1.7.2. This makes it possible for authenticated attackers, with Contributor-level access and above, t...Show more The Breakdance plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 1.7.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to export form submissions.Show less
CVE-2024-38909 1Std42 1Elfinder Apr 28, 2025 Jul 30, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose secrets, perform RCE, etc.
CVE-2024-40822 1Apple 4Ipados Iphone OsMacos+1 more Apr 2, 2026 Jul 29, 2024 N/A· v4 2.4 LOW· v3 N/A· v2 This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, watchOS 10.6. An attacker with physical access...Show more This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, watchOS 10.6. An attacker with physical access to a device may be able to access contacts from the lock screen.Show less
CVE-2024-40812 1Apple 5Ipados Iphone OsMacos+2 more Apr 2, 2026 Jul 29, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 A logic issue was addressed with improved checks. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8, visionOS 1.3, watchOS 10.6....Show more A logic issue was addressed with improved checks. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8, visionOS 1.3, watchOS 10.6. A shortcut may be able to bypass Internet permission requirements.Show less
CVE-2024-40786 1Apple 3Ipados Iphone OsMacos Apr 2, 2026 Jul 29, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 This issue was addressed through improved state management. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Ventura 13.6.8. An attacker may be able to view sensitive user information.
CVE-2023-42957 1Apple 4Ipados Iphone OsMacos+1 more Mar 19, 2025 Jul 29, 2024 N/A· v4 3.3 LOW· v3 N/A· v2 A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 17 and iPadOS 17, macOS Sonoma 14, watchOS 10. An app may be able to read sensitive location information.
CVE-2024-28805 1Italtel 1I Mcs Nfv Oct 14, 2025 Jul 29, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. There is Incorrect Access Control.
CVE-2024-6727 - - Nov 21, 2024 Jul 29, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A flaw in versions of Delphix Data Control Tower (DCT) prior to 19.0.0 results in broken authentication through the enable-scale-testing functionality of the application.
CVE-2024-7154 1Totolink 1A3700r Firmware Nov 21, 2024 Jul 28, 2024 5.3 MEDIUM· v4 7.5 HIGH· v3 4.0 MEDIUM· v2 A vulnerability, which was classified as problematic, was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. Affected is an unknown function of the file /wizard.html of the component Password Reset Handler. The manipulation...Show more A vulnerability, which was classified as problematic, was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. Affected is an unknown function of the file /wizard.html of the component Password Reset Handler. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272568. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-40117 - - Nov 21, 2024 Jul 26, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect access control in Solar-Log 1000 before v2.8.2 and build 52- 23.04.2013 allows attackers to obtain Administrative privileges via connecting to the web administration server. Not existing for SL 200, 500, 1000 /...Show more Incorrect access control in Solar-Log 1000 before v2.8.2 and build 52- 23.04.2013 allows attackers to obtain Administrative privileges via connecting to the web administration server. Not existing for SL 200, 500, 1000 / fixed in 4.2.8 for SL 250, 300, 1200, 2000, SL 50 Gateway / fixed in 5.1.2 / 6.0.0 for SL Base.Show less
CVE-2024-41806 - - Nov 21, 2024 Jul 25, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The Open edX Platform is a learning management platform. Instructors can upload csv files containing learner information to create cohorts in the instructor dashboard. These files are uploaded using the django default st...Show more The Open edX Platform is a learning management platform. Instructors can upload csv files containing learner information to create cohorts in the instructor dashboard. These files are uploaded using the django default storage. With certain storage backends, uploads may become publicly available when the uploader uses versions master, palm, olive, nutmeg, maple, lilac, koa, or juniper. The patch in commit cb729a3ced0404736dfa0ae768526c82b608657b ensures that cohorts data uploaded to AWS S3 buckets is written with a private ACL. Beyond patching, deployers should also ensure that existing cohorts uploads have a private ACL, or that other precautions are taken to avoid public access.Show less
CVE-2024-7057 1Gitlab 1Gitlab Nov 21, 2024 Jul 25, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where job artifacts can be ina...Show more An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where job artifacts can be inappropriately exposed to users lacking the proper authorization level.Show less
CVE-2024-36535 1Layer5 1Meshery Sep 3, 2025 Jul 24, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Insecure permissions in meshery v0.7.51 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.

Previous 1...117118119...255 Next