Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-2191 1Gitlab 1Gitlab Nov 21, 2024 Jun 27, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows merge request title to be visib...Show more An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows merge request title to be visible publicly despite being set as project members only.Show less
CVE-2024-37742 - - Nov 21, 2024 Jun 25, 2024 N/A· v4 8.2 HIGH· v3 N/A· v2 Insecure Access Control in Safe Exam Browser (SEB) = 3.5.0 on Windows. The vulnerability allows an attacker to share clipboard data between the SEB kiosk mode and the underlying system, compromising exam integrity. By ex...Show more Insecure Access Control in Safe Exam Browser (SEB) = 3.5.0 on Windows. The vulnerability allows an attacker to share clipboard data between the SEB kiosk mode and the underlying system, compromising exam integrity. By exploiting this flaw, an attacker can bypass exam controls and gain an unfair advantage during exams.Show less
CVE-2024-21741 - - Mar 13, 2025 Jun 25, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 GigaDevice GD32E103C8T6 devices have Incorrect Access Control.
CVE-2024-21740 - - Nov 21, 2024 Jun 25, 2024 N/A· v4 7.4 HIGH· v3 N/A· v2 Artery AT32F415CBT7 and AT32F421C8T7 devices have Incorrect Access Control.
CVE-2024-33898 - - Feb 6, 2025 Jun 24, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Axiros AXESS Auto Configuration Server (ACS) 4.x and 5.0.0 is affected by an Incorrect Access Control vulnerability. An authorization bypass allows remote attackers to achieve unauthenticated remote code execution.
CVE-2024-37677 1Access Management Specialist Project 1Access Management Specialist Nov 21, 2024 Jun 24, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in Shenzhen Weitillage Industrial Co., Ltd the access management specialist V6.62.51215 allows a remote attacker to obtain sensitive information.
CVE-2024-38873 - - Mar 14, 2025 Jun 21, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 An issue was discovered in the friendlycaptcha_official (aka Integration of Friendly Captcha) extension before 0.1.4 for TYPO3. The extension fails to check the requirement of the captcha field in submitted form data, al...Show more An issue was discovered in the friendlycaptcha_official (aka Integration of Friendly Captcha) extension before 0.1.4 for TYPO3. The extension fails to check the requirement of the captcha field in submitted form data, allowing a remote user to bypass the captcha check. This only affects the captcha integration for the ext:form extension.Show less
CVE-2022-45929 - - Nov 21, 2024 Jun 20, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Northern.tech Mender 3.3.x before 3.3.2, 3.5.x before 3.5.0, and 3.6.x before 3.6.0 has Incorrect Access Control and allows users to change their roles and could allow privilege escalation from a low-privileged read-only...Show more Northern.tech Mender 3.3.x before 3.3.2, 3.5.x before 3.5.0, and 3.6.x before 3.6.0 has Incorrect Access Control and allows users to change their roles and could allow privilege escalation from a low-privileged read-only user to a high-privileged user.Show less
CVE-2022-41324 - - Mar 14, 2025 Jun 20, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Northern.tech Mender 3.3.x before 3.3.2 and 3.4.x before 3.4.0 has Incorrect Access Control and allows low-privileged users default read access to some sensitive device information.
CVE-2024-38273 2Fedoraproject Moodle 2Fedora Moodle Aug 7, 2025 Jun 18, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.
CVE-2022-23829 - - Nov 21, 2024 Jun 18, 2024 N/A· v4 8.2 HIGH· v3 N/A· v2 A potential weakness in AMD SPI protection features may allow a malicious attacker with Ring0 (kernel mode) access to bypass the native System Management Mode (SMM) ROM protections.
CVE-2024-5650 - - Nov 21, 2024 Jun 17, 2024 N/A· v4 8.5 HIGH· v3 N/A· v2 DLL Hijacking vulnerability has been found in CENTUM CAMS Log server provided by Yokogawa Electric Corporation. If an attacker is somehow able to intrude into a computer that installed affected product or access to a sha...Show more DLL Hijacking vulnerability has been found in CENTUM CAMS Log server provided by Yokogawa Electric Corporation. If an attacker is somehow able to intrude into a computer that installed affected product or access to a shared folder, by replacing the DLL file with a tampered one, it is possible to execute arbitrary programs with the authority of the SYSTEM account. The affected products and versions are as follows: CENTUM CS 3000 R3.08.10 to R3.09.50 CENTUM VP R4.01.00 to R4.03.00, R5.01.00 to R5.04.20, R6.01.00 to R6.11.10.Show less
CVE-2024-37887 1Nextcloud 1Nextcloud Server Oct 2, 2025 Jun 14, 2024 N/A· v4 3.5 LOW· v3 N/A· v2 Nextcloud Server is a self hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0....Show more Nextcloud Server is a self hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1.Show less
CVE-2024-37884 1Nextcloud 1Nextcloud Server Nov 21, 2024 Jun 14, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files they only got shared with read permissions. It is recommended that the Nextcloud Server...Show more Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files they only got shared with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3.Show less
CVE-2024-37883 1Nextcloud 1Deck Nov 21, 2024 Jun 14, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. A user with access to a deck board was able to access comments and attachments o...Show more Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. A user with access to a deck board was able to access comments and attachments of already deleted cards. It is recommended that the Nextcloud Deck app is upgraded to 1.6.6 or 1.7.5 or 1.8.7 or 1.9.6 or 1.11.3 or 1.12.1.Show less
CVE-2024-37882 1Nextcloud 1Nextcloud Server Nov 21, 2024 Jun 14, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13...Show more Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4.Show less
CVE-2024-37317 1Nextcloud 1Notes Nov 21, 2024 Jun 14, 2024 N/A· v4 4.6 MEDIUM· v3 N/A· v2 The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder...Show more The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3.Show less
CVE-2024-37315 1Nextcloud 1Nextcloud Server Nov 21, 2024 Jun 14, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Nextcloud Server is a self hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Next...Show more Nextcloud Server is a self hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3.Show less
CVE-2024-37314 1Nextcloud 1Nextcloud Server Nov 21, 2024 Jun 14, 2024 N/A· v4 3.5 LOW· v3 N/A· v2 Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is u...Show more Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2.Show less
CVE-2024-37312 1Nextcloud 1User Oidc Aug 14, 2025 Jun 14, 2024 N/A· v4 6.3 MEDIUM· v3 N/A· v2 user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered...Show more user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nexcloud 24) or 5.0.0 (Nextcloud 25-28). Show less

Previous 1...120121122...255 Next