CWE-284

5,090 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.


CVEs (5,090)

Each record lists vendor(s), product(s), the last-updated and published dates, the CVSS scores (v4 / v3 / v2) and the CVE description.

Vendor: Elastic
Product: Kibana
Updated: Mar 13, 2025 | Published: Jun 13, 2024
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 N/A
Description: A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continuously, potentially affecting the system availability if the alerting rule is running complex queries.

Vendor: Dell
Product: Secure Connect Gateway
Updated: Nov 21, 2024 | Published: Jun 13, 2024
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 N/A
Description: Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal update REST API (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources.

Vendor: Dell
Product: Secure Connect Gateway
Updated: Nov 21, 2024 | Published: Jun 13, 2024
CVSS: v4 N/A | v3 5.4 MEDIUM | v2 N/A
Description: Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for internal email and collection settings REST APIs (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources and change of state.

Vendor: Dell
Product: Secure Connect Gateway
Updated: Nov 21, 2024 | Published: Jun 13, 2024
CVSS: v4 N/A | v3 5.4 MEDIUM | v2 N/A
Description: Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal maintenance REST API (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources and change of state.

Vendor: Dell
Product: Secure Connect Gateway
Updated: Nov 21, 2024 | Published: Jun 13, 2024
CVSS: v4 N/A | v3 5.4 MEDIUM | v2 N/A
Description: Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal update REST API (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources and change of state.

Vendor: Dell
Product: Secure Connect Gateway
Updated: Nov 21, 2024 | Published: Jun 13, 2024
CVSS: v4 N/A | v3 5.4 MEDIUM | v2 N/A
Description: Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal enable REST API (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain Internal APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources and change of state.

Vendor: Adobe
Product: Coldfusion
Updated: Dec 3, 2024 | Published: Jun 13, 2024
CVSS: v4 N/A | v3 7.5 HIGH | v2 N/A
Description: ColdFusion versions 2023u7, 2021u13 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could exploit this vulnerability to gain unauthorized access to sensitive files or data. Exploitation of this issue does not require user interaction.

Vendor: Adobe
Products: Commerce, Commerce Webhooks, Magento
Updated: Nov 21, 2024 | Published: Jun 13, 2024
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 N/A
Description: Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and view minor unauthorised information. Exploitation of this issue does not require user interaction.

Vendor: Adobe
Product: Experience Manager
Updated: Nov 21, 2024 | Published: Jun 13, 2024
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 N/A
Description: Adobe Experience Manager versions 6.5.20 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain disclose information. Exploitation of this issue does not require user interaction.

Vendors: Fedoraproject, Google
Products: Chrome, Fedora
Updated: Mar 13, 2025 | Published: Jun 11, 2024
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 N/A
Description: Policy bypass in CORS in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium)

Vendor: Microsoft
Products: Visual Studio 2017, Visual Studio 2019, Visual Studio 2022
Updated: Nov 21, 2024 | Published: Jun 11, 2024
CVSS: v4 N/A | v3 6.7 MEDIUM | v2 N/A
Description: Visual Studio Elevation of Privilege Vulnerability

Vendor: Mozilla
Product: Firefox
Updated: Mar 27, 2025 | Published: Jun 11, 2024
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 N/A
Description: If a specific sequence of actions is performed when opening a new tab, the triggering principal associated with the new tab may have been incorrect. The triggering principal is used to calculate many values, including the `Referer` and `Sec-*` headers, meaning there is the potential for incorrect security checks within the browser in addition to incorrect or misleading information sent to remote websites. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 127.

Vendor: Trendmicro
Product: Apex One
Updated: Jun 16, 2025 | Published: Jun 10, 2024
CVSS: v4 N/A | v3 7.8 HIGH | v2 N/A
Description: An improper access control vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Vendor: Apple
Products: Ipados, Iphone Os, Macos
Updated: Apr 2, 2026 | Published: Jun 10, 2024
CVSS: v4 N/A | v3 8.8 HIGH | v2 N/A
Description: The issue was addressed with improved checks. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, macOS Ventura 13.6.7. A shortcut may be able to use sensitive data with certain actions without prompting the user.

Vendor: Apple
Products: Ipados, Iphone Os
Updated: Apr 2, 2026 | Published: Jun 10, 2024
CVSS: v4 N/A | v3 2.4 LOW | v2 N/A
Description: The issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 17.5 and iPadOS 17.5. An attacker with physical access may be able to access contacts from the lock screen.

Vendor: Apple
Product: Macos
Updated: Apr 2, 2026 | Published: Jun 10, 2024
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 N/A
Description: This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sonoma 14.4. An app may be able to access user-sensitive data.

Vendor: Apple
Product: Macos
Updated: Nov 21, 2024 | Published: Jun 10, 2024
CVSS: v4 N/A | v3 7.8 HIGH | v2 N/A
Description: An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Ventura 13. An app may be able to break out of its sandbox.

Vendor: Authlib
Product: Authlib
Updated: Nov 3, 2025 | Published: Jun 9, 2024
CVSS: v4 N/A | v3 7.5 HIGH | v2 N/A
Description: lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)

Vendor: Jch Optimize Project
Product: Jch Optimize
Updated: Mar 14, 2025 | Published: Jun 9, 2024
CVSS: v4 N/A | v3 8.8 HIGH | v2 N/A
Description: Broken Access Control vulnerability in Samuel Marshall JCH Optimize. This issue affects JCH Optimize: from n/a through 4.0.0.

Vendor: Wpchill
Product: Strong Testimonials
Updated: Apr 8, 2026 | Published: Jun 7, 2024
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 N/A
Description: The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the wpmtst_save_view_sticky function in all versions up to, and including, 3.1.12. This makes it possible for authenticated attackers, with contributor access and above, to modify favorite views.