Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-22074 1Dynamsoft 1Dynamsoft Service Mar 18, 2025 Jun 6, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Dynamsoft Service 1.8.1025 through 1.8.2013, 1.7.0330 through 1.7.2531, 1.6.0428 through 1.6.1112, 1.5.0625 through 1.5.3116, 1.4.0618 through 1.4.1230, and 1.0.516 through 1.3.0115 has Incorrect Access Control. This is...Show more Dynamsoft Service 1.8.1025 through 1.8.2013, 1.7.0330 through 1.7.2531, 1.6.0428 through 1.6.1112, 1.5.0625 through 1.5.3116, 1.4.0618 through 1.4.1230, and 1.0.516 through 1.3.0115 has Incorrect Access Control. This is fixed in 1.8.2014, 1.7.4212, 1.6.3212, 1.5.31212, 1.4.3212, and 1.3.3212.Show less
CVE-2024-36399 1Kanboard 1Kanboard Nov 21, 2024 Jun 6, 2024 N/A· v4 6.3 MEDIUM· v3 N/A· v2 Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get ch...Show more Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is authorized to add users to this project the request gets processed. The users permission for the POST BODY parameter project_id does not get checked again while processing. An attacker with the 'Project Manager' on a single project may take over any other project. The vulnerability is fixed in 1.2.37.Show less
CVE-2024-0972 1Membersonly 1Buddypress Members Only Apr 8, 2026 Jun 6, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The BuddyPress Members Only plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.9 via the REST API. This makes it possible for unauthenticated attackers to bypas...Show more The BuddyPress Members Only plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.9 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "All Other Sections On Your Site Will be Opened to Guest" feature (when unset) and view restricted page and post content.Show less
CVE-2023-6968 1Themoneytizer 1The Moneytizer Apr 8, 2026 Jun 6, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The The Moneytizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.6.3. This is due to missing or incorrect nonce validation on multiple AJAX functions. This makes...Show more The The Moneytizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.6.3. This is due to missing or incorrect nonce validation on multiple AJAX functions. This makes it possible for unauthenticated attackers to to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2023-6966 1Themoneytizer 1The Moneytizer Apr 8, 2026 Jun 6, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in...Show more The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in all versions up to, and including, 9.6.3. This makes it possible for authenticated attackers, with subscriber access and above, to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions.Show less
CVE-2024-28818 1Samsung 11Exynos 1080 Firmware Exynos 1280 FirmwareExynos 1330 Firmware+8 more Mar 14, 2025 Jun 5, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, Exynos 990, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 2400, Exynos Modem 5123, Exy...Show more An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, Exynos 990, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 2400, Exynos Modem 5123, Exynos Modem 5300. The baseband software does not properly check states specified by the RRC (Radio Resource Control) module. This can lead to disclosure of sensitive information.Show less
CVE-2024-2019 - - Apr 8, 2026 Jun 4, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 The WP-DB-Table-Editor plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to lack of a default capability requirement on the 'dbte_render' function in all versio...Show more The WP-DB-Table-Editor plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to lack of a default capability requirement on the 'dbte_render' function in all versions up to, and including, 1.8.4. This makes it possible for authenticated attackers, with contributor access and above, to modify database tables that the theme has been configured to use the plugin to edit.Show less
CVE-2024-23360 1Qualcomm 13Fastconnect 6700 Firmware Fastconnect 6900 FirmwareFastconnect 7800 Firmware+10 more Jan 9, 2025 Jun 3, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Memory corruption while creating a LPAC client as LPAC engine was allowed to access GPU registers.
CVE-2024-20065 1Google 1Android Apr 25, 2025 Jun 3, 2024 N/A· v4 4.0 MEDIUM· v3 N/A· v2 In telephony, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed f...Show more In telephony, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08698617; Issue ID: MSV-1394.Show less
CVE-2024-35433 1Zkteco 1Zkbio Cvsecurity Jun 17, 2025 May 30, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Incorrect Access Control. An authenticated user, without the permissions of managing users, can create a new admin user.
CVE-2024-0434 - - Apr 8, 2026 May 29, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ttbm_new_place_save' function in a...Show more The WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ttbm_new_place_save' function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to create and publish new place posts. This function is also vulnerable to CSRF.Show less
CVE-2023-43849 1Aten 1Pe6208 Firmware May 30, 2025 May 28, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Incorrect access control in firmware upgrade function of web interface in Aten PE6208 2.3.228 and 2.4.232 allows remote authenticated users to submit a firmware image via HTTP POST requests. This may result in DoS or rem...Show more Incorrect access control in firmware upgrade function of web interface in Aten PE6208 2.3.228 and 2.4.232 allows remote authenticated users to submit a firmware image via HTTP POST requests. This may result in DoS or remote code execution.Show less
CVE-2023-43848 1Aten 1Pe6208 Firmware May 30, 2025 May 28, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 Incorrect access control in the firewall management function of web interface in Aten PE6208 2.3.228 and 2.4.232 allows remote authenticated users to alter local firewall settings of the device as if they were the admini...Show more Incorrect access control in the firewall management function of web interface in Aten PE6208 2.3.228 and 2.4.232 allows remote authenticated users to alter local firewall settings of the device as if they were the administrator via HTTP POST request.Show less
CVE-2023-43847 1Aten 1Pe6208 Firmware May 30, 2025 May 28, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Incorrect access control in the outlet control function of web interface in Aten PE6208 2.3.228 and 2.4.232 allows remote authenticated users to control all the outlets as if they were the administrator via HTTP POST req...Show more Incorrect access control in the outlet control function of web interface in Aten PE6208 2.3.228 and 2.4.232 allows remote authenticated users to control all the outlets as if they were the administrator via HTTP POST requests.Show less
CVE-2024-23315 1Automationdirect 6P1 540 Firmware P1 550 FirmwareP2 550 Firmware+3 more Feb 12, 2025 May 28, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 A read-what-where vulnerability exists in the Programming Software Connection IMM 01A1 Memory Read functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to a disclosure of sensit...Show more A read-what-where vulnerability exists in the Programming Software Connection IMM 01A1 Memory Read functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can send an unauthenticated packet to trigger this vulnerability.Show less
CVE-2024-22187 1Automationdirect 6P1 540 Firmware P1 550 FirmwareP2 550 Firmware+3 more Feb 12, 2025 May 28, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 A write-what-where vulnerability exists in the Programming Software Connection Remote Memory Diagnostics functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to an arbitrary wri...Show more A write-what-where vulnerability exists in the Programming Software Connection Remote Memory Diagnostics functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to an arbitrary write. An attacker can send an unauthenticated packet to trigger this vulnerability.Show less
CVE-2023-52712 1Huawei 1Curiem Wfg9b Firmware Jan 17, 2025 May 28, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Various Issues Due To Exposed SMI Handler in AmdPspP2CmboxV2. The first issue can be leveraged to bypass the protections that have been put in place by previous UEFI phases to prevent direct access to the SPI flash. The...Show more Various Issues Due To Exposed SMI Handler in AmdPspP2CmboxV2. The first issue can be leveraged to bypass the protections that have been put in place by previous UEFI phases to prevent direct access to the SPI flash. The second issue can be used to both leak and corrupt SMM memory, thus potentially leading code execution in SMMShow less
CVE-2023-52711 1Huawei 1Curiem Wfg9b Firmware Jan 17, 2025 May 28, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Various Issues Due To Exposed SMI Handler in AmdPspP2CmboxV2. The first issue can be leveraged to bypass the protections that have been put in place by previous UEFI phases to prevent direct access to the SPI flash. The...Show more Various Issues Due To Exposed SMI Handler in AmdPspP2CmboxV2. The first issue can be leveraged to bypass the protections that have been put in place by previous UEFI phases to prevent direct access to the SPI flash. The second issue can be used to both leak and corrupt SMM memory thus potentially leading code execution in SMMShow less
CVE-2024-5272 1Mattermost 1Mattermost Server Sep 30, 2025 May 26, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a playbook run linked...Show more Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the playbook run when the run is marked by finished.Show less
CVE-2024-5270 1Mattermost 1Mattermost Server Sep 30, 2025 May 26, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the...Show more Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email and possibly edit personal details that were otherwise non-editable and provided by the SAML provider.Show less

Previous 1...122123124...255 Next