CWE-284

5,090 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.


CVEs (5,090)

Vendor: Cs Technologies
Product: Evolution
Updated: Dec 10, 2025 | Published: Apr 15, 2024
CVSS: v4 N/A | v3 7.5 HIGH | v2 N/A
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_ABACARD_FIELDS, allowing for an unauthenticated attacker to return the abacard field of any user.

Vendor: Cs Technologies
Product: Evolution
Updated: Dec 10, 2025 | Published: Apr 15, 2024
CVSS: v4 N/A | v3 7.5 HIGH | v2 N/A
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_KEYS_FIELDS, allowing for an unauthenticated attacker to return the keys value of any user.

Vendor: Cs Technologies
Product: Evolution
Updated: Dec 10, 2025 | Published: Apr 15, 2024
CVSS: v4 N/A | v3 7.5 HIGH | v2 N/A
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_PIN_FIELDS, allowing for an unauthenticated attacker to return the pin value of any user.

Vendor: Cs Technologies
Product: Evolution
Updated: Dec 10, 2025 | Published: Apr 15, 2024
CVSS: v4 N/A | v3 7.5 HIGH | v2 N/A
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_CARD, allowing for an unauthenticated attacker to return the card value data of any user.

Vendor: Cs Technologies
Product: Evolution
Updated: Dec 10, 2025 | Published: Apr 15, 2024
CVSS: v4 N/A | v3 8.8 HIGH | v2 N/A
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below uses poor session management, allowing for an unauthenticated attacker to access administrator functionality if any other user is already signed in.

Vendor: Cs Technologies
Product: Evolution
Updated: Dec 10, 2025 | Published: Apr 15, 2024
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 N/A
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control, allowing for an unauthenticated attacker to update and add user profiles within the application, and gain full access of the site.

Vendor: -
Product: -
Updated: Nov 21, 2024 | Published: Apr 14, 2024
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 10.0 HIGH
A vulnerability classified as critical was found in Xiongmai AHB7804R-MH-V2, AHB8004T-GL, AHB8008T-GL, AHB7004T-GS-V3, AHB7004T-MHV2, AHB8032F-LME and XM530_R80X30-PQ_8M. Affected by this vulnerability is an unknown functionality of the component Sofia Service. The manipulation with the input ff00000000000000000000000000f103250000007b202252657422203a203130302c202253657373696f6e494422203a202230783022207d0a leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260605 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Vendor: Linksys
Product: Re7000 Firmware
Updated: Jun 17, 2025 | Published: Apr 11, 2024
CVSS: v4 N/A | v3 8.8 HIGH | v2 N/A
Linksys RE7000 v2.0.9, v2.0.11, and v2.0.15 have a command execution vulnerability in the "AccessControlList" parameter of the access control function point. An attacker can use the vulnerability to obtain device administrator rights.

Vendor: Gaizhenbiao
Product: Chuanhuchatgpt
Updated: Jul 29, 2025 | Published: Apr 10, 2024
CVSS: v4 N/A | v3 7.5 HIGH | v2 N/A
gaizhenbiao/chuanhuchatgpt is vulnerable to improper access control, allowing unauthorized access to the `config.json` file. This vulnerability is present in both authenticated and unauthenticated versions of the application, enabling attackers to obtain sensitive information such as API keys (`openai_api_key`, `google_palm_api_key`, `xmchat_api_key`, etc.), configuration details, and user credentials. The issue stems from the application's handling of HTTP requests for the `config.json` file, which does not properly restrict access based on user authentication.

Vendor: -
Product: -
Updated: Nov 21, 2024 | Published: Apr 10, 2024
CVSS: v4 N/A | v3 5.4 MEDIUM | v2 N/A
Users with low privileges (all permissions deselected in the administrator permissions settings) can view certain pages that expose sensitive information such as company names, users' names and surnames, stage names, and monitoring campaigns and their descriptions. In addition, unprivileged users can see and edit the descriptions of tags. At the time of publication of the CVE no patch is available.

Vendor: -
Product: -
Updated: Apr 8, 2026 | Published: Apr 9, 2024
CVSS: v4 N/A | v3 7.5 HIGH | v2 N/A
The WooCommerce Cloak Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'permalink_settings_save' function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated attackers to modify the affiliate permalink base, driving traffic to malicious sites via the plugin's affiliate links.

Vendor: -
Product: -
Updated: Apr 8, 2026 | Published: Apr 9, 2024
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 N/A
The s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 230815 via the API. This makes it possible for unauthenticated attackers to see the contents of those posts and pages.

Vendor: -
Product: -
Updated: Apr 8, 2026 | Published: Apr 9, 2024
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 N/A
The WooCommerce Clover Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callback_handler function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to mark orders as paid.

Vendor: Microsoft
Product: Azure Cyclecloud
Updated: Jan 9, 2025 | Published: Apr 9, 2024
CVSS: v4 N/A | v3 8.8 HIGH | v2 N/A
Azure CycleCloud Elevation of Privilege Vulnerability

Vendor: Microsoft
Product: Azure Kubernetes Service Confidential Containers
Updated: Jan 9, 2025 | Published: Apr 9, 2024
CVSS: v4 N/A | v3 9.0 CRITICAL | v2 N/A
Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability

Vendor: Microsoft
Product: Defender For Iot
Updated: Nov 21, 2024 | Published: Apr 9, 2024
CVSS: v4 N/A | v3 7.2 HIGH | v2 N/A
Microsoft Defender for IoT Elevation of Privilege Vulnerability

Vendor: Microsoft
Product: Defender For Iot
Updated: Nov 21, 2024 | Published: Apr 9, 2024
CVSS: v4 N/A | v3 7.2 HIGH | v2 N/A
Microsoft Defender for IoT Elevation of Privilege Vulnerability

Vendor: Microsoft
Products (13): Windows 10 1507, Windows 10 1607, Windows 10 1809, +10 more
Updated: Jan 8, 2025 | Published: Apr 9, 2024
CVSS: v4 N/A | v3 4.1 MEDIUM | v2 N/A
Secure Boot Security Feature Bypass Vulnerability

Vendor: Microsoft
Products (7): Azure Arc Extension Microsoft.azstackhci.operator, Azure Arc Extension Microsoft.azure.hybridnetwork, Azure Arc Extension Microsoft.azurekeyvaultsecretsprovider, +4 more
Updated: Jan 7, 2025 | Published: Apr 9, 2024
CVSS: v4 N/A | v3 6.2 MEDIUM | v2 N/A
Azure Arc-enabled Kubernetes Extension Cluster-Scope Elevation of Privilege Vulnerability

Vendor: Microsoft
Products (14): Windows 10 1507, Windows 10 1607, Windows 10 1809, +11 more
Updated: Jan 8, 2025 | Published: Apr 9, 2024
CVSS: v4 N/A | v3 6.7 MEDIUM | v2 N/A
Proxy Driver Spoofing Vulnerability