Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-21424 1Microsoft 1Azure Compute Gallery Jan 8, 2025 Apr 9, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Azure Compute Gallery Elevation of Privilege Vulnerability
CVE-2024-31805 1Totolink 1Ex200 Firmware Mar 18, 2025 Apr 8, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to start the Telnet service without authorization via the telnet_enabled parameter in the setTelnetCfg function.
CVE-2024-27895 1Huawei 1Harmonyos Mar 28, 2025 Apr 8, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Vulnerability of permission control in the window module. Successful exploitation of this vulnerability may affect confidentiality.
CVE-2023-52537 1Huawei 2Emui Harmonyos Mar 13, 2025 Apr 8, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Vulnerability of package name verification being bypassed in the HwIms module. Impact: Successful exploitation of this vulnerability will affect availability.
CVE-2024-30418 1Huawei 2Emui Harmonyos Mar 13, 2025 Apr 7, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Vulnerability of insufficient permission verification in the app management module. Impact: Successful exploitation of this vulnerability will affect availability.
CVE-2024-2447 1Mattermost 1Mattermost Server Dec 13, 2024 Apr 5, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts...Show more Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action. Show less
CVE-2024-29221 1Mattermost 1Mattermost Server Dec 13, 2024 Apr 5, 2024 N/A· v4 3.8 LOW· v3 N/A· v2 Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team...Show more Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins. Show less
CVE-2024-21848 1Mattermost 1Mattermost Server Dec 13, 2024 Apr 5, 2024 N/A· v4 3.1 LOW· v3 N/A· v2 Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel
CVE-2024-31207 - - Nov 21, 2024 Apr 4, 2024 N/A· v4 5.9 MEDIUM· v3 N/A· v2 Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnera...Show more Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.Show less
CVE-2024-30261 2Fedoraproject Nodejs 2Fedora Undici Nov 4, 2025 Apr 4, 2024 N/A· v4 3.5 LOW· v3 N/A· v2 Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulne...Show more Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.Show less
CVE-2023-36644 1Itb Pim 1Tradepro Apr 24, 2025 Apr 4, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Incorrect Access Control in ITB-GmbH TradePro v9.5, allows remote attackers to receive all order confirmations from the online shop via the printmail plugin.
CVE-2023-36643 1Itb Pim 1Tradepro Apr 24, 2025 Apr 4, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Incorrect Access Control in ITB-GmbH TradePro v9.5, allows remote attackers to receive all orders from the online shop via oordershow component in customer function.
CVE-2024-1418 - - Apr 8, 2026 Apr 4, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The CGC Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2 via the REST API. This makes it possible for unauthenticated attackers to view prote...Show more The CGC Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2 via the REST API. This makes it possible for unauthenticated attackers to view protected posts via REST API even when maintenance mode is enabled.Show less
CVE-2024-3270 1Thingsboard 1Thingsboard Feb 7, 2025 Apr 3, 2024 N/A· v4 6.5 MEDIUM· v3 4.7 MEDIUM· v2 A vulnerability classified as problematic was found in ThingsBoard up to 3.6.2. This vulnerability affects unknown code of the component AdvancedFeature. The manipulation leads to improper access controls. The attack can...Show more A vulnerability classified as problematic was found in ThingsBoard up to 3.6.2. This vulnerability affects unknown code of the component AdvancedFeature. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-259282 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure and replied to be planning to fix this issue in version 3.7.Show less
CVE-2024-20302 1Cisco 1Nexus Dashboard Orchestrator Apr 11, 2025 Apr 3, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 A vulnerability in the tenant security implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an authenticated, remote attacker to modify or delete tenant templates on an affected system. This vulner...Show more A vulnerability in the tenant security implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an authenticated, remote attacker to modify or delete tenant templates on an affected system. This vulnerability is due to improper access controls within tenant security. An attacker who is using a valid user account with write privileges and either a Site Manager or Tenant Manager role could exploit this vulnerability. A successful exploit could allow the attacker to modify or delete tenant templates under non-associated tenants, which could disrupt network traffic.Show less
CVE-2024-20283 1Cisco 1Nexus Dashboard May 7, 2025 Apr 3, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 A vulnerability in Cisco Nexus Dashboard could allow an authenticated, remote attacker to learn cluster deployment information on an affected device. This vulnerability is due to improper access controls on a specific...Show more A vulnerability in Cisco Nexus Dashboard could allow an authenticated, remote attacker to learn cluster deployment information on an affected device. This vulnerability is due to improper access controls on a specific API endpoint. An attacker could exploit this vulnerability by sending queries to the API endpoint. A successful exploit could allow an attacker to access metrics and information about devices in the Nexus Dashboard cluster.Show less
CVE-2024-27605 1Alldata 1Alldata Mar 28, 2025 Apr 2, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Alldata V0.4.6 is vulnerable to Insecure Permissions. Using users (test) can query information about the users in the system.
CVE-2024-27602 1Alldata 1Alldata Apr 30, 2025 Apr 2, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Alldata V0.4.6 is vulnerable to Incorrect Access Control. A total of many modules interface documents have been leaked.For example, the /api/system/v2/api-docs module.
CVE-2024-3164 1Dotcms 1Dotcms Jun 27, 2025 Apr 1, 2024 N/A· v4 4.5 MEDIUM· v3 N/A· v2 In dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get si...Show more In dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to the System Maintenance → Tools portlet. This would share database username and password under Log Files and download DB Dump and other dotCMS Content under Tools. Nothing in the System → Maintenance should be displayed for users with site admin role. Only system admins must have access to System Maintenance. OWASP Top 10 - A01) Broken Access Control OWASP Top 10 - A04) Insecure DesignShow less
CVE-2024-28405 1Sem Cms 1Semcms Apr 4, 2025 Mar 29, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 SEMCMS 4.8 is vulnerable to Incorrect Access Control. The code installs SEMCMS_Funtion.php before checking if the admin is a valid user in the admin page because authentication function is called from there, users gain a...Show more SEMCMS 4.8 is vulnerable to Incorrect Access Control. The code installs SEMCMS_Funtion.php before checking if the admin is a valid user in the admin page because authentication function is called from there, users gain admin privileges.Show less

Previous 1...129130131...255 Next