Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-28960 3Arm FedoraprojectTrustedfirmware 4Fedora Mbed CryptoMbed Tls+1 more Jun 5, 2026 Mar 29, 2024 N/A· v4 8.2 HIGH· v3 N/A· v2 An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto API mishandles shared memory.
CVE-2024-28016 1Nec 59Aterm Cr2500p Firmware Aterm Mr01ln FirmwareAterm Mr02ln Firmware+56 more Sep 29, 2025 Mar 28, 2024 N/A· v4 6.0 MEDIUM· v3 N/A· v2 Improper Access Controlvulnerability in NEC Corporation Aterm WG1800HP4, WG1200HS3, WG1900HP2, WG1200HP3, WG1800HP3, WG1200HS2, WG1900HP, WG1200HP2, W1200EX(-MS), WG1200HS, WG1200HP, WF300HP2, W300P, WF800HP, WR8165N, WG...Show more Improper Access Controlvulnerability in NEC Corporation Aterm WG1800HP4, WG1200HS3, WG1900HP2, WG1200HP3, WG1800HP3, WG1200HS2, WG1900HP, WG1200HP2, W1200EX(-MS), WG1200HS, WG1200HP, WF300HP2, W300P, WF800HP, WR8165N, WG2200HP, WF1200HP2, WG1800HP2, WF1200HP, WG600HP, WG300HP, WF300HP, WG1800HP, WG1400HP, WR8175N, WR9300N, WR8750N, WR8160N, WR9500N, WR8600N, WR8370N, WR8170N, WR8700N, WR8300N, WR8150N, WR4100N, WR4500N, WR8100N, WR8500N, CR2500P, WR8400N, WR8200N, WR1200H, WR7870S, WR6670S, WR7850S, WR6650S, WR6600H, WR7800H, WM3400RN, WM3450RN, WM3500R, WM3600R, WM3800R, WR8166N, MR01LN MR02LN, WG1810HP(JE) and WG1810HP(MF) all versions allows a attacker to get device informations via the internet.Show less
CVE-2024-25962 1Dell 1Insightiq Jan 28, 2025 Mar 27, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Dell InsightIQ, version 5.0, contains an improper access control vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to monitoring data.
CVE-2024-25736 1Wyrestorm 1Apollo Vx20 Firmware Nov 4, 2025 Mar 27, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can restart the device via a /device/reboot GET request.
CVE-2023-50702 - - Nov 21, 2024 Mar 26, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Sikka SSCWindowsService 5 2023-09-14 executes a program as LocalSystem but allows full control by low-privileged users (and low-privileged users have write access to %PROGRAMDATA%\SSCService). Consequently, low-privilege...Show more Sikka SSCWindowsService 5 2023-09-14 executes a program as LocalSystem but allows full control by low-privileged users (and low-privileged users have write access to %PROGRAMDATA%\SSCService). Consequently, low-privileged users can execute arbitrary code as LocalSystem.Show less
CVE-2024-29866 1Datalust 1Seq Jun 17, 2025 Mar 21, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Datalust Seq before 2023.4.11151 and 2024 before 2024.1.11146 has Incorrect Access Control because a Project Owner or Organization Owner can escalate to System privileges.
CVE-2024-25811 1Iteachyou 1Dreamer Cms Apr 4, 2025 Mar 21, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An access control issue in Dreamer CMS v4.0.1 allows attackers to download backup files and leak sensitive information.
CVE-2023-49978 1Oretnom23 1Customer Support System Mar 5, 2025 Mar 21, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect access control in Customer Support System v1 allows non-administrator users to access administrative pages and execute actions reserved for administrators.
CVE-2020-26942 1Axigen 1Axigen Mail Server Mar 5, 2025 Mar 21, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 An issue discovered in Axigen Mail Server 10.3.x before 10.3.1.27 and 10.3.2.x before 10.3.3.1 allows unauthenticated attackers to submit a setAdminPassword operation request, subsequently setting a new arbitrary passwor...Show more An issue discovered in Axigen Mail Server 10.3.x before 10.3.1.27 and 10.3.2.x before 10.3.3.1 allows unauthenticated attackers to submit a setAdminPassword operation request, subsequently setting a new arbitrary password for the admin account.Show less
CVE-2024-1473 1Colorlib 1Coming Soon & Maintenance Mode Apr 8, 2026 Mar 20, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The Coming Soon & Maintenance Mode by Colorlib plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.99 via the REST API. This makes it possible for unauthenticated attacker...Show more The Coming Soon & Maintenance Mode by Colorlib plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.99 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page contents via REST API thus bypassing maintenance mode protection provided by the plugin.Show less
CVE-2024-1144 1Alma 1Alma Blog Oct 15, 2025 Mar 19, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Improper access control vulnerability in Devklan's Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow an unauthenticated user to access the application's functionalities without the need f...Show more Improper access control vulnerability in Devklan's Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow an unauthenticated user to access the application's functionalities without the need for credentials.Show less
CVE-2024-20767 1Adobe 1Coldfusion Oct 23, 2025 Mar 18, 2024 N/A· v4 7.4 HIGH· v3 N/A· v2 ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify...Show more ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet.Show less
CVE-2021-47155 - - Nov 21, 2024 Mar 18, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 The Net::IPV4Addr module 0.10 for Perl does not properly consider extraneous zero characters in an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.
CVE-2022-47037 1Siklu 1Tg Firmware Nov 21, 2024 Mar 18, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Siklu TG Terragraph devices before 2.1.1 allow attackers to discover valid, randomly generated credentials via GetCredentials.
CVE-2022-47036 - - Nov 21, 2024 Mar 18, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Siklu TG Terragraph devices before approximately 2.1.1 have a hardcoded root password that has been revealed via a brute force attack on an MD5 hash. It can be used for "debug login" by an admin. NOTE: the vulnerability...Show more Siklu TG Terragraph devices before approximately 2.1.1 have a hardcoded root password that has been revealed via a brute force attack on an MD5 hash. It can be used for "debug login" by an admin. NOTE: the vulnerability is not fixed by the 2.1.1 firmware; instead, it is fixed in newer hardware, which would typically be used with firmware 2.1.1 or later.Show less
CVE-2024-2481 1Surya2developer 1Hostel Management System Jan 23, 2025 Mar 15, 2024 N/A· v4 6.5 MEDIUM· v3 6.4 MEDIUM· v2 A vulnerability, which was classified as critical, was found in Surya2Developer Hostel Management System 1.0. Affected is an unknown function of the file /admin/manage-students.php. The manipulation of the argument del l...Show more A vulnerability, which was classified as critical, was found in Surya2Developer Hostel Management System 1.0. Affected is an unknown function of the file /admin/manage-students.php. The manipulation of the argument del leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-256890 is the identifier assigned to this vulnerability.Show less
CVE-2024-28390 1Advancedplugins 1Ultimateimagetool Nov 19, 2025 Mar 14, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in Advanced Plugins ultimateimagetool module for PrestaShop before v.2.2.01, allows a remote attacker to escalate privileges and obtain sensitive information via Improper Access Control.
CVE-2024-25653 1Delinea 1Secret Server Oct 14, 2025 Mar 14, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Broken Access Control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports via the Report functio...Show more Broken Access Control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports via the Report functionality in the Web UI.Show less
CVE-2024-20322 1Cisco 1Ios Xr Aug 5, 2025 Mar 13, 2024 N/A· v4 5.8 MEDIUM· v3 N/A· v2 A vulnerability in the access control list (ACL) processing on Pseudowire interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This v...Show more A vulnerability in the access control list (ACL) processing on Pseudowire interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to improper assignment of lookup keys to internal interface contexts. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to access resources behind the affected device that were supposed to be protected by a configured ACL.Show less
CVE-2024-20319 1Cisco 1Ios Xr Jul 7, 2025 Mar 13, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 A vulnerability in the UDP forwarding code of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to bypass configured management plane protection policies and access the Simple Network Management Pla...Show more A vulnerability in the UDP forwarding code of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to bypass configured management plane protection policies and access the Simple Network Management Plane (SNMP) server of an affected device. This vulnerability is due to incorrect UDP forwarding programming when using SNMP with management plane protection. An attacker could exploit this vulnerability by attempting to perform an SNMP operation using broadcast as the destination address that could be processed by an affected device that is configured with an SNMP server. A successful exploit could allow the attacker to communicate to the device on the configured SNMP ports. Although an unauthenticated attacker could send UDP datagrams to the configured SNMP port, only an authenticated user can retrieve or modify data using SNMP requests.Show less

Previous 1...130131132...255 Next