Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-2281 1Boyiddha 1Automated Mess Management System Mar 12, 2025 Mar 8, 2024 N/A· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability was found in boyiddha Automated-Mess-Management-System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/index.php of the component Setting Handler. The man...Show more A vulnerability was found in boyiddha Automated-Mess-Management-System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/index.php of the component Setting Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256048. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-23267 1Apple 1Macos Apr 2, 2026 Mar 8, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 The issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.7.4, macOS Sonoma 14.4, macOS Ventura 13.6.5. An app may be able to bypass certain Privacy preferences.
CVE-2024-23266 1Apple 1Macos Apr 2, 2026 Mar 8, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 The issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.7.4, macOS Sonoma 14.4, macOS Ventura 13.6.5. An app may be able to modify protected parts of the file system.
CVE-2024-23238 1Apple 1Macos Apr 2, 2026 Mar 8, 2024 N/A· v4 3.3 LOW· v3 N/A· v2 An access issue was addressed with improved access restrictions. This issue is fixed in macOS Sonoma 14.4. An app may be able to edit NVRAM variables.
CVE-2024-0258 1Apple 5Ipad Os Iphone OsMacos+2 more Apr 2, 2026 Mar 8, 2024 N/A· v4 8.6 HIGH· v3 N/A· v2 The issue was addressed with improved memory handling. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, tvOS 17.4, watchOS 10.4. An app may be able to execute arbitrary code out of its sandbox or with...Show more The issue was addressed with improved memory handling. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, tvOS 17.4, watchOS 10.4. An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges.Show less
CVE-2024-28115 1Amazon 1Freertos Nov 21, 2024 Mar 7, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 FreeRTOS is a real-time operating system for microcontrollers. FreeRTOS Kernel versions through 10.6.1 do not sufficiently protect against local privilege escalation via Return Oriented Programming techniques should a vu...Show more FreeRTOS is a real-time operating system for microcontrollers. FreeRTOS Kernel versions through 10.6.1 do not sufficiently protect against local privilege escalation via Return Oriented Programming techniques should a vulnerability exist that allows code injection and execution. These issues affect ARMv7-M MPU ports, and ARMv8-M ports with Memory Protected Unit (MPU) support enabled (i.e. `configENABLE_MPU` set to 1). These issues are fixed in version 10.6.2 with a new MPU wrapper. Show less
CVE-2023-51786 - - Nov 21, 2024 Mar 7, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 An issue was discovered in Lustre versions 2.13.x, 2.14.x, and 2.15.x before 2.15.4, allows attackers to escalate privileges and obtain sensitive information via Incorrect Access Control.
CVE-2023-43318 1Tp Link 1Tl Sg2210p Firmware Nov 4, 2025 Mar 6, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 TP-Link JetStream Smart Switch TL-SG2210P 5.0 Build 20211201 allows attackers to escalate privileges via modification of the 'tid' and 'usrlvl' values in GET requests.
CVE-2023-38946 1Multilaser 1Re160 Firmware Jan 7, 2025 Mar 6, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue in Multilaser RE160 firmware v5.07.51_pt_MTL01 and v5.07.52_pt_MTL01 allows attackers to bypass the access control and gain complete access to the application via supplying a crafted cookie.
CVE-2023-38945 1Multilaser 3Re160 Firmware Re160v FirmwareRe163v Firmware Nov 4, 2025 Mar 6, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Multilaser RE160 v5.07.51_pt_MTL01 and v5.07.52_pt_MTL01, Multilaser RE160V v12.03.01.08_pt and V12.03.01.09_pt, and Multilaser RE163V v12.03.01.08_pt allows attackers to bypass the access control and gain complete acces...Show more Multilaser RE160 v5.07.51_pt_MTL01 and v5.07.52_pt_MTL01, Multilaser RE160V v12.03.01.08_pt and V12.03.01.09_pt, and Multilaser RE163V v12.03.01.08_pt allows attackers to bypass the access control and gain complete access to the application via supplying a crafted URL.Show less
CVE-2024-1898 1Devolutions 1Devolutions Server Mar 14, 2025 Mar 5, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Improper access control in the notification feature in Devolutions Server 2023.3.14.0 and earlier allows a low privileged user to change notifications settings configured by an administrator.
CVE-2024-1478 1Helderk 1Maintenance Mode Apr 8, 2026 Mar 5, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.1 via the REST API. This makes it possible for unauthenticated attackers to obtain post...Show more The Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.1 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page content via API thus bypassing the content protection provided by the plugin.Show less
CVE-2024-1088 1Rajkakadiya 1Password Protected Store For Woocommerce Apr 8, 2026 Mar 5, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The Password Protected Store for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2 via the REST API. This makes it possible for unauthenticated att...Show more The Password Protected Store for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive data including post titles and content.Show less
CVE-2024-20036 1Google 1Android Apr 22, 2025 Mar 4, 2024 N/A· v4 4.4 MEDIUM· v3 N/A· v2 In vdec, there is a possible permission bypass due to a permissions bypass. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch...Show more In vdec, there is a possible permission bypass due to a permissions bypass. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08509508; Issue ID: ALPS08509508.Show less
CVE-2024-0795 1Mintplexlabs 1Anythingllm Jan 21, 2025 Mar 2, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 If an attacked was given access to an instance with the admin or manager role there is no backend authentication that would prevent the attacked from creating a new user with an `admin` role and then be able to use this...Show more If an attacked was given access to an instance with the admin or manager role there is no backend authentication that would prevent the attacked from creating a new user with an `admin` role and then be able to use this new account to have elevated privileges on the instanceShow less
CVE-2023-49545 1Oretnom23 1Customer Support System Mar 28, 2025 Mar 1, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization.
CVE-2023-49543 1Book Store Management System Project 1Book Store Management System Apr 18, 2025 Mar 1, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect access control in Book Store Management System v1 allows attackers to access unauthorized pages and execute administrative functions without authenticating.
CVE-2024-21767 - - Nov 21, 2024 Mar 1, 2024 N/A· v4 9.4 CRITICAL· v3 N/A· v2 A remote attacker may be able to bypass access control of Commend WS203VICM by creating a malicious request.
CVE-2024-27497 1Linksys 1E2000 Firmware Jun 27, 2025 Mar 1, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Linksys E2000 Ver.1.0.06 build 1 is vulnerable to authentication bypass via the position.js file.
CVE-2024-1942 1Mattermost 1Mattermost Server Dec 13, 2024 Feb 29, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents...Show more Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of. Show less

Previous 1...132133134...255 Next