CWE-284

5,090 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.


CVEs (5,090)

Each entry lists vendor, product, last-updated date, publication date, CVSS scores (v4 / v3 / v2) and the CVE description.

Vendor: Mattermost
Product: Mattermost Server
Updated: May 12, 2025
Published: Feb 29, 2024
CVSS: v4 N/A; v3 4.3 MEDIUM; v2 N/A
Description: Mattermost fails to check the "invite_guest" permission when inviting guests of other teams to a team, allowing a member with permissions to add other members but not to add guests to add a guest to a team as long as the guest was already a guest in another team of the server.

Vendor: Mattermost
Product: Mattermost Server
Updated: May 12, 2025
Published: Feb 29, 2024
CVSS: v4 N/A; v3 4.3 MEDIUM; v2 N/A
Description: Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the "Allow users to view archived channels" option is disabled.

Vendor: Mattermost
Product: Mattermost Server
Updated: May 12, 2025
Published: Feb 29, 2024
CVSS: v4 N/A; v3 4.3 MEDIUM; v2 N/A
Description: Mattermost fails to check if compliance export is enabled when fetching posts of public channels, allowing a user that is not a member of the public channel to fetch the posts, which will not be audited in the compliance export.

Vendor: F Logic
Product: Datacube3 Firmware
Updated: Jun 10, 2025
Published: Feb 29, 2024
CVSS: v4 N/A; v3 9.8 CRITICAL; v2 N/A
Description: F-logic DataCube3 v1.0 is vulnerable to Incorrect Access Control due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the configuration file. A successful exploit could allow the attacker to extract the root and admin password.

Vendor: Cisco
Product: Nx Os
Updated: Apr 30, 2025
Published: Feb 29, 2024
CVSS: v4 N/A; v3 5.8 MEDIUM; v2 N/A
Description: A vulnerability in the access control list (ACL) programming for port channel subinterfaces of Cisco Nexus 3000 and 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to send traffic that should be blocked through an affected device. This vulnerability is due to incorrect hardware programming that occurs when configuration changes are made to port channel member ports. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to access network resources that should be protected by an ACL that was applied on port channel subinterfaces.

Vendor: Wpify
Product: Woo Czech
Updated: Apr 8, 2026
Published: Feb 29, 2024
CVSS: v4 N/A; v3 5.3 MEDIUM; v2 N/A
Description: The WPify Woo Czech plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the maybe_send_to_packeta function in all versions up to, and including, 4.0.8. This makes it possible for unauthenticated attackers to obtain shipping details for orders as long as the order number is known.

Vendor: Awplife
Product: Coming Soon Maintenance Mode
Updated: Apr 8, 2026
Published: Feb 29, 2024
CVSS: v4 N/A; v3 5.3 MEDIUM; v2 N/A
Description: The Coming Soon Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.5 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page content, thus bypassing the protection provided by the plugin.

Vendor: Restezconnectes
Product: Wp Maintenance
Updated: Apr 8, 2026
Published: Feb 29, 2024
CVSS: v4 N/A; v3 5.3 MEDIUM; v2 N/A
Description: The WP Maintenance plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.1.6 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's maintenance mode and obtain post and page content via the REST API.

Vendor: Sunshinephotocart
Product: Sunshine Photo Cart
Updated: Apr 8, 2026
Published: Feb 29, 2024
CVSS: v4 N/A; v3 5.3 MEDIUM; v2 N/A
Description: The Sunshine Photo Cart: Free Client Galleries for Photographers plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.24 via the 'invoice'. This makes it possible for unauthenticated attackers to extract sensitive data including customer email and physical addresses.

Vendor: Magazine3
Product: Schema & Structured Data For Wp & Amp
Updated: Apr 8, 2026
Published: Feb 29, 2024
CVSS: v4 N/A; v3 4.3 MEDIUM; v2 N/A
Description: The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saswp_reviews_form_render' function in all versions up to, and including, 1.26. This makes it possible for authenticated attackers, with contributor access and above, to modify the plugin's stored reCaptcha site and secret keys, potentially breaking the reCaptcha functionality.

Vendor: Cusrev
Product: Customer Reviews For Woocommerce
Updated: Apr 8, 2026
Published: Feb 29, 2024
CVSS: v4 N/A; v3 5.3 MEDIUM; v2 N/A
Description: The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_review' function in all versions up to, and including, 5.38.12. This makes it possible for unauthenticated attackers to submit reviews with arbitrary email addresses regardless of whether reviews are globally enabled.

Vendor: Zatzlabs
Product: My Private Site
Updated: Apr 8, 2026
Published: Feb 29, 2024
CVSS: v4 N/A; v3 5.3 MEDIUM; v2 N/A
Description: The My Private Site plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.14 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's site privacy feature and view restricted page and post content.

Vendor: Json Jwt Project
Product: Json Jwt
Updated: May 8, 2025
Published: Feb 29, 2024
CVSS: v4 N/A; v3 8.4 HIGH; v2 N/A
Description: The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode.

Vendor: Couchbase
Product: Couchbase Server
Updated: Apr 8, 2025
Published: Feb 29, 2024
CVSS: v4 N/A; v3 9.8 CRITICAL; v2 N/A
Description: An issue was discovered in Couchbase Server before 7.2.4. SQL++ cURL calls to /diag/eval are not sufficiently restricted.

Vendor: Couchbase
Product: Couchbase Server
Updated: Mar 28, 2025
Published: Feb 29, 2024
CVSS: v4 N/A; v3 9.8 CRITICAL; v2 N/A
Description: An issue was discovered in Couchbase Server before 7.2.4. cURL calls to /diag/eval are not sufficiently restricted.

Vendor: Rws
Product: Worldserver
Updated: Apr 16, 2025
Published: Feb 29, 2024
CVSS: v4 N/A; v3 9.8 CRITICAL; v2 N/A
Description: An issue was discovered in RWS WorldServer before 11.7.3. Regular users can create users with the Administrator role via UserWSUserManager.

Vendor: Jupo
Product: Mezzanine
Updated: Mar 28, 2025
Published: Feb 28, 2024
CVSS: v4 N/A; v3 9.8 CRITICAL; v2 N/A
Description: An issue in Mezzanine v6.0.0 allows attackers to bypass access control mechanisms in the admin panel via a crafted request.

Vendor: Progress
Product: Sitefinity
Updated: Dec 16, 2024
Published: Feb 28, 2024
CVSS: v4 N/A; v3 6.5 MEDIUM; v2 N/A
Description: Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area.

Vendor: Dell
Product: Elastic Cloud Storage
Updated: Feb 4, 2025
Published: Feb 28, 2024
CVSS: v4 N/A; v3 6.5 MEDIUM; v2 N/A
Description: Dell ECS, versions 3.6 through 3.6.2.5, 3.7 through 3.7.0.6, and 3.8 through 3.8.0.4, contain an improper access control vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to all buckets and their data within a namespace.

Vendor: Acurax
Product: Under Construction / Maintenance Mode
Updated: Apr 8, 2026
Published: Feb 28, 2024
CVSS: v4 N/A; v3 5.3 MEDIUM; v2 N/A
Description: The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6 via the REST API. This makes it possible for unauthenticated attackers to obtain the contents of posts and pages when maintenance mode is active, thus bypassing the protection provided by the plugin.