Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-31019 1Nvidia 1Virtual Gpu Nov 21, 2024 Nov 2, 2023 N/A· v4 7.1 HIGH· v3 N/A· v2 NVIDIA GPU Display Driver for Windows contains a vulnerability in wksServicePlugin.dll, where the driver implementation does not restrict or incorrectly restricts access from the named pipe server to a connecting client,...Show more NVIDIA GPU Display Driver for Windows contains a vulnerability in wksServicePlugin.dll, where the driver implementation does not restrict or incorrectly restricts access from the named pipe server to a connecting client, which may lead to potential impersonation to the client's secure context.Show less
CVE-2023-43336 1Sangoma 1Freepbx Nov 21, 2024 Nov 2, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Sangoma Technologies FreePBX before cdr 15.0.18, 16.0.40, 15.0.16, and 16.0.17 was discovered to contain an access control issue via a modified parameter value, e.g., changing extension=self to extension=101.
CVE-2023-5916 1Dashy 1Dashy Nov 21, 2024 Nov 2, 2023 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability classified as critical has been found in Lissy93 Dashy 2.1.1. This affects an unknown part of the file /config-manager/save of the component Configuration Handler. The manipulation of the argument config...Show more A vulnerability classified as critical has been found in Lissy93 Dashy 2.1.1. This affects an unknown part of the file /config-manager/save of the component Configuration Handler. The manipulation of the argument config leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-244305 was assigned to this vulnerability.Show less
CVE-2023-20267 1Cisco 1Firepower Threat Defense Nov 21, 2024 Nov 1, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 A vulnerability in the IP geolocation rules of Snort 3 could allow an unauthenticated, remote attacker to potentially bypass IP address restrictions. This vulnerability exists because the configuration for IP geolocation...Show more A vulnerability in the IP geolocation rules of Snort 3 could allow an unauthenticated, remote attacker to potentially bypass IP address restrictions. This vulnerability exists because the configuration for IP geolocation rules is not parsed properly. An attacker could exploit this vulnerability by spoofing an IP address until they bypass the restriction. A successful exploit could allow the attacker to bypass location-based IP address restrictions.Show less
CVE-2023-5833 1Mintplexlabs 1Anythingllm Nov 21, 2024 Oct 30, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Access Control in GitHub repository mintplex-labs/anything-llm prior to 0.1.0.
CVE-2018-17559 1Abus 47Tvip 10000 Firmware Tvip 10001 FirmwareTvip 10005 Firmware+44 more Nov 21, 2024 Oct 26, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Due to incorrect access control, unauthenticated remote attackers can view the /video.mjpg video stream of certain ABUS TVIP cameras.
CVE-2023-46665 1Sielco 3Polyeco1000 Firmware Polyeco300 FirmwarePolyeco500 Firmware Nov 21, 2024 Oct 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Sielco PolyEco1000 is vulnerable to an authentication bypass vulnerability due to an attacker modifying passwords in a POST request and gain unauthorized access to the affected device with administrative...Show more Sielco PolyEco1000 is vulnerable to an authentication bypass vulnerability due to an attacker modifying passwords in a POST request and gain unauthorized access to the affected device with administrative privileges. Show less
CVE-2023-46664 1Sielco 3Polyeco1000 Firmware Polyeco300 FirmwarePolyeco500 Firmware Nov 21, 2024 Oct 26, 2023 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Sielco PolyEco1000 is vulnerable to an improper access control vulnerability when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers c...Show more Sielco PolyEco1000 is vulnerable to an improper access control vulnerability when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages. Show less
CVE-2023-46663 1Sielco 3Polyeco1000 Firmware Polyeco300 FirmwarePolyeco500 Firmware Nov 21, 2024 Oct 26, 2023 N/A· v4 8.1 HIGH· v3 N/A· v2 Sielco PolyEco1000 is vulnerable to an attacker bypassing authorization and accessing resources behind protected pages. The application interface allows users to perform certain actions via HTTP requests without...Show more Sielco PolyEco1000 is vulnerable to an attacker bypassing authorization and accessing resources behind protected pages. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. Show less
CVE-2023-46662 1Sielco 3Polyeco1000 Firmware Polyeco300 FirmwarePolyeco500 Firmware Nov 21, 2024 Oct 26, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Sielco PolyEco1000 is vulnerable to an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this via a specially crafted request to gain acc...Show more Sielco PolyEco1000 is vulnerable to an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this via a specially crafted request to gain access to sensitive information. Show less
CVE-2023-46661 1Sielco 3Polyeco1000 Firmware Polyeco300 FirmwarePolyeco500 Firmware Nov 21, 2024 Oct 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Sielco PolyEco1000 is vulnerable to an attacker escalating their privileges by modifying passwords in POST requests.
CVE-2023-46666 1Elastic 1Elastic Sharepoint Online Python Connector Nov 21, 2024 Oct 26, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue was discovered when using Document Level Security and the SPO "Limited Access" functionality in Elastic Sharepoint Online Python Connector. If a user is assigned limited access permissions to an item on a Sharep...Show more An issue was discovered when using Document Level Security and the SPO "Limited Access" functionality in Elastic Sharepoint Online Python Connector. If a user is assigned limited access permissions to an item on a Sharepoint site then that user would have read permissions to all content on the Sharepoint site through Elasticsearch.Show less
CVE-2023-45228 1Sielco 15Analog Fm Transmitter Exc1000gt Firmware Analog Fm Transmitter Exc1000gx FirmwareAnalog Fm Transmitter Exc100gt Firmware+12 more Nov 21, 2024 Oct 26, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The application suffers from improper access control when editing users. A user with read permissions can manipulate users, passwords, and permissions by sending a single HTTP POST request with modified parameters....Show more The application suffers from improper access control when editing users. A user with read permissions can manipulate users, passwords, and permissions by sending a single HTTP POST request with modified parameters. Show less
CVE-2023-42769 1Sielco 15Analog Fm Transmitter Exc1000gt Firmware Analog Fm Transmitter Exc1000gx FirmwareAnalog Fm Transmitter Exc100gt Firmware+12 more Nov 21, 2024 Oct 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The cookie session ID is of insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication, and manipulate the transmitter.
CVE-2023-30969 1Palantir 1Tiles Nov 21, 2024 Oct 26, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Palantir Tiles1 service was found to be vulnerable to an API wide issue where the service was not performing authentication/authorization on all the endpoints.
CVE-2023-38848 1Linecorp 1Line Nov 21, 2024 Oct 25, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in rmc R Beauty CLINIC Line v.13.6.1 allows a remote attacker to obtain sensitive information via crafted GET request.
CVE-2023-45844 1Boschrexroth 3Ctrlx Hmi Web Panel Wr2107 Firmware Ctrlx Hmi Web Panel Wr2110 FirmwareCtrlx Hmi Web Panel Wr2115 Firmware Nov 21, 2024 Oct 25, 2023 N/A· v4 6.8 MEDIUM· v3 N/A· v2 The vulnerability allows a low privileged user that have access to the device when locked in Kiosk mode to install an arbitrary Android application and leverage it to have access to critical device settings such as the d...Show more The vulnerability allows a low privileged user that have access to the device when locked in Kiosk mode to install an arbitrary Android application and leverage it to have access to critical device settings such as the device power management or eventually the device secure settings (ADB debug).Show less
CVE-2023-44794 1Dromara 1Sa Token Nov 21, 2024 Oct 25, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a crafted payload to the URL.
CVE-2023-41721 1Ui 1Unifi Network Application Nov 21, 2024 Oct 25, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Instances of UniFi Network Application that (i) are run on a UniFi Gateway Console, and (ii) are versions 7.5.176. and earlier, implement device adoption with improper access control logic, creating a risk of access to d...Show more Instances of UniFi Network Application that (i) are run on a UniFi Gateway Console, and (ii) are versions 7.5.176. and earlier, implement device adoption with improper access control logic, creating a risk of access to device configuration information by a malicious actor with preexisting access to the network. Affected Products: UDM UDM-PRO UDM-SE UDR UDW Mitigation: Update UniFi Network to Version 7.5.187 or later. Show less
CVE-2023-39731 1Line 1Kaibutsunosato Nov 21, 2024 Oct 20, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The leakage of the client secret in Kaibutsunosato v13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.

Previous 1...147148149...255 Next