Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-46033 1Dlink 2Dsl 2730u Firmware Dsl 2750u Firmware Nov 21, 2024 Oct 19, 2023 N/A· v4 6.8 MEDIUM· v3 N/A· v2 D-Link (Non-US) DSL-2750U N300 ADSL2+ and (Non-US) DSL-2730U N150 ADSL2+ are vulnerable to Incorrect Access Control. The UART/Serial interface on the PCB, provides log output and a root terminal without proper access con...Show more D-Link (Non-US) DSL-2750U N300 ADSL2+ and (Non-US) DSL-2730U N150 ADSL2+ are vulnerable to Incorrect Access Control. The UART/Serial interface on the PCB, provides log output and a root terminal without proper access control.Show less
CVE-2023-20261 1Cisco 1Catalyst Sd Wan Manager Nov 21, 2024 Oct 18, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to retrieve arbitrary files from an affected system. This vulnerability is due to improper validation of par...Show more A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to retrieve arbitrary files from an affected system. This vulnerability is due to improper validation of parameters that are sent to the web UI. An attacker could exploit this vulnerability by logging in to Cisco Catalyst SD-WAN Manager and issuing crafted requests using the web UI. A successful exploit could allow the attacker to obtain arbitrary files from the underlying Linux file system of an affected system. To exploit this vulnerability, the attacker must be an authenticated user.Show less
CVE-2023-22102 2Netapp Oracle 2Mysql Connector/j Oncommand Insight Mar 6, 2025 Oct 17, 2023 N/A· v4 8.3 HIGH· v3 N/A· v2 Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with n...Show more Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).Show less
CVE-2023-43814 1Discourse 1Discourse Nov 21, 2024 Oct 16, 2023 N/A· v4 3.7 LOW· v3 N/A· v2 Discourse is an open source platform for community discussion. Attackers with details specific to a poll in a topic can use the `/polls/grouped_poll_results` endpoint to view the content of options in the poll and the nu...Show more Discourse is an open source platform for community discussion. Attackers with details specific to a poll in a topic can use the `/polls/grouped_poll_results` endpoint to view the content of options in the poll and the number of votes for groups of poll participants. This impacts private polls where the results were intended to only be viewable by authorized users. This issue is patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. There is no workaround for this issue apart from upgrading to the fixed version. Show less
CVE-2023-43119 1Extremenetworks 1Exos Nov 21, 2024 Oct 16, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An Access Control issue discovered in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, also fixed in 22.7, 31.7.2 allows attackers to gain escalated privileges using crafted telnet commands via Redis server.
CVE-2023-5240 1Devolutions 1Devolutions Server Nov 21, 2024 Oct 13, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Improper access control in PAM propagation scripts in Devolutions Server 2023.2.8.0 and ealier allows an attack with permission to manage PAM propagation scripts to retrieve passwords stored in it via a GET request.
CVE-2023-43079 1Dell 1Emc Openmanage Server Administrator Nov 21, 2024 Oct 13, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Dell OpenManage Server Administrator, versions 11.0.0.0 and prior, contains an Improper Access Control vulnerability. A local low-privileged malicious user could potentially exploit this vulnerability to execute arbitra...Show more Dell OpenManage Server Administrator, versions 11.0.0.0 and prior, contains an Improper Access Control vulnerability. A local low-privileged malicious user could potentially exploit this vulnerability to execute arbitrary code in order to elevate privileges on the system. Exploitation may lead to a complete system compromise. Show less
CVE-2023-41882 1Vantage6 1Vantage6 Nov 21, 2024 Oct 11, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to v...Show more vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.Show less
CVE-2023-32632 1Yifanwireless 1Yf325 Firmware Nov 4, 2025 Oct 11, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A command execution vulnerability exists in the validate.so diag_ping_start functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to command execution. An attacker can send a network re...Show more A command execution vulnerability exists in the validate.so diag_ping_start functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability.Show less
CVE-2023-24479 1Yifanwireless 1Yf325 Firmware Nov 21, 2024 Oct 11, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An authentication bypass vulnerability exists in the httpd nvram.cgi functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network...Show more An authentication bypass vulnerability exists in the httpd nvram.cgi functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.Show less
CVE-2023-44118 1Huawei 2Emui Harmonyos Nov 21, 2024 Oct 11, 2023 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Vulnerability of undefined permissions in the MeeTime module.Successful exploitation of this vulnerability will affect availability and confidentiality.
CVE-2023-41772 1Microsoft 7Windows 10 1809 Windows 10 21h2Windows 10 22h2+4 more Nov 21, 2024 Oct 10, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Win32k Elevation of Privilege Vulnerability
CVE-2023-36790 1Microsoft 1Windows Server 2008 Nov 21, 2024 Oct 10, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability
CVE-2023-36725 1Microsoft 7Windows 10 1809 Windows 10 21h2Windows 10 22h2+4 more Nov 21, 2024 Oct 10, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-36722 1Microsoft 12Windows 10 1507 Windows 10 1607Windows 10 1809+9 more Nov 21, 2024 Oct 10, 2023 N/A· v4 4.4 MEDIUM· v3 N/A· v2 Active Directory Domain Services Information Disclosure Vulnerability
CVE-2023-36561 1Microsoft 1Azure Devops Server Nov 21, 2024 Oct 10, 2023 N/A· v4 7.3 HIGH· v3 N/A· v2 Azure DevOps Server Elevation of Privilege Vulnerability
CVE-2023-41679 1Fortinet 1Fortimanager Nov 21, 2024 Oct 10, 2023 N/A· v4 9.6 CRITICAL· v3 N/A· v2 An improper access control vulnerability [CWE-284] in FortiManager management interface 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions may allow a remote and authentica...Show more An improper access control vulnerability [CWE-284] in FortiManager management interface 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions may allow a remote and authenticated attacker with at least "device management" permission on his profile and belonging to a specific ADOM to add and delete CLI script on other ADOMsShow less
CVE-2023-33301 1Fortinet 1Fortios Nov 21, 2024 Oct 10, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An improper access control vulnerability in Fortinet FortiOS 7.2.0 - 7.2.4 and 7.4.0 allows an attacker to access a restricted resource from a non trusted host.
CVE-2023-37194 1Siemens 5Simatic Cp 1604 Firmware Simatic Cp 1616 FirmwareSimatic Cp 1623 Firmware+2 more Nov 21, 2024 Oct 10, 2023 N/A· v4 6.7 MEDIUM· v3 N/A· v2 A vulnerability has been identified in SIMATIC CP 1604 (All versions), SIMATIC CP 1616 (All versions), SIMATIC CP 1623 (All versions), SIMATIC CP 1626 (All versions), SIMATIC CP 1628 (All versions). The kernel memory of...Show more A vulnerability has been identified in SIMATIC CP 1604 (All versions), SIMATIC CP 1616 (All versions), SIMATIC CP 1623 (All versions), SIMATIC CP 1626 (All versions), SIMATIC CP 1628 (All versions). The kernel memory of affected devices is exposed to user-mode via direct memory access (DMA) which could allow a local attacker with administrative privileges to execute arbitrary code on the host system without any restrictions.Show less
CVE-2023-5365 1Hp 1Life Nov 21, 2024 Oct 9, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 HP LIFE Android Mobile application is potentially vulnerable to escalation of privilege and/or information disclosure.

Previous 1...148149150...255 Next