CWE-284

5,090 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.


CVEs (5,090)

Fields per entry: Vendors · Products · Updated · Published · CVSS (v4 / v3 / v2) · Description
Vendors (1): Objectcomputing · Products (1): Micronaut Security · Updated: Nov 21, 2024 · Published: Oct 9, 2023 · CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
Micronaut Security is a security solution for applications. Prior to versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1, IdTokenClaimsValidator skips `aud` claim validation if the token is issued by the same identity issuer/provider. This affects any OIDC setup using Micronaut where multiple OIDC applications exist for the same issuer but token auth is not meant to be shared. This issue has been patched in versions 3.1.2, 3.2.4, 3.3.2, 3.4.3, 3.5.3, 3.6.6, 3.7.4, 3.8.4, 3.9.6, 3.10.2, and 3.11.1.
Vendors (1): Sick · Products (1): Apu0200 Firmware · Updated: Nov 21, 2024 · Published: Oct 9, 2023 · CVSS: v4 N/A · v3 9.8 CRITICAL · v2 N/A
Improper Access Control in SICK APU allows an unprivileged remote attacker to download as well as upload arbitrary files via anonymous access to the FTP server.
Vendors (1): Decidim · Products (1): Decidim · Updated: Nov 21, 2024 · Published: Oct 6, 2023 · CVSS: v4 N/A · v3 7.1 HIGH · v2 N/A
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module doesn't enforce the correct permissions, allowing any logged-in user to access this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys. This issue has been patched in versions 0.26.8 and 0.27.4.
Vendors (1): Dell · Products (1): Smartfabric Storage Software · Updated: Nov 21, 2024 · Published: Oct 5, 2023 · CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
Dell SmartFabric Storage Software v1.4 (and earlier) contains an improper access control vulnerability in the CLI. A local, possibly unauthenticated attacker could potentially exploit this vulnerability, leading to the ability to execute arbitrary shell commands.
Vendors (2): Candlepinproject, Redhat · Products (2): Candlepin, Satellite · Updated: Nov 21, 2024 · Published: Oct 4, 2023 · CVSS: v4 N/A · v3 8.1 HIGH · v2 N/A
An improper access control flaw was found in Candlepin. An attacker can create data scoped under another customer/tenant, which can result in loss of confidentiality and availability for the affected customer/tenant.
Vendors (1): Nokia · Products (6): Wavelite Metro 200 And F2b Fans Firmware, Wavelite Metro 200 And Fan Firmware, Wavelite Metro 200 Ne And F2b Fans Firmware, +3 more · Updated: Nov 21, 2024 · Published: Oct 4, 2023 · CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
If Security Hardening guide rules are not followed, then Nokia WaveLite products allow a local user to create new users with administrative privileges by manipulating a web request. This affects (for example) WaveLite Metro 200 and Fan, WaveLite Metro 200 OPS and Fans, WaveLite Metro 200 and F2B fans, WaveLite Metro 200 OPS and F2B fans, WaveLite Metro 200 NE and F2B fans, and WaveLite Metro 200 NE OPS and F2B fans.
Vendors (1): Bydemes · Products (1): Airspace Cctv Web Service · Updated: Nov 21, 2024 · Published: Oct 3, 2023 · CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
The web service of ByDemes Group Airspace CCTV Web Service in its 2.616.BY00.11 version contains a privilege escalation vulnerability, detected in the Camera Control Panel, whose exploitation could allow a low-privileged attacker to gain administrator access.
Vendors (1): Salesagility · Products (1): Suitecrm · Updated: Nov 21, 2024 · Published: Oct 3, 2023 · CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
Improper Access Control in GitHub repository salesagility/suitecrm prior to 7.14.1.
Vendors (1): Qualcomm · Products (42): Ar8035 Firmware, Fastconnect 6700 Firmware, Fastconnect 6900 Firmware, +39 more · Updated: Nov 21, 2024 · Published: Oct 3, 2023 · CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
Memory Corruption in Core while invoking a call to Access Control core library with hardware protected address range.
Vendors (1): Qualcomm · Products (161): Aqt1000 Firmware, Ar8035 Firmware, Fastconnect 6200 Firmware, +158 more · Updated: Aug 11, 2025 · Published: Oct 3, 2023 · CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
Improper Access to the VM resource manager can lead to Memory Corruption.
Vendors (1): Purestorage · Products (1): Purity//fa · Updated: Nov 21, 2024 · Published: Oct 3, 2023 · CVSS: v4 N/A · v3 4.9 MEDIUM · v2 N/A
A flaw exists in FlashArray Purity wherein, under limited circumstances, an array administrator can alter the retention lock of a pgroup and disable pgroup SafeMode protection.
Vendors (1): Purestorage · Products (1): Purity · Updated: Nov 21, 2024 · Published: Oct 2, 2023 · CVSS: v4 N/A · v3 2.7 LOW · v2 N/A
A flaw exists in FlashBlade Purity (OE) Version 4.1.0 whereby a user with privileges to extend an object's retention period can affect the availability of the object lock.
Vendors (1): Sick · Products (1): Sim1012 0p0g200 Firmware · Updated: Nov 21, 2024 · Published: Sep 29, 2023 · CVSS: v4 N/A · v3 9.8 CRITICAL · v2 N/A
A remote unauthorized attacker may connect to the SIM1012, interact with the device and change configuration settings. The adversary may also reset the SIM and in the worst case upload a new firmware version to the device.
Vendors (1): Dell · Products (1): Common Event Enabler · Updated: Nov 21, 2024 · Published: Sep 29, 2023 · CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
Dell Common Event Enabler 8.9.8.2 for Windows and prior contains an improper access control vulnerability. A local low-privileged malicious user may potentially exploit this vulnerability to gain elevated privileges.
Vendors (1): Cisco · Products (1): Dna Center · Updated: Nov 21, 2024 · Published: Sep 27, 2023 · CVSS: v4 N/A · v3 8.2 HIGH · v2 N/A
A vulnerability in Cisco DNA Center could allow an unauthenticated, remote attacker to read and modify data in a repository that belongs to an internal service on an affected device. This vulnerability is due to insufficient access control enforcement on API requests. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow the attacker to read and modify data that is handled by an internal service on the affected device.
Vendors (1): Emc · Products (1): Appsync · Updated: Nov 21, 2024 · Published: Sep 27, 2023 · CVSS: v4 N/A · v3 7.8 HIGH · v2 N/A
Dell AppSync, versions 4.4.0.0 to 4.6.0.0 including Service Pack releases, contains an improper access control vulnerability in the Embedded Service Enabler component. A local malicious user could potentially exploit this vulnerability during installation, leading to a privilege escalation.
Vendors (1): Glpi Project · Products (1): Glpi · Updated: Nov 21, 2024 · Published: Sep 27, 2023 · CVSS: v4 N/A · v3 8.8 HIGH · v2 N/A
GLPI (Gestionnaire Libre de Parc Informatique) is a free asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. A user with write access to another user can make requests to change the latter's password and then take control of their account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
Vendors (1): Huawei · Products (2): Emui, Harmonyos · Updated: Nov 21, 2024 · Published: Sep 27, 2023 · CVSS: v4 N/A · v3 5.3 MEDIUM · v2 N/A
Permission control vulnerability in the audio module. Successful exploitation of this vulnerability may cause an app to be activated automatically.
Vendors (1): Siberiancms · Products (1): Siberiancms · Updated: Nov 21, 2024 · Published: Sep 27, 2023 · CVSS: v4 N/A · v3 6.5 MEDIUM · v2 N/A
SiberianCMS - CWE-284 Improper Access Control: an authorized user may disable a security feature over the network.
Vendors (1): Totolink · Products (2): A3700r Firmware, N600r Firmware · Updated: Nov 21, 2024 · Published: Sep 25, 2023 · CVSS: v4 N/A · v3 9.8 CRITICAL · v2 N/A
TOTOLINK A3700R V9.1.2u.6134_B20201202 and N600R V5.3c.5137 are vulnerable to Incorrect Access Control.