Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-25525 1Nvidia 1Cumulus Linux Nov 21, 2024 Sep 20, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 NVIDIA Cumulus Linux contains a vulnerability in forwarding where a VxLAN-encapsulated IPv6 packet received on an SVI interface with DMAC/DIPv6 set to the link-local address of the SVI interface may be incorrectly forwar...Show more NVIDIA Cumulus Linux contains a vulnerability in forwarding where a VxLAN-encapsulated IPv6 packet received on an SVI interface with DMAC/DIPv6 set to the link-local address of the SVI interface may be incorrectly forwarded. A successful exploit may lead to information disclosure.Show less
CVE-2022-47558 1Ormazabal 2Ekorccp Firmware Ekorrci Firmware Nov 21, 2024 Sep 19, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Devices ekorCCP and ekorRCI are vulnerable due to access to the FTP service using default credentials. Exploitation of this vulnerability can allow an attacker to modify critical files that could allow the creation of ne...Show more Devices ekorCCP and ekorRCI are vulnerable due to access to the FTP service using default credentials. Exploitation of this vulnerability can allow an attacker to modify critical files that could allow the creation of new users, delete or modify existing users, modify configuration files, install rootkits or backdoors.Show less
CVE-2023-38206 1Adobe 1Coldfusion Nov 21, 2024 Sep 14, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could le...Show more Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints resulting in a low-confidentiality impact. Exploitation of this issue does not require user interaction.Show less
CVE-2023-38205 1Adobe 1Coldfusion Oct 23, 2025 Sep 14, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could le...Show more Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.Show less
CVE-2023-40850 1Netentsec 1Ns Asg Firmware Nov 21, 2024 Sep 13, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 netentsec NS-ASG 6.3 is vulnerable to Incorrect Access Control. There is a file leak in the website source code of the application security gateway.
CVE-2023-20191 1Cisco 1Ios Xr Nov 21, 2024 Sep 13, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnera...Show more A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to incomplete support for this feature. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass an ACL on the affected device. There are workarounds that address this vulnerability. This advisory is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2023 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication .Show less
CVE-2023-36638 1Fortinet 2Fortianalyzer Fortimanager Nov 21, 2024 Sep 13, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An improper privilege management vulnerability [CWE-269] in FortiManager 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions and FortiAnalyzer 7.2.0 through 7.2.2, 7.0.0 thr...Show more An improper privilege management vulnerability [CWE-269] in FortiManager 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions and FortiAnalyzer 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions API may allow a remote and authenticated API admin user to access some system settings such as the mail server settings through the API via a stolen GUI session ID.Show less
CVE-2023-34470 1Ami 1Aptio V Nov 21, 2024 Sep 12, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 AMI AptioV contains a vulnerability in BIOS where an Attacker may use an improper access control via the local network. A successful exploit of this vulnerability may lead to a loss of confidentiality, integrity and ava...Show more AMI AptioV contains a vulnerability in BIOS where an Attacker may use an improper access control via the local network. A successful exploit of this vulnerability may lead to a loss of confidentiality, integrity and availability. Show less
CVE-2023-34469 1Ami 1Aptio V Nov 21, 2024 Sep 12, 2023 N/A· v4 4.6 MEDIUM· v3 N/A· v2 AMI AptioV contains a vulnerability in BIOS where an Attacker may use an improper access control via the physical network. A successful exploit of this vulnerability may lead to a loss of confidentiality.
CVE-2023-40730 1Siemens 1Qms Automotive Nov 21, 2024 Sep 12, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A vulnerability has been identified in QMS Automotive (All versions < V12.39). The QMS.Mobile module of the affected application lacks sufficient authorization checks. This could allow an attacker to access confidential...Show more A vulnerability has been identified in QMS Automotive (All versions < V12.39). The QMS.Mobile module of the affected application lacks sufficient authorization checks. This could allow an attacker to access confidential information, perform administrative functions, or lead to a denial-of-service condition.Show less
CVE-2023-3039 1Dell 1Sd Rom Utility Nov 21, 2024 Sep 12, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 SD ROM Utility, versions prior to 1.0.2.0 contain an Improper Access Control vulnerability. A low-privileged malicious user may potentially exploit this vulnerability to perform arbitrary code execution with limited acc...Show more SD ROM Utility, versions prior to 1.0.2.0 contain an Improper Access Control vulnerability. A low-privileged malicious user may potentially exploit this vulnerability to perform arbitrary code execution with limited access. Show less
CVE-2023-40039 1Arris 3Tg1672g Firmware Tg852g FirmwareTg862g Firmware Nov 21, 2024 Sep 11, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered on ARRIS TG852G, TG862G, and TG1672G devices. A remote attacker (in proximity to a Wi-Fi network) can derive the default WPA2-PSK value by observing a beacon frame.
CVE-2023-37759 1Trendylogics 1Crypto Currency Tracker Nov 21, 2024 Sep 8, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect access control in the User Registration page of Crypto Currency Tracker (CCT) before v9.5 allows unauthenticated attackers to register as an Admin account via a crafted POST request.
CVE-2023-40060 1Solarwinds 1Serv U Nov 21, 2024 Sep 7, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to p...Show more A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 15.4. SolarWinds found that the issue was not completely fixed in 15.4 Hotfix 1. Show less
CVE-2023-36635 1Fortinet 1Fortiswitchmanager Nov 21, 2024 Sep 7, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An improper access control in Fortinet FortiSwitchManager version 7.2.0 through 7.2.2 7.0.0 through 7.0.1 may allow a remote authenticated read-only user to modify the interface settings via the API.
CVE-2021-40699 1Adobe 1Coldfusion Nov 21, 2024 Sep 7, 2023 N/A· v4 7.4 HIGH· v3 N/A· v2 ColdFusion version 2021 update 1 (and earlier) and versions 2018.10 (and earlier) are impacted by an improper access control vulnerability when checking permissions in the CFIDE path. An authenticated attacker could leve...Show more ColdFusion version 2021 update 1 (and earlier) and versions 2018.10 (and earlier) are impacted by an improper access control vulnerability when checking permissions in the CFIDE path. An authenticated attacker could leverage this vulnerability to access and manipulate arbitrary data on the environment. Show less
CVE-2021-36036 1Magento 1Magento Nov 21, 2024 Sep 6, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted...Show more Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker with administrative privilege can gain access to delete the .htaccess file. This could result in the attacker achieving remote code execution.Show less
CVE-2023-31242 1Openautomationsoftware 1Oas Platform Nov 21, 2024 Sep 5, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially-crafted series of network requests can lead to arbitrary authentication. An...Show more An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially-crafted series of network requests can lead to arbitrary authentication. An attacker can send a sequence of requests to trigger this vulnerability.Show less
CVE-2023-4696 1Usememos 1Memos Nov 21, 2024 Sep 1, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper Access Control in GitHub repository usememos/memos prior to 0.13.2.
CVE-2023-4650 1Instantcms 1Instantcms Nov 21, 2024 Aug 31, 2023 N/A· v4 4.7 MEDIUM· v3 N/A· v2 Improper Access Control in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

Previous 1...150151152...255 Next