Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-4640 1Yugabyte 1Yugabytedb Nov 21, 2024 Aug 30, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 The controller responsible for setting the logging level does not include any authorization checks to ensure the user is authenticated. This can be seen by noting that it extends Controller rather than AuthenticatedContr...Show more The controller responsible for setting the logging level does not include any authorization checks to ensure the user is authenticated. This can be seen by noting that it extends Controller rather than AuthenticatedController and includes no further checks. This issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3 Show less
CVE-2023-40170 1Jupyter 1Jupyter Server Nov 21, 2024 Aug 28, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Ope...Show more jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks.Show less
CVE-2023-4546 1Byzoro 1Smart S85f Management Platform Nov 21, 2024 Aug 26, 2023 N/A· v4 6.5 MEDIUM· v3 2.7 LOW· v2 A vulnerability was found in Byzoro Smart S85F Management Platform up to 20230816. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /sysmanage/licence.php. The m...Show more A vulnerability was found in Byzoro Smart S85F Management Platform up to 20230816. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /sysmanage/licence.php. The manipulation leads to improper access controls. The exploit has been disclosed to the public and may be used. The identifier VDB-238057 was assigned to this vulnerability.Show less
CVE-2023-40579 1Openfga 1Openfga Nov 21, 2024 Aug 25, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The...Show more OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. The vulnerability affects customers using `ListObjects` with specific models. The affected models contain expressions of type `rel1 from type1`. This issue has been patched in version 1.3.1.Show less
CVE-2023-40573 1Xwiki 1Xwiki Nov 21, 2024 Aug 24, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job...Show more XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a document doesn't modify the content author. Together with a CSRF vulnerability in the job scheduler, this can be exploited for remote code execution by an attacker with edit right on the wiki. If the attack is successful, an error log entry with "Job content executed" will be produced. This vulnerability has been patched in XWiki 14.10.9 and 15.4RC1.Show less
CVE-2022-3746 1Lenovo 87Ideapad 1 14ijl7 Firmware Ideapad 1 15ijl7 FirmwareIdeapad 1 14iau7 Firmware+84 more Nov 21, 2024 Aug 23, 2023 N/A· v4 6.7 MEDIUM· v3 N/A· v2 A potential vulnerability was discovered in LCFC BIOS for some Lenovo consumer notebook models that could allow a local attacker with elevated privileges to cause some peripherals to work abnormally due to an exposed Emb...Show more A potential vulnerability was discovered in LCFC BIOS for some Lenovo consumer notebook models that could allow a local attacker with elevated privileges to cause some peripherals to work abnormally due to an exposed Embedded Controller (EC) interface.Show less
CVE-2023-20230 1Cisco 1Application Policy Infrastructure Controller Nov 21, 2024 Aug 23, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A vulnerability in the restricted security domain implementation of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to read, modify, or delete non-tenant policies (...Show more A vulnerability in the restricted security domain implementation of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to read, modify, or delete non-tenant policies (for example, access policies) created by users associated with a different security domain on an affected system. This vulnerability is due to improper access control when restricted security domains are used to implement multi-tenancy for policies outside the tenant boundaries. An attacker with a valid user account associated with a restricted security domain could exploit this vulnerability. A successful exploit could allow the attacker to read, modify, or delete policies created by users associated with a different security domain. Exploitation is not possible for policies under tenants that an attacker has no authorization to access.Show less
CVE-2023-38132 1Elecom 1Lan W451ngr Firmware Nov 21, 2024 Aug 18, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 LAN-W451NGR all versions provided by LOGITEC CORPORATION contains an improper access control vulnerability, which allows an unauthenticated attacker to log in to telnet service.
CVE-2023-39973 1Acymailing 1Acymailing Nov 21, 2024 Aug 17, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows the unauthorized removal of attachments from campaigns.
CVE-2023-39972 1Acymailing 1Acymailing Nov 21, 2024 Aug 17, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows unauthorized users to create new mailing lists.
CVE-2023-36106 1Powerjob 1Powerjob Nov 21, 2024 Aug 17, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An incorrect access control vulnerability in powerjob 4.3.2 and earlier allows remote attackers to obtain sensitive information via the interface for querying via appId parameter to /container/list.
CVE-2023-39743 1Pete4abw 1Lzma Software Development Kit Nov 21, 2024 Aug 17, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 lrzip-next LZMA v23.01 was discovered to contain an access violation via the component /bz3_decode_block src/libbz3.c.
CVE-2023-20237 1Cisco 1Intersight Virtual Appliance Nov 21, 2024 Aug 16, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 A vulnerability in Cisco Intersight Virtual Appliance could allow an unauthenticated, adjacent attacker to access internal HTTP services that are otherwise inaccessible. This vulnerability is due to insufficient restr...Show more A vulnerability in Cisco Intersight Virtual Appliance could allow an unauthenticated, adjacent attacker to access internal HTTP services that are otherwise inaccessible. This vulnerability is due to insufficient restrictions on internally accessible http proxies. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker access to internal subnets beyond the sphere of their intended access level.Show less
CVE-2023-20224 1Cisco 1Thousandeyes Enterprise Agent Nov 21, 2024 Aug 16, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent, Virtual Appliance installation type, could allow an authenticated, local attacker to elevate privileges to root on an affected device. This vulnerabil...Show more A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent, Virtual Appliance installation type, could allow an authenticated, local attacker to elevate privileges to root on an affected device. This vulnerability is due to insufficient input validation of user-supplied CLI arguments. An attacker could exploit this vulnerability by authenticating to an affected device and using crafted commands at the prompt. A successful exploit could allow the attacker to execute arbitrary commands as root. The attacker must have valid credentials on the affected device.Show less
CVE-2023-32609 1Intel 1Unite Nov 21, 2024 Aug 11, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Improper access control in the Intel Unite(R) android application before version 4.2.3504 may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2023-32285 1Intel 67Compute Element Stk2mv64cc Firmware Nuc Board Nuc7i3bnb FirmwareNuc Board Nuc7i3bnh Firmware+64 more Nov 21, 2024 Aug 11, 2023 N/A· v4 4.4 MEDIUM· v3 N/A· v2 Improper access control in some Intel(R) NUC BIOS firmware may allow a privileged user to potentially enable denial of service via local access.
CVE-2023-28714 1Intel 1Proset/wireless Wifi Nov 21, 2024 Aug 11, 2023 N/A· v4 6.7 MEDIUM· v3 N/A· v2 Improper access control in firmware for some Intel(R) PROSet/Wireless WiFi software for Windows before version 22.220 HF (Hot Fix) may allow a privileged user to potentially enable escalation of privilege via local acces...Show more Improper access control in firmware for some Intel(R) PROSet/Wireless WiFi software for Windows before version 22.220 HF (Hot Fix) may allow a privileged user to potentially enable escalation of privilege via local access.Show less
CVE-2023-27509 1Intel 1Ispc Software Installer Nov 21, 2024 Aug 11, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in some Intel(R) ISPC software installers before version 1.19.0 may allow an authenticated user to potentially enable escalation of privileges via local access.
CVE-2023-27391 1Intel 29Advisor For Oneapi Cpu Runtime For Opencl ApplicationsDistribution For Python Programming Language+26 more Nov 21, 2024 Aug 11, 2023 N/A· v4 6.7 MEDIUM· v3 N/A· v2 Improper access control in some Intel(R) oneAPI Toolkit and component software installers before version 4.3.1.493 may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2023-25775 1Intel 1Ethernet Controller Rdma Driver For Linux Nov 21, 2024 Aug 11, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper access control in the Intel(R) Ethernet Controller RDMA driver for linux before version 1.9.30 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

Previous 1...151152153...255 Next