CWE-284: Improper Access Control
Abstraction: Pillar · 5,090 CVEs

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
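
The definition above is abstract. The Python below is an example added to this page (it is not code from Nextcloud, GitLab or any other vendor in the listing) and shows the concrete shape the weakness most often takes among the entries that follow: a resource reachable by more than one path, where only one path enforces the permission check. All names in it (FileStore, SharedFile, Forbidden, download_version and so on) are hypothetical, and the scenario data is constructed.

```python
# Added example for CWE-284 (Improper Access Control). Illustrative code
# written for this page, not code from any vendor or project listed on it.
# It models a file store where each file has a current version and older
# versions. The vulnerable handlers check permissions per endpoint and the
# checks drift apart; the fixed handlers route every access to the content
# through one authorization function. All names are hypothetical.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""


@dataclass
class SharedFile:
    owner: str
    versions: list            # versions[-1] is the current content
    # per-user permission sets granted by the owner, e.g. {"view"} or
    # {"view", "download"}; a view-only share must not allow download
    shares: dict = field(default_factory=dict)


class FileStore:
    def __init__(self):
        self.files = {}

    def add(self, fid, owner, versions):
        self.files[fid] = SharedFile(owner, list(versions))
        return self.files[fid]

    def _has(self, user, f, perm):
        return user == f.owner or perm in f.shares.get(user, set())

    # --- vulnerable: each endpoint carries its own check, and they differ ---
    def download_current_vuln(self, user, fid):
        f = self.files[fid]
        if not self._has(user, f, "download"):
            raise Forbidden(f"{user} may not download {fid}")
        return f.versions[-1]

    def download_version_vuln(self, user, fid, n):
        # BUG: only "view" is checked here, so a view-only recipient can
        # fetch any older version; the download restriction is bypassed.
        f = self.files[fid]
        if not self._has(user, f, "view"):
            raise Forbidden(f"{user} may not view {fid}")
        return f.versions[n]

    # --- fixed: one authorization function on every path to the content ---
    def _authorize_content(self, user, fid):
        f = self.files.get(fid)
        # Deny by default: an unknown file and a missing permission produce
        # the same error, so file existence is not leaked either.
        if f is None or not self._has(user, f, "download"):
            raise Forbidden(f"{user} may not download {fid}")
        return f

    def download_current(self, user, fid):
        return self._authorize_content(user, fid).versions[-1]

    def download_version(self, user, fid, n):
        return self._authorize_content(user, fid).versions[n]


def demo():
    """Constructed scenario: 'alice' owns a file with two versions and shares
    it with 'bob' as view-only. Returns the outcome of each access attempt."""
    store = FileStore()
    f = store.add("doc-1", "alice", ["v1 draft", "v2 final"])
    f.shares["bob"] = {"view"}

    def attempt(fn, *args):
        try:
            return fn(*args)
        except Forbidden:
            return "denied"

    return {
        "vuln_current": attempt(store.download_current_vuln, "bob", "doc-1"),
        "vuln_old_version": attempt(store.download_version_vuln, "bob", "doc-1", 0),
        "fixed_current": attempt(store.download_current, "bob", "doc-1"),
        "fixed_old_version": attempt(store.download_version, "bob", "doc-1", 0),
        "owner_old_version": attempt(store.download_version, "alice", "doc-1", 0),
        "fixed_unknown_file": attempt(store.download_current, "bob", "doc-9"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running it prints that the vulnerable version-history path hands the view-only user "v1 draft" while the current-version path correctly denies; the fixed paths deny both. The design point is that `_authorize_content` is the single place where the decision is made, so a new endpoint that reaches the same content cannot ship without it.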

CVEs (5,090)

Each entry lists the vendor, the affected products, the updated and published dates, the CVSS scores (v4, v3, v2) and the CVE description.

Vendor: Nextcloud
Products: Nextcloud Files Automated Tagging; Nextcloud Server
Updated: Nov 21, 2024 | Published: Apr 17, 2023
CVSS: v3 8.8 HIGH (v4 N/A; v2 N/A)
Description: Nextcloud is a personal home server system. Depending on the configured tags and other workflows, this issue can be used to limit the access of others or to grant them access when there are system-tag-based file access control or file retention rules. It is recommended that the Nextcloud Server is upgraded to 24.0.11 or 25.0.5, the Nextcloud Enterprise Server to 21.0.9.11, 22.2.10.11, 23.0.12.6, 24.0.11 or 25.0.5, and the Nextcloud Files automated tagging app to 1.11.1, 1.12.1, 1.13.1, 1.14.2, 1.15.3 or 1.16.1. Users unable to upgrade should disable all workflow-related apps. Users are advised to upgrade.

Vendor: Easyappointments
Products: Easy!appointments
Updated: Feb 6, 2025 | Published: Apr 15, 2023
CVSS: v3 5.4 MEDIUM (v4 N/A; v2 N/A)
Description: Improper Access Control in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

Vendor: Adobe
Products: Acrobat; Acrobat DC; Acrobat Reader; +1 more
Updated: Nov 21, 2024 | Published: Apr 12, 2023
CVSS: v3 7.8 HIGH (v4 N/A; v2 N/A)
Description: Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor: Adobe
Products: Acrobat; Acrobat DC; Acrobat Reader; +1 more
Updated: Nov 21, 2024 | Published: Apr 12, 2023
CVSS: v3 7.8 HIGH (v4 N/A; v2 N/A)
Description: Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor: Hikvision
Products: DS-A71024 Firmware; DS-A71048 Firmware; DS-A71048R-CVS Firmware; +7 more
Updated: Nov 21, 2024 | Published: Apr 11, 2023
CVSS: v3 9.8 CRITICAL (v4 N/A; v2 N/A)
Description: Some Hikvision Hybrid SAN/Cluster Storage products have an access control vulnerability which can be used to obtain admin permissions. The attacker can exploit the vulnerability by sending crafted messages to the affected devices.

Vendor: Microsoft
Products: Azure Machine Learning
Updated: Nov 21, 2024 | Published: Apr 11, 2023
CVSS: v3 6.5 MEDIUM (v4 N/A; v2 N/A)
Description: Azure Machine Learning Information Disclosure Vulnerability

Vendor: Microsoft
Products: Azure Service Connector
Updated: Nov 21, 2024 | Published: Apr 11, 2023
CVSS: v3 7.5 HIGH (v4 N/A; v2 N/A)
Description: Azure Service Connector Security Feature Bypass Vulnerability

Vendor: Microsoft
Products: Windows 11 21H2; Windows 11 22H2; Windows Server 2022
Updated: Nov 21, 2024 | Published: Apr 11, 2023
CVSS: v3 7.8 HIGH (v4 N/A; v2 N/A)
Description: Windows Registry Elevation of Privilege Vulnerability

Vendor: Buffalo
Products: BS-GS2008 Firmware; BS-GS2008P Firmware; BS-GS2016 Firmware; +9 more
Updated: Feb 11, 2025 | Published: Apr 11, 2023
CVSS: v3 8.1 HIGH (v4 N/A; v2 N/A)
Description: Improper access control vulnerability in Buffalo network devices allows a network-adjacent attacker to obtain specific files of the product. As a result, the product settings may be altered. The affected products and versions are as follows: BS-GSL2024 firmware Ver. 1.10-0.03 and earlier, BS-GSL2016P firmware Ver. 1.10-0.03 and earlier, BS-GSL2016 firmware Ver. 1.10-0.03 and earlier, BS-GS2008 firmware Ver. 1.0.10.01 and earlier, BS-GS2016 firmware Ver. 1.0.10.01 and earlier, BS-GS2024 firmware Ver. 1.0.10.01 and earlier, BS-GS2048 firmware Ver. 1.0.10.01 and earlier, BS-GS2008P firmware Ver. 1.0.10.01 and earlier, BS-GS2016P firmware Ver. 1.0.10.01 and earlier, and BS-GS2024P firmware Ver. 1.0.10.01 and earlier.

Vendor: Contec
Products: CPS-MC341-A1-111 Firmware; CPS-MC341-ADSC1-111 Firmware; CPS-MC341-ADSC1-931 Firmware; +16 more
Updated: Feb 11, 2025 | Published: Apr 11, 2023
CVSS: v3 4.3 MEDIUM (v4 N/A; v2 N/A)
Description: Improper access control vulnerability in CONPROSYS IoT Gateway products allows a remote authenticated attacker to bypass access restriction and access the Network Maintenance page, which may result in obtaining the network information of the product. The affected products and versions are as follows: M2M Gateway with the firmware Ver.3.7.10 and earlier (CPS-MG341-ADSC1-111, CPS-MG341-ADSC1-931, CPS-MG341G-ADSC1-111, CPS-MG341G-ADSC1-930, and CPS-MG341G5-ADSC1-931), M2M Controller Integrated Type with firmware Ver.3.7.6 and earlier versions (CPS-MC341-ADSC1-111, CPS-MC341-ADSC1-931, CPS-MC341-ADSC2-111, CPS-MC341G-ADSC1-110, CPS-MC341Q-ADSC1-111, CPS-MC341-DS1-111, CPS-MC341-DS11-111, CPS-MC341-DS2-911, and CPS-MC341-A1-111), and M2M Controller Configurable Type with firmware Ver.3.8.8 and earlier versions (CPS-MCS341-DS1-111, CPS-MCS341-DS1-131, CPS-MCS341G-DS1-130, CPS-MCS341G5-DS1-130, and CPS-MCS341Q-DS1-131).

Vendor: Dell
Products: Power Manager
Updated: Nov 21, 2024 | Published: Apr 7, 2023
CVSS: v3 7.8 HIGH (v4 N/A; v2 N/A)
Description: Dell Power Manager, versions 3.10 and prior, contains an Improper Access Control vulnerability. A low-privileged attacker could potentially exploit this vulnerability to elevate privileges on the system.

Vendor: GitLab
Products: GitLab
Updated: Feb 11, 2025 | Published: Apr 5, 2023
CVSS: v3 5.3 MEDIUM (v4 N/A; v2 N/A)
Description: An issue has been discovered in GitLab affecting all versions starting from 13.6 before 15.8.5, all versions starting from 15.9 before 15.9.4, and all versions starting from 15.10 before 15.10.1, allowing environment names that are supposed to be restricted to project members only to be read.

Vendor: phpMyFAQ
Products: phpMyFAQ
Updated: Nov 21, 2024 | Published: Apr 5, 2023
CVSS: v3 5.4 MEDIUM (v4 N/A; v2 N/A)
Description: Improper Access Control in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

Vendor: Nextcloud
Products: Talk
Updated: Nov 21, 2024 | Published: Mar 31, 2023
CVSS: v3 3.5 LOW (v4 N/A; v2 N/A)
Description: Nextcloud Talk is a video and audio conferencing app for Nextcloud. In affected versions the Talk app does not properly filter access to a conversation's member list. As a result an attacker could use this vulnerability to gain information about the members of a Talk conversation, even if they themselves are not members. It is recommended that Nextcloud Talk is upgraded to 14.0.9 or 15.0.4. There are no known workarounds for this vulnerability.

Vendor: Nextcloud
Products: Nextcloud Server
Updated: Nov 21, 2024 | Published: Mar 31, 2023
CVSS: v3 6.5 MEDIUM (v4 N/A; v2 N/A)
Description: Nextcloud server is an open source home cloud implementation. In affected versions users that should not be able to download a file can still download an older version and use that for uncontrolled distribution. This issue has been addressed in versions 24.0.10 and 25.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vendor: Nextcloud
Products: Richdocuments
Updated: Nov 21, 2024 | Published: Mar 31, 2023
CVSS: v3 6.5 MEDIUM (v4 N/A; v2 N/A)
Description: Nextcloud richdocuments is a Nextcloud app integrating the office suite Collabora Online. In affected versions the secure view feature of the rich documents app can be bypassed by using an unprotected internal API endpoint of the rich documents app. It is recommended that the Nextcloud Office app (richdocuments) is upgraded to 8.0.0-beta.1, 7.0.2 or 6.3.2. Users unable to upgrade may mitigate the issue by taking steps to restrict the ability to download documents. This includes ensuring that the `WOPI configuration` is configured to only serve documents between Nextcloud and Collabora. It is highly recommended to define the list of Collabora server IPs as the allow list within the Office admin settings of Nextcloud.

Vendor: MediaWiki
Products: MediaWiki
Updated: Feb 18, 2025 | Published: Mar 31, 2023
CVSS: v3 5.3 MEDIUM (v4 N/A; v2 N/A)
Description: An issue was discovered in the GrowthExperiments extension for MediaWiki through 1.39.3. Attackers might be able to see edits for which the username has been hidden, because there is no check for rev_deleted.

Vendor: VTEX
Products: Apps Graphql
Updated: Feb 14, 2025 | Published: Mar 31, 2023
CVSS: v3 7.5 HIGH (v4 N/A; v2 N/A)
Description: The VTEX apps-graphql@2.x GraphQL API module does not properly restrict unauthorized access to private configuration data. (apps-graphql@3.x is unaffected by this issue.)

Vendor: Red Gate
Products: SQL Monitor
Updated: Feb 18, 2025 | Published: Mar 30, 2023
CVSS: v3 8.8 HIGH (v4 N/A; v2 N/A)
Description: Red Gate SQL Monitor 11.0.14 through 12.1.46 has Incorrect Access Control, exploitable remotely for Escalation of Privileges.

Vendor: TP-Link
Products: TL-WR940N Firmware
Updated: Nov 21, 2024 | Published: Mar 28, 2023
CVSS: v3 6.5 MEDIUM (v4 N/A; v2 N/A)
Description: This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR940N 3.20.1 Build 200316 Rel.34392n (5553) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper access control. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13911.