Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-24468 1Microfocus 1Netiq Advanced Authentication May 16, 2025 Mar 15, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Broken access control in Advanced Authentication versions prior to 6.4.1.1 and 6.3.7.2
CVE-2023-27268 1Sap 1Netweaver Application Server For Java Nov 21, 2024 Mar 14, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 SAP NetWeaver AS Java (Object Analyzing Service) - version 7.50, does not perform necessary authorization checks, allowing an unauthenticated attacker to attach to an open interface and make use of an open naming and dir...Show more SAP NetWeaver AS Java (Object Analyzing Service) - version 7.50, does not perform necessary authorization checks, allowing an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service which will enable them to access but not modify server settings and data with no effect on availability., resulting in escalation of privileges. Show less
CVE-2023-26460 1Sap 1Netweaver Application Server For Java Nov 21, 2024 Mar 14, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Cache Management Service in SAP NetWeaver Application Server for Java - version 7.50, does not perform any authentication checks for functionalities that require user identity
CVE-2022-2259 1Octopus 1Octopus Server Mar 3, 2025 Mar 13, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items
CVE-2023-23911 1Rocketchat 1Rocket.chat Nov 21, 2024 Mar 10, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An improper access control vulnerability exists prior to v6 that could allow an attacker to break the E2E encryption of a chat room by a user changing the group key of a chat room.
CVE-2022-40539 1Qualcomm 25Qam8295p Firmware Qca6574au FirmwareQca6696 Firmware+22 more Nov 21, 2024 Mar 10, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Memory corruption in Automotive Android OS due to improper validation of array index.
CVE-2022-4331 1Gitlab 1Gitlab Feb 28, 2025 Mar 9, 2023 N/A· v4 7.3 HIGH· v3 N/A· v2 An issue has been discovered in GitLab EE affecting all versions starting from 15.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. If a group with SAML SSO en...Show more An issue has been discovered in GitLab EE affecting all versions starting from 15.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. If a group with SAML SSO enabled is transferred to a new namespace as a child group, it's possible previously removed malicious maintainer or owner of the child group can still gain access to the group via SSO or a SCIM token to perform actions on the group.Show less
CVE-2023-27088 1Feiqu Opensource Project 1Feiqu Opensource Mar 5, 2025 Mar 8, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 feiqu-opensource Background Vertical authorization vulnerability exists in IndexController.java. demo users with low permission can perform operations within the permission of the admin super administrator and can use th...Show more feiqu-opensource Background Vertical authorization vulnerability exists in IndexController.java. demo users with low permission can perform operations within the permission of the admin super administrator and can use this vulnerability to change the blacklist IP address in the system at will.Show less
CVE-2023-25605 1Fortinet 1Fortisoar Nov 21, 2024 Mar 7, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 A improper access control vulnerability in Fortinet FortiSOAR 7.3.0 - 7.3.1 allows an attacker authenticated on the administrative interface to perform unauthorized actions via crafted HTTP requests.
CVE-2023-22335 1Dos Osaka 2Rakuraku Pc Cloud Agent Ss1 Mar 6, 2025 Mar 6, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Improper access control vulnerability in SS1 Ver.13.0.0.40 and earlier and Rakuraku PC Cloud Agent Ver.2.1.8 and earlier allows a remote attacker to bypass access restriction and download an arbitrary file of the directo...Show more Improper access control vulnerability in SS1 Ver.13.0.0.40 and earlier and Rakuraku PC Cloud Agent Ver.2.1.8 and earlier allows a remote attacker to bypass access restriction and download an arbitrary file of the directory where the product runs. As a result of exploiting this vulnerability with CVE-2023-22336 and CVE-2023-22344 vulnerabilities together, it may allow a remote attacker to execute an arbitrary code with SYSTEM privileges by sending a specially crafted script to the affected device.Show less
CVE-2023-26474 1Xwiki 1Xwiki Nov 21, 2024 Mar 2, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, a...Show more XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds.Show less
CVE-2023-26473 1Xwiki 1Xwiki Nov 21, 2024 Mar 2, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 XWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select and access data stored in the database. The problem has been patched in XWiki 13.10....Show more XWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select and access data stored in the database. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10. There is no workaround for this vulnerability other than upgrading.Show less
CVE-2023-26471 1Xwiki 1Xwiki Nov 21, 2024 Mar 2, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled), but the async macro doe...Show more XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled), but the async macro does not take into account the restricted mode. This means that any user with comment right can use the async macro to make it execute any wiki content with the right of superadmin. This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. The only known workaround consists of applying a patch and rebuilding and redeploying `org.xwiki.platform:xwiki-platform-rendering-async-macro`.Show less
CVE-2022-23240 1Netapp 1Active Iq Unified Manager Mar 18, 2025 Feb 28, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.11P1 are susceptible to a vulnerability which allows unauthorized users to update EMS Subscriptions via unspecified vectors.
CVE-2023-23508 1Apple 1Macos Mar 11, 2025 Feb 27, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 The issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.7.3, macOS Ventura 13.2, macOS Monterey 12.6.3. An app may be able to bypass Privacy preferences.
CVE-2022-32902 1Apple 1Macos Mar 11, 2025 Feb 27, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A logic issue was addressed with improved state management. This issue is fixed in macOS Ventura 13, macOS Monterey 12.6, macOS Big Sur 11.7. An app may be able to bypass Privacy preferences.
CVE-2023-25821 1Nextcloud 1Nextcloud Server Nov 21, 2024 Feb 25, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Nextcloud is an Open Source private cloud software. Versions 24.0.4 and above, prior to 24.0.7, and 25.0.0 and above, prior to 25.0.1, contain Improper Access Control. Secure view for internal shares can be circumvented...Show more Nextcloud is an Open Source private cloud software. Versions 24.0.4 and above, prior to 24.0.7, and 25.0.0 and above, prior to 25.0.1, contain Improper Access Control. Secure view for internal shares can be circumvented if reshare permissions are also given. This issue is patched in versions 24.0.7 and 25.0.1. No workaround is available.Show less
CVE-2023-1007 1Filseclab 1Twister Antivirus Nov 21, 2024 Feb 24, 2023 N/A· v4 7.8 HIGH· v3 4.3 MEDIUM· v2 A vulnerability was found in Twister Antivirus 8.17. It has been declared as critical. This vulnerability affects the function 0x801120E4 in the library filmfd.sys of the component IoControlCode Handler. The manipulation...Show more A vulnerability was found in Twister Antivirus 8.17. It has been declared as critical. This vulnerability affects the function 0x801120E4 in the library filmfd.sys of the component IoControlCode Handler. The manipulation leads to improper access controls. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-221740.Show less
CVE-2023-0998 1Alphaware Simple E Commerce System Project 1Alphaware Simple E Commerce System Nov 21, 2024 Feb 24, 2023 N/A· v4 5.3 MEDIUM· v3 6.4 MEDIUM· v2 A vulnerability classified as critical has been found in SourceCodester Alphaware Simple E-Commerce System 1.0. This affects an unknown part of the file /alphaware/summary.php of the component Payment Handler. The manipu...Show more A vulnerability classified as critical has been found in SourceCodester Alphaware Simple E-Commerce System 1.0. This affects an unknown part of the file /alphaware/summary.php of the component Payment Handler. The manipulation of the argument amount leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-221733 was assigned to this vulnerability.Show less
CVE-2023-0963 1Music Gallery Site Project 1Music Gallery Site Nov 21, 2024 Feb 22, 2023 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability was found in SourceCodester Music Gallery Site 1.0. It has been rated as critical. This issue affects some unknown processing of the file Users.php of the component POST Request Handler. The manipulation...Show more A vulnerability was found in SourceCodester Music Gallery Site 1.0. It has been rated as critical. This issue affects some unknown processing of the file Users.php of the component POST Request Handler. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-221633 was assigned to this vulnerability.Show less

Previous 1...161162163...255 Next