Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-4807 1Usememos 1Memos Nov 21, 2024 Dec 28, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.
CVE-2022-45778 1Hillstonenet 4Sc 6000 Wv02 Firmware Sc 6000 Wv04 FirmwareSc 6000 Wv08 Firmware+1 more Apr 14, 2025 Dec 27, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 https://www.hillstonenet.com.cn/ Hillstone Firewall SG-6000 <= 5.0.4.0 is vulnerable to Incorrect Access Control. There is a permission bypass vulnerability in the Hillstone WEB application firewall. An attacker can ente...Show more https://www.hillstonenet.com.cn/ Hillstone Firewall SG-6000 <= 5.0.4.0 is vulnerable to Incorrect Access Control. There is a permission bypass vulnerability in the Hillstone WEB application firewall. An attacker can enter the background of the firewall with super administrator privileges through a configuration error in report.m.Show less
CVE-2022-45431 1Dahuasecurity 5Dhi Dss4004 S2 Firmware Dhi Dss7016d S2 FirmwareDhi Dss7016dr S2 Firmware+2 more Apr 11, 2025 Dec 27, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Some Dahua software products have a vulnerability of unauthenticated restart of remote DSS Server. After bypassing the firewall access control policy, by sending a specific crafted packet to the vulnerable interface, an...Show more Some Dahua software products have a vulnerability of unauthenticated restart of remote DSS Server. After bypassing the firewall access control policy, by sending a specific crafted packet to the vulnerable interface, an attacker could unauthenticated restart of remote DSS Server.Show less
CVE-2022-45430 1Dahuasecurity 5Dhi Dss4004 S2 Firmware Dhi Dss7016d S2 FirmwareDhi Dss7016dr S2 Firmware+2 more Apr 11, 2025 Dec 27, 2022 N/A· v4 3.7 LOW· v3 N/A· v2 Some Dahua software products have a vulnerability of unauthenticated enable or disable SSHD service. After bypassing the firewall access control policy, by sending a specific crafted packet to the vulnerable interface, a...Show more Some Dahua software products have a vulnerability of unauthenticated enable or disable SSHD service. After bypassing the firewall access control policy, by sending a specific crafted packet to the vulnerable interface, an attacker could enable or disable the SSHD service.Show less
CVE-2022-4724 1Ikus Soft 1Rdiffweb Nov 21, 2024 Dec 27, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper Access Control in GitHub repository ikus060/rdiffweb prior to 2.5.5.
CVE-2022-44014 1Simmeth 1Lieferantenmanager Apr 15, 2025 Dec 25, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue was discovered in Simmeth Lieferantenmanager before 5.6. In the design of the API, a user is inherently able to fetch arbitrary SQL tables. This leaks all user passwords and MSSQL hashes via /DS/LM_API/api/Selec...Show more An issue was discovered in Simmeth Lieferantenmanager before 5.6. In the design of the API, a user is inherently able to fetch arbitrary SQL tables. This leaks all user passwords and MSSQL hashes via /DS/LM_API/api/SelectionService/GetPaggedTab.Show less
CVE-2022-44565 1Ui 6Airfiber 60 Hd Firmware Airfiber 60 Lr FirmwareAirfiber 60 Xg Firmware+3 more Apr 15, 2025 Dec 23, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 An improper access validation vulnerability exists in airMAX AC <8.7.11, airFiber 60/LR <2.6.2, airFiber 60 XG/HD <v1.0.0 and airFiber GBE <1.4.1 that allows a malicious actor to retrieve status and usage data from the U...Show more An improper access validation vulnerability exists in airMAX AC <8.7.11, airFiber 60/LR <2.6.2, airFiber 60 XG/HD <v1.0.0 and airFiber GBE <1.4.1 that allows a malicious actor to retrieve status and usage data from the UISP device.Show less
CVE-2022-4689 1Usememos 1Memos Nov 21, 2024 Dec 23, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.
CVE-2022-4684 1Usememos 1Memos Nov 21, 2024 Dec 23, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.
CVE-2022-23513 1Pi Hole 1Adminlte Apr 11, 2025 Dec 23, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for b...Show more Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path: `/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims' personal blacklists.Show less
CVE-2022-41654 1Ghost 1Ghost Nov 21, 2024 Dec 22, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP...Show more An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.Show less
CVE-2022-3186 1Dataprobe 12Iboot Pdu4 N20 Firmware Iboot Pdu4a N15 FirmwareIboot Pdu4a N20 Firmware+9 more Nov 21, 2024 Dec 21, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the affected product allows an attacker to access the device’s main management page from the cloud. This feature enables users to remot...Show more Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the affected product allows an attacker to access the device’s main management page from the cloud. This feature enables users to remotely connect devices, however, the current implementation permits users to access other device's information. Show less
CVE-2022-38655 1Hcltech 1Bigfix Webui Apr 16, 2025 Dec 21, 2022 N/A· v4 5.8 MEDIUM· v3 N/A· v2 BigFix WebUI non-master operators are missing controls that prevent them from being able to modify the relevance of fixlets or to deploy fixlets from the BES Support external site.
CVE-2022-38546 1Zyxel 1Nbg7510 Firmware Nov 21, 2024 Dec 21, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A DNS misconfiguration was found in Zyxel NBG7510 firmware versions prior to V1.00(ABZY.3)C0, which could allow an unauthenticated attacker to access the DNS server when the device is switched to the AP mode.
CVE-2022-44643 1Grafana 1Enterprise Metrics Apr 15, 2025 Dec 20, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 A vulnerability in the label-based access control of Grafana Labs Grafana Enterprise Metrics allows an attacker more access than intended. If an access policy which has label selector restrictions also has been granted a...Show more A vulnerability in the label-based access control of Grafana Labs Grafana Enterprise Metrics allows an attacker more access than intended. If an access policy which has label selector restrictions also has been granted access to all tenants in the system, the label selector restrictions will not be applied when using this policy with the affected versions of the software. This issue affects: Grafana Labs Grafana Enterprise Metrics GEM 1.X versions prior to 1.7.1 on AMD64; GEM 2.X versions prior to 2.3.1 on AMD64.Show less
CVE-2022-28173 1Hikvision 2Ds 3wf01c 2n/o Firmware Ds 3wf0ac 2nt Firmware Nov 21, 2024 Dec 19, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The web server of some Hikvision wireless bridge products have an access control vulnerability which can be used to obtain the admin permission. The attacker can exploit the vulnerability by sending crafted messages to t...Show more The web server of some Hikvision wireless bridge products have an access control vulnerability which can be used to obtain the admin permission. The attacker can exploit the vulnerability by sending crafted messages to the affected devices.Show less
CVE-2022-4567 1Open Emr 1Openemr Nov 21, 2024 Dec 17, 2022 N/A· v4 8.1 HIGH· v3 N/A· v2 Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2.
CVE-2022-31708 1Vmware 1Vrealize Operations Apr 18, 2025 Dec 16, 2022 N/A· v4 4.9 MEDIUM· v3 N/A· v2 vRealize Operations (vROps) contains a broken access control vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.4.
CVE-2022-25627 1Broadcom 1Symantec Identity Governance And Administration Apr 18, 2025 Dec 16, 2022 N/A· v4 6.7 MEDIUM· v3 N/A· v2 An authenticated administrator who has physical access to the environment can carry out Remote Command Execution on Management Console in Symantec Identity Manager 14.4
CVE-2022-42865 1Apple 5Ipados Iphone OsMacos+2 more Apr 21, 2025 Dec 15, 2022 N/A· v4 5.5 MEDIUM· v3 N/A· v2 This issue was addressed by enabling hardened runtime. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, watchOS 9.2. An app may be able to bypass Privacy preferences.

Previous 1...167168169...255 Next