Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-26346 1Tcl 1Linkhub Mesh Wifi Ac1200 Nov 21, 2024 Aug 5, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A denial of service vulnerability exists in the ucloud_del_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to...Show more A denial of service vulnerability exists in the ucloud_del_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulnerability.Show less
CVE-2021-28511 1Arista 1Eos Nov 21, 2024 Aug 5, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 This advisory documents the impact of an internally found vulnerability in Arista EOS for security ACL bypass. The impact of this vulnerability is that the security ACL drop rule might be bypassed if a NAT ACL rule filte...Show more This advisory documents the impact of an internally found vulnerability in Arista EOS for security ACL bypass. The impact of this vulnerability is that the security ACL drop rule might be bypassed if a NAT ACL rule filter with permit action matches the packet flow. This could allow a host with an IP address in a range that matches the range allowed by a NAT ACL and a range denied by a Security ACL to be forwarded incorrectly as it should have been denied by the Security ACL. This can enable an ACL bypass.Show less
CVE-2022-36832 1Samsung 1Cameralyzer Nov 21, 2024 Aug 5, 2022 N/A· v4 3.3 LOW· v3 N/A· v2 Improper access control vulnerability in WebApp in Cameralyzer prior to versions 3.2.22, 3.3.22, 3.4.22 and 3.5.51 allows attackers to access external storage as Cameralyzer privilege.
CVE-2022-33731 1Google 1Android Nov 21, 2024 Aug 5, 2022 N/A· v4 7.1 HIGH· v3 N/A· v2 Improper access control vulnerability in DesktopSystemUI prior to SMR Aug-2022 Release 1 allows attackers to enable and disable arbitrary components.
CVE-2022-33720 1Google 1Android Nov 21, 2024 Aug 5, 2022 N/A· v4 2.4 LOW· v3 N/A· v2 Improper authentication vulnerability in AppLock prior to SMR Aug-2022 Release 1 allows physical attacker to access Chrome locked by AppLock via new tap shortcut.
CVE-2022-33714 1Google 1Android Nov 21, 2024 Aug 5, 2022 N/A· v4 3.3 LOW· v3 N/A· v2 Improper access control vulnerability in SemWifiApBroadcastReceiver prior to SMR Aug-2022 Release 1 allows attacker to reset a setting value related to mobile hotspot.
CVE-2020-1754 1Moodle 1Moodle Nov 21, 2024 Aug 5, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.
CVE-2022-2631 1Tooljet 1Tooljet Nov 21, 2024 Aug 2, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Access Control in GitHub repository tooljet/tooljet prior to v1.19.0.
CVE-2022-26308 1Pandorafms 1Pandora Fms Nov 21, 2024 Aug 1, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Pandora FMS v7.0NG.760 and below allows an improper access control in Configuration (Credential store) where a user with the role of Operator (Write) could create, delete, view existing keys which are outside the intende...Show more Pandora FMS v7.0NG.760 and below allows an improper access control in Configuration (Credential store) where a user with the role of Operator (Write) could create, delete, view existing keys which are outside the intended role.Show less
CVE-2022-2578 1Garage Management System Project 1Garage Management System Nov 21, 2024 Jul 29, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A vulnerability, which was classified as critical, has been found in SourceCodester Garage Management System 1.0. This issue affects some unknown processing of the file /php_action/createUser.php. The manipulation leads...Show more A vulnerability, which was classified as critical, has been found in SourceCodester Garage Management System 1.0. This issue affects some unknown processing of the file /php_action/createUser.php. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2016-4427 1Zulip 1Zulip Nov 21, 2024 Jul 28, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 In zulip before 1.3.12, deactivated users could access messages if SSO was enabled.
CVE-2016-4426 1Zulip 1Zulip Nov 21, 2024 Jul 28, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 In zulip before 1.3.12, bot API keys were accessible to other users in the same realm.
CVE-2021-38417 1Visam 1Vbase Web Remote Apr 17, 2025 Jul 27, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 VISAM VBASE version 11.6.0.6 is vulnerable to improper access control via the web-remote endpoint, which may allow an unauthenticated user viewing access to folders and files in the directory listing.
CVE-2022-2225 1Cloudflare 1Warp Nov 21, 2024 Jul 26, 2022 N/A· v4 7.8 HIGH· v3 N/A· v2 By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to bypass configured Zero Trust security policies (e.g. Secure Web Gateway policies) and features such a...Show more By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to bypass configured Zero Trust security policies (e.g. Secure Web Gateway policies) and features such as 'Lock WARP switch'.Show less
CVE-2022-31475 1Givewp 1Givewp Feb 20, 2025 Jul 21, 2022 N/A· v4 4.9 MEDIUM· v3 N/A· v2 Authenticated (custom plugin role) Arbitrary File Read via Export function vulnerability in GiveWP's GiveWP plugin <= 2.20.2 at WordPress.
CVE-2022-21586 1Oracle 1Banking Trade Finance Nov 21, 2024 Jul 19, 2022 N/A· v4 6.4 MEDIUM· v3 N/A· v2 Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure). The supported version that is affected is 14.5. Difficult to exploit vulnerability allows l...Show more Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure). The supported version that is affected is 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Trade Finance accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking Trade Finance accessible data. CVSS 3.1 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).Show less
CVE-2022-32212 4Debian FedoraprojectNodejs+1 more 4Debian Linux FedoraNode.js+1 more Nov 21, 2024 Jul 14, 2022 N/A· v4 8.1 HIGH· v3 N/A· v2 A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP addr...Show more A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.Show less
CVE-2022-1025 1Argoproj 1Argo Cd Nov 21, 2024 Jul 12, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level.
CVE-2022-33706 1Samsung 1Samsung Gallery Nov 21, 2024 Jul 12, 2022 N/A· v4 2.4 LOW· v3 2.1 LOW· v2 Improper access control vulnerability in Samsung Gallery prior to version 13.1.05.8 allows physical attackers to access the pictures using S Pen air gesture.
CVE-2022-33701 1Google 1Android Nov 21, 2024 Jul 12, 2022 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 Improper access control vulnerability in KnoxCustomManagerService prior to SMR Jul-2022 Release 1 allows attacker to call PowerManaer.goToSleep method which is protected by system permission by sending braodcast intent.

Previous 1...177178179...255 Next