Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-30752 1Google 1Android Nov 21, 2024 Jul 12, 2022 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 Improper access control vulnerability in sendDHCPACKBroadcast function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected by using WIFI_AP_STA_STATE_CHA...Show more Improper access control vulnerability in sendDHCPACKBroadcast function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected by using WIFI_AP_STA_STATE_CHANGED action.Show less
CVE-2022-30751 1Google 1Android Nov 21, 2024 Jul 12, 2022 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 Improper access control vulnerability in sendDHCPACKBroadcast function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected by using WIFI_AP_STA_DHCPACK_E...Show more Improper access control vulnerability in sendDHCPACKBroadcast function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected by using WIFI_AP_STA_DHCPACK_EVENT action.Show less
CVE-2022-30750 1Google 1Android Nov 21, 2024 Jul 12, 2022 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 Improper access control vulnerability in updateLastConnectedClientInfo function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected.
CVE-2022-31257 1Mendix 1Mendix Nov 21, 2024 Jul 12, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.31), Mendix Applications using Mendix 8 (All versions < V8.18.18), Mendix Applications using Mendix 9 (All versions < V9.14....Show more A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.31), Mendix Applications using Mendix 8 (All versions < V8.18.18), Mendix Applications using Mendix 9 (All versions < V9.14.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.2), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.12). In case of access to an active user session in an application that is built with an affected version, it’s possible to change that user’s password bypassing password validations within a Mendix application. This could allow to set weak passwords.Show less
CVE-2022-20859 1Cisco 3Unified Communications Manager Unified Communications Manager Im And Presence ServiceUnity Connection Nov 21, 2024 Jul 6, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 A vulnerability in the Disaster Recovery framework of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and Cisco Unity Connection co...Show more A vulnerability in the Disaster Recovery framework of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and Cisco Unity Connection could allow an authenticated, remote attacker to perform certain administrative actions they should not be able to. This vulnerability is due to insufficient access control checks on the affected device. An attacker with read-only privileges could exploit this vulnerability by executing a specific vulnerable command on an affected device. A successful exploit could allow the attacker to perform a set of administrative actions they should not be able to.Show less
CVE-2022-34894 1Jetbrains 1Hub Nov 21, 2024 Jul 1, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services
CVE-2022-2088 1Smartics 1Smartics Nov 21, 2024 Jun 27, 2022 N/A· v4 4.9 MEDIUM· v3 6.8 MEDIUM· v2 An authenticated user with admin privileges may be able to terminate any process on the system running Elcomplus SmartICS v2.3.4.0.
CVE-2020-9754 1Navercorp 1Whale Nov 21, 2024 Jun 27, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 NAVER Whale browser mobile app before 1.10.6.2 allows the attacker to bypass its browser unlock function via incognito mode.
CVE-2022-2103 1Secheron 1Sepcos Control And Protection Relay Firmware Nov 21, 2024 Jun 24, 2022 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 An attacker with weak credentials could access the TCP port via an open FTP port, allowing an attacker to read sensitive files and write to remotely executable directories.
CVE-2022-1521 1Illumina 1Local Run Manager Nov 21, 2024 Jun 24, 2022 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data.
CVE-2017-20066 1Adminer Login Project 1Adminer Login Nov 21, 2024 Jun 20, 2022 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 A vulnerability has been found in Adminer Login 1.4.4 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improper access controls. It is possible to launch the attack on the...Show more A vulnerability has been found in Adminer Login 1.4.4 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improper access controls. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.Show less
CVE-2022-27511 1Citrix 1Application Delivery Management Nov 21, 2024 Jun 16, 2022 N/A· v4 8.1 HIGH· v3 7.8 HIGH· v2 Corruption of the system by a remote, unauthenticated user. The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the defau...Show more Corruption of the system by a remote, unauthenticated user. The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted.Show less
CVE-2022-28612 1Custom Popup Builder Project 1Custom Popup Builder Nov 21, 2024 Jun 15, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Improper Access Control vulnerability leading to multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Muneeb's Custom Popup Builder plugin <= 1.3.1 at WordPress.
CVE-2022-32158 1Splunk 1Splunk Nov 21, 2024 Jun 15, 2022 N/A· v4 10.0 CRITICAL· v3 7.5 HIGH· v2 Splunk Enterprise deployment servers in versions before 8.1.10.1, 8.2.6.1, and 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. An attacker that compromised a Universal...Show more Splunk Enterprise deployment servers in versions before 8.1.10.1, 8.2.6.1, and 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. An attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server.Show less
CVE-2022-1958 1Filecloud 1Filecloud Nov 21, 2024 Jun 15, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability classified as critical has been found in FileCloud. Affected is an unknown function of the component NTFS Handler. The manipulation leads to improper access controls. It is possible to launch the attack r...Show more A vulnerability classified as critical has been found in FileCloud. Affected is an unknown function of the component NTFS Handler. The manipulation leads to improper access controls. It is possible to launch the attack remotely. Upgrading to version 21.3.5.18513 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-201960.Show less
CVE-2022-32256 1Siemens 1Sinema Remote Connect Server Nov 21, 2024 Jun 14, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application consists of a web service that lacks proper access control for some of the endpoints. This could lead to...Show more A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application consists of a web service that lacks proper access control for some of the endpoints. This could lead to low privileged users accessing privileged information.Show less
CVE-2022-32255 1Siemens 1Sinema Remote Connect Server Nov 21, 2024 Jun 14, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application consists of a web service that lacks proper access control for some of the endpoints. This could lead to...Show more A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application consists of a web service that lacks proper access control for some of the endpoints. This could lead to unauthorized access to limited information.Show less
CVE-2022-31055 1Google 1Kctf Nov 21, 2024 Jun 13, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 kCTF is a Kubernetes-based infrastructure for capture the flag (CTF) competitions. Prior to version 1.6.0, the kctf cluster set-src-ip-ranges was broken and allowed traffic from any IP. The problem has been patched in v1...Show more kCTF is a Kubernetes-based infrastructure for capture the flag (CTF) competitions. Prior to version 1.6.0, the kctf cluster set-src-ip-ranges was broken and allowed traffic from any IP. The problem has been patched in v1.6.0. As a workaround, those who want to test challenges privately can mark them as `public: false` and use `kctf chal debug port-forward` to connect.Show less
CVE-2022-1659 1Artbees 1Jupiterx Nov 21, 2024 Jun 13, 2022 N/A· v4 7.3 HIGH· v3 7.5 HIGH· v2 Vulnerable versions of the JupiterX Core (<= 2.0.6) plugin register an AJAX action jupiterx_conditional_manager which can be used to call any function in the includes/condition/class-condition-manager.php file by sending...Show more Vulnerable versions of the JupiterX Core (<= 2.0.6) plugin register an AJAX action jupiterx_conditional_manager which can be used to call any function in the includes/condition/class-condition-manager.php file by sending the desired function to call in the sub_action parameter. This can be used to view site configuration and logged-in users, modify post conditions, or perform a denial of service attack.Show less
CVE-2022-1658 1Artbees 1Jupiter Nov 21, 2024 Jun 13, 2022 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 Vulnerable versions of the Jupiter Theme (<= 6.10.1) allow arbitrary plugin deletion by any authenticated user, including users with the subscriber role, via the abb_remove_plugin AJAX action registered in the framework/...Show more Vulnerable versions of the Jupiter Theme (<= 6.10.1) allow arbitrary plugin deletion by any authenticated user, including users with the subscriber role, via the abb_remove_plugin AJAX action registered in the framework/admin/control-panel/logic/plugin-management.php file. Using this functionality, any logged-in user can delete any installed plugin on the site.Show less

Previous 1...178179180...255 Next