CWE-284

5,090 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.


CVEs (5,090)

Each record below lists the vendor(s), product(s), the date the record was last updated, the date it was published and its CVSS scores (v4 · v3 · v2), followed by the CVE description.

Vendor: Artbees
Products (2): Jupiter X Core, Jupiterx
Updated: Nov 21, 2024 · Published: Jun 13, 2022
CVSS: N/A (v4) · 5.4 MEDIUM (v3) · 5.5 MEDIUM (v2)
Vulnerable versions of the JupiterX Theme (<=2.0.6) allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin (<=2.0.6). This includes the ability to deactivate arbitrary plugins as well as update the theme’s API key.

Vendor: Samsung
Product (1): Quick Share
Updated: Nov 21, 2024 · Published: Jun 7, 2022
CVSS: N/A (v4) · 5.5 MEDIUM (v3) · 2.1 LOW (v2)
Improper access control vulnerability in Quick Share prior to version 13.1.2.4 allows an attacker to access internal files in Quick Share.

Vendor: Google
Product (1): Android
Updated: Nov 21, 2024 · Published: Jun 7, 2022
CVSS: N/A (v4) · 5.3 MEDIUM (v3) · 5.0 MEDIUM (v2)
Improper access control vulnerability in DofViewer prior to SMR Jun-2022 Release 1 allows attackers to control the floating system alert window.

Vendor: Nextcloud
Product (1): Richdocuments
Updated: Nov 21, 2024 · Published: Jun 2, 2022
CVSS: N/A (v4) · 6.5 MEDIUM (v3) · 4.3 MEDIUM (v2)
richdocuments is the repository for Nextcloud Collabora, the app for Nextcloud Office collaboration. Prior to versions 6.0.0, 5.0.4, and 4.2.6, a user could be tricked into working against a remote Office by sending them a federated share. richdocuments versions 6.0.0, 5.0.4 and 4.2.6 contain a fix for this issue. There are currently no known workarounds available.

Vendor: Honeywell
Product (1): Matrikon Opc Server
Updated: Nov 21, 2024 · Published: May 26, 2022
CVSS: N/A (v4) · 8.8 HIGH (v3) · 9.0 HIGH (v2)
Matrikon, a subsidiary of Honeywell, Matrikon OPC Server (all versions) is vulnerable to a condition where a low-privileged user allowed to connect to the OPC server to use the functions of the IPersisFile to execute operating system processes with system-level privileges.

Vendor: Jfrog
Product (1): Artifactory
Updated: Nov 21, 2024 · Published: May 23, 2022
CVSS: N/A (v4) · 6.5 MEDIUM (v3) · 4.0 MEDIUM (v2)
JFrog Artifactory prior to version 7.28.0 and 6.23.38 is vulnerable to Broken Access Control; the copy functionality can be used by a low-privileged user to read and copy any artifact that exists in the Artifactory deployment due to improper permissions validation.

Vendor: Nextcloud
Product (1): Nextcloud
Updated: Nov 21, 2024 · Published: May 20, 2022
CVSS: N/A (v4) · 3.3 LOW (v3) · 2.1 LOW (v2)
Nextcloud Android is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.0, sensitive tokens, images, and user-related details exist after deletion of a user account. This could result in misuse of the former account holder's information. Nextcloud Android version 3.19.0 contains a patch for this issue. There are no known workarounds available.

Vendor: Hcltech
Product (1): Domino
Updated: Nov 21, 2024 · Published: May 19, 2022
CVSS: N/A (v4) · 7.8 HIGH (v3) · 4.6 MEDIUM (v2)
HCL Domino is affected by an Insufficient Access Control vulnerability. An authenticated attacker with local access to the system could exploit this vulnerability to attain escalation of privileges, denial of service, or information disclosure.

Vendor: Jfrog
Product (1): Artifactory
Updated: Nov 21, 2024 · Published: May 19, 2022
CVSS: N/A (v4) · 4.9 MEDIUM (v3) · 4.0 MEDIUM (v2)
JFrog Artifactory prior to 7.31.10 is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts, while Repository Layouts configuration should only be available for Platform Administrators.

Vendor: Nvidia
Products (2): Gpu Display Driver, Virtual Gpu
Updated: Nov 21, 2024 · Published: May 17, 2022
CVSS: N/A (v4) · 7.8 HIGH (v3) · 4.6 MEDIUM (v2)
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an unprivileged regular user can access administrator-privileged registers, which may lead to denial of service, information disclosure, and data tampering.

Vendor: Solarwinds
Product (1): Serv U
Updated: Nov 21, 2024 · Published: May 17, 2022
CVSS: N/A (v4) · 4.3 MEDIUM (v3) · 4.0 MEDIUM (v2)
This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. Please note the admin is unable to modify the data (read-only operation). This UAC issue leads to a data leak to unauthorized users for a domain, with no log of them accessing the data unless they attempt to modify it. This read-only activity is logged to the original domain and does not specify which domain was accessed.

Vendor: Wowonder
Product (1): Wowonder
Updated: Nov 21, 2024 · Published: May 17, 2022
CVSS: N/A (v4) · 4.3 MEDIUM (v3) · 4.0 MEDIUM (v2)
A vulnerability, which was classified as critical, was found in WoWonder. Affected is the file /requests.php, which is responsible for handling group messages. The manipulation of the argument group_id allows posting messages in other groups. It is possible to launch the attack remotely but it might require authentication. A video explaining the attack has been disclosed to the public.

Vendor: Weintek
Products (16): Cmt Ctrl01 Firmware, Cmt Fhd Firmware, Cmt G01 Firmware, +13 more
Updated: Nov 21, 2024 · Published: May 16, 2022
CVSS: N/A (v4) · 9.8 CRITICAL (v3) · 7.5 HIGH (v2)
The Weintek cMT product line is vulnerable to various improper access controls, which may allow an unauthenticated attacker to remotely access and download sensitive information and perform administrative actions on behalf of a legitimate administrator.

Vendor: Publify Project
Product (1): Publify
Updated: Nov 21, 2024 · Published: May 16, 2022
CVSS: N/A (v4) · 4.9 MEDIUM (v3) · 4.0 MEDIUM (v2)
Leaking password-protected article content due to improper access control in GitHub repository publify/publify prior to 9.2.8. Attackers can leverage this vulnerability to view the contents of any password-protected article present on the publify website, compromising confidentiality and integrity of users.

Vendor: Publify Project
Product (1): Publify
Updated: Nov 21, 2024 · Published: May 16, 2022
CVSS: N/A (v4) · 6.5 MEDIUM (v3) · 6.4 MEDIUM (v2)
Improper Access Control in GitHub repository publify/publify prior to 9.2.8.

Vendor: Sonicwall
Products (5): Sma 6200 Firmware, Sma 6210 Firmware, Sma 7200 Firmware, +2 more
Updated: Nov 21, 2024 · Published: May 13, 2022
CVSS: N/A (v4) · 9.8 CRITICAL (v3) · 7.5 HIGH (v2)
SonicWall SMA1000 series firmware 12.4.0, 12.4.1-02965 and earlier versions incorrectly restricts access to a resource using HTTP connections from an unauthorized actor, leading to an Improper Access Control vulnerability.

Vendor: Myscada
Product (1): Mypro
Updated: Nov 21, 2024 · Published: May 13, 2022
CVSS: N/A (v4) · 7.5 HIGH (v3) · 5.0 MEDIUM (v2)
mySCADA myPRO versions prior to 8.20.0 do not restrict unauthorized read access to sensitive system information.

Vendor: Inhandnetworks
Product (1): Inrouter302 Firmware
Updated: Nov 21, 2024 · Published: May 12, 2022
CVSS: N/A (v4) · 8.8 HIGH (v3) · 6.5 MEDIUM (v2)
A privilege escalation vulnerability exists in the router configuration import functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.

Vendor: Microsoft
Products (10): Windows 10, Windows 11, Windows 7, +7 more
Updated: May 27, 2026 · Published: May 10, 2022
CVSS: N/A (v4) · 7.8 HIGH (v3) · 6.8 MEDIUM (v2)
Windows Address Book Remote Code Execution Vulnerability

Vendor: Wpgraphql
Product (1): Wpgraphql
Updated: Nov 21, 2024 · Published: May 9, 2022
CVSS: N/A (v4) · 5.3 MEDIUM (v3) · 5.0 MEDIUM (v2)
The WPGraphQL WordPress plugin before 0.3.5 doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site.