CWE-284

5,090 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.


CVEs (5,090)

Columns: Vendor · Product(s) · Updated · Published · CVSS v4 · CVSS v3 · CVSS v2, followed by the CVE description.
Samsung · Bixby Touch · Updated Nov 21, 2024 · Published Mar 10, 2022 · CVSS v4 N/A · v3 3.3 LOW · v2 2.1 LOW
Improper access control vulnerability in BixbyTouch prior to version 2.2.00.6 in China models allows untrusted applications to load arbitrary URLs and local files in a WebView.
Samsung · Wear OS · Updated Nov 21, 2024 · Published Mar 10, 2022 · CVSS v4 N/A · v3 3.3 LOW · v2 4.3 MEDIUM
An improper access control vulnerability in StRetailModeReceiver in Wear OS 3.0 prior to the MAR-2022 firmware update release allows untrusted applications to reset default app settings without holding the proper permission.
Riverbed · SteelCentral AppInternals Dynamic Sampling Agent · Updated Nov 21, 2024 · Published Mar 10, 2022 · CVSS v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent (DSA) uses the ".debug_command.config" file to store a JSON string that contains a list of IDs and pre-configured commands. The config file is subsequently used by the "/api/appInternals/1.0/agent/configuration" API to map the corresponding ID to a command to be executed.
Mendix · Mendix · Updated Nov 21, 2024 · Published Mar 8, 2022 · CVSS v4 N/A · v3 6.5 MEDIUM · v2 4.0 MEDIUM
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.29). When returning the result of a completed Microflow execution call, the affected framework does not correctly verify whether the request was originally made by the user requesting the result. Together with predictable identifiers for Microflow execution calls, this could allow a malicious attacker to retrieve information about arbitrary Microflow execution calls made by users within the affected system.
Mendix · Forgot Password · Updated Nov 21, 2024 · Published Mar 8, 2022 · CVSS v4 N/A · v3 9.8 CRITICAL · v2 6.8 MEDIUM
A vulnerability has been identified in the Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1). In certain configurations of the affected product, a threat actor could use the sign-up flow to hijack arbitrary user accounts.
Mendix · Mendix · Updated May 2, 2025 · Published Mar 8, 2022 · CVSS v4 N/A · v3 8.1 HIGH · v2 4.9 MEDIUM
A vulnerability has been identified in Mendix Runtime V7 (All versions < V7.23.29), Mendix Runtime V8 (All versions < V8.18.16), Mendix Runtime V9 (All versions < V9.13, only with Runtime Custom Setting *DataStorage.UseNewQueryHandler* set to False). If an entity has an association readable by the user, then in some cases Mendix Runtime may not apply checks for XPath constraints that parse said associations, within apps running on affected versions. A malicious user could use this to dump and manipulate sensitive data.
Siemens · Climatix POL909 Firmware · Updated Nov 21, 2024 · Published Mar 8, 2022 · CVSS v4 N/A · v3 6.5 MEDIUM · v2 4.0 MEDIUM
A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.44) and Climatix POL909 (AWM module) (All versions < V11.36). The handling of log files in the web application of affected devices contains an information disclosure vulnerability which could allow logged-in users to access sensitive files.
JFrog · Artifactory · Updated Nov 21, 2024 · Published Mar 2, 2022 · CVSS v4 N/A · v3 2.7 LOW · v2 4.0 MEDIUM
JFrog Artifactory before 7.31.10 is vulnerable to Broken Access Control: a project admin user is able to list all available repository names due to insufficient permission validation.
JFrog · Artifactory · Updated Nov 21, 2024 · Published Mar 2, 2022 · CVSS v4 N/A · v3 5.4 MEDIUM · v2 5.5 MEDIUM
JFrog Artifactory before 7.29.3 and 6.23.38 is vulnerable to Broken Access Control: a low-privileged user is able to delete other known users' OAuth tokens, which forces a re-authentication on an active session or in the next UI session.
Webmin · Webmin · Updated Nov 21, 2024 · Published Mar 2, 2022 · CVSS v4 N/A · v3 8.8 HIGH · v2 9.0 HIGH
Improper Access Control leading to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.
Orange Form Project · Orange Form · Updated Nov 21, 2024 · Published Feb 28, 2022 · CVSS v4 N/A · v3 4.3 MEDIUM · v2 4.3 MEDIUM
The Orange Form WordPress plugin through 1.0.1 does not have any authorisation or CSRF checks in any of its AJAX calls; for example, the or_delete_filed one, which is available to both unauthenticated and authenticated users, could allow attackers to delete arbitrary posts. The AJAX calls performing actions on posts also do not ensure that the post belongs to the caller (or that the caller is allowed to perform such an action on it).
Zulip · Zulip · Updated Nov 21, 2024 · Published Feb 26, 2022 · CVSS v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
Improper Access Control in GitHub repository zulip/zulip prior to 4.10.
Zulip · Zulip Server · Updated Nov 21, 2024 · Published Feb 26, 2022 · CVSS v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server version 2.0.0 and above are vulnerable to insufficient access control with multi-use invitations. A Zulip Server deployment which hosts multiple organizations is vulnerable to an attack where an invitation created in one organization (potentially as a role with elevated permissions) can be used to join any other organization. This bypasses any restrictions on required domains on users' email addresses, may be used to gain access to organizations which are only accessible by invitation, and may be used to gain access with elevated privileges. This issue has been patched in release 4.10. There are no known workarounds for this issue. For more information, discuss the advisory on the developer community Zulip server (https://zulip.com/developer-community/) or email the Zulip security team (security@zulip.com).
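The Zulip Server entry above describes one concrete shape of CWE-284 in a multi-tenant system: an invitation is a bearer credential, and if acceptance only checks that the invitation exists and is unexhausted, the organization named in the join URL and the role carried by the invitation are never tied together. The following is an added example written for this page (not Zulip's code); InviteService, Invite and the realm names "acme" and "globex" are invented. It shows the unbound acceptance path beside one that rejects an invitation for any realm other than the one that issued it.

```python
"""Binding an invitation to the organization that issued it.

Constructed demonstration for this page; not Zulip code. The class and realm
names are invented."""
import secrets
from dataclasses import dataclass


class InviteError(Exception):
    pass


@dataclass
class Invite:
    realm: str      # organization that minted the invitation
    role: str       # role granted on acceptance (may be elevated)
    max_uses: int   # multi-use invitations have max_uses > 1
    uses: int = 0


class InviteService:
    def __init__(self):
        self._invites = {}       # key -> Invite, one table shared by every realm
        self.memberships = []    # (user, realm, role): stands in for the database

    def create(self, realm, role, max_uses=1):
        # The key is unguessable, but by itself it says nothing about which realm
        # it belongs to; that binding has to be enforced at acceptance time.
        key = secrets.token_urlsafe(24)
        self._invites[key] = Invite(realm, role, max_uses)
        return key

    def _lookup(self, key):
        inv = self._invites.get(key)
        if inv is None or inv.uses >= inv.max_uses:
            raise InviteError("invalid or exhausted invitation")
        return inv

    def accept_vulnerable(self, key, user, realm):
        """`realm` comes from the join URL and `role` from the invite; nothing
        ties the two together, so an invite minted in one realm joins the caller
        to any realm on the server with the invite's role."""
        inv = self._lookup(key)
        inv.uses += 1
        self.memberships.append((user, realm, inv.role))   # BUG: realm never compared
        return (user, realm, inv.role)

    def accept_hardened(self, key, user, realm):
        """An invitation is valid only for the realm that issued it; a key minted
        elsewhere is treated exactly like one that does not exist."""
        inv = self._lookup(key)
        if inv.realm != realm:
            raise InviteError("invalid or exhausted invitation")  # same message: no oracle
        inv.uses += 1
        # The membership's realm is taken from the invite, never from the URL.
        self.memberships.append((user, inv.realm, inv.role))
        return (user, inv.realm, inv.role)


def demo():
    """Constructed scenario: a two-use owner invitation for realm "acme"."""
    svc = InviteService()
    key = svc.create("acme", role="owner", max_uses=2)
    out = {}
    # Vulnerable path: the acme invitation joins mallory to globex as owner.
    out["vulnerable"] = svc.accept_vulnerable(key, "mallory", "globex")
    # Hardened path: the same key is refused for globex ...
    try:
        svc.accept_hardened(key, "mallory", "globex")
        out["hardened_cross_realm"] = "joined"
    except InviteError:
        out["hardened_cross_realm"] = "rejected"
    # ... still works for acme ...
    out["hardened_same_realm"] = svc.accept_hardened(key, "bob", "acme")
    # ... and is then exhausted, so a further legitimate use is refused too.
    try:
        svc.accept_hardened(key, "carol", "acme")
        out["exhausted"] = "joined"
    except InviteError:
        out["exhausted"] = "rejected"
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same check applies whether invitations live in a server-side table (as here) or are encoded in a signed token: the realm must be part of what is verified, and the realm written into the new membership must come from the verified invitation rather than from anything the caller supplied.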
Rockwell Automation · 1734-AENTR POINT I/O Dual Port Network Adaptor Series B Firmware; 1734-AENTR POINT I/O Dual Port Network Adaptor Series C Firmware · Updated Apr 17, 2025 · Published Feb 24, 2022 · CVSS v4 N/A · v3 5.3 MEDIUM · v2 5.0 MEDIUM
The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings.
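The 1734-AENTR entry above is the classic verb-asymmetric failure: authentication is enforced on the path that reads a resource but not on the one that writes it. That happens naturally when each handler decides for itself whether to check the session. The block below is an added example for this page (not Rockwell firmware code); Device, Request, Response and the routes are invented. It contrasts per-handler checks with a single deny-by-default gate that runs before routing, for every method.

```python
"""Authentication as a gate in front of the router rather than inside handlers.

Constructed demonstration for this page; not Rockwell code. The session token,
routes and configuration values are invented."""
from dataclasses import dataclass, field

VALID_SESSION = "constructed-session-token"   # stands in for a real session store


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object = None


def is_authenticated(req):
    return req.headers.get("Cookie") == f"session={VALID_SESSION}"


class Device:
    PUBLIC = {("GET", "/status")}   # the only route reachable without a session

    def __init__(self):
        self.config = {"ip": "192.0.2.10", "name": "adapter"}

    # --- vulnerable: every handler is responsible for its own check ---------
    def vulnerable_dispatch(self, req):
        if req.path == "/config" and req.method == "GET":
            if not is_authenticated(req):
                return Response(401)
            return Response(200, dict(self.config))
        if req.path == "/config" and req.method == "POST":
            self.config.update(req.body)      # BUG: the write path never checks
            return Response(200, dict(self.config))
        return Response(404)

    # --- hardened: one gate, evaluated before any handler, for any method ----
    def hardened_dispatch(self, req):
        key = (req.method, req.path)
        if key not in self.PUBLIC and not is_authenticated(req):
            return Response(401)              # deny by default, unknown routes included
        handler = {
            ("GET", "/status"): self._status,
            ("GET", "/config"): self._get_config,
            ("POST", "/config"): self._set_config,
        }.get(key)
        return handler(req) if handler else Response(404)

    def _status(self, req):
        return Response(200, {"ok": True})

    def _get_config(self, req):
        return Response(200, dict(self.config))

    def _set_config(self, req):
        self.config.update(req.body)
        return Response(200, dict(self.config))


def demo():
    """Constructed requests: an anonymous config change and an authenticated one."""
    anon_post = Request("POST", "/config", body={"ip": "203.0.113.5"})
    anon_get = Request("GET", "/config")
    auth_post = Request("POST", "/config",
                        headers={"Cookie": f"session={VALID_SESSION}"},
                        body={"ip": "203.0.113.5"})
    out = {}
    d = Device()
    out["vuln_anon_get"] = d.vulnerable_dispatch(anon_get).status    # 401: reads are gated
    out["vuln_anon_post"] = d.vulnerable_dispatch(anon_post).status  # 200: writes are not
    out["vuln_ip_after"] = d.config["ip"]
    d = Device()
    out["hard_anon_post"] = d.hardened_dispatch(anon_post).status
    out["hard_ip_after"] = d.config["ip"]
    out["hard_auth_post"] = d.hardened_dispatch(auth_post).status
    out["hard_ip_final"] = d.config["ip"]
    out["hard_status_public"] = d.hardened_dispatch(Request("GET", "/status")).status
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When reviewing an embedded web interface, send the state-changing request directly with no session and compare the result with the same request made through the UI; a device that only validates authentication in its page-rendering handlers will accept the bare POST.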
1byte · Copy9, Exactspy, Fonetracker, +6 more (9 products) · Updated Nov 21, 2024 · Published Feb 24, 2022 · CVSS v4 N/A · v3 7.5 HIGH · v2 5.0 MEDIUM
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability.
Dolibarr · Dolibarr ERP/CRM · Updated Nov 21, 2024 · Published Feb 23, 2022 · CVSS v4 N/A · v3 6.5 MEDIUM · v2 4.0 MEDIUM
Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.
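Several entries in this list (the Mendix Microflow result lookup with predictable identifiers, the JFrog OAuth token deletion, the Orange Form post actions that never check the post belongs to the caller, and the 1byte and Dolibarr IDORs) are the same defect: an object is fetched or deleted by identifier alone and the caller's relationship to it is never examined. The following is an added example for this page (not code from any of those products); User, Resource, VulnerableStore and HardenedStore are invented names. It puts the by-ID-only store beside one that authorizes every access, and shows why unguessable IDs are a complement to, not a substitute for, the ownership check.

```python
"""Object-level authorization: the pattern behind the IDOR entries on this page.

Constructed demonstration for this page; not code from any listed product.
All class and user names are invented."""
from dataclasses import dataclass
import itertools
import secrets


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


@dataclass
class Resource:
    id: str
    owner: str
    body: str


class NotFound(Exception):
    """Raised for missing AND foreign objects, so responses do not reveal which IDs exist."""


class VulnerableStore:
    """Sequential IDs and lookups keyed by ID alone: any authenticated caller
    who can guess an ID can read or delete another user's object."""

    def __init__(self):
        self._seq = itertools.count(1)
        self._items = {}

    def create(self, user, body):
        rid = str(next(self._seq))          # predictable: "1", "2", "3", ...
        self._items[rid] = Resource(rid, user.name, body)
        return rid

    def read(self, user, rid):
        return self._items[rid].body        # BUG: `user` is never consulted

    def delete(self, user, rid):
        del self._items[rid]                # BUG: same on the destructive path

    def count(self):
        return len(self._items)


class HardenedStore:
    """Every access passes through _authorize(): the object must exist and be
    owned by the caller, or the caller must be an admin. Random IDs stay as
    defence in depth; they are not what enforces access."""

    def __init__(self):
        self._items = {}

    def create(self, user, body):
        rid = secrets.token_urlsafe(16)
        self._items[rid] = Resource(rid, user.name, body)
        return rid

    def _authorize(self, user, rid):
        item = self._items.get(rid)
        if item is None or (item.owner != user.name and not user.is_admin):
            raise NotFound(rid)             # identical outcome for "missing" and "not yours"
        return item

    def read(self, user, rid):
        return self._authorize(user, rid).body

    def delete(self, user, rid):
        self._authorize(user, rid)
        del self._items[rid]

    def count(self):
        return len(self._items)


def demo():
    """Constructed scenario: alice stores a result, mallory tries to read and delete it."""
    alice, mallory, admin = User("alice"), User("mallory"), User("admin", is_admin=True)
    out = {}

    v = VulnerableStore()
    rid = v.create(alice, "alice's result")
    out["vulnerable_id"] = rid                          # "1": trivially enumerable
    out["vulnerable_read"] = v.read(mallory, rid)       # leaks alice's data
    v.delete(mallory, rid)                              # and destroys it
    out["vulnerable_left"] = v.count()

    h = HardenedStore()
    rid = h.create(alice, "alice's result")
    try:
        h.read(mallory, rid)
        out["hardened_read"] = "leaked"
    except NotFound:
        out["hardened_read"] = "denied"
    try:
        h.delete(mallory, rid)
    except NotFound:
        pass
    out["hardened_left"] = h.count()
    out["owner_read"] = h.read(alice, rid)
    out["admin_read"] = h.read(admin, rid)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check belongs in one place that every read, update and delete path must pass through; scattering it across handlers is how the read path ends up protected while the delete path is not, which is exactly the shape of the JFrog token and Orange Form post entries above.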
Framasoft · PeerTube · Updated Nov 21, 2024 · Published Feb 23, 2022 · CVSS v4 N/A · v3 5.4 MEDIUM · v2 5.5 MEDIUM
Improper Access Control in GitHub repository chocobozzz/peertube prior to 4.1.0.
QuadLayers · Perfect Brands for WooCommerce · Updated Nov 21, 2024 · Published Feb 18, 2022 · CVSS v4 N/A · v3 4.3 MEDIUM · v2 4.0 MEDIUM
The vulnerability allows Subscriber+ level users to create brands in the WordPress Perfect Brands for WooCommerce plugin (versions <= 2.0.4).
ForgeRock · Access Management · Updated Nov 21, 2024 · Published Feb 14, 2022 · CVSS v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions.
Samsung · LiveWallpaperService · Updated Nov 21, 2024 · Published Feb 11, 2022 · CVSS v4 N/A · v3 5.3 MEDIUM · v2 5.0 MEDIUM
Improper access control in LiveWallpaperService prior to version 3.0.9.0 allows the creation of a system directory with a specific name without the proper permission.