CWE-284

5,090 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Samsung
1Searchwidget
Nov 21, 2024
Feb 11, 2022
N/A· v4
3.3 LOW· v3
2.1 LOW· v2
Improper access control vulnerability in Samsung SearchWidget prior to versions 2.3.00.6 in China models allows untrusted applications to load arbitrary URL and local files in webview.
1Samsung
1Wear Os
Nov 21, 2024
Feb 11, 2022
N/A· v4
3.3 LOW· v3
4.3 MEDIUM· v2
Unprotected component vulnerability in StTheaterModeDurationAlarmReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to disable theater mode without a proper permission.
1Samsung
1Wear Os
Nov 21, 2024
Feb 11, 2022
N/A· v4
3.3 LOW· v3
4.3 MEDIUM· v2
Unprotected component vulnerability in StTheaterModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to enable bedtime mode without a proper permission.
1Samsung
1Wear Os
Nov 21, 2024
Feb 11, 2022
N/A· v4
3.3 LOW· v3
4.3 MEDIUM· v2
Unprotected component vulnerability in StBedtimeModeAlarmReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to change bedtime mode without a proper permission.
1Samsung
1Wear Os
Nov 21, 2024
Feb 11, 2022
N/A· v4
3.3 LOW· v3
4.3 MEDIUM· v2
An Improper access control vulnerability in StBedtimeModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to change bedtime mode without a proper permission.
1Samsung
1Reminder
Nov 21, 2024
Feb 11, 2022
N/A· v4
5.3 MEDIUM· v3
5.0 MEDIUM· v2
Improper access control vulnerability in Reminder prior to versions 12.3.01.3000 in Android S(12), 12.2.05.6000 in Android R(11) and 11.6.08.6000 in Android Q(10) allows attackers to register reminders or execute exported activities remotely.
1Drupal
1Drupal
Nov 21, 2024
Feb 11, 2022
N/A· v4
7.5 HIGH· v3
4.3 MEDIUM· v2
Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected.
1Drupal
1Drupal
Nov 21, 2024
Feb 11, 2022
N/A· v4
6.5 MEDIUM· v3
4.0 MEDIUM· v2
The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
1Drupal
1Drupal
Nov 21, 2024
Feb 11, 2022
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.
1Citrix
1Workspace
Nov 21, 2024
Feb 9, 2022
N/A· v4
7.8 HIGH· v3
4.6 MEDIUM· v2
An Improper Access Control vulnerability exists in Citrix Workspace App for Linux 2012 - 2111 with App Protection installed that can allow an attacker to perform local privilege escalation.
1Nvidia
2Cloud Gaming Virtual Gpu
Virtual Gpu
Nov 21, 2024
Feb 7, 2022
N/A· v4
5.5 MEDIUM· v3
4.9 MEDIUM· v2
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia.ko), where a user in the guest OS can cause a GPU interrupt storm on the hypervisor host, leading to a denial of service.
1Nvidia
8Cloud Gaming Guest
Geforce
Gpu Display Driver
+5 more
Nov 21, 2024
Feb 7, 2022
N/A· v4
6.1 MEDIUM· v3
3.6 LOW· v2
NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service.
1Sealevel
1Seaconnect 370w Firmware
Nov 21, 2024
Feb 4, 2022
N/A· v4
9.3 CRITICAL· v3
6.4 MEDIUM· v2
A denial of service vulnerability exists in the SeaMax remote configuration functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. Specially-crafted network packets can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.
1Sealevel
1Seaconnect 370w Firmware
Nov 21, 2024
Feb 4, 2022
N/A· v4
7.4 HIGH· v3
7.1 HIGH· v2
A denial of service vulnerability exists in the Modbus configuration functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. Specially-crafted network packets can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.
1Janeczku
1Calibre Web
Nov 21, 2024
Jan 30, 2022
N/A· v4
6.5 MEDIUM· v3
4.0 MEDIUM· v2
Improper Access Control in Pypi calibreweb prior to 0.6.16.
1Reolink
1Rlc 410w Firmware
Nov 21, 2024
Jan 28, 2022
N/A· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. All the Get APIs that are not included in cgi_check_ability are already executable by any logged-in users. An attacker can send an HTTP request to trigger this vulnerability.
1Reolink
1Rlc 410w Firmware
Nov 21, 2024
Jan 28, 2022
N/A· v4
6.5 MEDIUM· v3
6.8 MEDIUM· v2
An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. In cgi_check_ability the Format API does not have a specific case, the user permission will default to 7. This will give non-administrative users the possibility to format the SD card and reboot the device.
1Reolink
1Rlc 410w Firmware
Nov 21, 2024
Jan 28, 2022
N/A· v4
7.1 HIGH· v3
5.5 MEDIUM· v2
An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. The SetMdAlarm API sets the movement detection parameters, giving the ability to set the sensitivity of the camera per a range of hours, and which of the camera spaces to ignore when considering movement detection. Because in cgi_check_ability the SetMdAlarm API does not have a specific case, the user permission will default to 7. This will give non-administrative users the possibility to change the movement detection parameters.
1Reolink
1Rlc 410w Firmware
Nov 21, 2024
Jan 28, 2022
N/A· v4
7.1 HIGH· v3
6.5 MEDIUM· v2
An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. The UpgradePrepare is the API that checks if a provided filename identifies a new version of the RLC-410W firmware. If the version is new, it would be possible, allegedly, to later on perform the Upgrade. An attacker can send an HTTP request to trigger this vulnerability.
1Reolink
1Rlc 410w Firmware
Nov 21, 2024
Jan 28, 2022
N/A· v4
6.5 MEDIUM· v3
6.4 MEDIUM· v2
An authentication bypass vulnerability exists in the cgiserver.cgi Login functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to authentication bypass. An attacker can send an HTTP request to trigger this vulnerability.