Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-0203 1Craterapp 1Crater Nov 21, 2024 Jan 26, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Improper Access Control in GitHub repository crater-invoice/crater prior to 6.0.2.
CVE-2022-0270 1Mirantis 1Bored Agent Nov 21, 2024 Jan 25, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Prior to v0.6.1, bored-agent failed to sanitize incoming kubernetes impersonation headers allowing a user to override assigned user name and groups.
CVE-2021-23233 1Fresenius Kabi 6Agilia Connect Firmware Agilia Partner Maintenance SoftwareLink+ Agilia Firmware+3 more Nov 21, 2024 Jan 21, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Sensitive endpoints in Fresenius Kabi Agilia Link+ v3.0 and prior can be accessed without any authentication information such as the session cookie. An attacker can send requests to sensitive endpoints as an unauthentica...Show more Sensitive endpoints in Fresenius Kabi Agilia Link+ v3.0 and prior can be accessed without any authentication information such as the session cookie. An attacker can send requests to sensitive endpoints as an unauthenticated user to perform critical actions or modify critical configuration parameters.Show less
CVE-2021-4016 1Rapid7 1Insight Agent Nov 21, 2024 Jan 21, 2022 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 Rapid7 Insight Agent, versions prior to 3.1.3, suffer from an improper access control vulnerability whereby, the user has access to the snapshot directory. An attacker can access, read and copy any of the files in this d...Show more Rapid7 Insight Agent, versions prior to 3.1.3, suffer from an improper access control vulnerability whereby, the user has access to the snapshot directory. An attacker can access, read and copy any of the files in this directory e.g. asset_info.json or file_info.json, leading to a loss of confidentiality. This issue was fixed in Rapid7 Insight Agent 3.1.3.Show less
CVE-2022-21305 3Debian NetappOracle 197 Mode Transition Tool Active Iq Unified ManagerCloud Insights Acquisition Unit+16 more May 27, 2026 Jan 19, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalV...Show more Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).Show less
CVE-2022-21291 4Debian FedoraprojectNetapp+1 more 207 Mode Transition Tool Active Iq Unified ManagerCloud Insights Acquisition Unit+17 more May 27, 2026 Jan 19, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalV...Show more Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).Show less
CVE-2021-34402 1Nvidia 1Shield Experience Nov 21, 2024 Jan 18, 2022 N/A· v4 6.7 MEDIUM· v3 4.6 MEDIUM· v2 NVIDIA Tegra kernel driver contains a vulnerability in NVIDIA NVDEC, where a user with high privileges might be able to read from or write to a memory location that is outside the intended boundary of the buffer, which m...Show more NVIDIA Tegra kernel driver contains a vulnerability in NVIDIA NVDEC, where a user with high privileges might be able to read from or write to a memory location that is outside the intended boundary of the buffer, which may lead to denial of service, Information disclosure, loss of Integrity, or possible escalation of privileges.Show less
CVE-2021-34401 1Nvidia 1Shield Experience Nov 21, 2024 Jan 18, 2022 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 NVIDIA Linux kernel distributions contain a vulnerability in nvmap NVGPU_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, where improper access control may lead to code execution, compromised integrity, or denial of service.
CVE-2021-37864 1Mattermost 1Mattermost Nov 21, 2024 Jan 18, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrat...Show more Mattermost 6.1 and earlier fails to sufficiently validate permissions while viewing archived channels, which allows authenticated users to view contents of archived channels even when this is denied by system administrators by directly accessing the APIs.Show less
CVE-2021-28507 1Arista 1Eos Nov 21, 2024 Jan 14, 2022 N/A· v4 7.1 HIGH· v3 4.9 MEDIUM· v2 An issue has recently been discovered in Arista EOS where, under certain conditions, the service ACL configured for OpenConfig gNOI and OpenConfig RESTCONF might be bypassed, which results in the denied requests being fo...Show more An issue has recently been discovered in Arista EOS where, under certain conditions, the service ACL configured for OpenConfig gNOI and OpenConfig RESTCONF might be bypassed, which results in the denied requests being forwarded to the agent.Show less
CVE-2022-23134 3Debian FedoraprojectZabbix 3Debian Linux FedoraZabbix Oct 30, 2025 Jan 13, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configur...Show more After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.Show less
CVE-2022-23132 2Fedoraproject Zabbix 2Fedora Zabbix Nov 3, 2025 Jan 13, 2022 N/A· v4 7.3 HIGH· v3 7.5 HIGH· v2 During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permi...Show more During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permissions check on the file system levelShow less
CVE-2022-0170 1Framasoft 1Peertube Nov 21, 2024 Jan 11, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 peertube is vulnerable to Improper Access Control
CVE-2021-45034 1Siemens 4Cp 8000 Master Module With I/o 25/+70 Firmware Cp 8000 Master Module With I/o 40/+70 FirmwareCp 8021 Master Module Firmware+1 more Nov 21, 2024 Jan 11, 2022 N/A· v4 7.5 HIGH· v3 4.3 MEDIUM· v2 A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O -25/+70°C (All versions < V16.20), CP-8000 MASTER MODULE WITH I/O -40/+70°C (All versions < V16.20), CP-8021 MASTER MODULE (All versions < V16.20), CP...Show more A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O -25/+70°C (All versions < V16.20), CP-8000 MASTER MODULE WITH I/O -40/+70°C (All versions < V16.20), CP-8021 MASTER MODULE (All versions < V16.20), CP-8022 MASTER MODULE WITH GPRS (All versions < V16.20). The web server of the affected system allows access to logfiles and diagnostic data generated by a privileged user. An unauthenticated attacker could access the files by knowing the corresponding download links.Show less
CVE-2022-0133 1Framasoft 1Peertube Nov 21, 2024 Jan 10, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 peertube is vulnerable to Improper Access Control
CVE-2021-23173 1Philips 1Engage Nov 21, 2024 Jan 10, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 The affected product is vulnerable to an improper access control, which may allow an authenticated user to gain unauthorized access to sensitive data.
CVE-2021-4194 1Bookstackapp 1Bookstack Nov 21, 2024 Jan 6, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 bookstack is vulnerable to Improper Access Control
CVE-2021-22567 1Dart 1Dart Software Development Kit Nov 21, 2024 Jan 5, 2022 N/A· v4 3.5 LOW· v3 3.5 LOW· v2 Bidirectional Unicode text can be interpreted and compiled differently than how it appears in editors which can be exploited to get nefarious code passed a code review by appearing benign. An attacker could embed a sourc...Show more Bidirectional Unicode text can be interpreted and compiled differently than how it appears in editors which can be exploited to get nefarious code passed a code review by appearing benign. An attacker could embed a source that is invisible to a code reviewer that modifies the behavior of a program in unexpected ways.Show less
CVE-2021-25991 1If Me 1Ifme Nov 21, 2024 Dec 29, 2021 N/A· v4 7.3 HIGH· v3 4.9 MEDIUM· v2 In Ifme, versions v5.0.0 to v7.32 are vulnerable against an improper access control, which makes it possible for admins to ban themselves leading to their deactivation from Ifme account and complete loss of admin access...Show more In Ifme, versions v5.0.0 to v7.32 are vulnerable against an improper access control, which makes it possible for admins to ban themselves leading to their deactivation from Ifme account and complete loss of admin access to Ifme.Show less
CVE-2021-20050 1Sonicwall 6Sma 100 Firmware Sma 200 FirmwareSma 210 Firmware+3 more Nov 21, 2024 Dec 23, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An Improper Access Control Vulnerability in the SMA100 series leads to multiple restricted management APIs being accessible without a user login, potentially exposing configuration meta-data.

Previous 1...184185186...255 Next