CWE-284

5,090 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.


CVEs (5,090)

Columns in the original listing: CVE · Vendors · Products · Updated · Published · CVSS (v4 / v3 / v2). Twenty entries are shown below.

Vendor: Thalesgroup · Product: Sentinel Protection Installer
Published: Dec 20, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 6.7 MEDIUM, v2 7.2 HIGH
Improper Access Control in Thales Sentinel Protection Installer could allow a local user to escalate privileges.

Vendor: Bookstackapp · Product: Bookstack
Published: Dec 15, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
bookstack is vulnerable to Improper Access Control.

Vendor: Blocksera · Product: Image Hover Effects
Published: Dec 15, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 9.8 CRITICAL, v2 7.5 HIGH
Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate (versions <= 9.6.1) WordPress plugin.

Vendor: User Meta Shortcodes Project · Product: User Meta Shortcodes
Published: Dec 13, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.0 MEDIUM
The User Meta Shortcodes WordPress plugin through 0.5 registers a shortcode that allows any user with a role as low as contributor to access other users' metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data exfiltration, including password hashes.

Vendor: Improved Include Page Project · Product: Improved Include Page
Published: Dec 13, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.0 MEDIUM
The Improved Include Page WordPress plugin through 1.2 allows passing shortcode attributes with post_type & post_status which can be used to retrieve arbitrary content. This way, users with a role as low as Contributor can gain access to content they are not supposed to.

Vendor: Snipeitapp · Product: Snipe It
Published: Dec 10, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.0 MEDIUM
snipe-it is vulnerable to Improper Access Control.

Vendor: Google · Product: Exposure Notification Verification Server
Published: Dec 9, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 6.5 MEDIUM, v2 5.8 MEDIUM
An attacker could prematurely expire a verification code, making it unusable by the patient, making the patient unable to upload their TEKs to generate exposure notifications. We recommend upgrading the Exposure Notification server to V1.1.2 or greater.

Vendor: Ivanti · Product: Avalanche
Published: Dec 7, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 8.8 HIGH, v2 6.5 MEDIUM
An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3 that allows an attacker with access to the Inforail Service to perform a session takeover.

Vendor: Solarwinds · Product: Serv U
Published: Dec 6, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 6.8 MEDIUM, v2 6.8 MEDIUM
When a user has admin rights in Serv-U Console, the user can move, create and delete any files that can be accessed on the Serv-U host machine.

Vendor: Amd · Product: Amd Uprof
Published: Dec 1, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 9.9 CRITICAL, v2 9.0 HIGH
The AMDPowerProfiler.sys driver of AMD μProf tool may allow lower privileged users to access MSRs in kernel which may lead to privilege escalation and ring-0 code execution by the lower privileged user.

Vendor: Insulet · Product: Omnipod Insulin Management System Firmware
Published: Dec 1, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 8.1 HIGH, v2 4.8 MEDIUM
Insulet Omnipod Insulin Management System insulin pump product ID 19191 and 40160 is designed to communicate using a wireless RF with an Insulet manufactured Personal Diabetes Manager device. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with access to one of the affected insulin pump models may be able to modify and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery.

Vendor: Kimai2 Project · Product: Kimai2
Published: Dec 1, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.0 MEDIUM
kimai2 is vulnerable to Improper Access Control.

Vendor: Bookstackapp · Product: Bookstack
Published: Nov 30, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.0 MEDIUM
bookstack is vulnerable to Improper Access Control.

Vendor: Businessdnasolutions · Product: Topease
Published: Nov 30, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.0 MEDIUM
Incorrect Access Control in Web Applications operating on Business-DNA Solutions GmbH's TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker to view the Shape Editor and Settings, which are functionality for higher privileged users, via identifying said components in the front-end source code or other means.

Vendor: Wpwave · Product: Hide My Wp
Published: Nov 24, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 7.5 HIGH, v2 5.0 MEDIUM
WordPress Hide My WP plugin (versions <= 6.2.3) can be deactivated by any unauthenticated user. It is possible to retrieve a reset token which can then be used to deactivate the plugin.

Vendor: Bitdefender · Products: Endpoint Security Tools, Gravityzone
Published: Nov 24, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 10.0 CRITICAL, v2 7.5 HIGH
Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1.

Vendor: Philips · Products: Mri 1.5t Firmware, Mri 3t Firmware
Published: Nov 19, 2021 · Updated: Apr 2, 2026 · CVSS: v4 5.9 MEDIUM, v3 5.5 MEDIUM, v2 5.0 MEDIUM
Philips MRI 1.5T and MRI 3T Version 5.3 through 5.8.1 does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Vendor: Cisco · Product: Common Services Platform Collector
Published: Nov 19, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 4.9 MEDIUM, v2 4.0 MEDIUM
A vulnerability in the web application of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to specify non-log files as sources for syslog reporting. This vulnerability is due to improper restriction of the syslog configuration. An attacker could exploit this vulnerability by configuring non-log files as sources for syslog reporting through the web application. A successful exploit could allow the attacker to read non-log files on the CSPC.

Vendor: Webfactoryltd · Product: Wp Reset Pro
Published: Nov 18, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 8.1 HIGH, v2 5.5 MEDIUM
Authenticated Database Reset vulnerability in WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows any authenticated user to wipe the entire database regardless of their authorization. It leads to a complete website reset and takeover.

Vendor: Brainstormforce · Product: Starter Templates
Published: Nov 17, 2021 · Updated: Nov 21, 2024 · CVSS: v4 N/A, v3 5.4 MEDIUM, v2 3.5 LOW
On sites that also had the Elementor plugin for WordPress installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action. An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the url parameter pointed to their remotely-hosted malicious block, as well as an id parameter containing the post or page to overwrite. Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitors to that page.