CWE-284

5,090 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,090)

Columns: CVE · Vendors · Products · Updated · Published · CVSS (v4 / v3 / v2)

Vendor: Auvesy (1)
Products: Versiondog (1)
Updated: Nov 21, 2024 · Published: Oct 22, 2021
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
The server permits communication without any authentication procedure, allowing the attacker to initiate a session with the server without providing any form of authentication.

Vendor: Catchplugins (1)
Products (10): Catch Scroll Progress Bar, Catch Sticky Menu, Catch Themes Demo Import, +7 more
Updated: Nov 21, 2024 · Published: Oct 18, 2021
CVSS: v4 N/A · v3 5.7 MEDIUM · v2 3.5 LOW
Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the Essential Widgets WordPress plugin before 1.9, To Top WordPress plugin before 2.3, Header Enhancement WordPress plugin before 1.5, Generate Child Theme WordPress plugin before 1.6, Essential Content Types WordPress plugin before 1.9, Catch Web Tools WordPress plugin before 2.7, Catch Under Construction WordPress plugin before 1.4, Catch Themes Demo Import WordPress plugin before 1.6, Catch Sticky Menu WordPress plugin before 1.7, Catch Scroll Progress Bar WordPress plugin before 1.6, Social Gallery and Widget WordPress plugin before 2.3, Catch Infinite Scroll WordPress plugin before 1.9, Catch Import Export WordPress plugin before 1.9, Catch Gallery WordPress plugin before 1.7, Catch Duplicate Switcher WordPress plugin before 1.6, Catch Breadcrumb WordPress plugin before 1.7, Catch IDs WordPress plugin before 2.4's configurations.

Vendor: Moxa (1)
Products: Mxview (1)
Updated: Nov 21, 2024 · Published: Oct 12, 2021
CVSS: v4 N/A · v3 10.0 CRITICAL · v2 7.5 HIGH
A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries.

Vendor: Apache (1)
Products: Openoffice (1)
Updated: Nov 21, 2024 · Published: Oct 7, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.6 MEDIUM
While working on Apache OpenOffice 4.1.8 a developer discovered that the DEB package did not install using root, but instead used a userid and groupid of 500. This both caused issues with desktop integration and could allow a crafted attack on files owned by that user or group if they exist. Users who installed the Apache OpenOffice 4.1.8 DEB packaging should upgrade to the latest version of Apache OpenOffice.

Vendor: Bostonscientific (1)
Products: Zoom Latitude Programmer/recorder/monitor 3120 Firmware (1)
Updated: Nov 21, 2024 · Published: Oct 4, 2021
CVSS: v4 N/A · v3 7.6 HIGH · v2 7.2 HIGH
A skilled attacker with physical access to the affected device can gain access to the hard disk drive of the device to change the telemetry region and could use this setting to interrogate or program an implantable device in any region in the world.

Vendor: Canonical (1)
Products: Multipass (1)
Updated: Nov 21, 2024 · Published: Oct 1, 2021
CVSS: v4 N/A · v3 8.8 HIGH · v2 4.6 MEDIUM
The Windows version of Multipass before 1.7.0 allowed any local process to connect to the localhost TCP control socket to perform mounts from the operating system to a guest, allowing for privilege escalation.

Vendor: Ecoa (1)
Products (3): Ecs Router Controller Ecs Firmware, Riskbuster Firmware, Riskterminator
Updated: Nov 21, 2024 · Published: Sep 30, 2021
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
ECOA BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers with general user's privilege can remotely bypass authorization and access the hidden resources in the system and execute privileged functionalities.

Vendor: Emerson (1)
Products (3): Wireless 1410 Gateway Firmware, Wireless 1420 Gateway Firmware, Wireless 1552wu Gateway Firmware
Updated: Nov 21, 2024 · Published: Sep 29, 2021
CVSS: v4 N/A · v3 10.0 CRITICAL · v2 6.8 MEDIUM
There is a flaw in the code used to configure the internal gateway firewall when the gateway's VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway.

Vendor: Sonicwall (1)
Products (5): Sma 200 Firmware, Sma 210 Firmware, Sma 400 Firmware, +2 more
Updated: Nov 21, 2024 · Published: Sep 27, 2021
CVSS: v4 N/A · v3 9.1 CRITICAL · v2 6.4 MEDIUM
An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.

Vendor: Citrix (1)
Products: Sharefile Storagezones Controller (1)
Updated: Nov 3, 2025 · Published: Sep 23, 2021
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 10.0 HIGH
Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.

Vendor: Cisco (1)
Products: Ios Xe Sd Wan (1)
Updated: Nov 21, 2024 · Published: Sep 23, 2021
CVSS: v4 N/A · v3 6.0 MEDIUM · v2 6.6 MEDIUM
A vulnerability in the Cisco IOS XE SD-WAN Software CLI could allow an authenticated, local attacker to elevate privileges and execute arbitrary code on the underlying operating system as the root user. An attacker must be authenticated on an affected device as a PRIV15 user. This vulnerability is due to insufficient file system protection and the presence of a sensitive file in the bootflash directory on an affected device. An attacker could exploit this vulnerability by overwriting an installer file stored in the bootflash directory with arbitrary commands that can be executed with root-level privileges. A successful exploit could allow the attacker to read and write changes to the configuration database on the affected device.

Vendor: Cisco (1)
Products: Ios Xe (1)
Updated: Nov 21, 2024 · Published: Sep 23, 2021
CVSS: v4 N/A · v3 5.8 MEDIUM · v2 5.0 MEDIUM
A vulnerability in the access control list (ACL) programming of Cisco ASR 900 and ASR 920 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to incorrect programming of hardware when an ACL is configured using a method other than the configuration CLI. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass an ACL on the affected device.

Vendor: Cisco (1)
Products: Ios Xe (1)
Updated: Nov 21, 2024 · Published: Sep 23, 2021
CVSS: v4 N/A · v3 5.8 MEDIUM · v2 4.3 MEDIUM
A vulnerability in the Zone-Based Policy Firewall feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to prevent the Zone-Based Policy Firewall from correctly classifying traffic. This vulnerability exists because ICMP and UDP responder-to-initiator flows are not inspected when the Zone-Based Policy Firewall has either Unified Threat Defense (UTD) or Application Quality of Experience (AppQoE) configured. An attacker could exploit this vulnerability by attempting to send UDP or ICMP flows through the network. A successful exploit could allow the attacker to inject traffic through the Zone-Based Policy Firewall, resulting in traffic being dropped because it is incorrectly classified or in incorrect reporting figures being produced by high-speed logging (HSL).

Vendor: Cisco (1)
Products (41): 1100 8p Firmware, 1120 Firmware, 1160 Firmware, +38 more
Updated: Nov 21, 2024 · Published: Sep 23, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 7.2 HIGH
A vulnerability in the SSH management feature of multiple Cisco Access Points (APs) platforms could allow a local, authenticated user to modify files on the affected device and possibly gain escalated privileges. The vulnerability is due to improper checking on file operations within the SSH management interface. A network administrator user could exploit this vulnerability by accessing an affected device through SSH management to make a configuration change. A successful exploit could allow the attacker to gain privileges equivalent to the root user.

Vendor: Bootstrapped (1)
Products: Visual Link Preview (1)
Updated: Nov 21, 2024 · Published: Sep 20, 2021
CVSS: v4 N/A · v3 5.4 MEDIUM · v2 5.5 MEDIUM
The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) Get and search through title and content of Draft post, 2) Get title of a password-protected post as well as 3) Upload an image from an URL

Vendor: Motopress (1)
Products: Timetable And Event Schedule (1)
Updated: Nov 21, 2024 · Published: Sep 20, 2021
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 4.3 MEDIUM
The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when deleting a timeslot, allowing any user with the edit_posts capability (contributor+) to delete arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be performed via CSRF against a logged in with such capability

Vendor: Siemens (1)
Products: Sinema Remote Connect Server (1)
Updated: Apr 23, 2025 · Published: Sep 14, 2021
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 3.3 LOW
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected software allows sending send-to-sleep notifications to the managed devices. An unauthenticated attacker in the same network of the affected system can abuse these notifications to cause a Denial-of-Service condition in the managed devices.

Vendor: Samsung (1)
Products: Penup (1)
Updated: Nov 21, 2024 · Published: Sep 9, 2021
CVSS: v4 N/A · v3 3.3 LOW · v2 2.1 LOW
Improper access control vulnerability in PENUP prior to version 3.8.00.18 allows arbitrary webpage loading in webview.

Vendor: Solarwinds (1)
Products: Orion Platform (1)
Updated: Nov 21, 2024 · Published: Aug 31, 2021
CVSS: v4 N/A · v3 8.8 HIGH · v2 9.0 HIGH
An Improper Access Control Privilege Escalation Vulnerability was discovered in the User Setting of Orion Platform version 2020.2.5. It allows a guest user to elevate privileges to the Administrator using this vulnerability. Authentication is required to exploit the vulnerability.

Vendor: Solarwinds (1)
Products: Orion Platform (1)
Updated: Nov 21, 2024 · Published: Aug 31, 2021
CVSS: v4 N/A · v3 8.1 HIGH · v2 5.5 MEDIUM
Improper Access Control Tampering Vulnerability using ImportAlert function which can lead to a Remote Code Execution (RCE) from the Alerts Settings page.