CWE-284

5,090 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.


CVEs (5,090)

Vendor: Samsung
Products: Members
Updated: Nov 21, 2024 | Published: Jul 8, 2021
CVSS: v4 N/A | v3 7.8 HIGH | v2 4.6 MEDIUM
Improper access control vulnerability in Samsung Members prior to versions 2.4.85.11 in Android O(8.1) and below, and 3.9.10.11 in Android P(9.0) and above allows untrusted applications to cause local file inclusion in webview.

Vendor: Samsung
Products: Cameralyzer
Updated: Nov 21, 2024 | Published: Jul 8, 2021
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 2.1 LOW
Improper access control vulnerability in Cameralyzer prior to versions 3.2.1041 in 3.2.x, 3.3.1040 in 3.3.x, and 3.4.4210 in 3.4.x allows untrusted applications to access some functions of Cameralyzer.

Vendor: Qnap
Products: Hybrid Backup Sync
Updated: Nov 21, 2024 | Published: Jul 8, 2021
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 10.0 HIGH
An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3. If exploited, this vulnerability allows attackers to compromise the security of the operating system. QNAP have already fixed this vulnerability in the following versions of HBS 3: QTS 4.3.6: HBS 3 v3.0.210507 and later; QTS 4.3.4: HBS 3 v3.0.210506 and later; QTS 4.3.3: HBS 3 v3.0.210506 and later.

Vendor: Qsan
Products: Storage Manager
Updated: Nov 21, 2024 | Published: Jul 7, 2021
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
Improper access control vulnerability in share_link in QSAN Storage Manager allows remote attackers to download arbitrary files using a particular parameter in the download function. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3.

Vendor: Qsan
Products: Storage Manager
Updated: Nov 21, 2024 | Published: Jul 7, 2021
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
Improper access control vulnerability in FirmwareUpgrade in QSAN Storage Manager allows remote attackers to reboot and discontinue the device. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3.

Vendor: Wp Upload Restriction Project
Products: Wp Upload Restriction
Updated: Nov 21, 2024 | Published: Jul 7, 2021
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 3.5 LOW
A vulnerability in the getSelectedMimeTypesByRole function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to view custom extensions added by administrators. This issue affects versions 2.2.3 and prior.

Vendor: Wp Upload Restriction Project
Products: Wp Upload Restriction
Updated: Nov 21, 2024 | Published: Jul 7, 2021
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.0 MEDIUM
A vulnerability in the deleteCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to delete custom extensions added by administrators. This issue affects versions 2.2.3 and prior.

Vendor: Adobe
Products: Connect
Updated: Nov 21, 2024 | Published: Jun 28, 2021
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.0 MEDIUM
Adobe Connect version 11.2.1 (and earlier) is affected by an Improper access control vulnerability that can lead to the elevation of privileges. An attacker with 'Learner' permissions can leverage this scenario to access the list of event participants.

Vendor: Adobe
Products (2): Experience Manager, Experience Manager Cloud Service
Updated: Nov 21, 2024 | Published: Jun 28, 2021
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
AEM's Cloud Service offering, as well as versions 6.5.7.0 (and below), 6.4.8.3 (and below) and 6.3.3.8 (and below) are affected by an Improper Access Control vulnerability. An unauthenticated attacker could leverage this vulnerability to cause an application denial-of-service in the context of the current user.

Vendor: Bosch
Products (4): B426 Cn Firmware, B426 M Firmware, B426 Firmware, +1 more
Updated: Nov 21, 2024 | Published: Jun 18, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
This vulnerability could allow an attacker to hijack a session while a user is logged in to the configuration web page. This vulnerability was discovered by a security researcher in B426 and found during internal product tests in B426-CN/B429-CN, and B426-M, and has been fixed already starting from version 3.08 on, which was released in June 2019.

Vendor: Citrix
Products (3): Application Delivery Controller Firmware, Gateway, Netscaler Gateway
Updated: Nov 21, 2024 | Published: Jun 16, 2021
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
Citrix ADC and Citrix/NetScaler Gateway before 13.0-82.41, 12.1-62.23, 11.1-65.20 and Citrix ADC 12.1-FIPS before 12.1-55.238 suffer from improper access control allowing SAML authentication hijack through a phishing attack to steal a valid user session. Note that Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP for this to be possible.

Vendor: Posimyth
Products: The Plus Addons For Elementor
Updated: Nov 21, 2024 | Published: Jun 14, 2021
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 5.0 MEDIUM
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. This issue could be chained with an open redirect (CVE-2021-24358) in versions below 4.1.10 to include a crafted password reset link in the email, which would lead to an account takeover.

Vendor: Google
Products: Android
Updated: Nov 21, 2024 | Published: Jun 11, 2021
CVSS: v4 N/A | v3 7.8 HIGH | v2 7.2 HIGH
An improper access control vulnerability in genericssoservice prior to SMR JUN-2021 Release 1 allows local attackers to execute protected activity with system privilege via untrusted applications.

Vendor: Samsung
Products: Notes
Updated: Nov 21, 2024 | Published: Jun 11, 2021
CVSS: v4 N/A | v3 5.5 MEDIUM | v2 2.1 LOW
An improper access control vulnerability in ScreenOffActivity in Samsung Notes prior to version 4.2.04.27 allows untrusted applications to access local files.

Vendor: Redhat
Products: 3scale Api Management
Updated: Nov 21, 2024 | Published: Jun 2, 2021
CVSS: v4 N/A | v3 6.3 MEDIUM | v2 6.5 MEDIUM
A flaw was found in the Red Hat 3scale API Management Platform, where member permissions for an API's admin portal were not properly enforced. This flaw allows an authenticated user to bypass normal account restrictions and access API services where they do not have permission.

Vendor: Nextcloud
Products: Nextcloud Server
Updated: Nov 21, 2024 | Published: Jun 1, 2021
CVSS: v4 N/A | v3 8.6 HIGH | v2 5.0 MEDIUM
Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate server user added as a federated share. This happens because Nextcloud supports sharing registered users with other Nextcloud servers, which can be done automatically when selecting the "Add server automatically once a federated share was created successfully" setting. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2. As a workaround, disable "Add server automatically once a federated share was created successfully" in the Nextcloud settings.

Vendor: Nextcloud
Products: Mail
Updated: Nov 21, 2024 | Published: Jun 1, 2021
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.0 MEDIUM
Nextcloud Mail is a mail app for the Nextcloud platform. A missing permission check in Nextcloud Mail before 1.4.3 and 1.8.2 allows other authenticated users to access mail metadata of other users. Versions 1.4.3 and 1.8.2 contain patches for this vulnerability; no workarounds other than the patches are known to exist.

Vendor: Purethemes
Products: Listeo
Updated: Nov 21, 2024 | Published: Jun 1, 2021
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 5.5 MEDIUM
The Listeo WordPress theme before 1.6.11 did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated user to delete arbitrary pages/posts and bookings via an IDOR vector.

Vendor: Adobe
Products: Coldfusion
Updated: Nov 21, 2024 | Published: May 27, 2021
CVSS: v4 N/A | v3 7.8 HIGH | v2 7.2 HIGH
The Adobe ColdFusion installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\ColdFusion2021\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.

Vendor: Citrix
Products: Workspace
Updated: Nov 21, 2024 | Published: May 27, 2021
CVSS: v4 N/A | v3 7.8 HIGH | v2 7.2 HIGH
An improper access control vulnerability exists in Citrix Workspace App for Windows that potentially allows privilege escalation in CR versions prior to 2105 and 1912 LTSR prior to CU4.