Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,081)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-10288 1Abb 1Robotware Nov 21, 2024 Jul 15, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 IRC5 exposes an ftp server (port 21). Upon attempting to gain access you are challenged with a request of username and password, however you can input whatever you like. As long as the field isn't empty it will be accept...Show more IRC5 exposes an ftp server (port 21). Upon attempting to gain access you are challenged with a request of username and password, however you can input whatever you like. As long as the field isn't empty it will be accepted.Show less
CVE-2020-14499 1Advantech 1Iview Nov 21, 2024 Jul 15, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials.
CVE-2020-7578 1Siemens 1Opcenter Execution Core Nov 21, 2024 Jul 14, 2020 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 A vulnerability has been identified in Camstar Enterprise Platform (All versions), Opcenter Execution Core (All versions < V8.2). Authenticated users could have access to resources they normally would not have. This vuln...Show more A vulnerability has been identified in Camstar Enterprise Platform (All versions), Opcenter Execution Core (All versions < V8.2). Authenticated users could have access to resources they normally would not have. This vulnerability could allow an attacker to view internal information and perform unauthorized changes.Show less
CVE-2020-8196 1Citrix 4Application Delivery Controller Firmware Gateway FirmwareNetscaler Gateway Firmware+1 more Oct 30, 2025 Jul 10, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limi...Show more Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.Show less
CVE-2020-8193 1Citrix 4Application Delivery Controller Firmware Gateway FirmwareNetscaler Gateway Firmware+1 more Oct 30, 2025 Jul 10, 2020 N/A· v4 6.5 MEDIUM· v3 5.0 MEDIUM· v2 Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenti...Show more Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.Show less
CVE-2020-8179 1Nextcloud 1Deck Nov 21, 2024 Jul 2, 2020 N/A· v4 4.1 MEDIUM· v3 4.0 MEDIUM· v2 Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to inject tasks into other users decks.
CVE-2020-15079 1Prestashop 1Prestashop Nov 21, 2024 Jul 2, 2020 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there is improper access control in Carrier page, Module Manager and Module Positions. The problem is fixed in version 1.7.6.6
CVE-2020-2500 1Qnap 1Helpdesk Nov 21, 2024 Jul 1, 2020 N/A· v4 6.5 MEDIUM· v3 6.4 MEDIUM· v2 This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to...Show more This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and later versions.Show less
CVE-2020-12024 1Baxter 2Em1200 Firmware Em2400 Firmware Nov 21, 2024 Jun 29, 2020 N/A· v4 6.1 MEDIUM· v3 3.6 LOW· v2 Baxter ExactaMix EM 2400 versions 1.10, 1.11, 1.13, 1.14 and ExactaMix EM1200 Versions 1.1, 1.2, 1.4 and 1.5 does not restrict access to the USB interface from an unauthorized user with physical access. Successful exploi...Show more Baxter ExactaMix EM 2400 versions 1.10, 1.11, 1.13, 1.14 and ExactaMix EM1200 Versions 1.1, 1.2, 1.4 and 1.5 does not restrict access to the USB interface from an unauthorized user with physical access. Successful exploitation of this vulnerability may allow an attacker with physical access to the system the ability to load an unauthorized payload or unauthorized access to the hard drive by booting a live USB OS. This could impact confidentiality and integrity of the system and risk exposure of sensitive information including PHI.Show less
CVE-2020-10278 4Aliasrobotics Enabled RoboticsMobile Industrial Robotics+1 more 10Er Flex Firmware Er Lite FirmwareEr One Firmware+7 more Nov 21, 2024 Jun 24, 2020 N/A· v4 4.6 MEDIUM· v3 5.0 MEDIUM· v2 The BIOS onboard MiR's Computer is not protected by password, therefore, it allows a Bad Operator to modify settings such as boot order. This can be leveraged by a Malicious operator to boot from a Live Image.
CVE-2020-4062 1Cyberark 1Conjur Oss Helm Chart Nov 21, 2024 Jun 22, 2020 N/A· v4 9.0 CRITICAL· v3 7.7 HIGH· v2 In Conjur OSS Helm Chart before 2.0.0, a recently identified critical vulnerability resulted in the installation of the Conjur Postgres database with an open port. This allows an attacker to gain full read & write access...Show more In Conjur OSS Helm Chart before 2.0.0, a recently identified critical vulnerability resulted in the installation of the Conjur Postgres database with an open port. This allows an attacker to gain full read & write access to the Conjur Postgres database, including escalating the attacker's privileges to assume full control. A malicious actor who knows the IP address and port number of the Postgres database and has access into the Kubernetes cluster where Conjur runs can gain full read & write access to the Postgres database. This enables the attacker to write a policy that allows full access to retrieve any secret. This Helm chart is a method to install Conjur OSS into a Kubernetes environment. Hence, the systems impacted are only Conjur OSS systems that were deployed using this chart. Other deployments including Docker and the CyberArk Dynamic Access Provider (DAP) are not affected. To remediate this vulnerability, clone the latest Helm Chart and follow the upgrade instructions. If you are not able to fully remediate this vulnerability immediately, you can mitigate some of the risk by making sure Conjur OSS is deployed on an isolated Kubernetes cluster or namespace. The term "isolated" refers to: - No other workloads besides Conjur OSS and its backend database are running in that Kubernetes cluster/namespace. - Kubernetes and helm access to the cluster/namespace is limited to security administrators via Role-Based Access Control (RBAC).Show less
CVE-2020-3364 1Cisco 1Ios Xr Nov 21, 2024 Jun 18, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability in the access control list (ACL) functionality of the standby route processor management interface of Cisco IOS XR Software could allow an unauthenticated, remote attacker to reach the configured IP addre...Show more A vulnerability in the access control list (ACL) functionality of the standby route processor management interface of Cisco IOS XR Software could allow an unauthenticated, remote attacker to reach the configured IP addresses on the standby route processor management Gigabit Ethernet Management interface. The vulnerability is due to a logic error that was introduced in the Cisco IOS XR Software, which prevents the ACL from working when applied against the standby route processor management interface. An attacker could exploit this vulnerability by attempting to access the device through the standby route processor management interface.Show less
CVE-2020-3245 1Cisco 1Smart Software Manager On Prem Nov 21, 2024 Jun 18, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability in the web application of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to create arbitrary user accounts. The vulnerability is due to the lack of auth...Show more A vulnerability in the web application of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to create arbitrary user accounts. The vulnerability is due to the lack of authorization controls in the web application. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to add user accounts to the configuration of an affected device. These accounts would not be administrator or operator accounts.Show less
CVE-2020-3231 1Cisco 1Ios Nov 21, 2024 Jun 3, 2020 N/A· v4 4.7 MEDIUM· v3 2.9 LOW· v2 A vulnerability in the 802.1X feature of Cisco Catalyst 2960-L Series Switches and Cisco Catalyst CDB-8P Switches could allow an unauthenticated, adjacent attacker to forward broadcast traffic before being authenticated...Show more A vulnerability in the 802.1X feature of Cisco Catalyst 2960-L Series Switches and Cisco Catalyst CDB-8P Switches could allow an unauthenticated, adjacent attacker to forward broadcast traffic before being authenticated on the port. The vulnerability exists because broadcast traffic that is received on the 802.1X-enabled port is mishandled. An attacker could exploit this vulnerability by sending broadcast traffic on the port before being authenticated. A successful exploit could allow the attacker to send and receive broadcast traffic on the 802.1X-enabled port before authentication.Show less
CVE-2020-12493 1Swarco 1Cpu Ls4000 Firmware Nov 21, 2024 May 29, 2020 N/A· v4 10.0 CRITICAL· v3 10.0 HIGH· v2 An open port used for debugging in SWARCOs CPU LS4000 Series with versions starting with G4... grants root access to the device without access control via network. A malicious user could use this vulnerability to get acc...Show more An open port used for debugging in SWARCOs CPU LS4000 Series with versions starting with G4... grants root access to the device without access control via network. A malicious user could use this vulnerability to get access to the device and disturb operations with connected devices.Show less
CVE-2020-6774 1Bosch 1Recording Station Firmware Nov 21, 2024 May 27, 2020 N/A· v4 8.8 HIGH· v3 7.2 HIGH· v2 Improper Access Control in the Kiosk Mode functionality of Bosch Recording Station allows a local unauthenticated attacker to escape from the Kiosk Mode and access the underlying operating system.
CVE-2020-9046 1Johnsoncontrols 1Kantech Entrapass Nov 21, 2024 May 26, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A vulnerability in all versions of Kantech EntraPass Editions could potentially allow an authorized low-privileged user to gain full system-level privileges by replacing critical files with specifically crafted files.
CVE-2020-2025 1Katacontainers 1Runtime Nov 21, 2024 May 19, 2020 N/A· v4 8.8 HIGH· v3 4.6 MEDIUM· v2 Kata Containers before 1.11.0 on Cloud Hypervisor persists guest filesystem changes to the underlying image file on the host. A malicious guest can overwrite the image file to gain control of all subsequent guest VMs. Si...Show more Kata Containers before 1.11.0 on Cloud Hypervisor persists guest filesystem changes to the underlying image file on the host. A malicious guest can overwrite the image file to gain control of all subsequent guest VMs. Since Kata Containers uses the same VM image file with all VMMs, this issue may also affect QEMU and Firecracker based guests.Show less
CVE-2020-11931 2Canonical Pulseaudio 2Pulseaudio Ubuntu Linux Nov 21, 2024 May 15, 2020 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 An Ubuntu-specific modification to Pulseaudio to provide security mediation for Snap-packaged applications was found to have a bypass of intended access restriction for snaps which plugs any of pulseaudio, audio-playback...Show more An Ubuntu-specific modification to Pulseaudio to provide security mediation for Snap-packaged applications was found to have a bypass of intended access restriction for snaps which plugs any of pulseaudio, audio-playback or audio-record via unloading the pulseaudio snap policy module. This issue affects: pulseaudio 1:8.0 versions prior to 1:8.0-0ubuntu3.12; 1:11.1 versions prior to 1:11.1-1ubuntu7.7; 1:13.0 versions prior to 1:13.0-1ubuntu1.2; 1:13.99.1 versions prior to 1:13.99.1-1ubuntu3.2;Show less
CVE-2020-10612 1Opto22 1Softpac Project Nov 21, 2024 May 14, 2020 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 Opto 22 SoftPAC Project Version 9.6 and prior. SoftPACAgent communicates with SoftPACMonitor over network Port 22000. However, this port is open without any restrictions. This allows an attacker with network access to co...Show more Opto 22 SoftPAC Project Version 9.6 and prior. SoftPACAgent communicates with SoftPACMonitor over network Port 22000. However, this port is open without any restrictions. This allows an attacker with network access to control the SoftPACAgent service including updating SoftPAC firmware, starting or stopping service, or writing to certain registry values.Show less

Previous 1...195196197...255 Next