CWE-284

5,081 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,081)

Each entry below gives the vendor, product(s), updated date, published date and CVSS scores (v4, v3, v2), followed by the CVE description.

Vendor: Gigastone
Product: Smart Battery A4 Firmware
Updated: Nov 21, 2024 · Published: Sep 25, 2019
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 10.0 HIGH
A broken access control vulnerability in Smart Battery A4, a multifunctional portable charger, firmware version <= r1.7.9 allows an attacker to get/reset administrator's password without any authentication.

Vendor: Schneider Electric
Product: Bmxnor0200h Firmware
Updated: Nov 21, 2024 · Published: Sep 17, 2019
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
CWE-284: Improper Access Control vulnerability exists in BMXNOR0200H Ethernet / Serial RTU module (all firmware versions), which could cause the execution of commands by unauthorized users when using IEC 60870-5-104 protocol.

Vendor: Siemens
Product: Sinema Remote Connect Server
Updated: Nov 21, 2024 · Published: Sep 13, 2019
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 4.0 MEDIUM
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some pages that should only be accessible by a privileged user can also be accessed by a non-privileged user. The security vulnerability could be exploited by an attacker with network access and valid credentials for the web interface. No user interaction is required. The vulnerability could allow an attacker to access information that he should not be able to read. The affected information does not include passwords. At the time of advisory publication no public exploitation of this security vulnerability was known.

Vendor: Bosch
Product: Access
Updated: Nov 21, 2024 · Published: Sep 12, 2019
CVSS: v4 N/A · v3 7.5 HIGH · v2 4.0 MEDIUM
An unauthenticated attacker can achieve unauthorized access to sensitive data by exploiting Windows SMB protocol on a client installation. With Bosch Access Professional Edition (APE) 3.8, client installations need to be authorized by the APE administrator.

Vendor: Broadcom
Products: Ca Client Automation; Ca Workload Automation Ae
Updated: Nov 21, 2024 · Published: Sep 6, 2019
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
An access vulnerability in CA Common Services DIA of CA Technologies Client Automation 14 and Workload Automation AE 11.3.5, 11.3.6 allows a remote attacker to execute arbitrary code.

Vendor: Totemo
Product: Totemomail
Updated: Nov 21, 2024 · Published: Aug 30, 2019
CVSS: v4 N/A · v3 5.3 MEDIUM · v2 5.0 MEDIUM
Log viewer in totemomail 6.0.0 build 570 allows access to sessionIDs of high privileged users by leveraging access to a read-only auditor role.

Vendor: Wisetr
Product: User Email Verification For Woocommerce
Updated: Nov 21, 2024 · Published: Aug 29, 2019
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
The woo-confirmation-email plugin before 3.2.0 for WordPress has no blocking of direct access to supportive xl folders inside uploads.

Vendor: Cozmoslabs
Product: Profile Builder
Updated: Nov 21, 2024 · Published: Aug 22, 2019
CVSS: v4 N/A · v3 7.5 HIGH · v2 5.0 MEDIUM
The profile-builder plugin before 2.1.4 for WordPress has no access control for activating or deactivating addons via AJAX.

Vendor: Cisco
Product: Firepower Threat Defense
Updated: Nov 21, 2024 · Published: Aug 21, 2019
CVSS: v4 N/A · v3 7.5 HIGH · v2 5.0 MEDIUM
A vulnerability in the application policy configuration of the Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data. The vulnerability is due to insufficient application identification. An attacker could exploit this vulnerability by sending crafted traffic to an affected device. A successful exploit could allow the attacker to gain unauthorized read access to sensitive data.

Vendor: Google
Product: Nest Cam Iq Indoor Firmware
Updated: Nov 21, 2024 · Published: Aug 20, 2019
CVSS: v4 N/A · v3 7.5 HIGH · v2 7.8 HIGH
An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. Specially crafted Weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially crafted packet to trigger this vulnerability.

Vendor: Invite Anyone Project
Product: Invite Anyone
Updated: Nov 21, 2024 · Published: Aug 16, 2019
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
The invite-anyone plugin before 1.3.16 for WordPress has incorrect access control for email-based invitations.

Vendor: Tapplock
Product: One+ Firmware
Updated: Nov 21, 2024 · Published: Aug 8, 2019
CVSS: v4 N/A · v3 8.8 HIGH · v2 5.8 MEDIUM
The Bluetooth Low Energy (BLE) subsystem on Tapplock devices before 2018-06-12 allows replay attacks.

Vendor: Cpanel
Product: Cpanel
Updated: Nov 21, 2024 · Published: Aug 7, 2019
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
cPanel before 58.0.4 allows code execution in the context of other user accounts through the PHP CGI handler (SEC-142).

Vendor: Cpanel
Product: Cpanel
Updated: Nov 21, 2024 · Published: Aug 7, 2019
CVSS: v4 N/A · v3 5.5 MEDIUM · v2 2.1 LOW
cPanel before 58.0.4 does not set the Pear tmp directory during a PHP installation (SEC-137).

Vendor: Cpanel
Product: Cpanel
Updated: Nov 21, 2024 · Published: Aug 6, 2019
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
cPanel before 59.9999.145 allows code execution in the context of other accounts via mailman list archives (SEC-141).

Vendor: Cpanel
Product: Cpanel
Updated: Nov 21, 2024 · Published: Aug 2, 2019
CVSS: v4 N/A · v3 4.4 MEDIUM · v2 4.9 MEDIUM
cPanel before 62.0.17 allows arbitrary file-read operations via WHM /styled/ URLs (SEC-218).

Vendor: Cpanel
Product: Cpanel
Updated: Nov 21, 2024 · Published: Aug 2, 2019
CVSS: v4 N/A · v3 3.3 LOW · v2 2.1 LOW
cPanel before 66.0.2 allows demo accounts to create databases and users (SEC-271).

Vendor: Siemens
Product: Siprotec 5 Digsi Device Driver
Updated: Nov 21, 2024 · Published: Aug 2, 2019
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
A vulnerability has been identified in SIPROTEC 5 devices with CPU variants CP200 (All versions < V7.59), SIPROTEC 5 devices with CPU variants CP300 and CP100 (All versions < V8.01), Siemens Power Meters Series 9410 (All versions < V2.2.1), Siemens Power Meters Series 9810 (All versions). An unauthenticated attacker with network access to the device could potentially insert arbitrary code which is executed before firmware verification in the device. At the time of advisory publication no public exploitation of this security vulnerability was known.

Vendor: Cpanel
Product: Cpanel
Updated: Nov 21, 2024 · Published: Aug 2, 2019
CVSS: v4 N/A · v3 5.5 MEDIUM · v2 3.6 LOW
cPanel before 67.9999.103 allows arbitrary file-overwrite operations during a Roundcube SQLite schema update (SEC-303).

Vendor: Cpanel
Product: Cpanel
Updated: Nov 21, 2024 · Published: Aug 2, 2019
CVSS: v4 N/A · v3 3.1 LOW · v2 4.9 MEDIUM
cPanel before 68.0.15 allows domain data to be deleted for domains with the .lock TLD (SEC-341).