Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,077)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-65594 1Os4ed 1Opensis Dec 11, 2025 Dec 9, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users.
CVE-2025-64673 1Microsoft 10Windows 10 1809 Windows 10 21h2Windows 10 22h2+7 more Dec 10, 2025 Dec 9, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Storvsp.sys Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-62570 1Microsoft 3Windows 11 24h2 Windows 11 25h2Windows Server 2025 Dec 10, 2025 Dec 9, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Improper access control in Windows Camera Frame Server Monitor allows an authorized attacker to disclose information locally.
CVE-2025-62474 1Microsoft 14Windows 10 1607 Windows 10 1809Windows 10 21h2+11 more Dec 12, 2025 Dec 9, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.
CVE-2025-59923 1Fortinet 1Fortiauthenticator Dec 11, 2025 Dec 9, 2025 N/A· v4 2.7 LOW· v3 N/A· v2 An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an auth...Show more An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least read-only admin permission to obtain the credentials of other administrators' messaging services via crafted requests.Show less
CVE-2025-59810 1Fortinet 1Fortisoar Dec 9, 2025 Dec 9, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An improper access control vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 th...Show more An improper access control vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow information disclosure to an authenticated attacker via crafted requestsShow less
CVE-2025-59517 1Microsoft 12Windows 10 1607 Windows 10 1809Windows 10 21h2+9 more Dec 12, 2025 Dec 9, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally.
CVE-2025-63739 1Rockoa 1Rockoa Dec 12, 2025 Dec 9, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An issue was discovered in function phpinisaveAction in file webmain/system/cogini/coginiAction.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to authenticated users to modify PHP configuration files via the a par...Show more An issue was discovered in function phpinisaveAction in file webmain/system/cogini/coginiAction.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to authenticated users to modify PHP configuration files via the a parameter to the index.php endpoint.Show less
CVE-2025-40939 1Siemens 1Simatic Cn 4100 Firmware Dec 16, 2025 Dec 9, 2025 5.1 MEDIUM· v4 4.6 MEDIUM· v3 N/A· v2 A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected device contains a USB port which allows unauthenticated connections. This could allow an attacker with physical access to the d...Show more A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected device contains a USB port which allows unauthenticated connections. This could allow an attacker with physical access to the device to trigger reboot that could cause denial of service condition.Show less
CVE-2025-14286 1Tenda 1Ac9 Firmware Dec 11, 2025 Dec 9, 2025 5.5 MEDIUM· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A vulnerability was determined in Tenda AC9 15.03.05.14_multi. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/DownloadCfg.jpg of the component Configuration File Handler. This manipulatio...Show more A vulnerability was determined in Tenda AC9 15.03.05.14_multi. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/DownloadCfg.jpg of the component Configuration File Handler. This manipulation causes information disclosure. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.Show less
CVE-2025-65797 1Usememos 1Memos Dec 11, 2025 Dec 8, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover...Show more Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Service (DoS).Show less
CVE-2025-65795 1Usememos 1Memos Dec 9, 2025 Dec 8, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.
CVE-2025-65798 1Usememos 1Memos Dec 9, 2025 Dec 8, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.
CVE-2025-65796 1Usememos 1Memos Dec 9, 2025 Dec 8, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users' Memos.
CVE-2025-14219 1Campcodes 1Retro Basketball Shoes Online Store Apr 29, 2026 Dec 8, 2025 2.0 LOW· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_running.php. Executing a manipulation of the argument product_imag...Show more A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_running.php. Executing a manipulation of the argument product_image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.Show less
CVE-2025-14199 1Verysync 1Verysync Apr 29, 2026 Dec 7, 2025 2.1 LOW· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A flaw has been found in Verysync 微力同步 up to 2.21.3. This impacts an unknown function of the file /rest/f/api/resources/f96956469e7be39d/tmp/text.txt?override=false of the component Web Administration Module. Executing m...Show more A flaw has been found in Verysync 微力同步 up to 2.21.3. This impacts an unknown function of the file /rest/f/api/resources/f96956469e7be39d/tmp/text.txt?override=false of the component Web Administration Module. Executing manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-14198 1Verysync 1Verysync Dec 11, 2025 Dec 7, 2025 5.5 MEDIUM· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability was detected in Verysync 微力同步 2.21.3. This affects an unknown function of the file /safebrowsing/clientreport/download?key=dummytoken of the component Web Administration Module. Performing manipulation re...Show more A vulnerability was detected in Verysync 微力同步 2.21.3. This affects an unknown function of the file /safebrowsing/clientreport/download?key=dummytoken of the component Web Administration Module. Performing manipulation results in information disclosure. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-14197 - - Dec 8, 2025 Dec 7, 2025 5.5 MEDIUM· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A security vulnerability has been detected in Verysync 微力同步 up to 2.21.3. The impacted element is an unknown function of the file /rest/f/api/resources/f96956469e7be39d of the component Web Administration Module. Such ma...Show more A security vulnerability has been detected in Verysync 微力同步 up to 2.21.3. The impacted element is an unknown function of the file /rest/f/api/resources/f96956469e7be39d of the component Web Administration Module. Such manipulation leads to information disclosure. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-14195 1Carmelogarcia 1Employee Profile Management System Apr 29, 2026 Dec 7, 2025 2.1 LOW· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A security flaw has been discovered in code-projects Employee Profile Management System 1.0. Impacted is an unknown function of the file /profiling/add_file_query.php. The manipulation of the argument per_file results in...Show more A security flaw has been discovered in code-projects Employee Profile Management System 1.0. Impacted is an unknown function of the file /profiling/add_file_query.php. The manipulation of the argument per_file results in unrestricted upload. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.Show less
CVE-2025-66557 1Nextcloud 1Deck Dec 9, 2025 Dec 5, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Ca...Show more Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2.Show less

Previous 1...434445...254 Next