CWE-284: Improper Access Control

This vulnerability allows attackers to bypass authentication in the 2nd Line Android app by brute-forcing user tokens, since the server only validates...

The AG Life Logger Android app exposes credentials in network traffic and uses predictable verification codes, allowing attackers to intercept authent...

The TalkTalk 3.3.6 Android app contains improper access control vulnerabilities in multiple API endpoints. Attackers can modify request parameters to ...

This vulnerability allows attackers to bypass authentication in the AdForest Android app by manipulating Base64-encoded email credentials. Attackers c...

The mCarFix Motorists App version 2.3 contains improper access control vulnerabilities that allow attackers to bypass verification and register fake a...

This vulnerability allows unauthenticated attackers on the local network to interact with Dataphone A920 devices via port 8888 without credentials. Th...

This vulnerability in Oracle VM VirtualBox allows a low-privileged attacker with local access to the host system to potentially take over VirtualBox t...

An improper access control vulnerability in Windows SMB Server allows authenticated attackers to elevate privileges over the network. This affects Win...

A vulnerability in Stormshield Network Security (SNS) firewalls allows TPM authentication information to be shared among administrators in certain hig...

A broken access control vulnerability in HPE Aruba EdgeConnect OS allows attackers to bypass firewall protections, potentially enabling unauthorized n...

This vulnerability allows malicious applications to bypass Mobile Device Management (MDM) profile restrictions on macOS systems. It affects organizati...

This vulnerability in Dynamics 365 FastTrack Implementation Assets allows unauthorized access to sensitive information. It affects organizations using...

This CVE describes an account takeover vulnerability in the Bevy Event service when SSO is used. Attackers can hijack victim accounts by exploiting SS...

This vulnerability allows attackers to bypass authentication in my-site v1.0.2 by exploiting incorrect access control in the BaseInterceptor class. At...

This vulnerability allows attackers to bypass authentication in my-site v1.0.2.RELEASE by exploiting incorrect access control in the preHandle functio...

This vulnerability allows unauthenticated attackers to access the Database Monitor administrative interface in Sage DPW software through specially cra...

Apache Traffic Server versions 9.0.0-9.2.10 and 10.0.0-10.0.6 have an ACL bypass vulnerability when using PROXY protocol. The access control lists in ...

This vulnerability in Microsoft's Local Security Authority Server allows unauthorized attackers to cause denial of service over a network. It affects ...

This vulnerability allows a privileged user on affected Intel Xeon 6 processors with E-cores to potentially escalate privileges through improper memor...

An unauthenticated booking logic flaw in Easy!Appointments v1.5.1 allows attackers to create appointments with excessively long durations, blocking al...

This vulnerability allows attackers to bypass access controls in PassJava-Platform's schedule log component, enabling unauthorized access to sensitive...

This vulnerability in Shiro-Action v0.6 allows attackers to bypass access controls on the /user/list endpoint, potentially exposing sensitive user inf...

This vulnerability allows attackers to bypass access controls in the /user/list endpoint of production_ssm v0.0.1-SNAPSHOT, enabling unauthorized acce...

This vulnerability allows attackers to bypass access controls in Xinguan v0.0.1-SNAPSHOT's /system/user/findUserList API, enabling unauthorized access...

This vulnerability allows attackers to bypass access controls and download a JSON configuration file containing sensitive account information from DBS...

This vulnerability allows remote unauthenticated attackers to change the IP address of affected SICK devices, causing denial of service by making the ...

G-Net Dashcam BB GONX devices use an unregistered public domain name for internal communication, creating a security vulnerability. An attacker could ...

This vulnerability allows authenticated remote attackers to extract sensitive information from Odoo's mail module through an oracle-based attack that ...

This vulnerability allows unauthorized attackers to delete complaints in CodeAstro Complaint Management System v1.0 by manipulating the id parameter i...

This vulnerability in macrozheng mall-tiny 1.0.1 allows attackers to maintain access to user accounts even after logout due to improper token invalida...

An authenticated attacker can change their subscription plan without payment by manipulating POST requests to the payment endpoint. This affects all E...

An Improper Access Control vulnerability in EmbedAI 2.1 and earlier allows authenticated attackers to access database backup files via a specific endp...

This CVE describes an improper access control vulnerability in Joomla core that allows unauthorized users to access protected views. It affects Joomla...

This vulnerability allows an authorized attacker to elevate privileges in Imagine Cup software over a network connection. Attackers with existing acce...

CVE-2024-45408 is an incorrect permission check vulnerability in eLabFTW that allows authenticated users to access restricted information. If anonymou...

An access control vulnerability in IceCMS v3.4.7 and earlier allows attackers to modify any user's information, including usernames and passwords, wit...

This UEFI firmware vulnerability in certain Intel processors allows a privileged user with local access to potentially escalate privileges by bypassin...

This vulnerability allows unauthenticated attackers to disable Verifiable ID's on other tenants in Decentralized Identity Services due to improper acc...

An unauthenticated attacker can access the /admin/rooms.php endpoint in Kashipara Hotel Management System v1.0, allowing them to view hotel room entri...

This vulnerability in Joomla! allows backend users to overwrite their usernames even when this action should be restricted by access controls. This af...

This vulnerability in flask-cors 4.0.1 sets the Access-Control-Allow-Private-Network CORS header to true by default, allowing external websites to mak...

An incorrect access control vulnerability in Feripro allows remote attackers to export sensitive registration and participant data via the /admin/prog...

CVE-2024-40786 is an Apple iOS/iPadOS/macOS vulnerability involving improper state management that allows attackers to view sensitive user information...

This vulnerability allows an authenticated attacker to perform cross-session activation of DCOM objects, potentially gaining elevated privileges. It a...

This vulnerability in Shenzhen Weitillage Industrial Co., Ltd's access management specialist software allows remote attackers to access sensitive info...

This CVE describes an Improper Access Control vulnerability in Adobe ColdFusion that allows unauthenticated attackers to read arbitrary files from the...

CVE-2024-26029 is an improper access control vulnerability in Adobe Experience Manager that allows attackers to bypass security features and potential...

An unauthenticated read-what-where vulnerability in AutomationDirect P3-550E programming software allows attackers to read arbitrary memory locations ...

This vulnerability in FileMaker Server allows unauthorized access to database records by bypassing transaction validation. It affects organizations us...

This CVE describes an improper certificate validation vulnerability in UniFi Connect products that allows attackers on the same network to potentially...