Total: 4422 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13106 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-05-02 | 5.0 MEDIUM | 5.3 MEDIUM |

A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210 and classified as critical. Affected by this issue is some unknown functionality of the file /goform/form2IPQoSTcAdd of the component IP QoS Handler. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

| CVE-2024-13107 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-05-02 | 5.0 MEDIUM | 5.3 MEDIUM |

A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. It has been classified as critical. This affects an unknown part of the file /goform/form2LocalAclEditcfg.cgi of the component ACL Handler. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

| CVE-2024-13108 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-05-02 | 5.0 MEDIUM | 5.3 MEDIUM |

A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. It has been declared as critical. This vulnerability affects unknown code of the file /goform/form2NetSniper.cgi. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
| CVE-2022-24309 | 1 Mendix | 1 Mendix | 2025-05-02 | 4.9 MEDIUM | 6.8 MEDIUM |

A vulnerability has been identified in Mendix Runtime V7 (All versions < V7.23.29), Mendix Runtime V8 (All versions < V8.18.16), Mendix Runtime V9 (All versions < V9.13 only with Runtime Custom Setting *DataStorage.UseNewQueryHandler* set to False). If an entity has an association readable by the user, then in some cases, Mendix Runtime may not apply checks for XPath constraints that parse said associations, within apps running on affected versions. A malicious user could use this to dump and ma ...
| CVE-2025-46552 | | | 2025-05-02 | N/A | N/A |

KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, were exposed in API responses without proper access controls. This allowed unauthorized users to access sensitive user information by directly calling specific endpoints. This issue has been patched in a later commit on version 1.2.
| CVE-2021-46851 | 1 Huawei | 2 Emui, Harmonyos | 2025-05-01 | N/A | 9.8 CRITICAL |

The DRM module has a vulnerability in verifying the secure memory attributes. Successful exploitation of this vulnerability may cause abnormal video playback.

| CVE-2022-31687 | 1 Vmware | 1 Workspace One Assist | 2025-05-01 | N/A | 9.8 CRITICAL |

VMware Workspace ONE Assist prior to 22.10 contains a Broken Access Control vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application.
| CVE-2021-26360 | 1 Amd | 36 Enterprise Driver, Radeon Pro Software, Radeon Pro W6300m and 33 more | 2025-05-01 | N/A | 7.8 HIGH |

An attacker with local access to the system can make unauthorized modifications of the security configuration of the SOC registers. This could allow potential corruption of AMD secure processor's encrypted memory contents which may lead to arbitrary code execution in ASP.

| CVE-2022-43679 | 1 Owncloud | 1 Owncloud | 2025-05-01 | N/A | 4.2 MEDIUM |

The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless. This could be abused to spoof the URL in password-reset e-mail messages.
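The ownCloud entry above rests on one idea: absolute URLs placed into e-mail, password-reset links in particular, must be built from a configured host allow-list and never from the Host header, which the requester controls; otherwise a reset link (and the token in it) can be pointed at an attacker's domain. The Python below is an added illustration, not ownCloud's code, and it does not reproduce the Docker-image misconfiguration the entry refers to (the entry does not say what it was). The domain list, the /reset-password path and the sample headers are constructed for the example.

```python
"""Password-reset links built only from an allow-listed host.

Added illustration, not ownCloud code. TRUSTED_DOMAINS, RESET_PATH and the
sample headers are made up for the example.
"""
from urllib.parse import urlunsplit

# Constructed deployment config. An entry carries its port when the service is
# reached on a non-default port; matching below is exact, not substring.
TRUSTED_DOMAINS = ["cloud.example.com", "cloud.example.com:8443", "10.0.0.5"]
DEFAULT_DOMAIN = "cloud.example.com"
RESET_PATH = "/reset-password"   # placeholder path, not the product's real route


def allowlist_is_effective(trusted):
    """An empty list or a wildcard entry turns the allow-list into a no-op."""
    return bool(trusted) and all(d.strip() not in ("", "*") for d in trusted)


def _normalise_host(raw):
    """Case-fold and drop the trailing dot so 'CLOUD.EXAMPLE.COM.' matches."""
    return raw.strip().lower().rstrip(".")


def effective_host(headers, trusted=TRUSTED_DOMAINS, fallback=DEFAULT_DOMAIN,
                   trust_proxy=False):
    """Host to put into generated links.

    Candidates come from X-Forwarded-Host only when the app is known to sit
    behind a proxy that overwrites that header, then from Host. A candidate is
    used only if it is on the allow-list; otherwise the configured default is
    used instead of echoing whatever the client sent.
    """
    if not allowlist_is_effective(trusted):
        raise ValueError("trusted-domain list is empty or contains a wildcard; "
                         "refusing to derive link hosts from the request")
    candidates = []
    if trust_proxy and headers.get("X-Forwarded-Host"):
        candidates.append(headers["X-Forwarded-Host"].split(",")[0])
    if headers.get("Host"):
        candidates.append(headers["Host"])
    allowed = {_normalise_host(d) for d in trusted}
    for cand in candidates:
        host = _normalise_host(cand)
        if host in allowed:
            return host
    return fallback


def vulnerable_reset_link(headers, token):
    """Anti-pattern: the link's host is whatever the request said it was."""
    return urlunsplit(("https", headers["Host"], RESET_PATH, f"token={token}", ""))


def build_reset_link(headers, token, trusted=TRUSTED_DOMAINS):
    """Hardened form: same link, host taken from effective_host()."""
    return urlunsplit(("https", effective_host(headers, trusted), RESET_PATH,
                       f"token={token}", ""))


if __name__ == "__main__":
    spoofed = {"Host": "attacker.example"}          # constructed request
    print(vulnerable_reset_link(spoofed, "t0k"))   # link points at the attacker
    print(build_reset_link(spoofed, "t0k"))        # link points at the real service
```

The check is deliberately an exact match on the normalised host (including port): a suffix or substring match would accept `cloud.example.com.attacker.example`. Refusing to run at all when the list is empty or contains `*` is what turns a "useless" allow-list into a visible configuration error instead of a silent bypass.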
| CVE-2022-27673 | 1 Amd | 1 Amd Link | 2025-05-01 | N/A | 7.5 HIGH |

Insufficient access controls in the AMD Link Android app may potentially result in information disclosure.
| CVE-2025-3969 | 1 Code-projects | 1 News Publishing Site Dashboard | 2025-04-30 | 6.5 MEDIUM | 6.3 MEDIUM |

A vulnerability was found in code-projects News Publishing Site Dashboard 1.0. It has been rated as critical. This issue affects some unknown processing of the file /edit-category.php of the component Edit Category Page. The manipulation of the argument category_image leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

| CVE-2025-3830 | 1 Kuangstudy | 1 Kuangsimplebbs | 2025-04-30 | 6.5 MEDIUM | 6.3 MEDIUM |

A vulnerability was found in kuangstudy KuangSimpleBBS 1.0. It has been declared as critical. Affected by this vulnerability is the function fileUpload of the file src/main/java/com/kuang/controller/QuestionController.java. The manipulation of the argument editormd-image-file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
| CVE-2024-42772 | 1 Jayesh | 1 Hotel Management System | 2025-04-30 | N/A | 7.5 HIGH |

An Incorrect Access Control vulnerability was found in /admin/rooms.php in Kashipara Hotel Management System v1.0, which allows an unauthenticated attacker to view valid hotel room entries in the administrator section.

| CVE-2024-42775 | 1 Jayesh | 1 Hotel Management System | 2025-04-30 | N/A | 9.1 CRITICAL |

An Incorrect Access Control vulnerability was found in /admin/add_room_controller.php in Kashipara Hotel Management System v1.0, which allows an unauthenticated attacker to add hotel room entries in the administrator section via direct URL access.

| CVE-2024-42776 | 1 Jayesh | 1 Hotel Management System | 2025-04-30 | N/A | 7.2 HIGH |

Kashipara Hotel Management System v1.0 is vulnerable to Incorrect Access Control via /admin/users.php.
| CVE-2024-32418 | 1 Flusity | 1 Flusity | 2025-04-30 | N/A | 9.8 CRITICAL |

An issue in flusity CMS v2.33 allows a remote attacker to execute arbitrary code via the add_addon.php component.

| CVE-2024-27602 | 1 Alldata | 1 Alldata | 2025-04-30 | N/A | 9.1 CRITICAL |

Alldata V0.4.6 is vulnerable to Incorrect Access Control: the interface documentation of many modules is exposed, for example at /api/system/v2/api-docs.
| CVE-2025-32796 | 1 Langgenius | 1 Dify | 2025-04-30 | N/A | 6.5 MEDIUM |

Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in Dify where normal users can enable or disable apps through the API, even though the web UI button for this action is disabled and normal users are not permitted to make such changes. This access control flaw allows non-admin users to make unauthorized changes, which can disrupt the functionality and availability of the apps. This issue has been patched in version 0.6.12. A workarou ...
| CVE-2022-42126 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-04-30 | N/A | 4.3 MEDIUM |

The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.

| CVE-2024-20291 | 1 Cisco | 81 Nexus 3000 In Standalone Nx-os Mode, Nexus 3048, Nexus 31108pc-v and 78 more | 2025-04-30 | N/A | 5.8 MEDIUM |

A vulnerability in the access control list (ACL) programming for port channel subinterfaces of Cisco Nexus 3000 and 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to send traffic that should be blocked through an affected device.

This vulnerability is due to incorrect hardware programming that occurs when configuration changes are made to port channel member ports. An attacker could exploit this vulnerability by attempting to send traffic through ...
| CVE-2022-34827 | 1 Carel | 2 Boss Mini, Boss Mini Firmware | 2025-04-29 | N/A | 9.9 CRITICAL |

Carel Boss Mini 1.5.0 has Improper Access Control.

| CVE-2023-42969 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-04-29 | N/A | 3.3 LOW |

An app may be able to break out of its sandbox. This issue is fixed in iOS 17 and iPadOS 17, iOS 16.7 and iPadOS 16.7, macOS Sonoma 14, macOS Ventura 13.6, macOS Monterey 12.7. The issue was addressed with improved handling of caches.

| CVE-2025-30729 | 1 Oracle | 1 Communications Order And Service Management | 2025-04-29 | N/A | 5.5 MEDIUM |

Vulnerability in the Oracle Communications Order and Service Management product of Oracle Communications Applications (component: Security). Supported versions that are affected are 7.4.0, 7.4.1 and 7.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Order and Service Management. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can res ...

| CVE-2024-56195 | 1 Apache | 1 Traffic Server | 2025-04-29 | N/A | 6.3 MEDIUM |

Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.
| CVE-2025-32470 | | | 2025-04-29 | N/A | 7.5 HIGH |

A remote unauthenticated attacker may be able to change the IP address of the device, affecting the availability of the device.

| CVE-2025-4006 | | | 2025-04-29 | 5.8 MEDIUM | 4.7 MEDIUM |

A vulnerability classified as critical has been found in youyiio BeyongCms 1.6.0. Affected is an unknown function of the file /admin/theme/Upload.html of the component Document Management Page. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
| CVE-2022-39070 | 1 Zte | 4 Zxa10 C300m, Zxa10 C300m Firmware, Zxa10 C350m and 1 more | 2025-04-29 | N/A | 9.8 CRITICAL |

There is an access control vulnerability in some ZTE PON OLT products. Due to improper access control settings, remote attackers could use the vulnerability to log in to the device and execute any operation.

| CVE-2024-46609 | 1 Thecosy | 1 Icecms | 2025-04-28 | N/A | 7.5 HIGH |

An access control issue in the CheckVip function in UserController.java of IceCMS v3.4.7 and before allows unauthenticated attackers to retrieve all user information, including passwords.
| CVE-2024-45870 | 1 Bandisoft | 1 Bandiview | 2025-04-28 | N/A | 6.5 MEDIUM |

Bandisoft BandiView 7.05 is vulnerable to Incorrect Access Control in sub_0x3d80fc via a crafted POC file.

| CVE-2024-42797 | 1 Lopalopa | 1 Music Management System | 2025-04-28 | N/A | 9.8 CRITICAL |

An Incorrect Access Control vulnerability was found in /music/ajax.php?action=delete_playlist in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to delete valid music playlist entries.
| CVE-2024-46607 | 1 Thecosy | 1 Icecms | 2025-04-28 | N/A | 7.6 HIGH |

Incorrect access control in IceCMS v3.4.7 and before allows attackers to authenticate by entering any arbitrary values as the username and password via the loginAdmin method in the UserController.java file.

| CVE-2024-42021 | 1 Veeam | 1 One | 2025-04-28 | N/A | 6.5 MEDIUM |

An improper access control vulnerability allows an attacker with valid access tokens to access saved credentials.

| CVE-2024-42022 | 1 Veeam | 1 One | 2025-04-28 | N/A | 5.3 MEDIUM |

An incorrect permission assignment vulnerability allows an attacker to modify product configuration files.

| CVE-2024-42023 | 1 Veeam | 1 One | 2025-04-28 | N/A | 8.8 HIGH |

An improper access control vulnerability allows low-privileged users to execute code with Administrator privileges remotely.

| CVE-2024-44571 | 1 Relyum | 2 Rely-pcie, Rely-pcie Firmware | 2025-04-28 | N/A | 8.8 HIGH |

RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain incorrect access control in the mService function at phpinf.php.
| CVE-2024-42794 | 1 Lopalopa | 1 Music Management System | 2025-04-28 | N/A | 4.7 MEDIUM |

Kashipara Music Management System v1.0 is vulnerable to Incorrect Access Control via /music/ajax.php?action=save_user.

| CVE-2024-42795 | 1 Lopalopa | 1 Music Management System | 2025-04-28 | N/A | 4.2 MEDIUM |

An Incorrect Access Control vulnerability was found in /music/view_user.php?id=3 and /music/controller.php?page=edit_user&id=3 in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to view valid user details.

| CVE-2024-42796 | 1 Lopalopa | 1 Music Management System | 2025-04-28 | N/A | 5.9 MEDIUM |

An Incorrect Access Control vulnerability was found in /music/ajax.php?action=delete_genre in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to delete valid music genre entries.
| CVE-2024-38909 | 1 Std42 | 1 Elfinder | 2025-04-28 | N/A | 9.8 CRITICAL |

Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an attacker to expose secrets, achieve RCE, and more.
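The unrestricted-upload rows above (News Publishing Site Dashboard's category_image, KuangSimpleBBS's editormd-image-file, BeyongCms's File argument) and the elFinder row describe two halves of the same defect: either a file name is never checked at all, or it is checked on upload but not on a later copy or rename that gives the same bytes a new, executable name. The Python below is an added example, not code from any of those projects; the extension allow-list, magic bytes, executable-suffix list and in-memory store are constructed for the illustration. It puts the name and content checks in one place that both the upload and the copy path must call.

```python
"""One validation path for every operation that produces a file.

Added example; not code from any project named on this page. The allow-list,
magic bytes, suffix deny-list and in-memory store are constructed.
"""
import posixpath

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}       # an image field's policy
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}
# Suffixes that must not appear in any position: on servers that map handlers
# by any suffix (Apache mod_mime with AddHandler), 'x.php.jpg' can still run.
EXECUTABLE_SUFFIXES = {"php", "php3", "php5", "php7", "phtml", "phar", "cgi",
                       "pl", "py", "jsp", "jspx", "asp", "aspx", "sh", "htaccess"}


class UploadRejected(ValueError):
    pass


def validate_name(filename):
    """Return the effective (last, lower-cased) extension of an acceptable name.

    Rejects path components, control characters (a NUL can truncate the name
    in a lower layer), a missing base name or extension, an executable suffix
    anywhere in the name, and a final extension outside the allow-list.
    """
    if filename != posixpath.basename(filename.replace("\\", "/")):
        raise UploadRejected("path components are not allowed in a file name")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        raise UploadRejected("control characters are not allowed in a file name")
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        raise UploadRejected("file name needs a base name and an extension")
    if EXECUTABLE_SUFFIXES & set(parts[1:]):
        raise UploadRejected("executable suffix in file name")
    if parts[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{parts[-1]} is not allowed")
    return parts[-1]


def check_content(ext, data):
    """The bytes must match the extension, so a renamed script is caught."""
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected(f"content does not look like a .{ext} file")


class FileStore:
    """In-memory stand-in for an upload directory."""

    def __init__(self):
        self.files = {}

    def upload(self, filename, data):
        ext = validate_name(filename)
        check_content(ext, data)
        self.files[filename] = data
        return filename

    def copy_unchecked(self, src, dst):
        """Anti-pattern: trusts dst because src 'was validated on upload'."""
        self.files[dst] = self.files[src]
        return dst

    def copy(self, src, dst):
        """Hardened form: a new name is a new decision, checked like an upload."""
        ext = validate_name(dst)
        check_content(ext, self.files[src])
        self.files[dst] = self.files[src]
        return dst


if __name__ == "__main__":
    store = FileStore()
    store.upload("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)   # constructed PNG
    print(store.copy_unchecked("logo.png", "logo.php"))  # succeeds: the bug
    try:
        store.copy("logo.png", "logo2.php")
    except UploadRejected as exc:
        print("copy refused:", exc)
```

The magic-byte check catches a PHP file renamed to `.png`, but not a valid PNG with a script tucked into a chunk; that is why the name policy is enforced independently, and why uploads should additionally be served from a location the web server will not execute.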
| CVE-2023-47422 | 1 Tenda | 8 Ax12, Ax12 Firmware, Ax3 and 5 more | 2025-04-25 | N/A | 8.8 HIGH |

An access control issue in /usr/sbin/httpd in Tenda TX9 V1 V22.03.02.54, Tenda AX3 V3 V16.03.12.11, Tenda AX9 V1 V22.03.01.46, and Tenda AX12 V1 V22.03.01.46 allows attackers to bypass authentication on any endpoint via a crafted URL.
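Several rows on this page share one root cause: the server never makes a per-request authorization decision. The Kashipara Hotel Management System rows (admin pages reachable "via direct URL access"), the Music Management System rows (unauthenticated AJAX actions and user records viewable by id), the Dify row (an action the web UI hides from normal users but the API still performs) and the Tenda row (authentication bypassed "via a crafted URL"; the mechanism is not given here) all fit that description. The Python below is an added example, not code from any of those projects: a deny-by-default permission table keyed on the canonical path, plus an object-level ownership check. The route paths mirror the ones named on this page; the HTTP methods, the roles, the sessions and the /apps/enable placeholder are assumptions.

```python
"""Deny-by-default authorization decided on the canonical request path.

Added example; not code from any project on this page. Routes, roles and
sessions are constructed. Paths mirror the entries above; methods are assumed,
and /apps/enable stands in for an API action whose real path the page omits.
"""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Every (method, path[, action]) that exists is listed with the role it needs;
# None means public. Anything absent is denied, so a forgotten page fails
# closed, the opposite of each page having to remember to check the session.
ROUTES = {
    ("GET", "/login.php"): None,
    ("GET", "/admin/rooms.php"): "admin",
    ("POST", "/admin/add_room_controller.php"): "admin",
    ("GET", "/admin/users.php"): "admin",
    ("POST", "/music/ajax.php", "delete_playlist"): "admin",
    ("POST", "/music/ajax.php", "delete_genre"): "admin",
    ("POST", "/music/ajax.php", "save_user"): "admin",
    ("GET", "/music/view_user.php"): "user",   # plus the ownership check below
    ("POST", "/apps/enable"): "admin",         # placeholder for the API action
}
ROLE_RANK = {None: 0, "user": 1, "admin": 2}


def canonical_path(url):
    """Decode once and normalise, so '/admin/../admin//rooms.php' and
    '/admin/rooms.php' are the same route before any rule is consulted."""
    parts = urlsplit(url)
    # lstrip('/') first: posixpath.normpath keeps a POSIX-style leading '//'.
    path = posixpath.normpath("/" + unquote(parts.path).lstrip("/"))
    return path, parse_qs(parts.query)


def authorize(session, method, url):
    """Return (allowed, reason). session is None for an anonymous request."""
    path, query = canonical_path(url)
    action = query.get("action", [None])[0]
    key = (method, path, action) if action is not None else (method, path)
    if key not in ROUTES:
        return False, f"no rule for {key}: denied by default"
    needed = ROUTES[key]
    have = (session or {}).get("role")
    if ROLE_RANK.get(have, 0) < ROLE_RANK[needed]:   # unknown role ranks as 0
        return False, f"{key} needs {needed!r}, session has {have!r}"
    # Object-level rule: a plain user may only read their own record. The role
    # check alone would still let any logged-in user walk view_user.php?id=N.
    if path == "/music/view_user.php" and have != "admin":
        if query.get("id", [None])[0] != str((session or {}).get("uid")):
            return False, "users may only view their own record"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: anonymous hits on admin pages, then a user on
    # someone else's record, then the same user on their own record.
    for sess, method, url in [
        (None, "GET", "/admin/rooms.php"),
        (None, "POST", "/music/ajax.php?action=delete_playlist"),
        ({"role": "user", "uid": 3}, "GET", "/music/view_user.php?id=4"),
        ({"role": "user", "uid": 3}, "GET", "/music/view_user.php?id=3"),
    ]:
        print(method, url, "->", authorize(sess, method, url))
```

Two details carry the weight here. The decision is made on the normalised, percent-decoded path, so dot segments, doubled slashes and encoded bytes cannot produce a second spelling of a protected route that misses the table. And the table is the only authority: the UI hiding a button, as in the Dify row, is not a control, because the API endpoint is what the attacker calls.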