Filtered by CWE-284
Total 3754 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-40528 1 Apple 5 Ipados, Iphone Os, Macos and 2 more 2025-06-17 5.5 Medium
This issue was addressed by removing the vulnerable code. This issue is fixed in tvOS 17, watchOS 10, macOS Sonoma 14, iOS 17 and iPadOS 17, macOS Ventura 13.6.4. An app may be able to bypass Privacy preferences.
CVE-2023-52099 1 Huawei 2 Emui, Harmonyos 2025-06-17 7.5 High
Vulnerability of foreground service restrictions being bypassed in the NMS module. Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-50159 1 Scalefusion 1 Scalefusion 2025-06-17 8.8 High
In ScaleFusion (Windows Desktop App) agent 10.5.2, Kiosk mode application restrictions can be bypassed allowing arbitrary code to be executed. This is fixed in 10.5.7 by preventing the launching of the file explorer in Agent-based Multi-App and Single App Kiosk mode.
CVE-2023-41603 1 Dlink 2 R15, R15 Firmware 2025-06-17 5.3 Medium
D-Link R15 before v1.08.02 was discovered to contain no firewall restrictions for IPv6 traffic. This allows attackers to arbitrarily access any services running on the device that may be inadvertently listening via IPv6.
CVE-2025-4316 1 Devolutions 1 Devolutions Server 2025-06-17 4.3 Medium
Improper access control in PAM feature in Devolutions Server allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface actions. This issue affects Devolutions Server versions from 2025.1.3.0 through 2025.1.6.0, and all versions up to 2024.3.15.0.
CVE-2024-29866 1 Datalust 1 Seq 2025-06-17 9.1 Critical
Datalust Seq before 2023.4.11151 and 2024 before 2024.1.11146 has Incorrect Access Control because a Project Owner or Organization Owner can escalate to System privileges.
CVE-2023-50333 1 Mattermost 1 Mattermost Server 2025-06-17 3.7 Low
Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names.
CVE-2009-2631 4 Aladdin, Cisco, Sonicwall and 1 more 5 Safenet Securewire Access Gateway, Adaptive Security Appliance, E-class Ssl Vpn and 2 more 2025-06-16 N/A
Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN's domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal resources, perform key logging, and conduct other attacks. NOTE: it could be argued that this is a fundamental design problem in any clientless VPN solution, as opposed to a commonly-introduced error that can be fixed in separate implementations. Therefore a single CVE has been assigned for all products that have this design
CVE-2024-37289 1 Trendmicro 1 Apex One 2025-06-16 7.8 High
An improper access control vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
CVE-2025-45237 1 86dbs 1 Dbsyncer 2025-06-16 7.5 High
Incorrect access control in the component /config/download of DBSyncer v2.0.6 allows attackers to access the JSON file containing sensitive account information, including the encrypted password.
CVE-2025-45612 1 Exrick 1 Xmall 2025-06-16 9.8 Critical
Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index.
CVE-2024-25677 1 Minbrowser 1 Min 2025-06-16 8.8 High
In Min before 1.31.0, local files are not correctly treated as unique security origins, which allows them to improperly request cross-origin resources. For example, a local file may request other local files through an XML document.
CVE-2023-51751 2 Microsoft, Scalefusion 2 Windows, Scalefusion 2025-06-16 7.3 High
ScaleFusion 10.5.2 does not properly limit users to the Edge application because Alt-F4 can be used. This is fixed in 10.5.7 by preventing the launching of the file explorer in Agent-based Multi-App and Single App Kiosk mode.
CVE-2023-51065 1 Qstar 1 Archive Storage Manager 2025-06-16 7.5 High
Incorrect access control in QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 allows unauthenticated attackers to obtain system backups and other sensitive information from the QStar Server.
CVE-2025-4538 1 Keking 1 Kkfileview 2025-06-16 6.3 Medium
A vulnerability was found in kkFileView 4.4.0. It has been classified as critical. This affects an unknown part of the file /fileUpload. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-5130 1 Project Team 1 Tmall Demo 2025-06-16 4.7 Medium
A vulnerability was found in Tmall Demo up to 20250505. It has been classified as critical. This affects the function uploadProductImage of the file tmall/admin/uploadProductImage. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-5428 1 Juzaweb 1 Cms 2025-06-16 6.3 Medium
A vulnerability classified as critical has been found in juzaweb CMS up to 3.4.2. This affects an unknown part of the file /admin-cp/log-viewer of the component Error Logs Page. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-46889 1 Adobe 1 Experience Manager 2025-06-16 5.4 Medium
Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized elevated access. Exploitation of this issue does not require user interaction.
CVE-2025-27689 2025-06-16 7.8 High
Dell iDRAC Tools, version(s) prior to 11.3.0.0, contain(s) an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
CVE-2024-31503 1 Dolibarr 1 Dolibarr Erp\/crm 2025-06-13 7.5 High
Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover.