About “Security Misconfiguration”

A curated feed of “Security Misconfiguration”-related CVEs appears below. We currently track 5958 CVEs for this tag (all time). In the last 365 days, 2192 were published. Average CVSS is 5.9 (all time; 5.8 over 365d), and 26% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-862 - Missing Authorization, CWE-284 - Improper Access Control, CWE-266 - Incorrect Privilege Assignment.

In our taxonomy this topic maps to a LOW impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long-term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

2022-02-09
High

CVE-2022-21825

An Improper Access Control vulnerability exists in Citrix Workspace App for Linux 2012 - 2111 with App Protection installed that can allow an attacker to perform local privilege escalation.

High

CVE-2022-21174

Improper access control in a third-party component of Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local…

Medium

CVE-2022-21157

Improper access control in the Intel(R) Smart Campus Android application before version 6.1 may allow authenticated user to potentially enable information disclosure via local access.

Medium

CVE-2022-21153

Improper access control in the Intel(R) Capital Global Summit Android application may allow an authenticated user to potentially enable information disclosure via local access.

Medium

CVE-2021-33119

Improper access control in the Intel(R) RealSense(TM) DCM before version 20210625 may allow an authenticated user to potentially enable information disclosure via local access.

High

CVE-2021-23152

Improper access control in the Intel(R) Advisor software before version 2021.2 may allow an authenticated user to potentially enable escalation of privilege via local access.

Medium

CVE-2021-0171

Improper access control in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an authenticated user to potentially enable information disclosure via local…

Medium

CVE-2021-0167

Improper access control in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable escalation of privilege via local ac…

High

CVE-2021-0164

Improper access control in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable…

Medium

CVE-2021-0124

Improper access control in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access.

Medium

CVE-2021-0092

Improper access control in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access.

High

CVE-2021-0091

Improper access control in the firmware for some Intel(R) Processors may allow an unauthenticated user to potentially enable an escalation of privilege via local access.

2022-02-04
High

CVE-2021-44204

Local privilege escalation via named pipe due to improper access control checks. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035, Acronis Agent (Windows) be…

2022-02-02
Critical

CVE-2022-21817

NVIDIA Omniverse Launcher contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can get user to browse malicious site, to acquire acce…

Medium

CVE-2021-36177

An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6.3.2 and below, 6.2.x, 6.1.x, 6.0.x may allow an attacker on the same vlan as the HA management interface to make…

2022-01-30
Medium

CVE-2022-0273

Improper Access Control in Pypi calibreweb prior to 0.6.16.

2022-01-26
Medium

CVE-2022-0203

Improper Access Control in GitHub repository crater-invoice/crater prior to 6.0.2.

2022-01-21
Medium

CVE-2021-4016

Rapid7 Insight Agent, versions prior to 3.1.3, suffer from an improper access control vulnerability whereby the user has access to the snapshot directory. An attacker can access, read and copy any o…

2022-01-18
High

CVE-2021-34401

NVIDIA Linux kernel distributions contain a vulnerability in nvmap NVGPU_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, where improper access control may lead to code execution, compromised integrity, or denial o…

Medium

CVE-2021-4074

The WHMCS Bridge WordPress plugin is vulnerable to Stored Cross-Site Scripting via the cc_whmcs_bridge_url parameter found in the ~/whmcs-bridge/bridge_cp.php file which allows attackers to inject ar…

2022-01-13
Medium

CVE-2022-0178

Missing Authorization vulnerability in snipe snipe/snipe-it. This issue affects snipe/snipe-i before 5.3.8.

2022-01-12
Medium

CVE-2022-0179

snipe-it is vulnerable to Missing Authorization

2022-01-11
Medium

CVE-2022-0170

peertube is vulnerable to Improper Access Control

2022-01-10
Medium

CVE-2022-22289

Improper access control vulnerability in S Assistant prior to version 7.5 allows attacker to remotely get sensitive information.

High

CVE-2022-0133

peertube is vulnerable to Improper Access Control

Low

CVE-2021-23173

The affected product is vulnerable to an improper access control, which may allow an authenticated user to gain unauthorized access to sensitive data.

2022-01-06
Medium

CVE-2021-4194

bookstack is vulnerable to Improper Access Control

2022-01-05
High

CVE-2022-22111

In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user in the application who has update user permission enabled is able to change the password of other users, in…

Medium

CVE-2022-22108

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in t…

Medium

CVE-2022-22107

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users…

2022-01-03
Critical

CVE-2021-30276

Improper access control while doing XPU re-configuration dynamically can lead to unauthorized access to a secure resource in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snap…

High

CVE-2021-1894

Improper access control in TrustZone due to improper error handling while handling the signing key in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon…

2021-12-30
High

CVE-2021-44466

Bitmask Riseup VPN 0.21.6 contains a local privilege escalation flaw due to improper access controls. When the software is installed with a non-default installation directory off of the system root,…

Medium

CVE-2021-20156

Trendnet AC2600 TEW-827DRU version 2.08B01 contains an improper access control configuration that could allow for a malicious firmware update. It is possible to manually install firmware that may be…

2021-12-29
Medium

CVE-2021-25991

In Ifme, versions v5.0.0 to v7.32 are vulnerable against an improper access control, which makes it possible for admins to ban themselves leading to their deactivation from Ifme account and complete…

2021-12-26
High

CVE-2021-37572

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. (Affected Chipsets MT7603E, MT7613, MT7615, MT7622, MT7628, MT7629, MT7915; Affect…

2021-12-23
High

CVE-2021-20050

An Improper Access Control Vulnerability in the SMA100 series leads to multiple restricted management APIs being accessible without a user login, potentially exposing configuration meta-data.

2021-12-21
Medium

CVE-2021-38900

IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could allow a privileged user to obtain highly sensitive information due to improper access con…

2021-12-20
Medium

CVE-2021-42809

Improper Access Control of Dynamically-Managed Code Resources (DLL) in Thales Sentinel Protection Installer could allow the execution of arbitrary code.

Medium

CVE-2021-42808

Improper Access Control in Thales Sentinel Protection Installer could allow a local user to escalate privileges.

2021-12-15
Critical

CVE-2021-4119

bookstack is vulnerable to Improper Access Control

High

CVE-2021-27859

A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows an authenticated, remote attacker…

Medium

CVE-2021-27858

A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote attacker to access at lea…

High

CVE-2021-27857

A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, unauthenticated attacker…

2021-12-14
Medium

CVE-2021-42367

The Variation Swatches for WooCommerce WordPress plugin is vulnerable to Stored Cross-Site Scripting via several parameters found in the ~/includes/class-menu-page.php file which allows attackers to…

2021-12-13
Critical

CVE-2021-39063

IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information due to a…

Low

CVE-2021-39945

Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, a…

Low

CVE-2021-39936

Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows a…

Medium

CVE-2021-39934

Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all…

Medium

CVE-2021-39930

Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates

Medium

CVE-2021-39915

Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 befo…

Medium

CVE-2021-20867

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to m…

Medium

CVE-2021-20866

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a user to…

High

CVE-2021-20865

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in browsing database which may allow a user to browse…

2021-12-12
Critical

CVE-2021-44833

The CLI 1.0.0 for Amazon AWS OpenSearch has weak permissions for the configuration file.

2021-12-10
Medium

CVE-2021-4089

snipe-it is vulnerable to Improper Access Control

2021-12-08
Medium

CVE-2021-41013

An improper access control vulnerability [CWE-284] in FortiWeb versions 6.4.1 and below and 6.3.15 and below in the Report Browse section of Log & Report may allow an unauthorized and unauthenticated…

Medium

CVE-2021-37093

There is an Improper Access Control vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may lead to attackers stealing short messages.

Medium

CVE-2021-25519

An improper access control vulnerability in CPLC prior to SMR Dec-2021 Release 1 allows local attackers to access CPLC information without permission.

High

CVE-2021-42758

An improper access control vulnerability [CWE-284] in FortiWLC 8.6.1 and below may allow an authenticated and remote attacker with low privileges to execute any command as an admin user with full acc…

High

CVE-2021-26110

An improper access control vulnerability [CWE-284] in FortiOS autod daemon 7.0.0, 6.4.6 and below, 6.2.9 and below, 6.0.12 and below and FortiProxy 2.0.1 and below, 1.2.9 and below may allow an authe…

2021-12-07
High

CVE-2021-37038

There is an Improper access control vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may affect service confidentiality.

High

CVE-2021-42126

An improper authorization control vulnerability in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.

High

CVE-2021-42124

An improper access control vulnerability in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform a session takeover.

2021-12-01
Medium

CVE-2021-3992

kimai2 is vulnerable to Improper Access Control

High

CVE-2021-20864

Improper access control vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware…

Medium

CVE-2021-20862

Improper access control vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware…

High

CVE-2021-20861

Improper access control vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmw…

2021-11-30
Medium

CVE-2021-4026

bookstack is vulnerable to Improper Access Control

High

CVE-2021-43771

Trend Micro Antivirus for Mac 2021 v11 (Consumer) is vulnerable to an improper access control privilege escalation vulnerability that could allow an attacker to establish a connection that could lead…

2021-11-24
High

CVE-2021-22957

A Cross-Origin Resource Sharing (CORS) vulnerability found in UniFi Protect application Version 1.19.2 and earlier allows a malicious actor who has convinced a privileged user to access a URL with ma…

Critical

CVE-2021-3554

Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used…

Medium

CVE-2021-20841

Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vect…

2021-11-23
Medium

CVE-2021-37023

There is an Improper Access Control vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause media files which can be reads and writes in non-distributed directories…

2021-11-17
High

CVE-2021-33118

Improper access control in the software installer for the Intel(R) Serial IO driver for Intel(R) NUC 11 Gen before version 30.100.2104.1 may allow an authenticated user to potentially enable escalati…

High

CVE-2021-33058

Improper access control in the installer Intel(R) Administrative Tools for Intel(R) Network Adapters for Windows before version 1.4.0.21 may allow an unauthenticated user to potentially enable escalatio…

Medium

CVE-2021-0198

Improper access control in the firmware for the Intel(R) Ethernet Network Controller E810 before version 1.5.5.6 may allow a privileged user to potentially enable a denial of service via local access.

High

CVE-2021-0151

Improper access control in the installer for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products in Windows 10 may allow an authenticated user to potentially enable escalation of…

Medium

CVE-2021-0110

Improper access control in some Intel(R) Thunderbolt(TM) Windows DCH Drivers before version 1.41.1054.0 may allow unauthenticated user to potentially enable denial of service via local access.

High

CVE-2021-33089

Improper access control in the software installer for the Intel(R) NUC HDMI Firmware Update Tool for NUC8i3BE, NUC8i5BE, NUC8i7BE before version 1.78.4.0.4 may allow an authenticated user to potentia…

High

CVE-2021-0121

Improper access control in the installer for some Intel(R) Iris(R) Xe MAX Dedicated Graphics Drivers for Windows 10 before version 27.20.100.9466 may allow authenticated user to potentially enable es…

High

CVE-2021-35528

Improper Access Control vulnerability in the application authentication and authorization of Hitachi Energy Retail Operations, Counterparty Settlement and Billing (CSB) allows an attacker to execute…

2021-11-16
High

CVE-2021-26338

Improper access controls in System Management Unit (SMU) may allow for an attacker to override performance control tables located in DRAM resulting in a potential lack of system resources.

2021-11-12
Medium

CVE-2021-3793

An improper access control vulnerability was reported in some Motorola-branded Binatone Hubble Cameras which could allow an unauthenticated attacker on the same network as the device to access admini…

2021-11-10
High

CVE-2021-3062

An improper access control vulnerability in PAN-OS software enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM…

2021-11-05
Medium

CVE-2021-25501

An improper access control vulnerability in SCloudBnRReceiver in SecTelephonyProvider prior to SMR Nov-2021 Release 1 allows untrusted application to call some protected providers.

Low

CVE-2021-39911

An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 expo…

Medium

CVE-2021-39904

An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting…

Low

CVE-2021-39897

Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is transfer…

2021-11-02
Medium

CVE-2021-26107

An improper access control vulnerability [CWE-284] in FortiManager versions 6.4.4 and 6.4.5 may allow an authenticated attacker with a restricted user profile to modify the VPN tunnel status of other…

Medium

CVE-2021-25973

In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. “guest” role users can self-register even when the admin does not allow. This happens due to front-end restriction only.

2021-11-01
Critical

CVE-2021-20136

ManageEngine Log360 Builds < 5235 are affected by an improper access control vulnerability allowing database configuration overwrite. An unauthenticated remote attacker can send a specially crafted m…

2021-10-20
High

CVE-2021-1932

Improper access control in trusted application environment can cause unauthorized access to CDSP or ADSP VM memory with either privilege in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivit…

2021-10-19
High

CVE-2021-31384

Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an…

2021-10-07
High

CVE-2021-20584

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow a remote attacker to upload arbitrary files, caused by improper access controls. IBM X-Force ID: 199397.

Medium

CVE-2021-20375

IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow an authenticated user to intercept and replace a message sent by another user due to improper access controls. IBM X-Force ID: 195567.

2021-10-06
Medium

CVE-2021-34782

A vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid…

Medium

CVE-2021-25472

An improper access control vulnerability in BluetoothSettingsProvider prior to SMR Oct-2021 Release 1 allows untrusted application to overwrite some Bluetooth information.

Medium

CVE-2021-29758

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 could allow an authenticated user to perform actions that they should not be able to access due to improper access controls. IBM X…

2021-10-05
Medium

CVE-2021-22262

Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud integ…

Medium

CVE-2021-39872

In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquir…

2021-09-27
Critical

CVE-2021-20034

An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to facto…

2021-09-24
Critical

CVE-2021-22869

An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using sel…

2021-09-23
Critical

CVE-2021-22941

Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.

Medium

CVE-2021-1612

A vulnerability in the Cisco IOS XE SD-WAN Software CLI could allow an authenticated, local attacker to overwrite arbitrary files on the local system. This vulnerability is due to improper access con…

2021-09-22
High

CVE-2021-40875

Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail appl…

High

CVE-2021-31847

Improper access control vulnerability in the repair process for McAfee Agent for Windows prior to 5.7.4 could allow a local attacker to perform a DLL preloading attack using unsigned DLLs. This would…

2021-09-17
Critical

CVE-2021-20791

Improper access control vulnerability in RevoWorks Browser 2.1.230 and earlier allows an attacker to bypass access restriction and to exchange unauthorized files between the local environment and the…

2021-09-15
High

CVE-2021-40639

Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js.

High

CVE-2021-33704

The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. For an attacker to discover t…

High

CVE-2020-19155

Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information and/or execute arbitrary code via the 'FileManager.rename()' function in the component…

Medium

CVE-2020-19154

Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'FileManager.editFile()' function in the component 'modules/filemanager/FileMa…

High

CVE-2020-19150

Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information or cause a denial of service via the 'FileManager.delete()' function in the component…

Medium

CVE-2020-19147

Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'getFolder()' function in the component '/modules/filemanager/FileManager.java…

Medium

CVE-2020-19146

Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'TemplatePath' parameter in the component 'jfinal_cms/admin/folder/list'.

High

CVE-2021-22149

Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated att…

2021-09-09
Medium

CVE-2021-25463

Improper access control vulnerability in PENUP prior to version 3.8.00.18 allows arbitrary webpage loading in webview.

Medium

CVE-2021-25460

An improper access control vulnerability in sspExit() in BlockchainTZService prior to SMR Sep-2021 Release 1 allows attackers to terminate BlockchainTZService.

Medium

CVE-2021-25459

An improper access control vulnerability in sspInit() in BlockchainTZService prior to SMR Sep-2021 Release 1 allows attackers to start BlockchainTZService.

Medium

CVE-2021-25453

Some improper access control in Bluetooth APIs prior to SMR Sep-2021 Release 1 allows untrusted application to get Bluetooth information.