CWE-1220
83 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-1220 (page 1 of 2)
- CVE-2021-31384 | HIGH | CVSS 7.2 | EG 7.2 | 2021-10-19
Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an attacker who attempts to access J-Web a…
- CVE-2021-46747 | HIGH | CVSS 7.1 | EG 7.1 | 2026-06-01
Insufficient granularity of access control in ASP (AMD Secure Processor) may allow an attacker with an untrusted user space application to map sensitive SMN (System Management Network) apertures leading to a potential escalation of privile…
- CVE-2022-1177 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-03-30
Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0.
- CVE-2022-1461 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-04-25
Non-Privileged User Can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1.
- CVE-2022-2475 | CRITICAL | CVSS 9.8 | EG 8.8 | 2022-10-28
Haas Controller version 100.20.000.1110 has insufficient granularity of access control when using the "Ethernet Q Commands" service. Any user is able to write macros into registers outside of the authorized accessible range. This could all…
- CVE-2022-36110 | HIGH | CVSS 8.8 | EG 8.8 | 2022-09-09
Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, t…
- CVE-2022-4801 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-12-28
Insufficient Granularity of Access Control in GitHub repository usememos/memos prior to 0.9.1.
- CVE-2022-4813 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-12-28
Insufficient Granularity of Access Control in GitHub repository usememos/memos prior to 0.9.1.
- CVE-2023-0203 | MEDIUM | CVSS 5.0 | EG 5.0 | 2023-04-22
NVIDIA ConnectX-5, ConnectX-6, and ConnectX6-DX contain a vulnerability in the NIC firmware, where an unprivileged user can exploit insufficient granularity of access control, which may lead to denial of service.
- CVE-2023-0205 | MEDIUM | CVSS 5.0 | EG 5.0 | 2023-04-22
NVIDIA ConnectX-5, ConnectX-6, and ConnectX6-DX contain a vulnerability in the NIC firmware, where an unprivileged user can exploit insufficient granularity of access control, which may lead to denial of service.
- CVE-2023-27591 | HIGH | CVSS 7.5 | EG 7.5 | 2023-03-17
Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` configuration option is enabled and `METRICS_ALLOWED_NETW…
- CVE-2023-31342 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-11
Improper input validation in the SMM handler may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution.
- CVE-2023-31343 | HIGH | CVSS 7.5 | EG 7.5 | 2025-02-11
Improper input validation in the SMM handler may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution.
- CVE-2023-32259 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-03-19
Insufficient Granularity of Access Control vulnerability in OpenText™ Service Management Automation X (SMAX), OpenText™ Asset Management X (AMX) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects…
- CVE-2023-3227 | MEDIUM | CVSS 5.7 | EG 5.4 | 2023-06-14
Insufficient Granularity of Access Control in GitHub repository fossbilling/fossbilling prior to 0.5.0.
- CVE-2023-33127 | HIGH | CVSS 8.1 | EG 8.1 | 2023-07-11
.NET and Visual Studio Elevation of Privilege Vulnerability
- CVE-2023-39418 | LOW | CVSS 3.1 | EG 3.1 | 2023-08-11
A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not…
- CVE-2023-40070 | HIGH | CVSS 8.8 | EG 8.8 | 2024-05-16
Improper access control in some Intel(R) Power Gadget software for macOS all versions may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2023-43040 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-05-14
IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access. IBM X-Force ID: 266807.
- CVE-2023-44285 | HIGH | CVSS 7.8 | EG 7.8 | 2023-12-14
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to…
- CVE-2023-4456 | MEDIUM | CVSS 5.7 | EG 5.7 | 2023-08-21
A flaw was found in openshift-logging LokiStack. The key used for caching is just the token, which is too broad. This issue allows a user with a token valid for one action to execute other actions as long as the authorization allowing the …
- CVE-2023-45217 | HIGH | CVSS 8.8 | EG 8.8 | 2024-05-16
Improper access control in Intel(R) Power Gadget software for Windows all versions may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2023-50713 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-12-14
Speckle Server provides server, frontend, 3D viewer, and other JavaScript utilities for the Speckle 3D data platform. A vulnerability in versions prior to 2.17.6 affects users who: authorized an application which requested a 'token write' …
- CVE-2023-6725 | MEDIUM | CVSS 5.5 | EG 6.6 | 2024-03-15
An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. A malicious attacker with access to any container could exploi…
- CVE-2024-11931 | MEDIUM | CVSS 6.4 | EG 6.4 | 2025-01-24
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer …
- CVE-2024-12619 | MEDIUM | CVSS 5.2 | EG 5.2 | 2025-03-28
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1, allowing internal users to gain unauthorized access to internal projects.
- CVE-2024-13256 | HIGH | CVSS 7.5 | EG 7.5 | 2025-01-09
Insufficient Granularity of Access Control vulnerability in Drupal Email Contact allows Forceful Browsing. This issue affects Email Contact: from 0.0.0 before 2.0.4.
- CVE-2024-13272 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-01-09
Insufficient Granularity of Access Control vulnerability in Drupal Paragraphs table allows Content Spoofing. This issue affects Paragraphs table: from 0.0.0 before 1.23.0, from 2.0.0 before 2.0.2.
- CVE-2024-21947 | HIGH | CVSS 7.5 | EG 7.5 | 2025-09-06
Improper input validation in the system management mode (SMM) could allow a privileged attacker to overwrite arbitrary memory potentially resulting in arbitrary code execution at the SMM level.
- CVE-2024-21962 | HIGH | CVSS 8.6 | EG 8.6 | 2026-05-15
Improper Input Validation in the AMD RAID driver could allow an attacker to point to an arbitrary memory location potentially resulting in privilege escalation and arbitrary code execution.
- CVE-2024-21971 | MEDIUM | CVSS 5.5 | EG 5.5 | 2025-02-12
Improper input validation in AMD Crash Defender could allow an attacker to provide the Windows® system process ID to a kernel-mode driver, resulting in an operating system crash, potentially leading to denial of service.
- CVE-2024-2412 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-03-13
The disabling function of the user registration page for Heimavista Rpage and Epage is not properly implemented, allowing remote attackers to complete user registration on sites where user registration is supposed to be disabled.
- CVE-2024-26246 | LOW | CVSS 3.9 | EG 3.9 | 2024-03-14
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
- CVE-2024-29200 | MEDIUM | CVSS 6.8 | EG 6.8 | 2024-03-28
Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` per…
- CVE-2024-33058 | HIGH | CVSS 7.5 | EG 7.5 | 2025-04-07
Memory corruption while assigning memory from the source DDR memory (HLOS) to ADSP.
- CVE-2024-39279 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-02-12
Insufficient granularity of access control in UEFI firmware in some Intel(R) processors may allow an authenticated user to potentially enable denial of service via local access.
- CVE-2024-39323 | HIGH | CVSS 7.1 | EG 7.1 | 2024-07-02
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over…
- CVE-2024-39324 | LOW | CVSS 3.8 | EG 3.8 | 2024-07-02
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows editors to manage own services via GraphQL API whi…
- CVE-2024-4147 | MEDIUM | CVSS 6.5 | EG 7.5 | 2026-02-02
In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure t…
- CVE-2024-42365 | HIGH | CVSS 7.4 | EG 7.4 | 2024-08-08
Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may chang…
- CVE-2024-43604 | MEDIUM | CVSS 5.7 | EG 5.7 | 2024-10-08
Outlook for Android Elevation of Privilege Vulnerability
- CVE-2024-52799 | HIGH | CVSS 8.2 | EG 8.2 | 2024-11-21
Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the s…
- CVE-2024-52814 | LOW | CVSS 2.8 | EG 2.8 | 2024-11-22
Argo Helm is a collection of community maintained charts for `argoproj.github.io` projects. Prior to version 0.45.0, the `workflow-role` lacks granularity in its privileges, giving permissions to `workflowtasksets` and `workflowartifactgc…
- CVE-2024-53295 | HIGH | CVSS 7.8 | EG 7.8 | 2025-02-01
Dell PowerProtect DD versions prior to 8.3.0.0, 7.10.1.50, and 7.13.1.20 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of pri…
- CVE-2024-5389 | HIGH | CVSS 8.1 | EG 8.1 | 2024-06-09
In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the ap…
- CVE-2024-6696 | MEDIUM | CVSS 4.9 | EG 4.9 | 2025-02-20
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required g…
- CVE-2024-6867 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-09-13
An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As …
- CVE-2024-8927 | HIGH | CVSS 7.5 | EG 7.5 | 2024-10-08
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this va…
- CVE-2025-1110 | LOW | CVSS 2.7 | EG 2.7 | 2025-05-22
An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.
- CVE-2025-11246 | MEDIUM | CVSS 5.4 | EG 5.4 | 2026-01-09
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners…