CWE-284: Improper Access Control
4,238 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284 (page 39 of 85)
- CVE-2024-1376 · MEDIUM · CVSS 4.3 · EG 4.3 · 2024-05-24
The Event post plugin for WordPress is vulnerable to unauthorized bulk metadata update due to a missing capability check on the save_bulkdatas function in all versions up to, and including, 5.9.4. This makes it possible for authenticated a…
- CVE-2024-13854 · MEDIUM · CVSS 4.3 · EG 4.3 · 2025-02-19
The Education Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.1 via the naedu_elementor_template shortcode due to missing validation on a user controlled …
- CVE-2024-13855 · MEDIUM · CVSS 4.3 · EG 4.3 · 2025-02-20
The Prime Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.1 via the pae_global_block shortcode due to missing validation on a user controlled key. This m…
- CVE-2024-1418 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-04-04
The CGC Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2 via the REST API. This makes it possible for unauthenticated attackers to view protected posts via REST…
- CVE-2024-1439 · MEDIUM · CVSS 6.5 · EG 6.5 · 2024-02-12
Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all…
- CVE-2024-1462 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-03-13
The Maintenance Page plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 1.0.8 via the REST API. This makes it possible for unauthenticated attackers to view post titles and content when t…
- CVE-2024-1472 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-02-29
The WP Maintenance plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.1.6 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's maintenance mode obtain…
- CVE-2024-1473 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-03-20
The Coming Soon & Maintenance Mode by Colorlib plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.99 via the REST API. This makes it possible for unauthenticated attackers to obtain post an…
- CVE-2024-1475 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-02-29
The Coming Soon Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.5 via the REST API. This makes it possible for unauthenticated attackers to obtain post and pag…
- CVE-2024-1476 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-02-28
The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6 via the REST API. This makes it possible for unauthenticated attackers to …
- CVE-2024-1478 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-03-05
The Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.1 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page content vi…
- CVE-2024-1492 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-02-29
The WPify Woo Czech plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the maybe_send_to_packeta function in all versions up to, and including, 4.0.8. This makes it possible for unauthent…
- CVE-2024-1525 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-02-22
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Under some specialized conditions, an LDAP …
- CVE-2024-1584 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-05-02
The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpa_check_authentication' function in al…
- CVE-2024-1605 · MEDIUM · CVSS 6.6 · EG 6.6 · 2024-03-18
BMC Control-M branches 9.0.20 and 9.0.21 upon user login load all Dynamic Link Libraries (DLL) from a directory that grants Write and Read permissions to all users. Leveraging it leads to loading of a potentially malicious libraries, whi…
- CVE-2024-1632 · HIGH · CVSS 8.8 · EG 8.8 · 2024-02-28
Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area.
- CVE-2024-1668 · MEDIUM · CVSS 6.5 · EG 6.5 · 2024-03-13
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 7.11.5 via the form entries page. This makes it possible for authenticated attacker…
- CVE-2024-1675 · HIGH · CVSS 8.8 · EG 8.8 · 2024-02-21
Insufficient policy enforcement in Download in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2024-1678 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-05-02
The Subway – Private Site Option plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin…
- CVE-2024-1701 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-02-21
A vulnerability has been found in keerti1924 PHP-MYSQL-User-Login-System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /edit.php. The manipulation leads to improper access controls. …
- CVE-2024-1823 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-02-23
A vulnerability classified as critical was found in CodeAstro Simple Voting System 1.0. Affected by this vulnerability is an unknown functionality of the file users.php of the component Backend. The manipulation leads to improper access co…
- CVE-2024-1887 · MEDIUM · CVSS 4.3 · EG 4.3 · 2024-02-29
Mattermost fails to check if compliance export is enabled when fetching posts of public channels allowing a user that is not a member of the public channel to fetch the posts, which will not be audited in the compliance export.
- CVE-2024-1888 · MEDIUM · CVSS 4.3 · EG 4.3 · 2024-02-29
Mattermost fails to check the "invite_guest" permission when inviting guests of other teams to a team, allowing a member with permissions to add other members but not to add guests to add a guest to a team as long as the guest was alread…
- CVE-2024-1898 · MEDIUM · CVSS 4.3 · EG 4.3 · 2024-03-05
Improper access control in the notification feature in Devolutions Server 2023.3.14.0 and earlier allows a low privileged user to change notifications settings configured by an administrator.
- CVE-2024-1942 · MEDIUM · CVSS 4.3 · EG 4.3 · 2024-02-29
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts…
- CVE-2024-20036 · MEDIUM · CVSS 4.4 · EG 4.4 · 2024-03-04
In vdec, there is a possible permission bypass due to a permissions bypass. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08509508; I…
- CVE-2024-20065 · MEDIUM · CVSS 4.0 · EG 4.0 · 2024-06-03
In telephony, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Pa…
- CVE-2024-2019 · HIGH · CVSS 7.5 · EG 7.5 · 2024-06-04
The WP-DB-Table-Editor plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to lack of a default capability requirement on the 'dbte_render' function in all versions up to, and inclu…
- CVE-2024-20261 · MEDIUM · CVSS 5.8 · EG 5.8 · 2024-05-22
A vulnerability in the file policy feature that is used to inspect encrypted archive files of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured file policy to block an encr…
- CVE-2024-20263 · MEDIUM · CVSS 5.8 · EG 5.8 · 2024-01-26
A vulnerability with the access control list (ACL) management within a stacked switch configuration of Cisco Business 250 Series Smart Switches and Business 350 Series Managed Switches could allow an unauthenticated, remote attacker to byp…
- CVE-2024-20279 · MEDIUM · CVSS 4.3 · EG 4.3 · 2024-08-28
A vulnerability in the restricted security domain implementation of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to modify the behavior of default system policies, such as quality …
- CVE-2024-20283 · MEDIUM · CVSS 4.3 · EG 4.3 · 2024-04-03
A vulnerability in Cisco Nexus Dashboard could allow an authenticated, remote attacker to learn cluster deployment information on an affected device. This vulnerability is due to improper access controls on a specific API endpoint. An a…
- CVE-2024-20291 · MEDIUM · CVSS 5.8 · EG 5.8 · 2024-02-29
A vulnerability in the access control list (ACL) programming for port channel subinterfaces of Cisco Nexus 3000 and 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to send traffic that should b…
- CVE-2024-20302 · MEDIUM · CVSS 5.4 · EG 5.4 · 2024-04-03
A vulnerability in the tenant security implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an authenticated, remote attacker to modify or delete tenant templates on an affected system. This vulnerability is due to i…
- CVE-2024-20315 · MEDIUM · CVSS 5.8 · EG 5.8 · 2024-03-13
A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to im…
- CVE-2024-20319 · MEDIUM · CVSS 4.3 · EG 4.3 · 2024-03-13
A vulnerability in the UDP forwarding code of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to bypass configured management plane protection policies and access the Simple Network Management Protocol (SNMP) server of…
- CVE-2024-20322 · MEDIUM · CVSS 5.8 · EG 5.8 · 2024-03-13
A vulnerability in the access control list (ACL) processing on Pseudowire interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due…
- CVE-2024-20325 · MEDIUM · CVSS 5.1 · EG 5.1 · 2024-02-21
A vulnerability in the Live Data server of Cisco Unified Intelligence Center could allow an unauthenticated, local attacker to read and modify data in a repository that belongs to an internal service on an affected device. This vulnerab…
- CVE-2024-20343 · MEDIUM · CVSS 5.5 · EG 5.5 · 2024-09-11
A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to read any file in the file system of the underlying Linux operating system. The attacker must have valid credentials on the affected device.…
- CVE-2024-20373 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-11-15
A vulnerability in the implementation of the Simple Network Management Protocol (SNMP) IPv4 access control list (ACL) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform SNMP p…
- CVE-2024-20397 · MEDIUM · CVSS 5.2 · EG 5.2 · 2024-12-04
A vulnerability in the bootloader of Cisco NX-OS Software could allow an unauthenticated attacker with physical access to an affected device, or an authenticated, local attacker with administrative credentials, to bypass NX-OS image signat…
- CVE-2024-20465 · MEDIUM · CVSS 5.8 · EG 5.8 · 2024-09-25
A vulnerability in the access control list (ACL) programming of Cisco IOS Software running on Cisco Industrial Ethernet 4000, 4010, and 5000 Series Switches could allow an unauthenticated, remote attacker to bypass a configured ACL. Thi…
- CVE-2024-20657 · HIGH · CVSS 7.0 · EG 7.0 · 2024-01-09
Windows Group Policy Elevation of Privilege Vulnerability
- CVE-2024-20675 · MEDIUM · CVSS 6.3 · EG 6.3 · 2024-01-11
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
- CVE-2024-20695 · MEDIUM · CVSS 5.7 · EG 5.7 · 2024-02-13
Skype for Business Information Disclosure Vulnerability
- CVE-2024-20767 · HIGH · CVSS 7.4 · EG 9.0 · CISA KEV · 2024-03-18
ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. E…
- CVE-2024-20911 · LOW · CVSS 2.6 · EG 2.6 · 2024-02-17
Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Supported versions that are affected are 20.1-20.9. Difficult to exploit vulnerability allows high privileged attacker with network access via Oracle Net to …
- CVE-2024-20912 · LOW · CVSS 2.7 · EG 2.7 · 2024-01-16
Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Supported versions that are affected are 20.1-20.9. Easily exploitable vulnerability allows high privileged attacker with network access via Oracle Net to co…
- CVE-2024-20916 · HIGH · CVSS 8.3 · EG 8.3 · 2024-01-16
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). The supported version that is affected is 13.5.0.0. Easily exploitable vulnerability allows high privileged …
- CVE-2024-20918 · HIGH · CVSS 7.4 · EG 7.4 · 2024-01-16
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21…
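The WordPress entries on this page repeat three shapes of CWE-284: an admin-ajax or admin handler with no capability check (CVE-2024-1376, CVE-2024-1492, CVE-2024-1584, CVE-2024-2019), a shortcode that renders whatever post ID the caller supplies (CVE-2024-13854, CVE-2024-13855), and a maintenance-mode plugin that gates the themed front end but leaves titles and content reachable through the REST API (CVE-2024-1418, CVE-2024-1462, CVE-2024-1472, CVE-2024-1473, CVE-2024-1475, CVE-2024-1476, CVE-2024-1478, CVE-2024-1678). The mini-plugin below is an added example written for this page to show the hardened form of each; it is not code from any of those plugins or from the advisories. The `sec_demo_` hook names, the `sec_demo_maintenance` option, the `sec_demo_label` meta key and the `sec_demo_template` post type are assumptions made for the example; the WordPress functions it calls are real core APIs.

```php
<?php
/**
 * Plugin Name: CWE-284 hardening example (hypothetical, added for this page)
 *
 * Three WordPress access-control checks of the kind the advisories above report
 * as missing. Every name prefixed sec_demo_ is an assumption for this example.
 */

// 1. Bulk meta update over admin-ajax. The weak form registers the handler and
//    goes straight to update_post_meta(). The hardened form needs a valid nonce
//    (CSRF) AND a capability check (authorization), and checks the per-post
//    edit capability, not only a global one, so an author cannot rewrite
//    metadata on other people's posts through the bulk endpoint.
add_action( 'wp_ajax_sec_demo_bulk_meta', 'sec_demo_bulk_meta' );
function sec_demo_bulk_meta() {
    // A nonce is not authorization: any logged-in user, a subscriber included,
    // can obtain a nonce that is printed on pages they are allowed to see.
    check_ajax_referer( 'sec_demo_bulk_meta', 'nonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $ids   = array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) );
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    $done  = array();

    foreach ( $ids as $post_id ) {
        // Object-level check: 'edit_post' maps to the owner/status rules of
        // that specific post, which 'edit_posts' alone does not.
        if ( $post_id && current_user_can( 'edit_post', $post_id ) ) {
            update_post_meta( $post_id, 'sec_demo_label', $value );
            $done[] = $post_id;
        }
    }
    wp_send_json_success( array( 'updated' => $done ) );
}

// 2. Shortcode that renders a saved template by ID. The weak form does
//    get_post( $atts['id'] ) and returns post_content, which exposes drafts,
//    private and password-protected posts of any post type to anyone who can
//    get a shortcode with a chosen ID rendered (an IDOR on the id attribute).
add_shortcode( 'sec_demo_template', 'sec_demo_template_shortcode' );
function sec_demo_template_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'sec_demo_template' );
    $post = get_post( absint( $atts['id'] ) );

    if ( ! $post instanceof WP_Post ) {
        return '';
    }
    // Restrict to the post type this shortcode exists for...
    if ( 'sec_demo_template' !== $post->post_type ) {
        return '';
    }
    // ...and to content the current viewer may read. 'read_post' resolves
    // status and authorship for the current user; the password check is separate.
    if ( 'publish' !== $post->post_status && ! current_user_can( 'read_post', $post->ID ) ) {
        return '';
    }
    if ( post_password_required( $post ) ) {
        return '';
    }
    return apply_filters( 'the_content', $post->post_content );
}

// 3. Maintenance mode. Hooking template_redirect only hides the themed front
//    end; /wp-json/wp/v2/posts and /wp-json/wp/v2/pages still return titles and
//    content to anonymous callers. While the mode is on, refuse unauthenticated
//    REST requests. (Feeds, oEmbed and XML-RPC are separate channels and need
//    their own handling.)
add_filter( 'rest_authentication_errors', 'sec_demo_rest_maintenance_gate' );
function sec_demo_rest_maintenance_gate( $result ) {
    // Another callback already decided: true = authenticated, WP_Error = refused.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( get_option( 'sec_demo_maintenance' ) && ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_maintenance_mode',
            'Site is in maintenance mode.',
            array( 'status' => 401 )
        );
    }
    return $result;
}
```

Two things to check when reviewing a plugin against these entries: first, a `check_ajax_referer()` or `wp_verify_nonce()` call without an accompanying `current_user_can()` is still a missing capability check, because nonces prove request origin, not privilege; second, the REST gate in part 3 also blocks anonymous REST consumers the site may depend on (front-end forms, headless clients), so a real deployment would allow-list those routes inside the filter rather than switch it off.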
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.