CWE-284: Improper Access Control
4,239 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-284 (page 44 of 85)
- CVE-2024-30148 (MEDIUM, CVSS 4.1, EG 4.1, 2025-04-24): Improper access control of an endpoint in HCL Leap allows certain admin users to import applications from the server's filesystem.
- CVE-2024-30211 (MEDIUM, CVSS 6.0, EG 6.0, 2025-02-12): Improper access control in some Intel(R) ME driver pack installer engines before version 2422.6.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2024-30261 (LOW, CVSS 2.6, EG 2.6, 2024-04-04): Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered with. This vulnerability was patche…
- CVE-2024-30418 (HIGH, CVSS 7.5, EG 7.5, 2024-04-07): Vulnerability of insufficient permission verification in the app management module. Impact: successful exploitation of this vulnerability will affect availability.
- CVE-2024-30481 (MEDIUM, CVSS 6.5, EG 6.5, 2024-06-09): Broken Access Control vulnerability in Samuel Marshall JCH Optimize. This issue affects JCH Optimize: from n/a through 4.0.0.
- CVE-2024-31207 (MEDIUM, CVSS 5.9, EG 5.9, 2024-04-04): Vite (French word for "quick", pronounced /vit/, like "veet") is frontend build tooling to improve the frontend development experience. `server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been pat…
- CVE-2024-3127 (MEDIUM, CVSS 4.3, EG 4.3, 2024-08-22): An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, and all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to…
- CVE-2024-31320 (HIGH, CVSS 7.8, EG 7.4, 2024-07-09): In setSkipPrompt of AssociationRequest.java, there is a possible way to establish a companion device association without any confirmation due to CDM. This could lead to local escalation of privilege with no additional execution privileges…
- CVE-2024-31503 (HIGH, CVSS 7.5, EG 7.5, 2024-04-17): Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account take…
- CVE-2024-3164 (MEDIUM, CVSS 4.5, EG 4.5, 2024-04-01): In the dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, are accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not …
- CVE-2024-31759 (HIGH, CVSS 8.8, EG 8.8, 2024-04-16): An issue in sanluan PublicCMS v.4.0.202302.e allows an attacker to escalate privileges via the change password function.
- CVE-2024-31805 (MEDIUM, CVSS 6.5, EG 6.5, 2024-04-08): TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to start the Telnet service without authorization via the telnet_enabled parameter in the setTelnetCfg function.
- CVE-2024-31815 (CRITICAL, CVSS 9.1, EG 9.1, 2024-04-08): In TOTOLINK EX200 V4.0.3c.7314_B20191204, an attacker can obtain the configuration file without authorization through /cgi-bin/ExportSettings.sh.
- CVE-2024-31846 (HIGH, CVSS 7.5, EG 7.5, 2024-04-19): An issue was discovered in Italtel Embrace 1.6.4. The web application does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor.
- CVE-2024-31859 (MEDIUM, CVSS 4.3, EG 4.3, 2024-05-26): Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper authorization checks, which allows a member running a playbook in an existing channel to be promoted to a channel admin.
- CVE-2024-31964 (HIGH, CVSS 7.5, EG 7.5, 2024-05-02): A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an authentication bypass at…
- CVE-2024-31967 (CRITICAL, CVSS 9.1, EG 9.1, 2024-05-02): A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an unauthorized access atta…
- CVE-2024-32044 (MEDIUM, CVSS 6.8, EG 6.8, 2024-11-13): Improper access control for some Intel(R) Arc(TM) Pro Graphics for Windows drivers before version 31.0.101.5319 may allow an authenticated user to potentially enable escalation of privilege via adjacent access.
- CVE-2024-32045 (MEDIUM, CVSS 5.9, EG 5.9, 2024-05-26): Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel, which allows members to link their runs to private channe…
- CVE-2024-32124 (MEDIUM, CVSS 4.3, EG 4.3, 2025-07-18): An improper access control vulnerability [CWE-284] in the logging component of FortiIsolator version 2.4.4, version 2.4.3, and 2.3 all versions may allow a remote authenticated read-only attacker to alter logs via a crafted HTTP request.
- CVE-2024-32418 (CRITICAL, CVSS 9.8, EG 9.8, 2024-04-22): An issue in flusity CMS v2.33 allows a remote attacker to execute arbitrary code via the add_addon.php component.
- CVE-2024-32483 (HIGH, CVSS 8.2, EG 8.2, 2024-11-13): Improper access control for some Intel(R) EMA software before version 1.13.1.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2024-3270 (LOW, CVSS 3.8, EG 3.8, 2024-04-03): A vulnerability classified as problematic was found in ThingsBoard up to 3.6.2. This vulnerability affects unknown code of the component AdvancedFeature. The manipulation leads to improper access controls. The attack can be initiated remot…
- CVE-2024-3279 (CRITICAL, CVSS 9.1, EG 9.1, 2024-08-12): An improper access control vulnerability exists in the mintplex-labs/anything-llm application, specifically within the import endpoint. This vulnerability allows an anonymous attacker, without an account in the application, to import their…
- CVE-2024-32939 (MEDIUM, CVSS 4.3, EG 4.3, 2024-08-22): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configure…
- CVE-2024-32940 (MEDIUM, CVSS 6.5, EG 6.5, 2024-09-16): Improper access control in Intel(R) RAID Web Console software for all versions may allow an authenticated user to potentially enable denial of service via adjacent access.
- CVE-2024-32969 (LOW, CVSS 2.7, EG 2.7, 2024-05-23): vantage6 is an open-source infrastructure for privacy-preserving analysis. Collaboration administrators can add extra organizations to their collaboration that can extend their influence. For example, organizations that they include can th…
- CVE-2024-32973 (MEDIUM, CVSS 4.8, EG 4.8, 2024-05-01): Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. In affected versions an attacker with the ability to actively intercept network traffic would be able to use a specifically-crafted certificate to fool Pluto into …
- CVE-2024-33027 (HIGH, CVSS 8.4, EG 8.4, 2024-08-05): Memory corruption can occur when an arbitrary user-space app gains kernel-level privilege to modify DDR memory by corrupting the GPU page table.
- CVE-2024-33227 (HIGH, CVSS 8.8, EG 8.8, 2024-05-22): An issue in the component ddcdrv.sys of Nicomsoft WinI2C/DDC v3.7.4.0 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests.
- CVE-2024-33260 (MEDIUM, CVSS 5.1, EG 5.1, 2024-04-26): Jerryscript commit cefd391 was discovered to contain a segmentation violation via the component parser_parse_class at jerry-core/parser/js/js-parser-expr.c.
- CVE-2024-33393 (MEDIUM, CVSS 6.2, EG 6.2, 2024-05-01): An issue in spidernet-io spiderpool v.0.9.3 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component.
- CVE-2024-33396 (HIGH, CVSS 8.4, EG 8.4, 2024-05-02): An issue in karmada-io karmada v1.9.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component.
- CVE-2024-33647 (MEDIUM, CVSS 6.5, EG 6.5, 2024-05-14): A vulnerability has been identified in Polarion ALM (all versions < V2404.0). The Apache Lucene based query engine in the affected application lacks proper access controls. This could allow an authenticated user to query items beyond the u…
- CVE-2024-33666 (HIGH, CVSS 8.6, EG 8.6, 2024-04-26): An issue was discovered in Zammad before 6.3.0. Users with customer access to a ticket could have accessed time accounting details of this ticket via the API. This data should be available only to agents.
- CVE-2024-33673 (HIGH, CVSS 7.8, EG 7.8, 2024-04-26): An issue was discovered in Veritas Backup Exec before 22.2 HotFix 917391. Improper access controls allow for DLL hijacking in the Windows DLL search path.
- CVE-2024-33898 (CRITICAL, CVSS 9.8, EG 9.8, 2024-06-24): Axiros AXESS Auto Configuration Server (ACS) 4.x and 5.0.0 is affected by an Incorrect Access Control vulnerability. An authorization bypass allows remote attackers to achieve unauthenticated remote code execution.
- CVE-2024-34022 (MEDIUM, CVSS 6.7, EG 6.7, 2024-11-13): Improper Access Control in some Thunderbolt(TM) Share software before version 1.0.49.9 may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2024-3404 (MEDIUM, CVSS 6.5, EG 6.5, 2024-06-06): In gaizhenbiao/chuanhuchatgpt, specifically the version tagged as 20240121, there exists a vulnerability due to improper access control mechanisms. This flaw allows an authenticated attacker to bypass intended access restrictions and read …
- CVE-2024-34068 (MEDIUM, CVSS 6.4, EG 6.4, 2024-05-03): Pterodactyl Wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal e…
- CVE-2024-34099 (HIGH, CVSS 7.8, EG 7.8, 2024-05-15): Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires u…
- CVE-2024-34107 (MEDIUM, CVSS 5.3, EG 5.3, 2024-06-13): Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Access Control vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass securi…
- CVE-2024-34112 (HIGH, CVSS 7.5, EG 7.5, 2024-06-13): ColdFusion versions 2023u7, 2021u13 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could exploit this vulnerability to gain unauthorized access to sensitive…
- CVE-2024-34152 (MEDIUM, CVSS 4.3, EG 4.3, 2024-05-26): Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper access control, which allows a guest to get the metadata of a public playbook run that is linked to the channel they are a guest in, via sending an RHSRun…
- CVE-2024-34221 (HIGH, CVSS 8.8, EG 8.8, 2024-05-14): Sourcecodester Human Resource Management System 1.0 is vulnerable to insecure permissions, resulting in privilege escalation.
- CVE-2024-34404 (MEDIUM, CVSS 6.8, EG 6.8, 2024-05-03): A vulnerability was discovered in the Alta Recovery Vault feature of Veritas NetBackup before 10.4 and NetBackup Appliance before 5.4. By design, only the cloud administrator should be able to disable the retention lock of Governance mode …
- CVE-2024-34543 (MEDIUM, CVSS 6.7, EG 6.7, 2024-09-16): Improper access control in Intel(R) RAID Web Console software for all versions may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2024-34725 (HIGH, CVSS 7.0, EG 7.4, 2024-07-09): In DevmemIntUnexportCtx of devicemem_server.c, there is a possible arbitrary code execution due to a race condition. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User intera…
- CVE-2024-3504 (MEDIUM, CVSS 6.5, EG 8.1, 2024-06-06): An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projec…
- CVE-2024-35122 (LOW, CVSS 2.8, EG 2.8, 2025-01-24): IBM i 7.2, 7.3, 7.4, and 7.5 is vulnerable to a file-level local denial of service caused by an insufficient authority requirement. A local non-privileged user can configure a referential constraint with the privileges of a user socially e…
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.