Filtered by CWE-284
Filtered by vendor Subscriptions
Total 2874 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-43813 1 Mattermost 1 Mattermost 2024-08-23 4.3 Medium
Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows any authenticated user, including guests, to mark any channel inside any team as read for any user.
CVE-2024-8071 1 Mattermost 1 Mattermost 2024-08-23 4.7 Medium
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the `manage_system` permission, effectively becoming a System Admin.
CVE-2024-29977 1 Mattermost 1 Mattermost 2024-08-23 2.7 Low
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts
CVE-2024-36492 1 Mattermost 1 Mattermost 2024-08-23 7.4 High
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user.
CVE-2024-39274 1 Mattermost 1 Mattermost 2024-08-23 8.7 High
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and channels
CVE-2024-39777 1 Mattermost 1 Mattermost 2024-08-23 8.7 High
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin.
CVE-2024-36505 1 Fortinet 1 Fortios 2024-08-22 4.7 Medium
An improper access control vulnerability [CWE-284] in FortiOS 7.4.0 through 7.4.3, 7.2.5 through 7.2.7, 7.0.12 through 7.0.14 and 6.4.x may allow an attacker who has already successfully obtained write access to the underlying system (via another hypothetical exploit) to bypass the file integrity checking system.
CVE-2024-27187 1 Joomla 1 Joomla\! 2024-08-22 7.5 High
Improper Access Controls allows backend users to overwrite their username when disallowed.
CVE-2024-40480 2 Jayesh, Kashipara 2 Online Exam System, Online Exam System 2024-08-22 9.8 Critical
A Broken Access Control vulnerability was found in /admin/update.php and /admin/dashboard.php in Kashipara Online Exam System v1.0, which allows remote unauthenticated attackers to view administrator dashboard and delete valid user accounts via the direct URL access.
CVE-2024-29082 1 Vonets 28 Vap11ac, Vap11ac Firmware, Vap11g and 25 more 2024-08-21 8.6 High
Improper access control vulnerability affecting Vonets industrial wifi bridge relays and wifi bridge repeaters, software versions 3.3.23.6.9 and prior, enables an unauthenticated remote attacker to bypass authentication and factory reset the device via unprotected goform endpoints.
CVE-2024-41332 2 Oretnom23, Sourcecodester 2 Computer Laboratory Management System, Computer Laboratory Management System 2024-08-21 6.5 Medium
Incorrect access control in the delete_category function of Sourcecodester Computer Laboratory Management System v1.0 allows authenticated attackers with low-level privileges to arbitrarily delete categories.
CVE-2024-7921 2 Jielink\+ Jsotc2016 Project, Jieshun-tech 2 Jielink\+ Jsotc2016, Jielink\+ 2024-08-21 4.3 Medium
A vulnerability has been found in Anhui Deshun Intelligent Technology Jieshun JieLink+ JSOTC2016 up to 20240805 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /report/ParkOutRecord/GetDataList. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-7920 2 Anhui Deshun Intelligent Technology, Jielink\+ Jsotc2016 Project 2 Jieshun Jielink Plus Jsotc2016, Jielink\+ Jsotc2016 2024-08-21 4.3 Medium
A vulnerability, which was classified as problematic, was found in Anhui Deshun Intelligent Technology Jieshun JieLink+ JSOTC2016 up to 20240805. Affected is an unknown function of the file /Report/ParkCommon/GetParkInThroughDeivces. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-7919 2 Anhui Deshun Intelligent Technology, Jielink\+ Jsotc2016 Project 2 Jieshun Jielink\+, Jielink\+ Jsotc2016 2024-08-21 5.3 Medium
A vulnerability, which was classified as critical, has been found in Anhui Deshun Intelligent Technology Jieshun JieLink+ JSOTC2016 up to 20240805. This issue affects some unknown processing of the file /report/ParkChargeRecord/GetDataList. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-6221 1 Corydolphin 1 Flask-cors 2024-08-20 7.5 High
A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.
CVE-2024-42559 1 Hotel Management System Project 1 Hotel Management System 2024-08-20 9.8 Critical
An issue in the login component (process_login.php) of Hotel Management System commit 79d688 allows attackers to authenticate without providing a valid password.
CVE-2024-42480 1 Clastix 1 Kamaji 2024-08-16 8.1 High
Kamaji is the Hosted Control Plane Manager for Kubernetes. In versions 1.0.0 and earlier, Kamaji uses an "open at the top" range definition in RBAC for etcd roles leading to some TCPs API servers being able to read, write, and delete the data of other control planes. This vulnerability is fixed in edge-24.8.2.
CVE-2024-40475 2 Mayurik, Sourcecodester 2 Best House Rental Management System, Best House Rental Management System 2024-08-15 5.3 Medium
SourceCodester Best House Rental Management System v1.0 is vulnerable to Incorrect Access Control via /rental/payment_report.php, /rental/balance_report.php, /rental/invoices.php, /rental/tenants.php, and /rental/users.php.
CVE-2024-41905 1 Siemens 1 Sinec Traffic Analyzer 2024-08-14 6.8 Medium
A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V2.0). The affected application do not have access control for accessing the files. This could allow an authenticated attacker with low privilege's to get access to sensitive information.
CVE-2023-43489 2024-08-14 5.5 Medium
Improper access control for some Intel(R) CIP software before version 2.4.10717 may allow an authenticated user to potentially enable denial of service via local access.