Filtered by CWE-284
Total 3309 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2025-2551 2025-03-20 4.3 Medium
A vulnerability was found in D-Link DIR-618 and DIR-605L 2.02/3.02. It has been classified as problematic. This affects an unknown part of the file /goform/formSetPortTr. The manipulation leads to improper access controls. Access to the local network is required for this attack. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2025-2552 2025-03-20 4.3 Medium
A vulnerability was found in D-Link DIR-618 and DIR-605L 2.02/3.02. It has been declared as problematic. This vulnerability affects unknown code of the file /goform/formTcpipSetup. The manipulation leads to improper access controls. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2025-2546 2025-03-20 4.3 Medium
A vulnerability classified as problematic was found in D-Link DIR-618 and DIR-605L 2.02/3.02. This vulnerability affects unknown code of the file /goform/formAdvFirewall of the component Firewall Service. The manipulation leads to improper access controls. The attack needs to be approached within the local network. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2023-23835 1 Mendix 1 Mendix 2025-03-20 5.9 Medium
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.34), Mendix Applications using Mendix 8 (All versions < V8.18.23), Mendix Applications using Mendix 9 (All versions < V9.22.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.10), Mendix Applications using Mendix 9 (V9.18) (All versions < V9.18.4), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.15). Some of the Mendix runtime API’s allow attackers to bypass XPath constraints and retrieve information using XPath queries that trigger errors.
CVE-2024-10272 2025-03-20 N/A
lunary-ai/lunary is vulnerable to broken access control in the latest version. An attacker can view the content of any dataset without any kind of authorization by sending a GET request to the /v1/datasets endpoint without a valid authorization token.
CVE-2024-8238 2025-03-20 N/A
In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. This version does not protect against the str.format_map() method, allowing an attacker to leak server-side secrets or potentially gain unrestricted code execution. The vulnerability arises because str.format_map() can read arbitrary attributes of Python objects, enabling attackers to access sensitive variables such as os.environ. If an attacker can write files to a known location on the Aim server, they can use str.format_map() to load a malicious .dll/.so file into the Python interpreter, leading to unrestricted code execution.
CVE-2024-10956 2025-03-20 N/A
GPT Academy version 3.83 in the binary-husky/gpt_academic repository is vulnerable to Cross-Site WebSocket Hijacking (CSWSH). This vulnerability allows an attacker to hijack an existing WebSocket connection between the victim's browser and the server, enabling unauthorized actions such as deleting conversation history without the victim's consent. The issue arises due to insufficient WebSocket authentication and lack of origin validation.
CVE-2024-5691 2 Mozilla, Redhat 8 Firefox, Firefox Esr, Thunderbird and 5 more 2025-03-19 4.7 Medium
By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
CVE-2024-41243 1 Lopalopa 1 Responsive School Management System 2025-03-19 5.3 Medium
An Incorrect Access Control vulnerability was found in /smsa/view_marks.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view MARKS details.
CVE-2023-42957 1 Apple 4 Ipados, Iphone Os, Macos and 1 more 2025-03-19 3.3 Low
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 17 and iPadOS 17, macOS Sonoma 14, watchOS 10. An app may be able to read sensitive location information.
CVE-2024-40786 1 Apple 3 Ipados, Iphone Os, Macos 2025-03-19 7.5 High
This issue was addressed through improved state management. This issue is fixed in iOS 17.6 and iPadOS 17.6, iOS 16.7.9 and iPadOS 16.7.9, macOS Ventura 13.6.8. An attacker may be able to view sensitive user information.
CVE-2025-25585 2025-03-19 7.3 High
Incorrect access control in the component /config/WebSecurityConfig.java of yimioa before v2024.07.04 allows unauthorized attackers to arbitrarily modify Administrator passwords.
CVE-2023-20927 1 Google 1 Android 2025-03-19 7.8 High
In permissions of AndroidManifest.xml, there is a possible way to grant signature permissions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-244216503
CVE-2022-46892 1 Amperecomputing 4 Ampere Altra, Ampere Altra Firmware, Ampere Altra Max and 1 more 2025-03-19 9.8 Critical
In Ampere AltraMax and Ampere Altra before 2.10c, improper access controls allows the OS to reinitialize a disabled root complex.
CVE-2022-38935 1 Niter 1 Niterforum 2025-03-19 8.8 High
An issue was discovered in NiterForum version 2.5.0-beta in /src/main/java/cn/niter/forum/api/SsoApi.java and /src/main/java/cn/niter/forum/controller/AdminController.java, allows attackers to gain escalated privileges.
CVE-2024-7001 1 Google 1 Chrome 2025-03-19 4.3 Medium
Inappropriate implementation in HTML in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
CVE-2024-57032 1 Wegia 1 Wegia 2025-03-19 9.8 Critical
WeGIA < 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php. The application does not validate the value of the old password, so it is possible to change the password by placing any value in the senha_antiga field.
CVE-2023-24485 1 Citrix 1 Workspace 2025-03-19 7.8 High
Vulnerabilities have been identified that, collectively, allow a standard Windows user to perform operations as SYSTEM on the computer running Citrix Workspace app.
CVE-2025-25598 2025-03-19 8.8 High
Incorrect access control in the scheduled tasks console of Inova Logic CUSTOMER MONITOR (CM) v3.1.757.1 allows attackers to escalate privileges via placing a crafted executable into a scheduled task.
CVE-2025-0650 1 Redhat 2 Enterprise Linux, Openshift 2025-03-19 8.1 High
A flaw was found in the Open Virtual Network (OVN). Specially crafted UDP packets may bypass egress access control lists (ACLs) in OVN installations configured with a logical switch with DNS records set on it and if the same switch has any egress ACLs configured. This issue can lead to unauthorized access to virtual machines and containers running on the OVN network.