Przykłady dla CWE-284: Improper Access Control

	Tytuł	Data	Autor
Low	EnBw SENEC Legacy Storage Box Log Disclosure	20.11.2023	Ph0s
Med.	CVE-2023-36339 WebBoss.io CMS IDOR	23.07.2023	Steven n0tst3 Black
Low	MOV.AI Robotics Engine 2.2.3-3 Improper Access Control	13.01.2023	Thurein Soe
High	Dovecot IMAP Server 2.2 Improper Access Control	08.07.2022	Julian Brook
High	Voltage SecureMail Server Business Logic Bypass	07.02.2022	TING Meng Yean
Low	WordPress Modern Events Calendar 5.16.2 Information Disclosure	02.07.2021	Ron Jost
Med.	Realteo WordPress Plugin <= 1.2.3 - Improper Access Control	02.04.2021	m0ze
Med.	Controlled Admin Access WordPress Plugin <= 1.4.0 - Improper Access Control & Privilege Escalation	23.03.2021	m0ze
Med.	Barco wePresent Undocumented SSH Interface	21.11.2020	Jim Becher
Med.	Reliable Services Improper Access Control	12.05.2020	KingSkrupellos
Med.	ThinkTrek Solutions Improper Access Control	11.05.2020	KingSkrupellos
Med.	Native Sparrow Improper Access Control	11.05.2020	KingSkrupellos
Med.	MediaCosmo CMS Improper Access Control	11.05.2020	KingSkrupellos
Med.	Avast Secure Browser 76.0.1659.101 Local Privilege Escalation	21.03.2020	Silton Santos
High	Avira Free Security Suite 2019 Software Updater 2.0.6.13175 Improper Access Control	06.08.2019	Silton Santos
Low	Yurdum Software Reflected XSS Privilege Escalation	17.06.2019	KingSkrupellos
Med.	Blue Prism Robotic Process Automation (RPA) Privilege Escalation	23.05.2019	Benjamin Hess
Med.	AlumniMagnet OmniMagnet Improper Access Control Vulnerability	20.05.2019	KingSkrupellos
Med.	Gemalto DS3 Authentication Server / Ezio Server Command Injection / File Disclosure	11.05.2019	TING Meng Yean
Med.	Designed by Longtail E-Media Improper Access Control and RFU Vulnerability	22.09.2018	AYAR
Low	WordPress Developed by Netsoft Limited Software Development Bangladesh Improper Authentication Vulnerability	05.09.2018	KingSkrupellos
Med.	WordPress DrcSystems EthicSolutions Jssor-Slider Library Plugin Arbitrary File Upload Vulnerability	21.06.2018	KingSkrupellos
High	Solarwinds LEM 6.3.1 Hardcoded Credentials	25.04.2017	Matt Bergin
Med.	HP Printers Wi-Fi Direct Improper Access Control	03.02.2017	Neseso
Med.	SAP HANA Information Disclosure	28.05.2015	onapsis
High	TheCartPress WordPress plugin 1.3.9 Multiple Vulns	29.04.2015	High-Tech Bridge Secur...
Low	SAP Background Processing RFC Missing Authorization	29.04.2014	Onapsis
Low	SAP BASIS Missing Authorization Check	29.04.2014	Onapsis
Low	SAP Profile Maintenance Missing Authorization	29.04.2014	Onapsis
High	OpenDocMan 1.2.7 Multiple Vulnerabilities	05.03.2014	High-Tech Bridge Secur...
High	Microweber 0.8 Arbitrary File Deletion	18.10.2013	High-Tech Bridge Secur...
High	Samsung Kies 2.3.2.12054_20 NULL Pointer Dereference and bypass	16.10.2012	High-Tech Bridge Secur...
High	PBBoard 2.1.4 SQL Injection and Improper Authentication	09.08.2012	High-Tech Bridge Secur...
Med.	AWScripts Gallery Search Engine 1.x Insecure Cookie Vulnerability	01.07.2009	TiGeR-Dz

Common Weakness Enumeration (CWE)

CVE

Szczegóły

Opis

2024-07-23

CVE-2024-38164

Updating...

An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.

2024-07-15

	CVE-2024-6738	Updating...	The tumbnail API of Tronclass from WisdomGarden lacks proper access control, allowing unauthenticated remote attackers to obtain certain specific files by modifying the URL.
	CVE-2024-6737	Updating...	The access control in the Electronic Official Document Management System from 2100 TECHNOLOGY is not properly implemented, allowing remote attackers with regular privileges to access the account settings functionality and create an administrator account.

2024-07-09

CVE-2024-23663

Updating...

An improper access control in Fortinet FortiExtender 4.1.1 - 4.1.9, 4.2.0 - 4.2.6, 5.3.2, 7.0.0 - 7.0.4, 7.2.0 - 7.2.4 and 7.4.0 - 7.4.2 allows an attacker to create users with elevated privileges via a crafted HTTP request.

2024-07-03

CVE-2024-5821

Updating...

Improper Access Control in stitionai/devika

2024-06-27

CVE-2024-0949	Updating...	Improper Access Control, Missing Authorization, Incorrect Authorization, Incorrect Permission Assignment for Critical Resource, Missing Authentication, Weak Authentication, Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Talya Informatics Elektraweb allows Exploiting Incorrectly Configured Access Control Security Levels, Manipulating Web Input to File System Calls, Embedding Scripts within Scripts, Malicious Logic Insertion, Modification of Windows Service Configuration, Malicious Root Certificate, Intent Spoof, WebView Exposure, Data Injected During Configuration, Incomplete Data Deletion in a Multi-Tenant Environment, Install New Service, Modify Existing Service, Install Rootkit, Replace File Extension Handlers, Replace Trusted Executable, Modify Shared File, Add Malicious File to Shared Webroot, Run Software at Logon, Disable Security Software.This issue affects Elektraweb: before v17.0.68.
CVE-2024-1153	Updating...	Improper Access Control vulnerability in Talya Informatics Travel APPS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel APPS: before v17.0.68.
CVE-2024-39376	Updating...	TELSAT marKoni FM Transmitters are vulnerable to users gaining unauthorized access to sensitive information or performing actions beyond their designated permissions.
CVE-2024-6086	Updating...	In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization.
CVE-2024-5714	Updating...	In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with escalated privileges, and change members from other organizations to their own or other projects, also with escalated privileges. This vulnerability is due to the backend's failure to validate project identifiers against the current user's organization ID and projects belonging to it, as well as a misconfiguration in attribute naming (`org_id` should be `orgId`) that prevents proper user organization validation. As a result, attackers can cause inconsistencies on the platform for affected users and organizations, including unauthorized privilege escalation. The issue is present in the backend API endpoints for user invitation and modification, specifically in the handling of project IDs in requests.

20.11.2023

23.07.2023

13.01.2023

08.07.2022

07.02.2022

02.07.2021

02.04.2021

23.03.2021

21.11.2020

12.05.2020

11.05.2020

11.05.2020

11.05.2020

21.03.2020

06.08.2019

17.06.2019

23.05.2019

20.05.2019

11.05.2019

22.09.2018

05.09.2018

21.06.2018

25.04.2017

03.02.2017

28.05.2015

29.04.2015

29.04.2014

29.04.2014

29.04.2014

05.03.2014

18.10.2013

16.10.2012

09.08.2012

01.07.2009