Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-1883

Summary
Assigner-@huntrdev
Assigner Org ID-c09c270a-b464-47c1-9133-acb35b22c19a
Published At-05 Apr, 2023 | 00:00
Updated At-10 Feb, 2025 | 19:49
Rejected At-
Credits

Improper Access Control in thorsten/phpmyfaq

Improper Access Control in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:@huntrdev
Assigner Org ID:c09c270a-b464-47c1-9133-acb35b22c19a
Published At:05 Apr, 2023 | 00:00
Updated At:10 Feb, 2025 | 19:49
Rejected At:
▼CVE Numbering Authority (CNA)
Improper Access Control in thorsten/phpmyfaq

Improper Access Control in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

Affected Products
Vendor
Thorsten Rinne (phpMyFAQ)thorsten
Product
thorsten/phpmyfaq
Versions
Affected
  • From unspecified before 3.1.12 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-284CWE-284 Improper Access Control
Type: CWE
CWE ID: CWE-284
Description: CWE-284 Improper Access Control
Metrics
VersionBase scoreBase severityVector
3.05.4MEDIUM
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Version: 3.0
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://huntr.dev/bounties/2f1e417d-cf64-4cfb-954b-3a9cb2f38191
N/A
https://github.com/thorsten/phpmyfaq/commit/db77df888178766987398597d4f153831c62a503
N/A
Hyperlink: https://huntr.dev/bounties/2f1e417d-cf64-4cfb-954b-3a9cb2f38191
Resource: N/A
Hyperlink: https://github.com/thorsten/phpmyfaq/commit/db77df888178766987398597d4f153831c62a503
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://huntr.dev/bounties/2f1e417d-cf64-4cfb-954b-3a9cb2f38191
x_transferred
https://github.com/thorsten/phpmyfaq/commit/db77df888178766987398597d4f153831c62a503
x_transferred
Hyperlink: https://huntr.dev/bounties/2f1e417d-cf64-4cfb-954b-3a9cb2f38191
Resource:
x_transferred
Hyperlink: https://github.com/thorsten/phpmyfaq/commit/db77df888178766987398597d4f153831c62a503
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@huntr.dev
Published At:05 Apr, 2023 | 17:15
Updated At:12 Apr, 2023 | 14:33

Improper Access Control in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Secondary3.05.4MEDIUM
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Type: Secondary
Version: 3.0
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CPE Matches

Thorsten Rinne (phpMyFAQ)
phpmyfaq
>>phpmyfaq>>Versions before 3.1.12(exclusive)
cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-284Primarysecurity@huntr.dev
CWE ID: CWE-284
Type: Primary
Source: security@huntr.dev
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/thorsten/phpmyfaq/commit/db77df888178766987398597d4f153831c62a503security@huntr.dev
Patch
https://huntr.dev/bounties/2f1e417d-cf64-4cfb-954b-3a9cb2f38191security@huntr.dev
Exploit
Patch
Third Party Advisory
Hyperlink: https://github.com/thorsten/phpmyfaq/commit/db77df888178766987398597d4f153831c62a503
Source: security@huntr.dev
Resource:
Patch
Hyperlink: https://huntr.dev/bounties/2f1e417d-cf64-4cfb-954b-3a9cb2f38191
Source: security@huntr.dev
Resource:
Exploit
Patch
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

77Records found

CVE-2026-23496
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.27% / 17.86%
||
7 Day CHG~0.00%
Published-15 Jan, 2026 | 16:58
Updated-30 Jan, 2026 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pimcore Web2Print Tools Bundle "Favourite Output Channel Configuration" Missing Function Level Authorization

Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1.

Action-Not Available
Vendor-Pimcore
Product-web2print_toolspimcore
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-863
Incorrect Authorization
CVE-2016-8323
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-5.4||MEDIUM
EPSS-0.93% / 56.32%
||
7 Day CHG~0.00%
Published-27 Jan, 2017 | 22:01
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle FLEXCUBE Core Banking component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 5.1.0, 5.2.0 and 11.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Core Banking. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle FLEXCUBE Core Banking accessible data as well as unauthorized read access to a subset of Oracle FLEXCUBE Core Banking accessible data. CVSS v3.0 Base Score 5.4 (Confidentiality and Integrity impacts).

Action-Not Available
Vendor-Oracle Corporation
Product-flexcube_core_bankingFLEXCUBE Core Banking
CWE ID-CWE-284
Improper Access Control
CVE-2016-5502
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-5.4||MEDIUM
EPSS-1.18% / 63.98%
||
7 Day CHG~0.00%
Published-25 Oct, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Applications 11.3.0, 11.4.0, 12.0.1 through 12.0.3 allows remote authenticated users to affect confidentiality and integrity via vectors related to INFRA.

Action-Not Available
Vendor-n/aOracle Corporation
Product-flexcube_universal_bankingn/a
CWE ID-CWE-284
Improper Access Control
CVE-2016-5569
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-5.4||MEDIUM
EPSS-1.16% / 63.23%
||
7 Day CHG~0.00%
Published-25 Oct, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral Management component in Oracle Financial Services Applications 12.0.0 and 12.1.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.

Action-Not Available
Vendor-n/aOracle Corporation
Product-flexcube_enterprise_limits_and_collateral_managementn/a
CWE ID-CWE-284
Improper Access Control
CVE-2016-5943
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.86% / 54.19%
||
7 Day CHG~0.00%
Published-26 Sep, 2016 | 01:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Spectrum Control (formerly Tivoli Storage Productivity Center) 5.2.x before 5.2.11 allows remote authenticated users to bypass intended access restrictions, and read task details or edit properties, via unspecified vectors.

Action-Not Available
Vendor-n/aIBM Corporation
Product-spectrum_controln/a
CWE ID-CWE-284
Improper Access Control
CVE-2016-5600
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-5.4||MEDIUM
EPSS-1.16% / 63.23%
||
7 Day CHG~0.00%
Published-25 Oct, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the PeopleSoft Enterprise SCM Services Procurement component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.

Action-Not Available
Vendor-n/aOracle Corporation
Product-peoplesoft_enterprise_supply_chain_management_services_procurementn/a
CWE ID-CWE-284
Improper Access Control
CVE-2016-5533
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-5.4||MEDIUM
EPSS-0.90% / 55.21%
||
7 Day CHG~0.00%
Published-25 Oct, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 8.4, 15.x, and 16.x allows remote authenticated users to affect confidentiality and integrity via unknown vectors.

Action-Not Available
Vendor-n/aOracle Corporation
Product-primavera_p6_enterprise_project_portfolio_managementn/a
CWE ID-CWE-284
Improper Access Control
CVE-2016-5560
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-5.4||MEDIUM
EPSS-0.90% / 55.24%
||
7 Day CHG~0.00%
Published-25 Oct, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 16.1 allows remote authenticated users to affect confidentiality and integrity via vectors related to OpenUI.

Action-Not Available
Vendor-n/aOracle Corporation
Product-siebel_customer_order_managementn/a
CWE ID-CWE-284
Improper Access Control
CVE-2016-5620
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-5.4||MEDIUM
EPSS-1.18% / 63.98%
||
7 Day CHG~0.00%
Published-25 Oct, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Applications 11.3.0, 11.4.0, 12.0.1 through 12.0.3, 12.1.0, and 12.2.0 allows remote authenticated users to affect confidentiality and integrity via vectors related to INFRA, a different vulnerability than CVE-2016-5619.

Action-Not Available
Vendor-n/aOracle Corporation
Product-flexcube_universal_bankingn/a
CWE ID-CWE-284
Improper Access Control
CVE-2016-2100
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-1.17% / 63.66%
||
7 Day CHG~0.00%
Published-20 May, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Foreman before 1.10.3 and 1.11.0 before 1.11.0-RC2 allow remote authenticated users to read, modify, or delete private bookmarks by leveraging the (1) edit_bookmarks or (2) destroy_bookmarks permission.

Action-Not Available
Vendor-n/aThe Foreman
Product-foremann/a
CWE ID-CWE-284
Improper Access Control
CVE-2016-0342
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.67% / 47.51%
||
7 Day CHG~0.00%
Published-02 Feb, 2018 | 21:00
Updated-05 Aug, 2024 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.3, and 3.5 before 3.5.0.1 allows remote authenticated users to read or modify arbitrary reports by leveraging an incorrect grant of access. IBM X-Force ID: 111783.

Action-Not Available
Vendor-n/aIBM Corporation
Product-tririga_application_platformn/a
CWE ID-CWE-284
Improper Access Control
CVE-2015-5017
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.66% / 47.09%
||
7 Day CHG~0.00%
Published-03 Jan, 2016 | 02:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX005, and 7.6.0 before 7.6.0.2 IFIX002; Maximo Asset Management 7.5.0 before 7.5.0.8 IFIX005, 7.5.1, and 7.6.0 before 7.6.0.2 IFIX002 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allow remote authenticated users to bypass intended access restrictions and establish a login session by entering an expired password.

Action-Not Available
Vendor-n/aIBM Corporation
Product-maximo_for_life_sciencesmaximo_for_transportationmaximo_asset_management_essentialsmaximo_for_governmenttivoli_service_request_managermaximo_for_energy_optimizationmaximo_for_nuclear_powermaximo_asset_managementchange_and_configuration_management_databasetivoli_asset_management_for_itmaximo_for_oil_and_gasmaximo_for_utilitiessmartcloud_control_deskn/a
CWE ID-CWE-284
Improper Access Control
CVE-2025-65963
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 5.28%
||
7 Day CHG~0.00%
Published-25 Nov, 2025 | 23:38
Updated-01 Dec, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CFiles Unauthorized Folder/ZIP Access in Public Spaces

Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public spaces. Private spaces are not affected. This issue has been patched in versions 0.16.11 and 0.17.2.

Action-Not Available
Vendor-humhub
Product-cfiles
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-285
Improper Authorization
CVE-2025-60982
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 6.21%
||
7 Day CHG~0.00%
Published-27 Oct, 2025 | 00:00
Updated-30 Oct, 2025 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IDOR vulnerability in Educare ERP 1.0 (2025-04-22) allows unauthorized access to sensitive data via manipulated object references. Affected endpoints do not enforce proper authorization checks, allowing authenticated users to access or modify data belonging to other users by changing object identifiers in API requests. Attackers can exploit this flaw to view or modify sensitive records without proper authorization.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-284
Improper Access Control
CVE-2025-58337
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-5.4||MEDIUM
EPSS-0.34% / 25.55%
||
7 Day CHG+0.04%
Published-05 Nov, 2025 | 09:26
Updated-12 Nov, 2025 | 20:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode for doris-mcp-server MCP Server

An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions. Impact: Bypasses read-only mode; attackers with read-only access may perform unauthorized modifications. Recommended action for operators: Upgrade to version 0.6.0 as soon as possible (this release contains the fix).

Action-Not Available
Vendor-The Apache Software Foundation
Product-doris_mcp_serverApache Doris-MCP-Server
CWE ID-CWE-284
Improper Access Control
CVE-2013-6739
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.94% / 56.43%
||
7 Day CHG~0.00%
Published-27 Apr, 2018 | 16:00
Updated-06 Aug, 2024 | 17:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM SPSS Modeler before 16 on UNIX allows remote authenticated users to bypass intended access restrictions via an SSO token. IBM X-Force ID: 89855.

Action-Not Available
Vendor-n/aIBM Corporation
Product-spss_modelern/a
CWE ID-CWE-284
Improper Access Control
CVE-2023-2104
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.4||MEDIUM
EPSS-0.45% / 35.83%
||
7 Day CHG~0.00%
Published-15 Apr, 2023 | 00:00
Updated-06 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in alextselegidis/easyappointments

Improper Access Control in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

Action-Not Available
Vendor-easyappointmentsalextselegidis
Product-easyappointmentsalextselegidis/easyappointments
CWE ID-CWE-284
Improper Access Control
CVE-2025-46889
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-5.4||MEDIUM
EPSS-0.33% / 24.80%
||
7 Day CHG+0.01%
Published-10 Jun, 2025 | 22:18
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Experience Manager | Improper Access Control (CWE-284)

Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized elevated access. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerAdobe Experience Manager
CWE ID-CWE-284
Improper Access Control
CVE-2025-43495
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.88%
||
7 Day CHG+0.01%
Published-04 Nov, 2025 | 01:16
Updated-02 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1. An app may be able to monitor keystrokes without user permission.

Action-Not Available
Vendor-Apple Inc.
Product-iphone_osipadosiOS and iPadOS
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2025-65798
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 8.72%
||
7 Day CHG~0.00%
Published-08 Dec, 2025 | 00:00
Updated-09 Dec, 2025 | 17:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.

Action-Not Available
Vendor-n/aUsememos
Product-memosn/a
CWE ID-CWE-284
Improper Access Control
CVE-2025-30760
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.21%
||
7 Day CHG~0.00%
Published-15 Jul, 2025 | 19:27
Updated-16 Jul, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are 9.2.0.0-9.2.9.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-JD Edwards EnterpriseOne Tools
CWE ID-CWE-284
Improper Access Control
CVE-2025-29557
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.70%
||
7 Day CHG+0.01%
Published-31 Jul, 2025 | 00:00
Updated-31 Jul, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access Control in the MailConfiguration API endpoint, where users with operator-level privileges can issue an HTTP request to retrieve SMTP credentials, including plaintext passwords.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-284
Improper Access Control
CVE-2024-42406
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 12.58%
||
7 Day CHG+0.01%
Published-26 Sep, 2024 | 08:04
Updated-01 Oct, 2024 | 11:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthorized access on archived channels

Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-284
Improper Access Control
CVE-2021-24635
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.61% / 45.09%
||
7 Day CHG~0.00%
Published-20 Sep, 2021 | 10:06
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls

The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) Get and search through title and content of Draft post, 2) Get title of a password-protected post as well as 3) Upload an image from an URL

Action-Not Available
Vendor-bootstrappedUnknown
Product-visual_link_previewVisual Link Preview
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2023-20230
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.33% / 25.21%
||
7 Day CHG~0.00%
Published-23 Aug, 2023 | 18:21
Updated-01 Oct, 2024 | 15:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the restricted security domain implementation of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to read, modify, or delete non-tenant policies (for example, access policies) created by users associated with a different security domain on an affected system. This vulnerability is due to improper access control when restricted security domains are used to implement multi-tenancy for policies outside the tenant boundaries. An attacker with a valid user account associated with a restricted security domain could exploit this vulnerability. A successful exploit could allow the attacker to read, modify, or delete policies created by users associated with a different security domain. Exploitation is not possible for policies under tenants that an attacker has no authorization to access.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-application_policy_infrastructure_controllerCisco Application Policy Infrastructure Controller (APIC)
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2020-25634
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.52% / 40.18%
||
7 Day CHG~0.00%
Published-26 May, 2021 | 20:54
Updated-04 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in Red Hat 3scale’s API docs URL, where it is accessible without credentials. This flaw allows an attacker to view sensitive information or modify service APIs. Versions before 3scale-2.10.0-ER1 are affected.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-3scale3scale_api_management3scale-system
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2023-6547
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-3.7||LOW
EPSS-0.32% / 23.58%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 08:22
Updated-12 May, 2025 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Playbooks access/modification by removed team member

Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team. 

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-284
Improper Access Control
  • Previous
  • 1
  • 2
  • Next
Details not found