Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-30582

Summary
Assigner-hackerone
Assigner Org ID-36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At-07 Sep, 2024 | 16:00
Updated At-30 Apr, 2025 | 22:24
Rejected At-
Credits

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:hackerone
Assigner Org ID:36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At:07 Sep, 2024 | 16:00
Updated At:30 Apr, 2025 | 22:24
Rejected At:
▼CVE Numbering Authority (CNA)

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Affected Products
Vendor
Node.js (OpenJS Foundation)NodeJS
Product
Node
Default Status
unaffected
Versions
Affected
  • From 4.0 before 4.* (semver)
  • From 5.0 before 5.* (semver)
  • From 6.0 before 6.* (semver)
  • From 7.0 before 7.* (semver)
  • From 8.0 before 8.* (semver)
  • From 9.0 before 9.* (semver)
  • From 10.0 before 10.* (semver)
  • From 11.0 before 11.* (semver)
  • From 12.0 before 12.* (semver)
  • From 13.0 before 13.* (semver)
  • From 14.0 before 14.* (semver)
  • From 15.0 before 15.* (semver)
  • From 17.0 before 17.* (semver)
  • From 19.0 before 19.* (semver)
  • From 20.0 before 20.3.1 (semver)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
N/A
Hyperlink: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
Node.js (OpenJS Foundation)nodejs
Product
nodejs
CPEs
  • cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*
Default Status
unaffected
Versions
Affected
  • From 20.0 before 20.3.1 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-284CWE-284 Improper Access Control
Type: CWE
CWE ID: CWE-284
Description: CWE-284 Improper Access Control
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://security.netapp.com/advisory/ntap-20240926-0007/
N/A
Hyperlink: https://security.netapp.com/advisory/ntap-20240926-0007/
Resource: N/A
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:support@hackerone.com
Published At:07 Sep, 2024 | 16:15
Updated At:15 Apr, 2026 | 00:35

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-284Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-284
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://nodejs.org/en/blog/vulnerability/june-2023-security-releasessupport@hackerone.com
N/A
https://security.netapp.com/advisory/ntap-20240926-0007/af854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
Source: support@hackerone.com
Resource: N/A
Hyperlink: https://security.netapp.com/advisory/ntap-20240926-0007/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

245Records found

CVE-2025-4904
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-1.03% / 59.57%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 01:00
Updated-27 May, 2025 | 16:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DI-7003GV2 webgl.data sub_41F0FC information disclosure

A vulnerability has been found in D-Link DI-7003GV2 24.04.18D1 R(68125) and classified as problematic. This vulnerability affects the function sub_41F0FC of the file /H5/webgl.data. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-di-7003gdi-7003g_firmwareDI-7003GV2
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2025-4902
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-8.45% / 94.35%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 00:00
Updated-19 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DI-7003GV2 versionupdate.data sub_48F4F0 information disclosure

A vulnerability, which was classified as problematic, has been found in D-Link DI-7003GV2 24.04.18D1 R(68125). Affected by this issue is the function sub_48F4F0 of the file /H5/versionupdate.data. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-DI-7003GV2
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2025-48861
Matching Score-4
Assigner-Robert Bosch GmbH
ShareView Details
Matching Score-4
Assigner-Robert Bosch GmbH
CVSS Score-5.3||MEDIUM
EPSS-0.28% / 19.75%
||
7 Day CHG~0.00%
Published-14 Aug, 2025 | 09:07
Updated-14 Aug, 2025 | 15:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the Task API endpoint of the ctrlX OS setup mechanism allowed a remote, unauthenticated attacker to access and extract internal application data, including potential debug logs and the version of installed apps.

Action-Not Available
Vendor-Bosch Rexroth AG
Product-ctrlX OS - Setup
CWE ID-CWE-284
Improper Access Control
CVE-2024-55402
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.29% / 21.10%
||
7 Day CHG~0.00%
Published-06 Aug, 2025 | 00:00
Updated-01 Oct, 2025 | 20:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

4C Strategies Exonaut before v22.4 was discovered to contain an access control issue.

Action-Not Available
Vendor-4cstrategiesn/a
Product-exonautn/a
CWE ID-CWE-284
Improper Access Control
CVE-2023-26460
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5.3||MEDIUM
EPSS-0.48% / 37.71%
||
7 Day CHG~0.00%
Published-14 Mar, 2023 | 04:56
Updated-27 Feb, 2025 | 15:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in SAP NetWeaver AS Java (Cache Management Service)

Cache Management Service in SAP NetWeaver Application Server for Java - version 7.50, does not perform any authentication checks for functionalities that require user identity

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_for_javaNetWeaver AS for Java
CWE ID-CWE-284
Improper Access Control
CVE-2024-11961
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.86% / 53.99%
||
7 Day CHG~0.00%
Published-28 Nov, 2024 | 15:00
Updated-11 Dec, 2024 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Guangzhou Huayi Intelligent Technology Jeewms WmOmNoticeHController.java preHandle information disclosure

A vulnerability was found in Guangzhou Huayi Intelligent Technology Jeewms 3.7. It has been rated as problematic. This issue affects the function preHandle of the file src/main/java/com/zzjee/wm/controller/WmOmNoticeHController.java. The manipulation of the argument request leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-huayi-tecGuangzhou Huayi Intelligent Technologyguangzhou_huayi_intelligent_technology
Product-jeewmsJeewmsjeewms
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2026-5003
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 22.93%
||
7 Day CHG~0.00%
Published-28 Mar, 2026 | 17:30
Updated-24 Apr, 2026 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PromtEngineer localGPT Web api_server.py handle_index information disclosure

A vulnerability was found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. This affects the function handle_index of the file rag_system/api_server.py of the component Web Interface. Performing a manipulation results in information disclosure. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-PromtEngineer
Product-localGPT
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2026-5311
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.99% / 58.25%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 19:45
Updated-07 Apr, 2026 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 file_center.cgi Webdav_Access_List access control

A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected is the function Webdav_Access_List of the file /cgi-bin/file_center.cgi. Performing a manipulation of the argument cmd results in improper access controls. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-320lwdns-322l_firmwaredns-1100-4_firmwaredns-345dnr-326_firmwaredns-327ldns-326_firmwarednr-326dns-327l_firmwaredns-321_firmwaredns-322ldns-320_firmwaredns-120dns-321dns-343dns-315l_firmwaredns-315ldns-340ldnr-202ldns-320lw_firmwaredns-325_firmwaredns-1550-04_firmwaredns-120_firmwaredns-320ldns-1200-05dns-726-4_firmwaredns-1200-05_firmwaredns-726-4dns-320l_firmwaredns-1550-04dns-325dns-323_firmwaredns-343_firmwaredns-340l_firmwaredns-323dns-326dnr-202l_firmwaredns-345_firmwaredns-320dns-1100-4DNS-321DNS-323DNS-1550-04DNS-1100-4DNS-327LDNR-202LDNS-320LWDNR-322LDNS-345DNS-320DNS-1200-05DNS-340LDNS-320LDNS-326DNR-326DNS-315LDNS-726-4DNS-325DNS-120DNS-343
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2024-11868
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-1.11% / 61.90%
||
7 Day CHG~0.00%
Published-10 Dec, 2024 | 12:24
Updated-08 Apr, 2026 | 18:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnPress – WordPress LMS Plugin <= 4.2.7.3 - Course Material Sensitive Information Exposure via REST API

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.3 via class-lp-rest-material-controller.php. This makes it possible for unauthenticated attackers to extract potentially sensitive paid course material.

Action-Not Available
Vendor-ThimPress (PhysCode)
Product-learnpressLearnPress – WordPress LMS Plugin for Create and Sell Online Courseslearnpress
CWE ID-CWE-284
Improper Access Control
CVE-2026-5215
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.84% / 53.44%
||
7 Day CHG~0.00%
Published-31 Mar, 2026 | 21:15
Updated-02 Apr, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 network_mgr.cgi cgi_get_ipv6 access control

A vulnerability was identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The impacted element is the function cgi_get_ipv6 of the file /cgi-bin/network_mgr.cgi. Such manipulation leads to improper access controls. The exploit is publicly available and might be used.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-320lwdns-322l_firmwaredns-1100-4_firmwaredns-345dnr-326_firmwaredns-327ldns-326_firmwarednr-326dns-327l_firmwaredns-321_firmwaredns-322ldns-320_firmwaredns-120dns-321dns-343dns-315l_firmwaredns-315ldns-340ldnr-202ldns-320lw_firmwaredns-325_firmwaredns-1550-04_firmwaredns-120_firmwaredns-320ldns-1200-05dns-726-4_firmwaredns-1200-05_firmwaredns-726-4dns-320l_firmwaredns-1550-04dns-325dns-323_firmwaredns-343_firmwaredns-340l_firmwaredns-323dns-326dnr-202l_firmwaredns-345_firmwaredns-320dns-1100-4DNS-321DNS-323DNS-1550-04DNS-1100-4DNS-327LDNR-202LDNS-320LWDNR-322LDNS-345DNS-320DNS-1200-05DNS-340LDNS-320LDNS-326DNR-326DNS-315LDNS-726-4DNS-325DNS-120DNS-343
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-4750
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.92% / 55.80%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 05:31
Updated-03 Jun, 2025 | 15:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DI-7003GV2 Configuration get_version.data information disclosure

A vulnerability, which was classified as problematic, has been found in D-Link DI-7003GV2 24.04.18D1 R(68125). This issue affects some unknown processing of the file /H5/get_version.data of the component Configuration Handler. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-di-7003g_firmwaredi-7003gDI-7003GV2
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2023-23752
Matching Score-4
Assigner-Joomla! Project
ShareView Details
Matching Score-4
Assigner-Joomla! Project
CVSS Score-5.3||MEDIUM
EPSS-99.83% / 99.96%
||
7 Day CHG~0.00%
Published-16 Feb, 2023 | 16:25
Updated-26 Feb, 2026 | 05:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-01-29||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
[20230201] - Core - Improper access check in webservice endpoints

An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMSjoomla\!Joomla!
CWE ID-CWE-284
Improper Access Control
CVE-2024-1088
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.58% / 43.33%
||
7 Day CHG~0.00%
Published-05 Mar, 2024 | 01:56
Updated-08 Apr, 2026 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Password Protected Store for WooCommerce <= 2.2 - Information Exposure via REST API

The Password Protected Store for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive data including post titles and content.

Action-Not Available
Vendor-rajkakadiyarajkakadiyageek_code_lab
Product-password_protected_store_for_woocommercePassword Protected Store for WooCommercepassword_protected_store
CWE ID-CWE-284
Improper Access Control
CVE-2026-47200
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.23% / 13.69%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 12:58
Updated-15 Jun, 2026 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run. This issue has been patched in versions 3.21.6 and 4.4.6.

Action-Not Available
Vendor-nuxtnuxt
Product-nuxtnuxt\/nitro-servernuxt
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2025-4752
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.92% / 55.80%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 06:00
Updated-03 Jun, 2025 | 15:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DI-7003GV2 install_base.data information disclosure

A vulnerability has been found in D-Link DI-7003GV2 24.04.18D1 R(68125) and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /install_base.data. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-di-7003g_firmwaredi-7003gDI-7003GV2
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2025-4753
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.92% / 55.80%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 06:31
Updated-03 Jun, 2025 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DI-7003GV2 login.data information disclosure

A vulnerability was found in D-Link DI-7003GV2 24.04.18D1 R(68125) and classified as problematic. Affected by this issue is some unknown functionality of the file /login.data. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-di-7003g_firmwaredi-7003gDI-7003GV2
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2024-0969
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.48% / 38.07%
||
7 Day CHG~0.00%
Published-05 Feb, 2024 | 21:22
Updated-08 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ARMember <= 4.0.24 - Improper Access Control to Sensitive Information Exposure via REST API

The ARMember plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.21 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "Default Restriction" feature and view restricted post content.

Action-Not Available
Vendor-reputeinfosystemsreputeinfosystemsreputeinfosystems
Product-armemberARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signuparforms
CWE ID-CWE-284
Improper Access Control
CVE-2024-0411
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-2.21% / 80.43%
||
7 Day CHG~0.00%
Published-11 Jan, 2024 | 16:31
Updated-03 Jun, 2025 | 14:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DeShang DSMall HTTP GET Request install.php access control

A vulnerability was found in DeShang DSMall up to 6.1.0. It has been classified as problematic. This affects an unknown part of the file public/install.php of the component HTTP GET Request Handler. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-250431.

Action-Not Available
Vendor-csdeshangDeShang
Product-dsmallDSMall
CWE ID-CWE-284
Improper Access Control
CVE-2024-0965
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.48% / 38.09%
||
7 Day CHG~0.00%
Published-08 Feb, 2024 | 08:32
Updated-08 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Page Access Restriction <= 1.0.21 - Improper Access Control to Sensitive Information Exposure via REST API

The Simple Page Access Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.21 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's page restriction and view page content.

Action-Not Available
Vendor-pluginsandsnippetspluginsandsnippets
Product-simple_page_access_restrictionSimple Page Access Restriction
CWE ID-CWE-284
Improper Access Control
CVE-2026-44341
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.24% / 14.95%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 22:39
Updated-13 May, 2026 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GoJobs: Insecure Direct Object Reference (IDOR) in Job Retrieval Endpoint

GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access to job data.

Action-Not Available
Vendor-karnop
Product-gojobs
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-47220
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.24% / 14.73%
||
7 Day CHG+0.01%
Published-13 Nov, 2025 | 00:00
Updated-17 Dec, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A local file enumeration was found in Keyfactor SignServer versions prior to 7.3.2 .The property VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH, which exists in the PDFSigner and the PAdESSigner, can be set to any path without any restrictions by an admin user. In the case that the provided path points to an existing file, readable by the user running the application server, but is not a recognized image format, it will return this as an error to the clientside, confirming the existences of the file.

Action-Not Available
Vendor-keyfactorn/a
Product-signservern/a
CWE ID-CWE-284
Improper Access Control
CVE-2025-46308
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 13.76%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 18:47
Updated-12 Jun, 2026 | 12:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. An app may be able to leak sensitive user information.

Action-Not Available
Vendor-Apple Inc.
Product-macosipadosiphone_osmacOSiOS and iPadOS
CWE ID-CWE-284
Improper Access Control
CVE-2023-6785
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.55% / 41.75%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-08 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download Manager <= 3.2.84 - Missing Authorization

The Download Manager plugin for WordPress is vulnerable to unauthorized file download of files added via the plugin in all versions up to, and including, 3.2.84. This makes it possible for unauthenticated attackers to download files added with the plugin (even when privately published).

Action-Not Available
Vendor-WordPress Download Manager ProW3 Eden, Inc.Shahjada (codename065)
Product-download_managerDownload Manager
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2026-41837
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 8.93%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 23:49
Updated-30 Jun, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spring Data REST Querydsl integration exposes Jackson-hidden persistent fields as filter keys

Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_data_restSpring Data REST
CWE ID-CWE-284
Improper Access Control
CVE-2023-48441
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-5.3||MEDIUM
EPSS-0.78% / 51.55%
||
7 Day CHG~0.00%
Published-15 Dec, 2023 | 10:17
Updated-19 Sep, 2025 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Experience Manager | Improper Access Control (CWE-284)

Adobe Experience Manager versions 6.5.18 and earlier are affected by an Improper Access Control vulnerability. An attacker could leverage this vulnerability to achieve a low-confidentiality impact within the application. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerAdobe Experience Manager
CWE ID-CWE-284
Improper Access Control
CVE-2025-4535
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.53% / 41.01%
||
7 Day CHG~0.00%
Published-11 May, 2025 | 08:00
Updated-08 Jul, 2025 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gosuncn Technology Group Audio-Visual Integrated Management Platform Configuration File config.properties information disclosure

A vulnerability, which was classified as problematic, was found in Gosuncn Technology Group Audio-Visual Integrated Management Platform 4.0. Affected is an unknown function of the file /config/config.properties of the component Configuration File Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-gosuncntechGosuncn Technology Group
Product-group_audio-visual_integrated_managementAudio-Visual Integrated Management Platform
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2025-45424
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 26.34%
||
7 Day CHG~0.00%
Published-02 Jul, 2025 | 00:00
Updated-18 Oct, 2025 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect access control in Xinference before v1.4.0 allows attackers to access the Web GUI without authentication.

Action-Not Available
Vendor-xinferencen/a
Product-xinferencen/a
CWE ID-CWE-284
Improper Access Control
CVE-2025-46118
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.50% / 39.21%
||
7 Day CHG~0.00%
Published-21 Jul, 2025 | 00:00
Updated-05 Aug, 2025 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139 and in Ruckus ZoneDirector prior to 10.5.1.0.279, where hard-coded credentials for the ftpuser account provide FTP access to the controller, enabling a remote attacker to upload or retrieve arbitrary files from writable firmware directories and thereby expose sensitive information or compromise the controller.

Action-Not Available
Vendor-ruckuswirelesscommscopen/a
Product-ruckus_r350ruckus_r310ruckus_r510ruckus_r560ruckus_r320ruckus_t670ruckus_t811-cm_\(non-sfp\)ruckus_t310sruckus_t750seruckus_t350cruckus_unleashedruckus_r850ruckus_e510ruckus_c110ruckus_r760ruckus_h320ruckus_t310nruckus_r610ruckus_t750ruckus_r350eruckus_t350seruckus_zonedirectorruckus_m510ruckus_t610ruckus_t350druckus_h550ruckus_r710ruckus_h510ruckus_r750ruckus_r770ruckus_t710ruckus_r550ruckus_r650ruckus_t811-cmzonedirector_1200ruckus_r670ruckus_r720ruckus_t710sruckus_m510-jpruckus_h350ruckus_r730ruckus_t310cn/a
CWE ID-CWE-284
Improper Access Control
CVE-2026-2975
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 33.09%
||
7 Day CHG~0.00%
Published-23 Feb, 2026 | 06:02
Updated-05 Mar, 2026 | 13:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FastApiAdmin Custom Documentation Endpoint init_app.py reset_api_docs information disclosure

A security flaw has been discovered in FastApiAdmin up to 2.2.0. Affected by this vulnerability is the function reset_api_docs of the file /backend/app/plugin/init_app.py of the component Custom Documentation Endpoint. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.

Action-Not Available
Vendor-fastapiadminn/a
Product-fastapiadminFastApiAdmin
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2024-0414
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.81% / 52.41%
||
7 Day CHG~0.00%
Published-11 Jan, 2024 | 17:00
Updated-03 Jun, 2025 | 14:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DeShang DSCMS install.php access control

A vulnerability classified as problematic has been found in DeShang DSCMS up to 3.1.2/7.1. Affected is an unknown function of the file public/install.php. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-250434 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-csdeshangDeShang
Product-dscmsDSCMS
CWE ID-CWE-284
Improper Access Control
CVE-2026-28828
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 26.33%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 00:32
Updated-02 Apr, 2026 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access sensitive user data.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOS
CWE ID-CWE-284
Improper Access Control
CVE-2023-2159
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.77% / 51.19%
||
7 Day CHG~0.00%
Published-09 Jun, 2023 | 05:33
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CMP – Coming Soon & Maintenance <= 4.1.7 - Maintenance Mode Bypass

The CMP – Coming Soon & Maintenance plugin for WordPress is vulnerable to Maintenance Mode Bypass in versions up to, and including, 4.1.7. A correct cmp_bypass GET parameter in the URL (equal to the md5-hashed home_url in the default setting) allows users to visit a site placed in maintenance mode thus bypassing the plugin's provided feature.

Action-Not Available
Vendor-niteothemesniteo
Product-cmpCMP – Coming Soon & Maintenance Plugin by NiteoThemes
CWE ID-CWE-284
Improper Access Control
CVE-2026-2861
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.46% / 36.36%
||
7 Day CHG~0.00%
Published-21 Feb, 2026 | 06:02
Updated-16 Mar, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foswiki Changes/Viewfile/Oops information disclosure

A vulnerability was detected in Foswiki up to 2.1.10. The affected element is an unknown function of the component Changes/Viewfile/Oops. The manipulation results in information disclosure. It is possible to launch the attack remotely. The exploit is now public and may be used. Upgrading to version 2.1.11 is sufficient to fix this issue. The patch is identified as 31aeecb58b64/d8ed86b10e46. Upgrading the affected component is recommended.

Action-Not Available
Vendor-foswikin/a
Product-foswikiFoswiki
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2026-28838
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.47% / 37.43%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 00:32
Updated-10 May, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOS
CWE ID-CWE-284
Improper Access Control
CVE-2026-28824
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 26.33%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 00:32
Updated-02 Apr, 2026 | 18:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access sensitive user data.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOS
CWE ID-CWE-284
Improper Access Control
CVE-2025-4271
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.53% / 40.72%
||
7 Day CHG~0.00%
Published-05 May, 2025 | 08:00
Updated-07 May, 2025 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK A720R cstecgi.cgi information disclosure

A vulnerability was found in TOTOLINK A720R 4.1.5cu.374. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument topicurl with the input showSyslog leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-TOTOLINK
Product-a720ra720r_firmwareA720R
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2023-41721
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-10||CRITICAL
EPSS-0.59% / 43.87%
||
7 Day CHG~0.00%
Published-25 Oct, 2023 | 00:24
Updated-13 Sep, 2024 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Instances of UniFi Network Application that (i) are run on a UniFi Gateway Console, and (ii) are versions 7.5.176. and earlier, implement device adoption with improper access control logic, creating a risk of access to device configuration information by a malicious actor with preexisting access to the network. Affected Products: UDM UDM-PRO UDM-SE UDR UDW Mitigation: Update UniFi Network to Version 7.5.187 or later.

Action-Not Available
Vendor-Ubiquiti Inc.
Product-unifi_dream_machine_special_editionunifi_dream_wallunifi_network_applicationunifi_dream_machineunifi_dream_routerunifi_dream_machine_proUniFi Network Applicationunifi_network_application
CWE ID-CWE-284
Improper Access Control
CVE-2026-2667
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.55% / 42.11%
||
7 Day CHG~0.00%
Published-18 Feb, 2026 | 20:32
Updated-26 Feb, 2026 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rongzhitong Visual Integrated Command and Dispatch Platform api access control

A vulnerability has been found in Rongzhitong Visual Integrated Command and Dispatch Platform up to 20260206. The impacted element is an unknown function of the file /dispatch/api?cmd=userinfo. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-rongzhitongRongzhitong
Product-visual_integrated_command_and_dispatch_platformVisual Integrated Command and Dispatch Platform
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-4270
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-9.69% / 94.92%
||
7 Day CHG~0.00%
Published-05 May, 2025 | 07:31
Updated-07 May, 2025 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK A720R Config cstecgi.cgi information disclosure

A vulnerability was found in TOTOLINK A720R 4.1.5cu.374. It has been classified as problematic. Affected is an unknown function of the file /cgi-bin/cstecgi.cgi of the component Config Handler. The manipulation of the argument topicurl with the input getInitCfg/getSysStatusCfg leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-TOTOLINK
Product-a720ra720r_firmwareA720R
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2025-43308
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-3.3||LOW
EPSS-0.36% / 28.46%
||
7 Day CHG~0.00%
Published-15 Sep, 2025 | 22:35
Updated-02 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to access sensitive user data.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOS
CWE ID-CWE-284
Improper Access Control
CVE-2024-50353
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.29% / 20.77%
||
7 Day CHG~0.00%
Published-30 Oct, 2024 | 13:57
Updated-13 Nov, 2024 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ICG.AspNetCore.Utilities.CloudStorage's Secure Token Durations Different Than Expected

ICG.AspNetCore.Utilities.CloudStorage is a collection of cloud storage utilities to assist with the management of files for cloud upload. Users of this library that set a duration for a SAS Uri with a value other than 1 hour may have generated a URL with a duration that is longer, or shorter than desired. Users not implemented SAS Uri's are unaffected. This issue was resolved in version 8.0.0 of the library.

Action-Not Available
Vendor-iowacomputergurusIowaComputerGurusiowa_computer_gurus
Product-aspnetcore.utilities.cloudstorageaspnetcore.utilities.cloudstorageaspnetcore.utilites.cloudstorage
CWE ID-CWE-284
Improper Access Control
CVE-2025-51539
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.67% / 47.32%
||
7 Day CHG~0.00%
Published-19 Aug, 2025 | 00:00
Updated-07 Oct, 2025 | 21:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

EzGED3 3.5.0 contains an unauthenticated arbitrary file read vulnerability due to improper access control and insufficient input validation in a script exposed via the web interface. A remote attacker can supply a crafted path parameter to a PHP script to read arbitrary files from the filesystem. The script lacks both authentication checks and secure path handling, allowing directory traversal attacks (e.g., ../../../) to access sensitive files such as configuration files, database dumps, source code, and password reset tokens. If phpMyAdmin is exposed, extracted credentials can be used for direct administrative access. In environments without such tools, attacker-controlled file reads still allow full database extraction by targeting raw MySQL data files. The vendor states that the issue is fixed in 3.5.72.27183.

Action-Not Available
Vendor-ezgedn/a
Product-ezged3n/a
CWE ID-CWE-284
Improper Access Control
CVE-2025-4119
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.51% / 39.66%
||
7 Day CHG+0.02%
Published-30 Apr, 2025 | 13:31
Updated-16 May, 2025 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weitong Mall Product Statistics queryTotal access control

A vulnerability classified as critical was found in Weitong Mall 1.0.0. This vulnerability affects unknown code of the file /queryTotal of the component Product Statistics Handler. The manipulation of the argument isDelete with the input 1 leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-weitongWeitong
Product-mallMall
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-4067
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.44% / 35.19%
||
7 Day CHG+0.02%
Published-29 Apr, 2025 | 15:00
Updated-12 May, 2025 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ScriptAndTools Online-Travling-System viewpackage.php access control

A vulnerability classified as critical has been found in ScriptAndTools Online-Travling-System 1.0. Affected is an unknown function of the file /admin/viewpackage.php. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-scriptandtoolsScriptAndTools
Product-online_traveling_systemOnline-Travling-System
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-4064
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.44% / 35.19%
||
7 Day CHG+0.02%
Published-29 Apr, 2025 | 14:00
Updated-09 May, 2025 | 19:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ScriptAndTools Online-Travling-System viewenquiry.php access control

A vulnerability was found in ScriptAndTools Online-Travling-System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/viewenquiry.php. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-scriptandtoolsScriptAndTools
Product-online_traveling_systemOnline-Travling-System
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2025-50434
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 12.74%
||
7 Day CHG~0.00%
Published-19 Aug, 2025 | 00:00
Updated-09 Sep, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A security issue has been identified in Appian Enterprise Business Process Management version 25.3. The vulnerability is related to incorrect access control, which under certain conditions could allow unauthorized access to information. NOTE: this has been disputed because the CVE Record information does not originate from the Supplier, and the report lacks specificity about why a problem exists, how the behavior could be reproduced, and whether any action could be taken to resolve the problem.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-284
Improper Access Control
CVE-2025-4118
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.52% / 40.49%
||
7 Day CHG+0.02%
Published-30 Apr, 2025 | 13:31
Updated-16 May, 2025 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weitong Mall Product History historyList access control

A vulnerability classified as critical has been found in Weitong Mall 1.0.0. This affects an unknown part of the file /historyList of the component Product History Handler. The manipulation of the argument isDelete with the input 1 leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-weitongWeitong
Product-mallMall
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-5163
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.46% / 36.49%
||
7 Day CHG~0.00%
Published-26 May, 2025 | 01:31
Updated-03 Jun, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
yangshare 技术杨工 warehouseManager 仓库管理系统 access control

A vulnerability, which was classified as problematic, was found in yangshare 技术杨工 warehouseManager 仓库管理系统 1.0. This affects an unknown part. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-yangshareyangshare 技术杨工
Product-warehouse_management_systemwarehouseManager 仓库管理系统
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-3975
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.60% / 44.47%
||
7 Day CHG+0.02%
Published-27 Apr, 2025 | 15:31
Updated-12 May, 2025 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ScriptAndTools eCommerce-website-in-PHP subscriber-csv.php information disclosure

A vulnerability was found in ScriptAndTools eCommerce-website-in-PHP 3.0 and classified as problematic. This issue affects some unknown processing of the file /admin/subscriber-csv.php. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-scriptandtoolsScriptAndTools
Product-ecommerce-website-in-phpeCommerce-website-in-PHP
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2025-3966
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 31.65%
||
7 Day CHG+0.02%
Published-27 Apr, 2025 | 10:00
Updated-12 May, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
itwanger paicoding Browsing History home information disclosure

A vulnerability was found in itwanger paicoding 1.0.3 and classified as problematic. Affected by this issue is some unknown functionality of the file /user/home?userId=1&homeSelectType=read of the component Browsing History Handler. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-itwangeritwanger
Product-paicodingpaicoding
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • Next
Details not found