Security Vulnerabilities Related To CWE-284

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2023-22473 284 Bypass 2023-01-09 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
Talk-Android enables users to have video & audio calls through Nextcloud on Android. Due to passcode bypass, an attacker is able to access the user's Nextcloud files and view conversations. To exploit this the attacker needs to have physical access to the target's device. There are currently no known workarounds available. It is recommended that the Nextcloud Talk Android app is upgraded to 15.0.2.
2 CVE-2023-0451 284 2023-01-26 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
All versions of Econolite EOS traffic control software are vulnerable to CWE-284: Improper Access Control, and lack a password requirement for gaining “READONLY” access to log files, as well as certain database and configuration files. One such file contains tables with message-digest algorithm 5 (MD5) hashes and usernames for all defined users in the control software, including administrators and technicians.
3 CVE-2023-0017 284 2023-01-10 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable.
4 CVE-2023-0012 284 +Priv 2023-01-10 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
In SAP Host Agent (Windows) - versions 7.21, 7.22, an attacker who gains local membership to SAP_LocalAdmin could be able to replace executables with a malicious file that will be started under a privileged account. Note that by default all user members of SAP_LocalAdmin are denied the ability to logon locally by security policy so that this can only occur if the system has already been compromised.
5 CVE-2022-46664 284 2022-12-13 2023-01-10
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability has been identified in Mendix Workflow Commons (All versions < V2.4.0), Mendix Workflow Commons V2.1 (All versions < V2.1.4), Mendix Workflow Commons V2.3 (All versions < V2.3.2). Affected versions of the module improperly handle access control for some module entities. This could allow authenticated remote attackers to read or delete sensitive information.
6 CVE-2022-46331 284 2023-01-18 2023-01-25
0.0
None ??? ??? ??? ??? ??? ???
An unauthorized user could possibly delete any file on the system.
7 CVE-2022-43494 284 2023-01-18 2023-01-25
0.0
None ??? ??? ??? ??? ??? ???
An unauthorized user could be able to read any file on the system, potentially exposing sensitive information.
8 CVE-2022-41654 284 Bypass 2022-12-22 2022-12-29
0.0
None ??? ??? ??? ??? ??? ???
An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.
9 CVE-2022-41261 284 2022-12-12 2022-12-15
0.0
None ??? ??? ??? ??? ??? ???
SAP Solution Manager (Diagnostic Agent) - version 7.20, allows an authenticated attacker on Windows system to access a file containing sensitive data which can be used to access a configuration file which contains credentials to access other system files. Successful exploitation can make the attacker access files and systems for which he/she is not authorized.
10 CVE-2022-36024 284 2022-08-18 2022-12-09
0.0
None ??? ??? ??? ??? ??? ???
py-cord is an API wrapper for Discord written in Python. Bots created using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. This issue has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version.
11 CVE-2022-34255 284 2022-08-16 2022-10-26
0.0
None ??? ??? ??? ??? ??? ???
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker with a low privilege account could leverage this vulnerability to perform an account takeover for a victim. Exploitation of this issue does not require user interaction.
12 CVE-2022-31024 284 2022-06-02 2022-06-13
4.3
None Remote Medium Not required None Partial None
richdocuments is the repository for Nextcloud Collabora, the app for Nextcloud Office collaboration. Prior to versions 6.0.0, 5.0.4, and 4.2.6, a user could be tricked into working against a remote Office by sending them a federated share. richdocuments versions 6.0.0, 5.0.4 and 4.2.6 contain a fix for this issue. There are currently no known workarounds available.
13 CVE-2022-29417 284 2022-04-25 2022-05-03
4.0
None Remote Low ??? None Partial None
Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin settings.
14 CVE-2022-29160 284 2022-05-20 2022-06-02
2.1
None Local Low Not required Partial None None
Nextcloud Android is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.0, sensitive tokens, images, and user related details exist after deletion of a user account. This could result in misuse of the former account holder's information. Nextcloud Android version 3.19.0 contains a patch for this issue. There are no known workarounds available.
15 CVE-2022-27805 284 Bypass 2022-10-25 2022-10-26
0.0
None ??? ??? ??? ??? ??? ???
An authentication bypass vulnerability exists in the GHOME control functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted network request can lead to arbitrary XCMD execution. An attacker can send a malicious XML payload to trigger this vulnerability.
16 CVE-2022-27660 284 DoS 2022-08-05 2022-08-09
0.0
None ??? ??? ??? ??? ??? ???
A denial of service vulnerability exists in the confctl_set_guest_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulnerability.
17 CVE-2022-23513 284 2022-12-23 2022-12-30
0.0
None ??? ??? ??? ??? ??? ???
Pi-hole provides network-wide ad blocking via your own Linux hardware; AdminLTE is a Pi-hole dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on the `queryads` endpoint. This vulnerability exists because of a lack of validation in code on a root server path: `/admin/scripts/pi-hole/phpqueryads.php`. Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure of any victim's personal blacklists.
18 CVE-2022-21950 284 2022-09-07 2023-01-19
0.0
None ??? ??? ??? ??? ??? ???
An Improper Access Control vulnerability in the systemd service of canna in openSUSE Backports SLE-15-SP3, openSUSE Backports SLE-15-SP4 allows local users to hijack the UNIX domain socket. This issue affects: openSUSE Backports SLE-15-SP3 canna versions prior to canna-3.7p3-bp153.2.3.1. openSUSE Backports SLE-15-SP4 canna versions prior to 3.7p3-bp154.3.3.1. openSUSE Factory was also affected. Instead of fixing the package it was deleted there.
19 CVE-2022-21947 284 2022-04-01 2022-04-11
5.8
None Local Network Low Not required Partial Partial Partial
An Improper Access Control vulnerability in Rancher Desktop of SUSE allows attackers in the local network to connect to the Dashboard API (steve) to carry out arbitrary actions. This issue affects: SUSE Rancher Desktop versions prior to V.
20 CVE-2022-4814 284 2022-12-28 2023-01-05
0.0
None ??? ??? ??? ??? ??? ???
Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.
21 CVE-2022-4810 284 2022-12-28 2023-01-05
0.0
None ??? ??? ??? ??? ??? ???
Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.
22 CVE-2022-4809 284 2022-12-28 2023-01-05
0.0
None ??? ??? ??? ??? ??? ???
Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.
23 CVE-2022-4807 284 2022-12-28 2023-01-05
0.0
None ??? ??? ??? ??? ??? ???
Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.
24 CVE-2022-4724 284 2022-12-27 2023-01-05
0.0
None ??? ??? ??? ??? ??? ???
Improper Access Control in GitHub repository ikus060/rdiffweb prior to 2.5.5.
25 CVE-2022-4711 284 2023-01-10 2023-01-14
0.0
None ??? ??? ??? ??? ??? ???
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_save_mega_menu_settings' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to enable and modify Mega Menu settings for any menu item.
26 CVE-2022-4709 284 2023-01-10 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_import_library_template' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import and activate templates from the plugin's template library.
27 CVE-2022-4708 284 2023-01-10 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_save_template_conditions' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to modify the conditions under which templates are displayed.
28 CVE-2022-4705 284 2023-01-10 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_final_settings_setup' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to finalize activation of preset site configuration templates, which can be chosen and imported via a separate action documented in CVE-2022-4704.
29 CVE-2022-4704 284 2023-01-10 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_import_templates_kit' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import preset site configuration templates including images and settings.
30 CVE-2022-4703 284 2023-01-10 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_reset_previous_import' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to reset previously imported data.
31 CVE-2022-4702 284 2023-01-10 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_fix_royal_compatibility' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to deactivate every plugin on the site unless it is part of an extremely limited hardcoded selection. This also switches the site to the 'royal-elementor-kit' theme, potentially resulting in availability issues.
32 CVE-2022-4700 284 2023-01-10 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_activate_required_theme' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to activate the 'royal-elementor-kit' theme. If no such theme is installed doing so can also impact site availability as the site attempts to load a nonexistent theme.
33 CVE-2022-4689 284 2022-12-23 2022-12-30
0.0
None ??? ??? ??? ??? ??? ???
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.
34 CVE-2022-4685 284 2022-12-23 2022-12-23
0.0
None ??? ??? ??? ??? ??? ???
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.
35 CVE-2022-4684 284 2022-12-23 2022-12-30
0.0
None ??? ??? ??? ??? ??? ???
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.
36 CVE-2022-4567 284 2022-12-17 2022-12-21
0.0
None ??? ??? ??? ??? ??? ???
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2.
37 CVE-2022-4505 284 2022-12-15 2022-12-16
0.0
None ??? ??? ??? ??? ??? ???
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2.
38 CVE-2022-4229 284 2022-11-30 2023-01-09
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability classified as critical was found in SourceCodester Book Store Management System 1.0. This vulnerability affects unknown code of the file /bsms_ci/index.php. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-214588.
39 CVE-2022-3923 284 2023-01-09 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
The ActiveCampaign for WooCommerce WordPress plugin through 1.9.6 does not have an authorisation check when cleaning up its error logs via an AJAX action, which could allow any authenticated user, such as a subscriber, to call it and remove error logs.
40 CVE-2022-3770 284 2022-10-31 2022-11-01
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability classified as critical was found in Yunjing CMS. This vulnerability affects unknown code of the file /index/user/upload_img.html. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-212500.
41 CVE-2022-3735 284 2022-10-28 2022-10-31
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability was found in seccome Ehoney. It has been rated as critical. This issue affects some unknown processing of the file /api/public/signup. The manipulation leads to improper access controls. The identifier VDB-212417 was assigned to this vulnerability.
42 CVE-2022-3458 284 2022-10-12 2022-10-13
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability has been found in SourceCodester Human Resource Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /employeeview.php of the component Image File Handler. The manipulation leads to unrestricted upload. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-210559.
43 CVE-2022-3225 284 2022-09-16 2022-09-19
0.0
None ??? ??? ??? ??? ??? ???
Improper Access Control in GitHub repository budibase/budibase prior to 1.3.20.
44 CVE-2022-3186 284 2022-12-21 2022-12-28
0.0
None ??? ??? ??? ??? ??? ???
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the affected product allows an attacker to access the device’s main management page from the cloud. This feature enables users to remotely connect devices, however, the current implementation permits users to access other device's information.
45 CVE-2022-2702 284 2022-08-08 2022-08-11
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability was found in SourceCodester Company Website CMS and classified as critical. Affected by this issue is some unknown functionality of the file site-settings.php of the component Cookie Handler. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-205826 is the identifier assigned to this vulnerability.
46 CVE-2022-2631 284 2022-08-02 2022-08-06
0.0
None ??? ??? ??? ??? ??? ???
Improper Access Control in GitHub repository tooljet/tooljet prior to v1.19.0.
47 CVE-2022-2578 284 2022-07-29 2022-08-05
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability, which was classified as critical, has been found in SourceCodester Garage Management System 1.0. This issue affects some unknown processing of the file /php_action/createUser.php. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
48 CVE-2022-2088 284 2022-06-27 2022-07-07
6.8
None Remote Low ??? None None Complete
An authenticated user with admin privileges may be able to terminate any process on the system running Elcomplus SmartICS v2.3.4.0.
49 CVE-2022-1958 284 2022-06-15 2022-12-28
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability classified as critical has been found in FileCloud. Affected is an unknown function of the component NTFS Handler. The manipulation leads to improper access controls. It is possible to launch the attack remotely. Upgrading to version 21.3.5.18513 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-201960.
50 CVE-2022-1656 284 2022-06-13 2022-06-17
5.5
None Remote Low ??? Partial Partial None
Vulnerable versions of the JupiterX Theme (<=2.0.6) allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin (<=2.0.6). This includes the ability to deactivate arbitrary plugins as well as update the theme’s API key.
Total number of vulnerabilities: 981 (page 1 of 20)