Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "...

All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and c...

The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affec...

GitLab CE/EE version 13.3 prior to 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow.

Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Agile Integration Services). The supported version that is affected is 9.3.6. Easily exploitable vulnerabilit...

Vulnerability in the Oracle Hospitality Simphony product of Oracle Food and Beverage Applications (component: Simphony Enterprise Server). Supported versions that are affected are 19.1.0-19.5.4. Easil...

NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to obtain access to th...

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.933 Application 20.0.2368 allows Insecure Extension Installation by Trusting HTTP Permission Methods on the Server Side V-2024-0...

DESCOR INFOCAD 3.5.1 and before and fixed in v.3.5.2.0 has a broken authorization schema.

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A malicious app may be able to read or write to pr...

Incorrect Authorization vulnerability in National Keep Cyber Security Services CyberMath allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects CyberMath: before CYBM.24081...

An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerabil...

Improper access control in Calibre 6.9.0 ~ 7.14.0 allow unauthenticated attackers to achieve remote code execution.

HaloITSM versions up to 2.146.1 are affected by a SAML XML Signature Wrapping (XSW) vulnerability. When having a SAML integration configured, anonymous actors could impersonate arbitrary HaloITSM user...

WeGIA < 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php. The application does not validate the value of the old password, so it is possible to change the password by placing an...

oc_huff_tree_unpack in huffdec.c in libtheora in Theora through 1.0 7180717 has an invalid negative left shift. NOTE: this is disputed by third parties because there is no evidence of a security impac...

Incorrect Authorization vulnerability in Wpsoul Greenshift – animation and page builder blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Greenshift – a...

An Incorrect Access Control issue in SAMPMAX com.sampmax.homemax 2.1.2.7 allows a remote attacker to obtain sensitive information via the firmware update process.

WTCMS 1.0 is vulnerable to Incorrect Access Control in \Common\Controller\HomebaseController.class.php.

Lylme Spage v1.9.5 is vulnerable to Incorrect Access Control. There is no limit on the number of login attempts, and the verification code will not be refreshed after a failed login, which allows atta...

app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.

In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin.

Incorrect access control in TOTOLINK N350RT V9.3.5u.6139_B20201216 allows attackers to obtain the apmib configuration file, which contains the username and the password, via a crafted request to /cgi-...

OpenFGA is an authorization/permission engine. OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses `but not` and `from` expressions and a use...