CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,700 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 67 of 94
- CVE-2025-47220MEDIUMCVSS 5.3EG 5.32025-11-13
A local file enumeration was found in Keyfactor SignServer versions prior to 7.3.2 .The property VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH, which exists in the PDFSigner and the PAdESSigner, can be set to any path without any restrictions by an …
- CVE-2025-47221MEDIUMCVSS 5.3EG 5.32025-11-13
An arbitrary file write was found in Keyfactor SignServer versions prior to 7.3.2. The properties ARCHIVETODISK_FILENAME-PATTERN, ARCHIVETODISK_PATH_BASE, ARCHIVETODISK_PATH_PATTERN can be set to any path, even ones that will point to file…
- CVE-2025-47222MEDIUMCVSS 6.5EG 6.52025-11-13
A class name enumeration was found in Keyfactor SignServer versions prior to 7.3.2. Setting any chosen class name to any of the properties requiring a class path and the provided class is not expected to return different errors if the clas…
- CVE-2025-4735MEDIUMCVSS 6.3EG 6.32025-05-16
A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /pages/product.php. The manipulation of the argument Picture lead…
- CVE-2025-4750MEDIUMCVSS 5.3EG 5.32025-05-16
A vulnerability, which was classified as problematic, has been found in D-Link DI-7003GV2 24.04.18D1 R(68125). This issue affects some unknown processing of the file /H5/get_version.data of the component Configuration Handler. The manipula…
- CVE-2025-4751MEDIUMCVSS 5.3EG 5.32025-05-16
A vulnerability, which was classified as problematic, was found in D-Link DI-7003GV2 24.04.18D1 R(68125). Affected is an unknown function of the file /index.data. The manipulation leads to information disclosure. It is possible to launch t…
- CVE-2025-4752MEDIUMCVSS 5.3EG 5.32025-05-16
A vulnerability has been found in D-Link DI-7003GV2 24.04.18D1 R(68125) and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /install_base.data. The manipulation leads to information disclos…
- CVE-2025-4753MEDIUMCVSS 5.3EG 5.32025-05-16
A vulnerability was found in D-Link DI-7003GV2 24.04.18D1 R(68125) and classified as problematic. Affected by this issue is some unknown functionality of the file /login.data. The manipulation leads to information disclosure. The attack ma…
- CVE-2025-4768MEDIUMCVSS 6.3EG 6.32025-05-16
A vulnerability classified as critical has been found in feng_ha_ha/megagao ssm-erp and production_ssm 1.0. This affects the function uploadPicture of the file PictureServiceImpl.java. The manipulation of the argument File leads to unrestr…
- CVE-2025-47792MEDIUMCVSS 5.0EG 5.02025-05-16
Nextcloud Desktop is the desktop sync client for Nextcloud. In versions of Nextcloud Desktop prior to 3.15, 3rdparty applications already installed on a user machine can create link shares for almost all data via the socket API. These shar…
- CVE-2025-47794LOWCVSS 2.6EG 2.62025-05-16
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a mul…
- CVE-2025-47884CRITICALCVSS 9.1EG 9.12025-05-14
In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to conf…
- CVE-2025-47962HIGHCVSS 7.8EG 7.82025-06-10
Improper access control in Windows SDK allows an authorized attacker to elevate privileges locally.
- CVE-2025-47989HIGHCVSS 7.0EG 7.02025-10-14
Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.
- CVE-2025-47993HIGHCVSS 7.8EG 7.82025-07-08
Improper access control in Microsoft PC Manager allows an authorized attacker to elevate privileges locally.
- CVE-2025-48025MEDIUMCVSS 4.3EG 4.32025-10-20
In Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000, there is an improper access control vulnerability related to a log file.
- CVE-2025-48707HIGHCVSS 7.5EG 7.52025-09-25
An issue was discovered in Stormshield Network Security (SNS) before 5.0.1. TPM authentication information could, in some HA use cases, be shared among administrators, which can cause secret sharing.
- CVE-2025-48734HIGHCVSS 8.8EG 8.82025-05-28
Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the cl…
- CVE-2025-48817HIGHCVSS 8.8EG 8.82025-07-08
Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
- CVE-2025-48860HIGHCVSS 8.0EG 8.02025-08-14
A vulnerability in the web application of the ctrlX OS setup mechanism facilitated an authenticated (low privileged) attacker to gain remote access to backup archives created by a user with elevated permissions. Depending on the content o…
- CVE-2025-48861MEDIUMCVSS 5.3EG 5.32025-08-14
A vulnerability in the Task API endpoint of the ctrlX OS setup mechanism allowed a remote, unauthenticated attacker to access and extract internal application data, including potential debug logs and the version of installed apps.
- CVE-2025-48869HIGHCVSS 7.5EG 7.52025-09-24
Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access uploaded resume files in Horilla 1.3.0 by directly guessing or predicting file URLs. These files are stored in a publicly accessibl…
- CVE-2025-48983CRITICALCVSS 9.9EG 9.92025-10-31
A vulnerability in the Mount service of Veeam Backup & Replication, which allows for remote code execution (RCE) on the Backup infrastructure hosts by an authenticated domain user.
- CVE-2025-48986HIGHCVSS 8.8EG 8.82025-11-20
Authorization bypass in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes an logged in attacker to change other users' email address and potentialy take over their accounts using the forgot password functionality.
- CVE-2025-48999HIGHCVSS 8.8EG 8.82025-06-03
DataEase is an open source business intelligence and data visualization tool. A bypass of CVE-2025-46566's patch exists in versions prior to 2.10.10. In a malicious payload, `getUrlType()` retrieves `hostName`. Since the judgment statement…
- CVE-2025-4901MEDIUMCVSS 4.3EG 4.32025-05-19
A vulnerability classified as problematic was found in D-Link DI-7003GV2 24.04.18D1 R(68125). Affected by this vulnerability is the function sub_41E304 of the file /H5/state_view.data of the component HTTP Endpoint. The manipulation leads …
- CVE-2025-4902MEDIUMCVSS 5.3EG 5.32025-05-19
A vulnerability, which was classified as problematic, has been found in D-Link DI-7003GV2 24.04.18D1 R(68125). Affected by this issue is the function sub_48F4F0 of the file /H5/versionupdate.data. The manipulation leads to information disc…
- CVE-2025-4904MEDIUMCVSS 5.3EG 5.32025-05-19
A vulnerability has been found in D-Link DI-7003GV2 24.04.18D1 R(68125) and classified as problematic. This vulnerability affects the function sub_41F0FC of the file /H5/webgl.data. The manipulation leads to information disclosure. The att…
- CVE-2025-49154HIGHCVSS 8.7EG 8.72025-06-17
An insecure access control vulnerability in Trend Micro Apex One and Trend Micro Worry-Free Business Security could allow a local attacker to overwrite key memory-mapped files which could then have severe consequences for the security and …
- CVE-2025-4923HIGHCVSS 7.3EG 7.32025-05-19
A vulnerability, which was classified as critical, has been found in SourceCodester Client Database Management System 1.0. This issue affects some unknown processing of the file /user_delivery_update.php. The manipulation of the argument u…
- CVE-2025-4926MEDIUMCVSS 4.7EG 4.72025-05-19
A vulnerability was found in PHPGurukul Car Rental Project 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/post-avehical.php. The manipulation of the argument img1/img2/img3/img4/img5…
- CVE-2025-49546LOWCVSS 2.4EG 2.42025-07-08
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Access Control vulnerability that could lead to a partial application denial-of-service. A high-privileged attacker could exploit this vulnerability to pa…
- CVE-2025-49591CRITICALCVSS 9.1EG 9.12025-06-18
CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication (2FA) in CryptPad can be trivially bypassed, due to weak implementation of access controls. An attacker that compromises a user's creden…
- CVE-2025-49603CRITICALCVSS 9.1EG 9.12025-06-26
Northern.tech Mender Server before 3.7.11 and 4.x before 4.0.1 has Incorrect Access Control.
- CVE-2025-4962HIGHCVSS 7.7EG 7.72025-08-18
An Insecure Direct Object Reference (IDOR) vulnerability was identified in the `POST /v1/templates` endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another us…
- CVE-2025-49692HIGHCVSS 7.8EG 7.82025-09-09
Improper access control in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally.
- CVE-2025-49707HIGHCVSS 7.9EG 7.92025-08-12
Improper access control in Azure Virtual Machines allows an authorized attacker to perform spoofing locally.
- CVE-2025-4977MEDIUMCVSS 5.3EG 5.32025-05-20
A vulnerability, which was classified as problematic, has been found in Netgear DGND3700 1.1.00.15_1.00.15NA. Affected by this issue is some unknown functionality of the file /BRS_top.html. The manipulation leads to information disclosure.…
- CVE-2025-4980MEDIUMCVSS 5.3EG 5.32025-05-20
A vulnerability has been found in Netgear DGND3700 1.1.00.15_1.00.15NA and classified as problematic. This vulnerability affects unknown code of the file /currentsetting.htm of the component mini_http. The manipulation leads to information…
- CVE-2025-50059HIGHCVSS 8.6EG 8.62025-07-15
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u451-perf, 11.0.27, 17.0.15, 21.0.…
- CVE-2025-50060HIGHCVSS 8.1EG 8.12025-07-15
Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported versions that are affected are 7.6.0.0.0, 8.2.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker w…
- CVE-2025-50070MEDIUMCVSS 5.3EG 5.32025-07-15
Vulnerability in the JDBC component of Oracle Database Server. Supported versions that are affected are 23.4-23.8. Difficult to exploit vulnerability allows low privileged attacker having Authenticated OS User privilege with logon to the …
- CVE-2025-50071MEDIUMCVSS 6.4EG 6.42025-07-15
Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Web Utilities). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker wit…
- CVE-2025-50072MEDIUMCVSS 4.0EG 4.02025-07-15
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated at…
- CVE-2025-50075MEDIUMCVSS 6.5EG 6.52025-10-21
Vulnerability in the Oracle Financial Services Revenue Management and Billing product of Oracle Financial Services Applications (component: Security Management System). Supported versions that are affected are 2.9.0.0.0-7.2.0.0.0. Easily …
- CVE-2025-50081LOWCVSS 3.1EG 3.12025-07-15
Vulnerability in the MySQL Client product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Difficult to exploit vulnerability allows high privileged attac…
- CVE-2025-50087MEDIUMCVSS 4.9EG 4.92025-07-15
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacke…
- CVE-2025-50105HIGHCVSS 8.1EG 8.12025-07-15
Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Administration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged…
- CVE-2025-50107MEDIUMCVSS 6.1EG 6.12025-07-15
Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Request handling). Supported versions that are affected are 12.2.5-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker w…
- CVE-2025-50108MEDIUMCVSS 5.4EG 5.42025-07-15
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Workspace). The supported version that is affected is 11.2.20.0.000. Easily exploitable vulnerability allows low privileged attacker with net…
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →