Vulnerabilities (CVE)

Filtered by CWE-284
Total 4391 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-6796 1 Baxter 1 Connex Health Portal 2026-06-17 N/A 8.2 HIGH
In Baxter Connex health portal released before 8/30/2024, an improper access control vulnerability has been found that could allow an unauthenticated attacker to gain unauthorized access to Connex portal's database and/or modify content.
CVE-2024-6738 1 Wisdomgarden 1 Tronclass 2026-06-17 N/A 5.3 MEDIUM
The tumbnail API of Tronclass from WisdomGarden lacks proper access control, allowing unauthenticated remote attackers to obtain certain specific files by modifying the URL.
CVE-2024-6737 1 Electronic Official Document Management System Project 1 Electronic Official Document Management System 2026-06-17 N/A 8.8 HIGH
The access control in the Electronic Official Document Management System from 2100 TECHNOLOGY is not properly implemented, allowing remote attackers with regular privileges to access the account settings functionality and create an administrator account.
CVE-2024-6727 2026-06-17 N/A 5.4 MEDIUM
A flaw in versions of Delphix Data Control Tower (DCT) prior to 19.0.0 results in broken authentication through the enable-scale-testing functionality of the application.
CVE-2024-6428 1 Mattermost 1 Mattermost 2026-06-17 N/A 5.3 MEDIUM
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken functionality in User Management such administrative actions against the user not working.
CVE-2024-6385 1 Gitlab 1 Gitlab 2026-06-17 N/A 9.6 CRITICAL
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances.
CVE-2024-6364 1 Absolute 1 Persistence 2026-06-17 N/A 6.4 MEDIUM
A vulnerability in Absolute Persistence® versions before 2.8 exists when it is not activated. This may allow a skilled attacker with both physical access to the device, and full hostile network control, to initiate OS commands on the device. To remediate this vulnerability, update the device firmware to the latest available version. Please contact the device manufacturer for upgrade instructions or contact Absolute Security, see reference below.
CVE-2024-6221 1 Corydolphin 1 Flask-cors 2026-06-17 N/A 7.5 HIGH
A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.
CVE-2024-5840 2 Fedoraproject, Google 2 Fedora, Chrome 2026-06-17 N/A 6.5 MEDIUM
Policy bypass in CORS in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium)
CVE-2024-5814 1 Wolfssl 1 Wolfssl 2026-06-17 N/A 5.3 MEDIUM
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500
CVE-2024-5687 1 Mozilla 1 Firefox 2026-06-17 N/A 5.3 MEDIUM
If a specific sequence of actions is performed when opening a new tab, the triggering principal associated with the new tab may have been incorrect. The triggering principal is used to calculate many values, including the `Referer` and `Sec-*` headers, meaning there is the potential for incorrect security checks within the browser in addition to incorrect or misleading information sent to remote websites. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 127.
CVE-2024-5655 1 Gitlab 1 Gitlab 2026-06-17 N/A 9.6 CRITICAL
An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to trigger a pipeline as another user under certain circumstances.
CVE-2024-5650 2026-06-17 N/A 8.5 HIGH
DLL Hijacking vulnerability has been found in CENTUM CAMS Log server provided by Yokogawa Electric Corporation. If an attacker is somehow able to intrude into a computer that installed affected product or access to a shared folder, by replacing the DLL file with a tampered one, it is possible to execute arbitrary programs with the authority of the SYSTEM account. The affected products and versions are as follows: CENTUM CS 3000 R3.08.10 to R3.09.50 CENTUM VP R4.01.00 to R4.03.00, R5.01.00 to R5.04.20, R6.01.00 to R6.11.10.
CVE-2024-5470 1 Gitlab 1 Gitlab 2026-06-17 N/A 3.8 LOW
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with `admin_push_rules` permission may have been able to create project-level deploy tokens.
CVE-2024-5430 1 Gitlab 1 Gitlab 2026-06-17 N/A 6.8 MEDIUM
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer can delete the merge request approval policy via graphQL.
CVE-2024-5331 1 Soflyy 1 Breakdance 2026-06-17 N/A 4.3 MEDIUM
The Breakdance plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 1.7.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to export form submissions.
CVE-2024-5272 1 Mattermost 1 Mattermost Server 2026-06-17 N/A 4.3 MEDIUM
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the playbook run when the run is marked by finished.
CVE-2024-5270 1 Mattermost 1 Mattermost Server 2026-06-17 N/A 4.3 MEDIUM
Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email and possibly edit personal details that were otherwise non-editable and provided by the SAML provider.
CVE-2024-5257 1 Gitlab 1 Gitlab 2026-06-17 N/A 4.9 MEDIUM
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with `admin_compliance_framework` custom role may have been able to modify the URL for a group namespace.
CVE-2024-5168 2026-06-17 N/A 9.8 CRITICAL
Improper access control vulnerability in Prodys' Quantum Audio codec affecting versions 2.3.4t and below. This vulnerability could allow an unauthenticated user to bypass authentication entirely and execute arbitrary API requests against the web application.