Vulnerabilities (CVE)

Filtered by CWE-284 (Improper Access Control)
Total: 4417 CVEs
Columns per entry: CVE | Vendors (count and name) | Products (count and name) | Updated | CVSS v2 | CVSS v3; the CVE description follows each row.
CVE-2024-42775 | Vendors: 1 (Jayesh) | Products: 1 (Hotel Management System) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 9.1 CRITICAL
An Incorrect Access Control vulnerability was found in /admin/add_room_controller.php in Kashipara Hotel Management System v1.0, which allows an unauthenticated attacker to add hotel room entries in the administrator section via direct URL access.
CVE-2024-42772 | Vendors: 1 (Jayesh) | Products: 1 (Hotel Management System) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 7.5 HIGH
An Incorrect Access Control vulnerability was found in /admin/rooms.php in Kashipara Hotel Management System v1.0, which allows an unauthenticated attacker to view hotel room entries in the administrator section.
CVE-2024-42766 | Vendors: 1 (Kjayvik) | Products: 1 (Bus Ticket Reservation System) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 5.4 MEDIUM
Kashipara Bus Ticket Reservation System v1.0 0 is vulnerable to Incorrect Access Control via /deleteTicket.php.
CVE-2024-42655 | Vendors: 1 (Emqx) | Products: 1 (Nanomq) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 8.8 HIGH
An access control issue in NanoMQ v0.21.10 allows attackers to bypass security restrictions and access sensitive system topic messages using MQTT wildcard characters.
CVE-2024-42559 | Vendors: (none listed) | Products: (none listed) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
An issue in the login component (process_login.php) of Hotel Management System commit 79d688 allows attackers to authenticate without providing a valid password.
CVE-2024-42514 | Vendors: 1 (Mitel) | Products: 1 (Micontact Center Business) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 8.1 HIGH
A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.1.0.4 could allow an unauthenticated attacker to conduct an unauthorized access attack due to inadequate access control checks. A successful exploit requires user interaction and could allow an attacker to access sensitive information and send unauthorized messages during an active chat session.
CVE-2024-42497 | Vendors: 1 (Mattermost) | Products: 1 (Mattermost Server) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.0 MEDIUM
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to properly enforce permissions, which allows a user with the system manager role and read-only access to teams to perform write operations on teams.
CVE-2024-42480 | Vendors: 1 (Clastix) | Products: 1 (Kamaji) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 8.1 HIGH
Kamaji is the Hosted Control Plane Manager for Kubernetes. In versions 1.0.0 and earlier, Kamaji uses an "open at the top" range definition in RBAC for etcd roles, leading to some Tenant Control Plane (TCP) API servers being able to read, write, and delete the data of other control planes. This vulnerability is fixed in edge-24.8.2.
CVE-2024-42406 | Vendors: 1 (Mattermost) | Products: 1 (Mattermost Server) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 5.4 MEDIUM
Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files.
CVE-2024-42354 | Vendors: 1 (Shopware) | Products: 1 (Shopware) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 5.3 MEDIUM
Shopware is an open commerce platform. The store-API works with regular entities and does not expose all fields to the public API; fields need to be marked as ApiAware in the EntityDefinition, so only ApiAware fields of the EntityDefinition are encoded into the final JSON. Prior to versions 6.6.5.1 and 6.5.8.13, the processing of the Criteria did not take ManyToMany associations into account, so those associations were not handled properly and the ApiAware protection was not applied to them. This issue cannot be reproduced with the default entities shipped by Shopware, but can be triggered with extensions. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.
CVE-2024-42048 | Vendors: (none listed) | Products: (none listed) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.5 MEDIUM
OpenOrange Business Framework version 1.15.5 installs to a directory with overly permissive access control, allowing all authenticated users to write to the installation path. In combination with the application's behavior of loading DLLs from this location, this allows for DLL hijacking and may result in arbitrary code execution and privilege escalation.
CVE-2024-42033 | Vendors: 1 (Huawei) | Products: 2 (Emui, Harmonyos) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.9 MEDIUM
Access control vulnerability in the security verification module. Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.
CVE-2024-42023 | Vendors: 1 (Veeam) | Products: 1 (One) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 8.8 HIGH
An improper access control vulnerability allows low-privileged users to execute code with Administrator privileges remotely.
CVE-2024-42022 | Vendors: 1 (Veeam) | Products: 1 (One) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 5.3 MEDIUM
An incorrect permission assignment vulnerability allows an attacker to modify product configuration files.
CVE-2024-42021 | Vendors: 1 (Veeam) | Products: 1 (One) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.5 MEDIUM
An improper access control vulnerability allows an attacker with valid access tokens to access saved credentials.
CVE-2024-41934 | Vendors: (none listed) | Products: (none listed) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 5.9 MEDIUM
Improper access control in some Intel(R) GPA software before version 2024.3 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2024-41926 | Vendors: 1 (Mattermost) | Products: 1 (Mattermost Server) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 2.7 LOW
Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and to restrict them to the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote.
CVE-2024-41912 | Vendors: 1 (Hp) | Products: 1 (Poly Clariti Manager) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices. The firmware flaw does not properly implement access controls.
CVE-2024-41905 | Vendors: 1 (Siemens) | Products: 1 (Sinec Traffic Analyzer) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 6.8 MEDIUM
A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V2.0). The affected application does not enforce access control when files are accessed. This could allow an authenticated attacker with low privileges to get access to sensitive information.
CVE-2024-41806 | Vendors: (none listed) | Products: (none listed) | Updated: 2026-06-17 | CVSS v2: N/A | CVSS v3: 5.3 MEDIUM
The Open edX Platform is a learning management platform. Instructors can upload CSV files containing learner information to create cohorts in the instructor dashboard. These files are uploaded using the Django default storage. With certain storage backends, uploads may become publicly available when the uploader uses versions master, palm, olive, nutmeg, maple, lilac, koa, or juniper. The patch in commit cb729a3ced0404736dfa0ae768526c82b608657b ensures that cohort data uploaded to AWS S3 buckets is written with a private ACL. Beyond patching, deployers should also ensure that existing cohort uploads have a private ACL, or that other precautions are taken to avoid public access.