Vulnerabilities (CVE)

Filtered by CWE-284
Total 4438 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-31846 1 Italtel 1 Embrace 2026-06-17 N/A 7.5 HIGH
An issue was discovered in Italtel Embrace 1.6.4. The web application does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2024-31805 1 Totolink 2 Ex200, Ex200 Firmware 2026-06-17 N/A 6.5 MEDIUM
TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to start the Telnet service without authorization via the telnet_enabled parameter in the setTelnetCfg function.
CVE-2024-31759 1 Publiccms 1 Publiccms 2026-06-17 N/A 8.8 HIGH
An issue in sanluan PublicCMS v.4.0.202302.e allows an attacker to escalate privileges via the change password function.
CVE-2024-31503 1 Dolibarr 1 Dolibarr Erp/crm 2026-06-17 N/A 7.5 HIGH
Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover.
CVE-2024-31320 1 Google 1 Android 2026-06-17 N/A 7.8 HIGH
In setSkipPrompt of AssociationRequest.java, there is a possible way to establish a companion device association without any confirmation due to CDM. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2024-30481 1 Jch Optimize Project 1 Jch Optimize 2026-06-17 N/A 6.5 MEDIUM
Broken Access Control vulnerability in Samuel Marshall JCH Optimize. This issue affects JCH Optimize: from n/a through 4.0.0.
CVE-2024-30418 1 Huawei 2 Emui, Harmonyos 2026-06-17 N/A 7.5 HIGH
Vulnerability of insufficient permission verification in the app management module. Impact: Successful exploitation of this vulnerability will affect availability.
CVE-2024-30261 2 Fedoraproject, Nodejs 2 Fedora, Undici 2026-06-17 N/A 2.6 LOW
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered with. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
CVE-2024-30211 2026-06-17 N/A 6.0 MEDIUM
Improper access control in some Intel(R) ME driver pack installer engines before version 2422.6.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-30148 1 Hcltech 1 Hcl Leap 2026-06-17 N/A 4.1 MEDIUM
Improper access control of endpoint in HCL Leap allows certain admin users to import applications from the server's filesystem.
CVE-2024-30146 1 Hcltech 1 Domino Leap 2026-06-17 N/A 4.1 MEDIUM
Improper access control of endpoint in HCL Domino Leap allows certain admin users to import applications from the server's filesystem.
CVE-2024-30107 1 Hcltech 1 Connections 2026-06-17 N/A 3.5 LOW
HCL Connections contains a broken access control vulnerability that may expose sensitive information to unauthorized users in certain scenarios.
CVE-2024-30059 1 Microsoft 1 Intune Mobile Application Management 2026-06-17 N/A 6.1 MEDIUM
Microsoft Intune for Android Mobile Application Management Tampering Vulnerability
CVE-2024-2880 1 Gitlab 1 Gitlab 2026-06-17 N/A 2.7 LOW
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 in which a user with `admin_group_member` custom role permission could ban group members.
CVE-2024-2749 1 Vikwp 1 Vikbooking Hotel Booking Engine & Pms 2026-06-17 N/A 5.9 MEDIUM
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8's access control mechanism fails to properly restrict access to its settings, permitting any users that can access a menu to manipulate requests and perform unauthorized actions such as editing, renaming or deleting (categories for example) despite initial settings prohibiting such access. This vulnerability resembles broken access control, enabling unauthorized users to modify critical VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8 configurations.
CVE-2024-2481 1 Surya2developer 1 Hostel Management System 2026-06-17 6.4 MEDIUM 6.5 MEDIUM
A vulnerability, which was classified as critical, was found in Surya2Developer Hostel Management System 1.0. Affected is an unknown function of the file /admin/manage-students.php. The manipulation of the argument del leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-256890 is the identifier assigned to this vulnerability.
CVE-2024-2447 1 Mattermost 1 Mattermost Server 2026-06-17 N/A 6.5 MEDIUM
Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.
CVE-2024-2315 1 Ami 1 Aptio V 2026-06-17 N/A 7.1 HIGH
APTIOV contains a vulnerability in BIOS which may allow Improper Access Control by a local attacker. Successful exploitation of this vulnerability may lead to unexpected SPI flash modifications and BIOS boot kit launches, also impacting availability.
CVE-2024-2281 1 Boyiddha 1 Automated-mess-management-system 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in boyiddha Automated-Mess-Management-System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/index.php of the component Setting Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256048. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-2217 1 Gaizhenbiao 1 Chuanhuchatgpt 2026-06-17 N/A 7.5 HIGH
gaizhenbiao/chuanhuchatgpt is vulnerable to improper access control, allowing unauthorized access to the `config.json` file. This vulnerability is present in both authenticated and unauthenticated versions of the application, enabling attackers to obtain sensitive information such as API keys (`openai_api_key`, `google_palm_api_key`, `xmchat_api_key`, etc.), configuration details, and user credentials. The issue stems from the application's handling of HTTP requests for the `config.json` file, which does not properly restrict access based on user authentication.