Vulnerabilities > Improper Access Control

DATE CVE VULNERABILITY TITLE RISK
2025-03-26 CVE-2025-20230 In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could edit and delete other user data in App Key Value Store (KVStore) collections that the Splunk Secure Gateway app created.
network
low complexity
CWE-284
4.3
2025-03-26 CVE-2025-20229 In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) through a file upload to the "$SPLUNK_HOME/var/run/splunk/apptemp" directory due to missing authorization checks.
network
low complexity
CWE-284
8.0
2025-03-16 CVE-2025-2348 A vulnerability was found in IROAD Dash Cam FX2 up to 20250308.
low complexity
CWE-284
4.3
2025-03-12 CVE-2025-20144 A vulnerability in the hybrid access control list (ACL) processing of IPv4 packets in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to incorrect handling of packets when a specific configuration of the hybrid ACL exists.
network
high complexity
CWE-284
4.0
2025-03-12 CVE-2024-13430 The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.8 via the 'pagelayer_builder_posts_shortcode' function due to insufficient restrictions on which posts can be included.
network
low complexity
CWE-284
4.3
2025-03-11 CVE-2025-24076 Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally.
local
low complexity
CWE-284
7.3
2025-03-11 CVE-2025-24994 Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally.
local
low complexity
CWE-284
7.3
2025-03-07 CVE-2024-13635 The VK Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.94.2.2 via the page content block.
network
low complexity
CWE-284
4.3
2025-03-03 CVE-2024-51954 Improper Access Control vulnerability in Esri ArcGIS Server 10.9.1/11.1
There is an improper access control issue in ArcGIS Server versions 10.9.1 through 11.3 on Windows and Linux, which, under unique circumstances, could potentially allow a remote, low-privileged authenticated attacker to access secure services published to a standalone (Unfederated) ArcGIS Server instance. If successful, this compromise would have a high impact on confidentiality, low impact on integrity and no impact on availability of the software.
network
low complexity
esri CWE-284
7.1
2025-02-25 CVE-2024-13693 Improper Access Control vulnerability in Kriesi Enfold
The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9.
network
low complexity
kriesi CWE-284
5.3