CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-282
- CWE-285
- CWE-286
- CWE-287
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,700)
page 10 of 135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-50886 | Cri | 0.59 | 9.1 | 0.00 | Jun 15, 2026 | Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request. | ||
| CVE-2026-45177 | Cri | 0.59 | — | 0.01 | Jun 11, 2026 | Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow… | ||
| CVE-2026-45746 | Cri | 0.59 | 9.0 | 0.00 | Jun 5, 2026 | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to improper validation of the sessionId… | ||
| CVE-2026-46819 | Cri | 0.59 | 9.1 | 0.00 | May 28, 2026 | Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP… | ||
| CVE-2026-49002 | — | Cri | 0.59 | 9.1 | 0.00 | May 27, 2026 | Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information. | |
| CVE-2023-24215 | Cri | 0.59 | 9.1 | 0.00 | May 18, 2026 | Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request. | ||
| CVE-2026-34287 | Cri | 0.59 | 9.1 | 0.00 | Apr 21, 2026 | Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise… | ||
| CVE-2021-4477 | Cri | 0.59 | 9.1 | 0.00 | Apr 3, 2026 | Hirschmann HiLCOS OpenBAT and BAT450 products contain a firewall bypass vulnerability in IPv6 IPsec deployments that allows traffic from VPN connections to bypass configured firewall rules. Attackers can exploit this vulnerability by establishing IPv6 IPsec connections (IKEv1 or… | ||
| CVE-2025-69634 | Cri | 0.59 | 9.0 | 0.00 | Feb 12, 2026 | Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token… | ||
| CVE-2026-1181 | Cri | 0.59 | 9.0 | 0.00 | Jan 19, 2026 | Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on… | ||
| CVE-2025-13828 | Cri | 0.59 | — | 0.00 | Dec 2, 2025 | SummaryA non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked. ImpactA low-privileged user of the platform can install malicious code to obtain… | ||
| CVE-2025-60291 | — | Cri | 0.59 | 9.1 | 0.00 | Oct 27, 2025 | An issue was discovered in eTimeTrackLite Web thru 12.0 (20250704). There is a permission control flaw that allows unauthorized attackers to access specific routes and modify database connection configurations. | |
| CVE-2025-57567 | Cri | 0.59 | 9.1 | 0.01 | Oct 17, 2025 | A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code… | ||
| CVE-2025-57247 | — | Cri | 0.59 | 9.1 | 0.00 | Oct 6, 2025 | The BATBToken smart contract (address 0xfbf1388408670c02f0dbbb74251d8ded1d63b7a2, Compiler Version v0.8.26+commit.8a97fa7a) contains incorrect access control implementation in whitelist management functions. The setColdWhiteList() and setSpecialAddress() functions in the base… | |
| CVE-2025-54391 | Cri | 0.59 | 9.1 | 0.01 | Sep 16, 2025 | A vulnerability in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS) allows an attacker with valid user credentials to bypass Two-Factor Authentication (2FA) protection. The attacker can configure an additional 2FA method (either a third-party… | ||
| CVE-2024-45438 | Cri | 0.59 | 9.1 | 0.01 | Aug 21, 2025 | An issue was discovered in TitanHQ SpamTitan Email Security Gateway 8.00.x before 8.00.101 and 8.01.x before 8.01.14. The file quarantine.php within the SpamTitan interface allows unauthenticated users to trigger account-level actions using a crafted GET request. Notably, when a… | ||
| CVE-2025-49603 | Cri | 0.59 | 9.1 | 0.00 | Jun 26, 2025 | Northern.tech Mender Server before 3.7.11 and 4.x before 4.0.1 has Incorrect Access Control. | ||
| CVE-2025-28233 | Cri | 0.59 | 9.1 | 0.00 | Apr 18, 2025 | Incorrect access control in BW Broadcast TX600 (14980), TX300 (32990) (31448), TX150, TX1000, TX30, and TX50 Hardware Version: 2, Software Version: 1.6.0, Control Version: 1.0, AIO Firmware Version: 1.7 allows attackers to access log files and extract session identifiers to… | ||
| CVE-2025-28231 | Cri | 0.59 | 9.1 | 0.00 | Apr 18, 2025 | Incorrect access control in Itel Electronics IP Stream v1.7.0.6 allows unauthorized attackers to execute arbitrary commands with Administrator privileges. | ||
| CVE-2025-3113 | Cri | 0.59 | — | 0.00 | Apr 17, 2025 | A valid, authenticated user with sufficient privileges and who is aware of Continuous Compliance’s internal database configurations can leverage the application’s built-in Connector functionality to access Continuous Compliance’s internal database. This allows the user to… |
- risk 0.59cvss 9.1epss 0.00
Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request.
- risk 0.59cvss —epss 0.01
Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow…
- risk 0.59cvss 9.0epss 0.00
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to improper validation of the sessionId…
- risk 0.59cvss 9.1epss 0.00
Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP…
- risk 0.59cvss 9.1epss 0.00
Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information.
- risk 0.59cvss 9.1epss 0.00
Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request.
- risk 0.59cvss 9.1epss 0.00
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise…
- risk 0.59cvss 9.1epss 0.00
Hirschmann HiLCOS OpenBAT and BAT450 products contain a firewall bypass vulnerability in IPv6 IPsec deployments that allows traffic from VPN connections to bypass configured firewall rules. Attackers can exploit this vulnerability by establishing IPv6 IPsec connections (IKEv1 or…
- risk 0.59cvss 9.0epss 0.00
Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token…
- risk 0.59cvss 9.0epss 0.00
Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on…
- risk 0.59cvss —epss 0.00
SummaryA non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked. ImpactA low-privileged user of the platform can install malicious code to obtain…
- risk 0.59cvss 9.1epss 0.00
An issue was discovered in eTimeTrackLite Web thru 12.0 (20250704). There is a permission control flaw that allows unauthorized attackers to access specific routes and modify database connection configurations.
- risk 0.59cvss 9.1epss 0.01
A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code…
- risk 0.59cvss 9.1epss 0.00
The BATBToken smart contract (address 0xfbf1388408670c02f0dbbb74251d8ded1d63b7a2, Compiler Version v0.8.26+commit.8a97fa7a) contains incorrect access control implementation in whitelist management functions. The setColdWhiteList() and setSpecialAddress() functions in the base…
- risk 0.59cvss 9.1epss 0.01
A vulnerability in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS) allows an attacker with valid user credentials to bypass Two-Factor Authentication (2FA) protection. The attacker can configure an additional 2FA method (either a third-party…
- risk 0.59cvss 9.1epss 0.01
An issue was discovered in TitanHQ SpamTitan Email Security Gateway 8.00.x before 8.00.101 and 8.01.x before 8.01.14. The file quarantine.php within the SpamTitan interface allows unauthenticated users to trigger account-level actions using a crafted GET request. Notably, when a…
- risk 0.59cvss 9.1epss 0.00
Northern.tech Mender Server before 3.7.11 and 4.x before 4.0.1 has Incorrect Access Control.
- risk 0.59cvss 9.1epss 0.00
Incorrect access control in BW Broadcast TX600 (14980), TX300 (32990) (31448), TX150, TX1000, TX30, and TX50 Hardware Version: 2, Software Version: 1.6.0, Control Version: 1.0, AIO Firmware Version: 1.7 allows attackers to access log files and extract session identifiers to…
- risk 0.59cvss 9.1epss 0.00
Incorrect access control in Itel Electronics IP Stream v1.7.0.6 allows unauthorized attackers to execute arbitrary commands with Administrator privileges.
- risk 0.59cvss —epss 0.00
A valid, authenticated user with sufficient privileges and who is aware of Continuous Compliance’s internal database configurations can leverage the application’s built-in Connector functionality to access Continuous Compliance’s internal database. This allows the user to…