CWE-284

Improper Access Control

PillarIncomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Parents

none

Children

CWE-1191
CWE-1220
CWE-1224
CWE-1231
CWE-1233
CWE-1252
CWE-1257
CWE-1259
CWE-1260
CWE-1262
CWE-1263
CWE-1267
CWE-1270
CWE-1274
CWE-1276
CWE-1280
CWE-1283
CWE-1290
CWE-1292
CWE-1294
CWE-1296
CWE-1304
CWE-1311
CWE-1312
CWE-1313
CWE-1315
CWE-1316
CWE-1317
CWE-1320
CWE-1323
CWE-1334
CWE-269
CWE-282
CWE-285
CWE-286
CWE-287
CWE-346
CWE-749
CWE-923

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,580)

page 107 of 129

CVE	Vendor / Product	CVSS	Published	Description
CVE-2024-45133	Adobe Inc. Commerce	—	Oct 10, 2024	Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. An admin attacker could leverage this vulnerability to have a low impact on confidentiality which may…
CVE-2024-45124	Adobe Inc. Commerce	—	Oct 10, 2024	Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have a low impact on…
CVE-2024-45121	Adobe Inc. Commerce	—	Oct 10, 2024	Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a…
CVE-2024-45122	Adobe Inc. Commerce	—	Oct 10, 2024	Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a…
CVE-2024-45135	Adobe Inc. Commerce	—	Oct 10, 2024	Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An admin attacker could leverage this vulnerability to bypass security measures and have a low…
CVE-2024-45130	Adobe Inc. Commerce	—	Oct 10, 2024	Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a…
CVE-2024-45129	Adobe Inc. Commerce	—	Oct 10, 2024	Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low…
CVE-2024-45118	Adobe Inc. Commerce	—	Oct 10, 2024	Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have…
CVE-2024-45149	Adobe Inc. Commerce	—	Oct 10, 2024	Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and have…
CVE-2024-8037	Canonical Juju	—	Oct 2, 2024	Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are…
CVE-2022-25768	Mautic Mautic	—	Sep 18, 2024	The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of…
CVE-2024-46990	Monospace Directus	—	Sep 18, 2024	Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter a user may bypass this block by using other registered loopback devices (like `127.0.0.2` - `127.127.127.127`). This…
CVE-2024-39772	Mattermost Mattermost	—	Sep 16, 2024	Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.
CVE-2024-6087	Lunary AI Lunary	—	Sep 13, 2024	An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to…
CVE-2024-45233	—	—	Aug 28, 2024	An issue was discovered in powermail extension through 12.3.5 for TYPO3. Several actions in the OutputController can directly be called, due to missing or insufficiently implemented access checks, resulting in Broken Access Control. Depending on the configuration of the…
CVE-2024-43780	Mattermost Mattermost	—	Aug 22, 2024	Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel.
CVE-2024-42497	Mattermost Mattermost	—	Aug 22, 2024	Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to properly enforce permissions which allows a user with systems manager role with read-only access to teams to perform write operations on teams.
CVE-2024-40884	Mattermost Mattermost	—	Aug 22, 2024	Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL.
CVE-2024-8071	Mattermost Mattermost	—	Aug 22, 2024	Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to…
CVE-2024-32939	Mattermost Mattermost	—	Aug 22, 2024	Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server."

CVE-2024-45133Oct 10, 2024
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.00
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. An admin attacker could leverage this vulnerability to have a low impact on confidentiality which may…
CVE-2024-45124Oct 10, 2024
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.00
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have a low impact on…
CVE-2024-45121Oct 10, 2024
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.00
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a…
CVE-2024-45122Oct 10, 2024
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.00
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a…
CVE-2024-45135Oct 10, 2024
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.00
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An admin attacker could leverage this vulnerability to bypass security measures and have a low…
CVE-2024-45130Oct 10, 2024
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.00
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a…
CVE-2024-45129Oct 10, 2024
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.00
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low…
CVE-2024-45118Oct 10, 2024
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.00
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have…
CVE-2024-45149Oct 10, 2024
Adobe Inc.
Commerce
risk 0.00cvss —epss 0.00
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and have…
CVE-2024-8037Oct 2, 2024
Canonical
Juju
risk 0.00cvss —epss 0.00
Vulnerable juju hook tool abstract UNIX domain socket. When combined with an attack of JUJU_CONTEXT_ID, any user on the local system with access to the default network namespace may connect to the @/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket and perform actions that are…
CVE-2022-25768Sep 18, 2024
Mautic
Mautic
risk 0.00cvss —epss 0.00
The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of…
CVE-2024-46990Sep 18, 2024
Monospace
Directus
risk 0.00cvss —epss 0.00
Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter a user may bypass this block by using other registered loopback devices (like `127.0.0.2` - `127.127.127.127`). This…
CVE-2024-39772Sep 16, 2024
Mattermost
Mattermost
risk 0.00cvss —epss 0.00
Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.
CVE-2024-6087Sep 13, 2024
Lunary AI
Lunary
risk 0.00cvss —epss 0.00
An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to…
CVE-2024-45233Aug 28, 2024
risk 0.00cvss —epss 0.00
An issue was discovered in powermail extension through 12.3.5 for TYPO3. Several actions in the OutputController can directly be called, due to missing or insufficiently implemented access checks, resulting in Broken Access Control. Depending on the configuration of the…
CVE-2024-43780Aug 22, 2024
Mattermost
Mattermost
risk 0.00cvss —epss 0.00
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel.
CVE-2024-42497Aug 22, 2024
Mattermost
Mattermost
risk 0.00cvss —epss 0.00
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to properly enforce permissions which allows a user with systems manager role with read-only access to teams to perform write operations on teams.
CVE-2024-40884Aug 22, 2024
Mattermost
Mattermost
risk 0.00cvss —epss 0.00
Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL.
CVE-2024-8071Aug 22, 2024
Mattermost
Mattermost
risk 0.00cvss —epss 0.00
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to…
CVE-2024-32939Aug 22, 2024
Mattermost
Mattermost
risk 0.00cvss —epss 0.00
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server."