CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-285
- CWE-286
- CWE-287
- CWE-282
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,700)
page 11 of 135

| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-30132 | | Critical | 0.59 | 9.1 | 0.00 | | Mar 18, 2025 | An issue was discovered on IROAD Dashcam V devices. It uses an unregistered public domain name as an internal domain, creating a security risk. During analysis, it was found that this domain was not owned by IROAD, allowing an attacker to register it and potentially intercept… |
| CVE-2025-1260 | | Critical | 0.59 | 9.1 | 0.00 | | Mar 4, 2025 | On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This issue can result in unexpected configuration/operations being applied to the switch. |
| CVE-2025-1941 | | Critical | 0.59 | 9.1 | 0.00 | | Mar 4, 2025 | Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been bypassed (distinct from CVE-2025-0245). This vulnerability was fixed in Firefox 136. |
| CVE-2020-35546 | | Critical | 0.59 | 9.1 | 0.00 | | Feb 19, 2025 | Lexmark MX6500 LW75.JD.P296 and previous devices have Incorrect Access Control via the access control settings. |
| CVE-2024-31967 | | Critical | 0.59 | 9.1 | 0.00 | | May 2, 2024 | A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an unauthorized access attack due to improper access control. A… |
| CVE-2021-47155 | | Critical | 0.59 | 9.1 | 0.01 | | Mar 18, 2024 | The Net::IPV4Addr module 0.10 for Perl does not properly consider extraneous zero characters in an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses. |
| CVE-2023-51786 | | Critical | 0.59 | 9.1 | 0.01 | | Mar 7, 2024 | An issue was discovered in Lustre versions 2.13.x, 2.14.x, and 2.15.x before 2.15.4, which allows attackers to escalate privileges and obtain sensitive information via Incorrect Access Control. |
| CVE-2016-9639 | | Critical | 0.59 | 9.1 | 0.03 | | Feb 7, 2017 | Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching. |
| CVE-2016-8325 | | Critical | 0.59 | 9.1 | 0.02 | | Jan 27, 2017 | Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: Internal Operations). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows… |
| CVE-2016-5605 | | Critical | 0.59 | 9.1 | 0.02 | | Oct 25, 2016 | Unspecified vulnerability in the Oracle VM VirtualBox component before 5.1.4 in Oracle Virtualization allows remote attackers to affect confidentiality and integrity via vectors related to VRDE. |
| CVE-2016-5599 | | Critical | 0.59 | 9.1 | 0.02 | | Oct 25, 2016 | Unspecified vulnerability in the Oracle Advanced Supply Chain Planning component in Oracle Supply Chain Products Suite 12.2.3 through 12.2.5 allows remote attackers to affect confidentiality and integrity via vectors related to MscObieeSrvlt. |
| CVE-2016-8565 | | Critical | 0.59 | 9.1 | 0.03 | | Oct 13, 2016 | Siemens Automation License Manager (ALM) before 5.3 SP3 allows remote attackers to write to files, rename files, create directories, or delete directories via crafted packets. |
| CVE-2015-1000009 | | Critical | 0.59 | 9.1 | 0.02 | | Oct 6, 2016 | Open proxy in WordPress plugin google-adsense-and-hotel-booking v1.05 |
| CVE-2016-4694 | | Critical | 0.59 | 9.1 | 0.01 | | Sep 25, 2016 | The Apache HTTP Server in Apple OS X before 10.12 and OS X Server before 5.2 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted CGI client data in the HTTP_PROXY environment variable, which might allow remote attackers to… |
| CVE-2016-4501 | | Critical | 0.59 | 9.1 | 0.02 | | May 31, 2016 | Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and earlier mishandles sessions, which allows remote attackers to bypass authentication and make arbitrary configuration changes via unspecified vectors. |
| CVE-2016-0188 | | High | 0.59 | 8.8 | 0.18 | | May 11, 2016 | The User Mode Code Integrity (UMCI) implementation in Device Guard in Microsoft Internet Explorer 11 allows remote attackers to bypass a code-signing protection mechanism via unspecified vectors, aka "Internet Explorer Security Feature Bypass." |
| CVE-2015-8361 | | Critical | 0.59 | 9.1 | 0.03 | | Feb 8, 2016 | Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port. |
| CVE-2026-46695 | | Critical | 0.58 | 10.0 | 0.00 | | Jun 10, 2026 | Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite does not restrict the kernel capabilities available inside the container; malicious code can… |
| CVE-2018-8088 | — | Critical | 0.58 | 9.8 | 0.15 | | Mar 20, 2018 | org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. EventData in the slf4j-ext module in QOS.CH SLF4J has been fixed in SLF4J versions 1.7.26 later and in the 2.0.x… |
| CVE-2015-2692 | | Critical | 0.58 | 10.0 | 0.02 | | Jun 8, 2017 | AdBlock before 2.21 allows remote attackers to block arbitrary resources on arbitrary websites and to disable arbitrary blocking filters. |