VYPR

CWE-284

Improper Access Control

Pillar · Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,580)

page 113 of 129
  • CVE-2023-33191 · May 30, 2023
    risk 0.00 cvss · epss 0.00

    Kyverno is a policy engine designed for Kubernetes. Kyverno seccomp control can be circumvented. Users of the podSecurity `validate.podSecurity` subrule in Kyverno 1.9.2 and 1.9.3 are vulnerable. This issue was patched in version 1.9.4.

  • CVE-2023-33947 · May 24, 2023
    risk 0.00 cvss · epss 0.00

    The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual…

  • CVE-2023-33946 · May 24, 2023
    risk 0.00 cvss · epss 0.00

    The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in different virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via…

  • CVE-2023-2429 · Apr 30, 2023
    risk 0.00 cvss · epss 0.01

    Improper Access Control in GitHub repository thorsten/phpmyfaq prior to 3.1.13.

  • CVE-2023-2202 · Apr 21, 2023
    risk 0.00 cvss · epss 0.00

    Improper Access Control in GitHub repository francoisjacquet/rosariosis prior to 10.9.3.

  • CVE-2023-29513 · Apr 18, 2023
    risk 0.00 cvss · epss 0.02

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. If a guest has view right on any document, it's possible to create a new user using the `distribution/firstadminuser.wiki` in the wrong context. This vulnerability has been…

  • CVE-2023-2104 · Apr 15, 2023
    risk 0.00 cvss · epss 0.00

    Improper Access Control in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

  • CVE-2023-1883 · Apr 5, 2023
    risk 0.00 cvss · epss 0.00

    Improper Access Control in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

  • CVE-2023-22250 · Mar 27, 2023
    risk 0.00 cvss · epss 0.00

    Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature.…

  • CVE-2023-28443 · Mar 23, 2023
    risk 0.00 cvss · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version…

  • CVE-2023-28675 · Mar 23, 2023
    risk 0.00 cvss · epss 0.01

    A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.

  • CVE-2023-28673 · Mar 23, 2023
    risk 0.00 cvss · epss 0.01

    A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2023-26471 · Mar 2, 2023
    risk 0.00 cvss · epss 0.11

    XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled), but the async macro does not take into account the restricted mode. This means…

  • CVE-2023-26473 · Mar 2, 2023
    risk 0.00 cvss · epss 0.00

    XWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select and access data stored in the database. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10. There is no workaround for this…

  • CVE-2023-26474 · Mar 2, 2023
    risk 0.00 cvss · epss 0.02

    XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds.

  • CVE-2023-0994 · Feb 24, 2023
    risk 0.00 cvss · epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository francoisjacquet/rosariosis prior to 10.8.2.

  • CVE-2023-23923 · Feb 17, 2023
    risk 0.00 cvss · epss 0.00

    The vulnerability was found in Moodle and exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted…

  • CVE-2023-0744 · Feb 8, 2023
    risk 0.00 cvss · epss 0.09

    Improper Access Control in GitHub repository answerdev/answer prior to 1.0.4.

  • CVE-2022-21953 · Feb 7, 2023
    risk 0.00 cvss · epss 0.00

    A Missing Authorization vulnerability in SUSE Rancher allows an authenticated user to create an unauthorized shell pod and kubectl access in the local cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions…

  • CVE-2022-43759 · Feb 7, 2023
    risk 0.00 cvss · epss 0.00

    An Improper Privilege Management vulnerability in SUSE Rancher allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to…