CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-282
- CWE-285
- CWE-286
- CWE-287
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,700)
page 130 of 135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-3675 | 0.00 | — | 0.02 | Jul 3, 2015 | The default configuration of the Apache HTTP Server on Apple OS X before 10.10.4 does not enable the mod_hfs_apple module, which allows remote attackers to bypass HTTP authentication via a crafted URL. | |||
| CVE-2015-3672 | 0.00 | — | 0.00 | Jul 3, 2015 | Admin Framework in Apple OS X before 10.10.4 does not properly handle authentication errors, which allows local users to obtain admin privileges via unspecified vectors. | |||
| CVE-2015-3671 | 0.00 | — | 0.00 | Jul 3, 2015 | Admin Framework in Apple OS X before 10.10.4 does not properly verify XPC entitlements, which allows local users to bypass authentication and obtain admin privileges via unspecified vectors. | |||
| CVE-2015-1959 | 0.00 | — | 0.00 | Jun 28, 2015 | IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iFix 68, 6.2 before iFix 44, 6.3 before iFix 37, 6.3.1 before iFix 11, and 6.4 before iFix 2 does not properly restrict encrypted files, which allows local users to obtain sensitive information or possibly have… | |||
| CVE-2015-2952 | 0.00 | — | 0.01 | Jun 13, 2015 | The user-information management functionality in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote authenticated users to bypass intended access restrictions and modify administrative credentials via unspecified vectors, a different… | |||
| CVE-2015-4418 | 0.00 | — | 0.03 | Jun 9, 2015 | Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. | |||
| CVE-2015-2959 | 0.00 | — | 0.03 | Jun 9, 2015 | Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role. | |||
| CVE-2015-4051 | 0.00 | — | 0.06 | Jun 8, 2015 | Beckhoff IPC Diagnostics before 1.8 does not properly restrict access to functions in /config, which allows remote attackers to cause a denial of service (reboot or shutdown), create arbitrary users, or possibly have unspecified other impact via a crafted request, as… | |||
| CVE-2015-2267 | 0.00 | — | 0.02 | Jun 1, 2015 | mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass intended access restrictions and extract archives to arbitrary directories via a crafted dataroot value. | |||
| CVE-2015-1937 | 0.00 | — | 0.02 | May 30, 2015 | IBM PowerVC 1.2.0.x through 1.2.0.4, 1.2.1.x through 1.2.1.2, and 1.2.2.x through 1.2.2.2 does not require authentication for the ceilometer NoSQL database, which allows remote attackers to read or write to arbitrary database records, and consequently obtain administrator… | |||
| CVE-2015-0755 | 0.00 | — | 0.00 | May 29, 2015 | The Posture module for Cisco Identity Services Engine (ISE), as distributed in Cisco AnyConnect Secure Mobility Client 4.0(64), allows local users to gain privileges via unspecified commands, aka Bug ID CSCut05797. | |||
| CVE-2015-0180 | 0.00 | — | 0.01 | May 25, 2015 | The Connector Migration Tool in IBM InfoSphere Information Server 8.1 through 11.3 allows remote authenticated users to bypass intended restrictions on job creation and modification via unspecified vectors. | |||
| CVE-2014-2174 | 0.00 | — | 0.01 | May 25, 2015 | Cisco TelePresence T, TelePresence TE, and TelePresence TC before 7.1 do not properly implement access control, which allows remote attackers to obtain root privileges by sending packets on the local network and allows physically proximate attackers to obtain root privileges via… | |||
| CVE-2015-3911 | 0.00 | — | 0.01 | May 21, 2015 | Huawei E587 Mobile WiFi with firmware before 11.203.30.00.00 allows remote attackers to bypass authentication, change configurations, send messages, and cause a denial of service (device restart) via unspecified vectors. | |||
| CVE-2015-1253 | 0.00 | — | 0.02 | May 20, 2015 | core/html/parser/HTMLConstructionSite.cpp in the DOM implementation in Blink, as used in Google Chrome before 43.0.2357.65, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code that appends a child to a SCRIPT element, related to the insert and… | |||
| CVE-2015-3407 | 0.00 | — | 0.02 | May 19, 2015 | Module::Signature before 0.74 allows remote attackers to bypass signature verification for files via a signature file that does not list the files. | |||
| CVE-2015-3644 | 0.00 | — | 0.02 | May 14, 2015 | Stunnel 5.00 through 5.13, when using the redirect option, does not redirect client connections to the expected server after the initial connection, which allows remote attackers to bypass authentication. | |||
| CVE-2015-0531 | 0.00 | — | 0.02 | May 7, 2015 | EMC SourceOne Email Management before 7.2 does not have a lockout mechanism for invalid login attempts, which makes it easier for remote attackers to obtain access via a brute-force attack. | |||
| CVE-2015-0914 | 0.00 | — | 0.02 | May 1, 2015 | EasyCTF before 1.4 does not validate the session ID, which allows remote attackers to obtain access via a crafted HTTP request. | |||
| CVE-2015-1151 | 0.00 | — | 0.02 | Apr 28, 2015 | Wiki Server in Apple OS X Server before 4.1 allows remote attackers to bypass intended restrictions on Activity and People pages by connecting from an iPad client. |
- CVE-2015-3675Jul 3, 2015risk 0.00cvss —epss 0.02
The default configuration of the Apache HTTP Server on Apple OS X before 10.10.4 does not enable the mod_hfs_apple module, which allows remote attackers to bypass HTTP authentication via a crafted URL.
- CVE-2015-3672Jul 3, 2015risk 0.00cvss —epss 0.00
Admin Framework in Apple OS X before 10.10.4 does not properly handle authentication errors, which allows local users to obtain admin privileges via unspecified vectors.
- CVE-2015-3671Jul 3, 2015risk 0.00cvss —epss 0.00
Admin Framework in Apple OS X before 10.10.4 does not properly verify XPC entitlements, which allows local users to bypass authentication and obtain admin privileges via unspecified vectors.
- CVE-2015-1959Jun 28, 2015risk 0.00cvss —epss 0.00
IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iFix 68, 6.2 before iFix 44, 6.3 before iFix 37, 6.3.1 before iFix 11, and 6.4 before iFix 2 does not properly restrict encrypted files, which allows local users to obtain sensitive information or possibly have…
- CVE-2015-2952Jun 13, 2015risk 0.00cvss —epss 0.01
The user-information management functionality in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote authenticated users to bypass intended access restrictions and modify administrative credentials via unspecified vectors, a different…
- CVE-2015-4418Jun 9, 2015risk 0.00cvss —epss 0.03
Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.
- CVE-2015-2959Jun 9, 2015risk 0.00cvss —epss 0.03
Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role.
- CVE-2015-4051Jun 8, 2015risk 0.00cvss —epss 0.06
Beckhoff IPC Diagnostics before 1.8 does not properly restrict access to functions in /config, which allows remote attackers to cause a denial of service (reboot or shutdown), create arbitrary users, or possibly have unspecified other impact via a crafted request, as…
- CVE-2015-2267Jun 1, 2015risk 0.00cvss —epss 0.02
mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass intended access restrictions and extract archives to arbitrary directories via a crafted dataroot value.
- CVE-2015-1937May 30, 2015risk 0.00cvss —epss 0.02
IBM PowerVC 1.2.0.x through 1.2.0.4, 1.2.1.x through 1.2.1.2, and 1.2.2.x through 1.2.2.2 does not require authentication for the ceilometer NoSQL database, which allows remote attackers to read or write to arbitrary database records, and consequently obtain administrator…
- CVE-2015-0755May 29, 2015risk 0.00cvss —epss 0.00
The Posture module for Cisco Identity Services Engine (ISE), as distributed in Cisco AnyConnect Secure Mobility Client 4.0(64), allows local users to gain privileges via unspecified commands, aka Bug ID CSCut05797.
- CVE-2015-0180May 25, 2015risk 0.00cvss —epss 0.01
The Connector Migration Tool in IBM InfoSphere Information Server 8.1 through 11.3 allows remote authenticated users to bypass intended restrictions on job creation and modification via unspecified vectors.
- CVE-2014-2174May 25, 2015risk 0.00cvss —epss 0.01
Cisco TelePresence T, TelePresence TE, and TelePresence TC before 7.1 do not properly implement access control, which allows remote attackers to obtain root privileges by sending packets on the local network and allows physically proximate attackers to obtain root privileges via…
- CVE-2015-3911May 21, 2015risk 0.00cvss —epss 0.01
Huawei E587 Mobile WiFi with firmware before 11.203.30.00.00 allows remote attackers to bypass authentication, change configurations, send messages, and cause a denial of service (device restart) via unspecified vectors.
- CVE-2015-1253May 20, 2015risk 0.00cvss —epss 0.02
core/html/parser/HTMLConstructionSite.cpp in the DOM implementation in Blink, as used in Google Chrome before 43.0.2357.65, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code that appends a child to a SCRIPT element, related to the insert and…
- CVE-2015-3407May 19, 2015risk 0.00cvss —epss 0.02
Module::Signature before 0.74 allows remote attackers to bypass signature verification for files via a signature file that does not list the files.
- CVE-2015-3644May 14, 2015risk 0.00cvss —epss 0.02
Stunnel 5.00 through 5.13, when using the redirect option, does not redirect client connections to the expected server after the initial connection, which allows remote attackers to bypass authentication.
- CVE-2015-0531May 7, 2015risk 0.00cvss —epss 0.02
EMC SourceOne Email Management before 7.2 does not have a lockout mechanism for invalid login attempts, which makes it easier for remote attackers to obtain access via a brute-force attack.
- CVE-2015-0914May 1, 2015risk 0.00cvss —epss 0.02
EasyCTF before 1.4 does not validate the session ID, which allows remote attackers to obtain access via a crafted HTTP request.
- CVE-2015-1151Apr 28, 2015risk 0.00cvss —epss 0.02
Wiki Server in Apple OS X Server before 4.1 allows remote attackers to bypass intended restrictions on Activity and People pages by connecting from an iPad client.