VYPR

CWE-284

Improper Access Control

Pillar · Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 130 of 135
  • CVE-2015-3675 · Jul 3, 2015
    risk 0.00 · cvss · epss 0.02

    The default configuration of the Apache HTTP Server on Apple OS X before 10.10.4 does not enable the mod_hfs_apple module, which allows remote attackers to bypass HTTP authentication via a crafted URL.

  • CVE-2015-3672 · Jul 3, 2015
    risk 0.00 · cvss · epss 0.00

    Admin Framework in Apple OS X before 10.10.4 does not properly handle authentication errors, which allows local users to obtain admin privileges via unspecified vectors.

  • CVE-2015-3671 · Jul 3, 2015
    risk 0.00 · cvss · epss 0.00

    Admin Framework in Apple OS X before 10.10.4 does not properly verify XPC entitlements, which allows local users to bypass authentication and obtain admin privileges via unspecified vectors.

  • CVE-2015-1959 · Jun 28, 2015
    risk 0.00 · cvss · epss 0.00

    IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iFix 68, 6.2 before iFix 44, 6.3 before iFix 37, 6.3.1 before iFix 11, and 6.4 before iFix 2 does not properly restrict encrypted files, which allows local users to obtain sensitive information or possibly have…

  • CVE-2015-2952 · Jun 13, 2015
    risk 0.00 · cvss · epss 0.01

    The user-information management functionality in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote authenticated users to bypass intended access restrictions and modify administrative credentials via unspecified vectors, a different…

  • CVE-2015-4418 · Jun 9, 2015
    risk 0.00 · cvss · epss 0.03

    Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.

  • CVE-2015-2959 · Jun 9, 2015
    risk 0.00 · cvss · epss 0.03

    Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role.

  • CVE-2015-4051 · Jun 8, 2015
    risk 0.00 · cvss · epss 0.06

    Beckhoff IPC Diagnostics before 1.8 does not properly restrict access to functions in /config, which allows remote attackers to cause a denial of service (reboot or shutdown), create arbitrary users, or possibly have unspecified other impact via a crafted request, as…

  • CVE-2015-2267 · Jun 1, 2015
    risk 0.00 · cvss · epss 0.02

    mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass intended access restrictions and extract archives to arbitrary directories via a crafted dataroot value.

  • CVE-2015-1937 · May 30, 2015
    risk 0.00 · cvss · epss 0.02

    IBM PowerVC 1.2.0.x through 1.2.0.4, 1.2.1.x through 1.2.1.2, and 1.2.2.x through 1.2.2.2 does not require authentication for the ceilometer NoSQL database, which allows remote attackers to read or write to arbitrary database records, and consequently obtain administrator…

  • CVE-2015-0755 · May 29, 2015
    risk 0.00 · cvss · epss 0.00

    The Posture module for Cisco Identity Services Engine (ISE), as distributed in Cisco AnyConnect Secure Mobility Client 4.0(64), allows local users to gain privileges via unspecified commands, aka Bug ID CSCut05797.

  • CVE-2015-0180 · May 25, 2015
    risk 0.00 · cvss · epss 0.01

    The Connector Migration Tool in IBM InfoSphere Information Server 8.1 through 11.3 allows remote authenticated users to bypass intended restrictions on job creation and modification via unspecified vectors.

  • CVE-2014-2174 · May 25, 2015
    risk 0.00 · cvss · epss 0.01

    Cisco TelePresence T, TelePresence TE, and TelePresence TC before 7.1 do not properly implement access control, which allows remote attackers to obtain root privileges by sending packets on the local network and allows physically proximate attackers to obtain root privileges via…

  • CVE-2015-3911 · May 21, 2015
    risk 0.00 · cvss · epss 0.01

    Huawei E587 Mobile WiFi with firmware before 11.203.30.00.00 allows remote attackers to bypass authentication, change configurations, send messages, and cause a denial of service (device restart) via unspecified vectors.

  • CVE-2015-1253 · May 20, 2015
    risk 0.00 · cvss · epss 0.02

    core/html/parser/HTMLConstructionSite.cpp in the DOM implementation in Blink, as used in Google Chrome before 43.0.2357.65, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code that appends a child to a SCRIPT element, related to the insert and…

  • CVE-2015-3407 · May 19, 2015
    risk 0.00 · cvss · epss 0.02

    Module::Signature before 0.74 allows remote attackers to bypass signature verification for files via a signature file that does not list the files.

  • CVE-2015-3644 · May 14, 2015
    risk 0.00 · cvss · epss 0.02

    Stunnel 5.00 through 5.13, when using the redirect option, does not redirect client connections to the expected server after the initial connection, which allows remote attackers to bypass authentication.

  • CVE-2015-0531 · May 7, 2015
    risk 0.00 · cvss · epss 0.02

    EMC SourceOne Email Management before 7.2 does not have a lockout mechanism for invalid login attempts, which makes it easier for remote attackers to obtain access via a brute-force attack.

  • CVE-2015-0914 · May 1, 2015
    risk 0.00 · cvss · epss 0.02

    EasyCTF before 1.4 does not validate the session ID, which allows remote attackers to obtain access via a crafted HTTP request.

  • CVE-2015-1151 · Apr 28, 2015
    risk 0.00 · cvss · epss 0.02

    Wiki Server in Apple OS X Server before 4.1 allows remote attackers to bypass intended restrictions on Activity and People pages by connecting from an iPad client.