VYPR

CWE-284

Improper Access Control

PillarIncomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 131 of 135
  • CVE-2015-0297Apr 24, 2015
    risk 0.00cvss epss 0.02

    Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methods via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the…

  • CVE-2015-2575Apr 16, 2015
    risk 0.00cvss epss 0.04

    Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.

  • CVE-2015-0840Apr 13, 2015
    risk 0.00cvss epss 0.02

    The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control file (.dsc).

  • CVE-2015-0675Apr 13, 2015
    risk 0.00cvss epss 0.01

    The failover ipsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(6), 9.2 before 9.2(3.3), and 9.3 before 9.3(3) does not properly validate failover communication messages, which allows remote attackers to reconfigure an ASA device, and…

  • CVE-2015-0694Apr 11, 2015
    risk 0.00cvss epss 0.02

    Cisco ASR 9000 devices with software 5.3.0.BASE do not recognize that certain ACL entries have a single-host constraint, which allows remote attackers to bypass intended network-resource access restrictions by using an address that was not supposed to have been allowed, aka Bug…

  • CVE-2015-1115Apr 10, 2015
    risk 0.00cvss epss 0.00

    The Telephony component in Apple iOS before 8.3 allows attackers to bypass a sandbox protection mechanism and access unintended telephone capabilities via a crafted app.

  • CVE-2015-0119Apr 6, 2015
    risk 0.00cvss epss 0.03

    FastBack Mount in IBM Tivoli Storage Manager FastBack 6.1.x before 6.1.11.1 allows remote attackers to execute arbitrary code by connecting to the Mount port.

  • CVE-2015-2816Apr 1, 2015
    risk 0.00cvss epss 0.03

    The XcListener in SAP Afaria 7.0.6001.5 does not properly restrict access, which allows remote attackers to have unspecified impact via a crafted request, aka SAP Security Note 2134905.

  • CVE-2015-2792Mar 30, 2015
    risk 0.00cvss epss 0.04

    The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for…

  • CVE-2015-2172Mar 30, 2015
    risk 0.00cvss epss 0.03

    DokuWiki before 2014-05-05d and before 2014-09-29c does not properly check permissions for the ACL plugins, which allows remote authenticated users to gain privileges and add or delete ACL rules via a request to the XMLRPC API.

  • CVE-2015-2559Mar 25, 2015
    risk 0.00cvss epss 0.02

    Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.

  • CVE-2015-0667Mar 18, 2015
    risk 0.00cvss epss 0.02

    The Management Interface on Cisco Content Services Switch (CSS) 11500 devices 8.20.4.02 and earlier allows remote attackers to bypass intended restrictions on local-network device access via crafted SSH packets, aka Bug ID CSCut14855.

  • CVE-2015-2107Mar 14, 2015
    risk 0.00cvss epss 0.00

    HP Operations Manager i Management Pack 1.x before 1.01 for SAP allows local users to execute OS commands by leveraging SAP administrative privileges.

  • CVE-2015-0660Mar 14, 2015
    risk 0.00cvss epss 0.00

    Cisco Virtual TelePresence Server Software does not properly restrict use of the serial port, which allows local users to execute arbitrary OS commands as root by leveraging vSphere controller administrative privileges, aka Bug ID CSCus61123.

  • CVE-2015-1464Mar 9, 2015
    risk 0.00cvss epss 0.02

    RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.

  • CVE-2015-0820Feb 25, 2015
    risk 0.00cvss epss 0.02

    Mozilla Firefox before 36.0 does not properly restrict transitions of JavaScript objects from a non-extensible state to an extensible state, which allows remote attackers to bypass a Caja Compiler sandbox protection mechanism or a Secure EcmaScript sandbox protection mechanism…

  • CVE-2014-9422Feb 19, 2015
    risk 0.00cvss epss 0.03

    The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by…

  • CVE-2014-8757Feb 17, 2015
    risk 0.00cvss epss 0.05

    LG On-Screen Phone (OSP) before 4.3.010 allows remote attackers to bypass authorization via a crafted request.

  • CVE-2014-6195Feb 14, 2015
    risk 0.00cvss epss 0.00

    The (1) Java GUI and (2) Web GUI components in the IBM Tivoli Storage Manager (TSM) Backup-Archive client 5.4 and 5.5 before 5.5.4.4 on AIX, Linux, and Solaris; 5.4.x and 5.5.x on Windows and z/OS; 6.1 before 6.1.5.7 on z/OS; 6.1 and 6.2 before 6.2.5.2 on Windows, before 6.2.5.3…

  • CVE-2015-0929Feb 3, 2015
    risk 0.00cvss epss 0.03

    time.htm in the web interface on SerVision HVG Video Gateway devices with firmware before 2.2.26a78 allows remote attackers to bypass authentication and obtain administrative access by leveraging a cookie received in an HTTP response.