VYPR

CWE-284

Improper Access Control

PillarIncomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 132 of 135
  • CVE-2015-0926Feb 1, 2015
    risk 0.00cvss epss 0.00

    Labtech before 100.237 on Linux uses world-writable permissions for root-executed scripts, which allows local users to gain privileges by modifying a script file.

  • CVE-2014-8833Jan 30, 2015
    risk 0.00cvss epss 0.00

    SpotlightIndex in Apple OS X before 10.10.2 does not properly perform deserialization during access to a permission cache, which allows local users to read search results associated with other users' protected files via a Spotlight query.

  • CVE-2014-8827Jan 30, 2015
    risk 0.00cvss epss 0.00

    LoginWindow in Apple OS X before 10.10.2 does not transition to the lock-screen state immediately upon being woken from sleep, which allows physically proximate attackers to obtain sensitive information by reading the screen.

  • CVE-2014-9648Jan 27, 2015
    risk 0.00cvss epss 0.01

    components/navigation_interception/intercept_navigation_resource_throttle.cc in Google Chrome before 40.0.2214.91 on Android does not properly restrict use of intent: URLs to open an application after navigation to a web site, which allows remote attackers to cause a denial of…

  • CVE-2014-9197Jan 27, 2015
    risk 0.00cvss epss 0.02

    The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sensitive setup and configuration information via a direct request.

  • CVE-2015-1307Jan 26, 2015
    risk 0.00cvss epss 0.01

    plasma-workspace before 5.1.95 allows remote attackers to obtain passwords via a Trojan horse Look and Feel package.

  • CVE-2014-9572Jan 26, 2015
    risk 0.00cvss epss 0.02

    MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.

  • CVE-2014-1949Jan 16, 2015
    risk 0.00cvss epss 0.00

    GTK+ 3.10.9 and earlier, as used in cinnamon-screensaver, gnome-screensaver, and other applications, allows physically proximate attackers to bypass the lock screen by pressing the menu button.

  • CVE-2014-1449Dec 25, 2014
    risk 0.00cvss epss 0.02

    The Maxthon Cloud Browser application before 4.1.6.2000 for Android allows remote attackers to spoof the address bar via crafted JavaScript code that uses the history API.

  • CVE-2014-7193Dec 25, 2014
    risk 0.00cvss epss 0.01

    The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes,…

  • CVE-2014-6078Dec 18, 2014
    risk 0.00cvss epss 0.01

    IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force…

  • CVE-2014-9388Dec 17, 2014
    risk 0.00cvss epss 0.02

    bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter.

  • CVE-2014-8632Dec 11, 2014
    risk 0.00cvss epss 0.01

    The structured-clone implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 does not properly interact with XrayWrapper property filtering, which allows remote attackers to bypass intended DOM object restrictions by leveraging property availability after…

  • CVE-2014-8631Dec 11, 2014
    risk 0.00cvss epss 0.02

    The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 supports native-interface passing, which allows remote attackers to bypass intended DOM object restrictions via a call to an unspecified method.

  • CVE-2014-1589Dec 11, 2014
    risk 0.00cvss epss 0.02

    Mozilla Firefox before 34.0 and SeaMonkey before 2.31 provide stylesheets with an incorrect primary namespace, which allows remote attackers to bypass intended access restrictions via an XBL binding.

  • CVE-2014-9117Dec 6, 2014
    risk 0.00cvss epss 0.02

    MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as demonstrated by E4652 for the…

  • CVE-2014-9151Dec 1, 2014
    risk 0.00cvss epss 0.01

    The Services module 7.x-3.x before 7.x-3.10 for Drupal does not properly limit the rate of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack on the administrative password.

  • CVE-2014-6627Nov 19, 2014
    risk 0.00cvss epss 0.02

    Aruba Networks ClearPass before 6.3.5 and 6.4.x before 6.4.1 allows remote attackers to execute arbitrary commands via unspecified vectors, a different vulnerability than CVE-2014-5342.

  • CVE-2014-6626Nov 19, 2014
    risk 0.00cvss epss 0.02

    Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 does not properly restrict access to unspecified administrative functions, which allows remote attackers to bypass authentication and execute administrative actions via unknown vectors.

  • CVE-2014-6625Nov 19, 2014
    risk 0.00cvss epss 0.02

    The Policy Manager in Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 allows remote authenticated users to gain privileges via unspecified vectors.