VYPR

CWE-284

Improper Access Control

Pillar (abstraction) · Incomplete (status)

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 14 of 135
  • CVE-2025-20341 · High · Nov 13, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    A vulnerability in Cisco Catalyst Center Virtual Appliance could allow an authenticated, remote attacker to elevate privileges to Administrator on an affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this…

  • CVE-2025-62159 · High · Oct 10, 2025
    risk 0.57 · CVSS not listed · EPSS 0.00

    External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider…

  • CVE-2025-10957 · High · Sep 25, 2025
    risk 0.57 · CVSS not listed · EPSS 0.00

    This vulnerability exists in the Syrotech SY-GPON-2010-WADONT router due to improper access control in its FTP service. A remote attacker could exploit this vulnerability by establishing an FTP connection using default credentials, potentially gaining unauthorized access to…

  • CVE-2025-43270 · High · Jul 30, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may gain unauthorized access to Local Network.

  • CVE-2025-45081 · High · Jul 1, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Misconfigured settings in IITB SSO v1.1.0 allow attackers to access sensitive application data.

  • CVE-2024-37355 · High · Feb 12, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Improper access control in some Intel(R) Graphics software may allow an authenticated user to potentially enable escalation of privilege via local access.

  • CVE-2024-51734 · High · Nov 4, 2024
    risk 0.57 · CVSS not listed · EPSS 0.00

    Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2.…

  • CVE-2024-46280 · High · Sep 30, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    PIX-LINK LV-WR22 RE3002-P1-01_V117.0 is vulnerable to Improper Access Control. The TELNET service is enabled with weak credentials for a root-level account, without the possibility of changing them.

  • CVE-2024-45982 · High · Sep 26, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    A host header injection vulnerability in scheduleR v0.0.18 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This allows attackers to arbitrarily reset other users' passwords and compromise their accounts.

  • CVE-2024-40531 · High · Aug 5, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    A mass assignment vulnerability exists in Pantera CRM versions 401.152 and 402.072. This flaw allows authenticated users to modify any user attribute, including roles, by injecting additional parameters via profile management functions.

  • CVE-2022-45929 · High · Jun 20, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Northern.tech Mender 3.3.x before 3.3.2, 3.5.x before 3.5.0, and 3.6.x before 3.6.0 has Incorrect Access Control and allows users to change their roles and could allow privilege escalation from a low-privileged read-only user to a high-privileged user.

  • CVE-2024-27855 · High · Jun 10, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The issue was addressed with improved checks. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, macOS Ventura 13.6.7. A shortcut may be able to use sensitive data with certain actions without prompting the user.

  • CVE-2024-33227 · High · May 22, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    An issue in the component ddcdrv.sys of Nicomsoft WinI2C/DDC v3.7.4.0 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests.

  • CVE-2022-32507 · High · May 14, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An issue was discovered on certain Nuki Home Solutions devices. Some BLE commands, which should have been designed to be only called from privileged accounts, could also be called from unprivileged accounts. This demonstrates that no access controls were implemented for the…

  • CVE-2023-38298 · High · Apr 22, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Various software builds for the following TCL devices (30Z, A3X, 20XE, 10L) leak the device IMEI to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining…

  • CVE-2023-50702 · High · Mar 26, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Sikka SSCWindowsService 5 2023-09-14 executes a program as LocalSystem but allows full control by low-privileged users (and low-privileged users have write access to %PROGRAMDATA%\SSCService). Consequently, low-privileged users can execute arbitrary code as LocalSystem.

  • CVE-2021-4361 · High · Jun 7, 2023
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the jobsearch_job_integrations_settin_save AJAX action in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers to update…

  • CVE-2020-36700 · High · Jun 7, 2023
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The Page Builder: KingComposer plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.9.3. This is due to a security nonce being leaked in the '/wp-admin/index.php' page. This makes it possible for authenticated attackers to change…

  • CVE-2018-0436 · High · Oct 5, 2018
    risk 0.57 · CVSS 8.7 · EPSS 0.01

    A vulnerability in Cisco Webex Teams, formerly Cisco Spark, could allow an authenticated, remote attacker to view and modify data for an organization other than their own organization. The vulnerability exists because the affected software performs insufficient checks for…

  • CVE-2018-0343 · High · Jul 18, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.02

    A vulnerability in the configuration and management service of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to execute arbitrary code with vmanage user privileges or cause a denial of service (DoS) condition on an affected system. The vulnerability is…