CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-282
- CWE-285
- CWE-286
- CWE-287
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,700)
page 14 of 135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-20341 | Hig | 0.57 | 8.8 | 0.01 | Nov 13, 2025 | A vulnerability in Cisco Catalyst Center Virtual Appliance could allow an authenticated, remote attacker to elevate privileges to Administrator on an affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this… | ||
| CVE-2025-62159 | Hig | 0.57 | — | 0.00 | Oct 10, 2025 | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider… | ||
| CVE-2025-10957 | Hig | 0.57 | — | 0.00 | Sep 25, 2025 | This vulnerability exists in the Syrotech SY-GPON-2010-WADONT router due to improper access control in its FTP service. A remote attacker could exploit this vulnerability by establishing an FTP connection using default credentials, potentially gaining unauthorized access to… | ||
| CVE-2025-43270 | Hig | 0.57 | 8.8 | 0.00 | Jul 30, 2025 | An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may gain unauthorized access to Local Network. | ||
| CVE-2025-45081 | — | Hig | 0.57 | 8.8 | 0.00 | Jul 1, 2025 | Misconfigured settings in IITB SSO v1.1.0 allow attackers to access sensitive application data. | |
| CVE-2024-37355 | — | Hig | 0.57 | 8.8 | 0.00 | Feb 12, 2025 | Improper access control in some Intel(R) Graphics software may allow an authenticated user to potentially enable escalation of privilege via local access. | |
| CVE-2024-51734 | Hig | 0.57 | — | 0.00 | Nov 4, 2024 | Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2.… | ||
| CVE-2024-46280 | Hig | 0.57 | 8.8 | 0.00 | Sep 30, 2024 | PIX-LINK LV-WR22 RE3002-P1-01_V117.0 is vulnerable to Improper Access Control. The TELNET service is enabled with weak credentials for a root-level account, without the possibility of changing them. | ||
| CVE-2024-45982 | Hig | 0.57 | 8.8 | 0.00 | Sep 26, 2024 | A host header injection vulnerability in scheduleR v0.0.18 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This allows attackers to arbitrarily reset other users' passwords and compromise their accounts. | ||
| CVE-2024-40531 | Hig | 0.57 | 8.8 | 0.00 | Aug 5, 2024 | A mass assignment vulnerability exists in Pantera CRM versions 401.152 and 402.072. This flaw allows authenticated users to modify any user attribute, including roles, by injecting additional parameters via profile management functions. | ||
| CVE-2022-45929 | Hig | 0.57 | 8.8 | 0.00 | Jun 20, 2024 | Northern.tech Mender 3.3.x before 3.3.2, 3.5.x before 3.5.0, and 3.6.x before 3.6.0 has Incorrect Access Control and allows users to change their roles and could allow privilege escalation from a low-privileged read-only user to a high-privileged user. | ||
| CVE-2024-27855 | Hig | 0.57 | 8.8 | 0.01 | Jun 10, 2024 | The issue was addressed with improved checks. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, macOS Ventura 13.6.7. A shortcut may be able to use sensitive data with certain actions without prompting the user. | ||
| CVE-2024-33227 | Hig | 0.57 | 8.8 | 0.00 | May 22, 2024 | An issue in the component ddcdrv.sys of Nicomsoft WinI2C/DDC v3.7.4.0 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests. | ||
| CVE-2022-32507 | Hig | 0.57 | 8.8 | 0.01 | May 14, 2024 | An issue was discovered on certain Nuki Home Solutions devices. Some BLE commands, which should have been designed to be only called from privileged accounts, could also be called from unprivileged accounts. This demonstrates that no access controls were implemented for the… | ||
| CVE-2023-38298 | Hig | 0.57 | 8.8 | 0.00 | Apr 22, 2024 | Various software builds for the following TCL devices (30Z, A3X, 20XE, 10L) leak the device IMEI to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining… | ||
| CVE-2023-50702 | Hig | 0.57 | 8.8 | 0.01 | Mar 26, 2024 | Sikka SSCWindowsService 5 2023-09-14 executes a program as LocalSystem but allows full control by low-privileged users (and low-privileged users have write access to %PROGRAMDATA%\SSCService). Consequently, low-privileged users can execute arbitrary code as LocalSystem. | ||
| CVE-2021-4361 | Hig | 0.57 | 8.8 | 0.01 | Jun 7, 2023 | The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the jobsearch_job_integrations_settin_save AJAX action in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers to update… | ||
| CVE-2020-36700 | Hig | 0.57 | 8.8 | 0.01 | Jun 7, 2023 | The Page Builder: KingComposer plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.9.3. This is due to a security nonce being leaked in the '/wp-admin/index.php' page. This makes it possible for authenticated attackers to change… | ||
| CVE-2018-0436 | Hig | 0.57 | 8.7 | 0.01 | Oct 5, 2018 | A vulnerability in Cisco Webex Teams, formerly Cisco Spark, could allow an authenticated, remote attacker to view and modify data for an organization other than their own organization. The vulnerability exists because the affected software performs insufficient checks for… | ||
| CVE-2018-0343 | Hig | 0.57 | 8.8 | 0.02 | Jul 18, 2018 | A vulnerability in the configuration and management service of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to execute arbitrary code with vmanage user privileges or cause a denial of service (DoS) condition on an affected system. The vulnerability is… |
- risk 0.57cvss 8.8epss 0.01
A vulnerability in Cisco Catalyst Center Virtual Appliance could allow an authenticated, remote attacker to elevate privileges to Administrator on an affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this…
- risk 0.57cvss —epss 0.00
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider…
- risk 0.57cvss —epss 0.00
This vulnerability exists in the Syrotech SY-GPON-2010-WADONT router due to improper access control in its FTP service. A remote attacker could exploit this vulnerability by establishing an FTP connection using default credentials, potentially gaining unauthorized access to…
- risk 0.57cvss 8.8epss 0.00
An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may gain unauthorized access to Local Network.
- risk 0.57cvss 8.8epss 0.00
Misconfigured settings in IITB SSO v1.1.0 allow attackers to access sensitive application data.
- risk 0.57cvss 8.8epss 0.00
Improper access control in some Intel(R) Graphics software may allow an authenticated user to potentially enable escalation of privilege via local access.
- risk 0.57cvss —epss 0.00
Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2.…
- risk 0.57cvss 8.8epss 0.00
PIX-LINK LV-WR22 RE3002-P1-01_V117.0 is vulnerable to Improper Access Control. The TELNET service is enabled with weak credentials for a root-level account, without the possibility of changing them.
- risk 0.57cvss 8.8epss 0.00
A host header injection vulnerability in scheduleR v0.0.18 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This allows attackers to arbitrarily reset other users' passwords and compromise their accounts.
- risk 0.57cvss 8.8epss 0.00
A mass assignment vulnerability exists in Pantera CRM versions 401.152 and 402.072. This flaw allows authenticated users to modify any user attribute, including roles, by injecting additional parameters via profile management functions.
- risk 0.57cvss 8.8epss 0.00
Northern.tech Mender 3.3.x before 3.3.2, 3.5.x before 3.5.0, and 3.6.x before 3.6.0 has Incorrect Access Control and allows users to change their roles and could allow privilege escalation from a low-privileged read-only user to a high-privileged user.
- risk 0.57cvss 8.8epss 0.01
The issue was addressed with improved checks. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, macOS Ventura 13.6.7. A shortcut may be able to use sensitive data with certain actions without prompting the user.
- risk 0.57cvss 8.8epss 0.00
An issue in the component ddcdrv.sys of Nicomsoft WinI2C/DDC v3.7.4.0 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests.
- risk 0.57cvss 8.8epss 0.01
An issue was discovered on certain Nuki Home Solutions devices. Some BLE commands, which should have been designed to be only called from privileged accounts, could also be called from unprivileged accounts. This demonstrates that no access controls were implemented for the…
- risk 0.57cvss 8.8epss 0.00
Various software builds for the following TCL devices (30Z, A3X, 20XE, 10L) leak the device IMEI to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining…
- risk 0.57cvss 8.8epss 0.01
Sikka SSCWindowsService 5 2023-09-14 executes a program as LocalSystem but allows full control by low-privileged users (and low-privileged users have write access to %PROGRAMDATA%\SSCService). Consequently, low-privileged users can execute arbitrary code as LocalSystem.
- risk 0.57cvss 8.8epss 0.01
The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the jobsearch_job_integrations_settin_save AJAX action in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers to update…
- risk 0.57cvss 8.8epss 0.01
The Page Builder: KingComposer plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.9.3. This is due to a security nonce being leaked in the '/wp-admin/index.php' page. This makes it possible for authenticated attackers to change…
- risk 0.57cvss 8.7epss 0.01
A vulnerability in Cisco Webex Teams, formerly Cisco Spark, could allow an authenticated, remote attacker to view and modify data for an organization other than their own organization. The vulnerability exists because the affected software performs insufficient checks for…
- risk 0.57cvss 8.8epss 0.02
A vulnerability in the configuration and management service of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to execute arbitrary code with vmanage user privileges or cause a denial of service (DoS) condition on an affected system. The vulnerability is…