VYPR

CWE-284

Improper Access Control

Pillar · Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 15 of 135
  • CVE-2018-4845 · High · Jun 26, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability has been identified in RAPIDLab 1200 systems / RAPIDPoint 400 systems / RAPIDPoint 500 systems (All versions _without_ use of Siemens Healthineers Informatics products), RAPIDLab 1200 Series (All versions < V3.3 _with_ Siemens Healthineers Informatics products),…

  • CVE-2016-9905 · High · Jun 11, 2018
    risk 0.57 · cvss 8.8 · epss 0.02

    A potentially exploitable crash in "EnumerateSubDocuments" while adding or removing sub-documents. This vulnerability affects Firefox ESR < 45.6 and Thunderbird < 45.6.

  • CVE-2014-5279 · High · Feb 6, 2018
    risk 0.57 · cvss 8.8 · epss 0.03

    The Docker daemon managed by boot2docker 1.2 and earlier improperly enables unauthenticated TCP connections by default, which makes it easier for remote attackers to gain privileges or execute arbitrary code from children containers.

  • CVE-2017-12262 · High · Nov 2, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability within the firewall configuration of the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) could allow an unauthenticated, adjacent attacker to gain privileged access to services only available on the internal network of the device.…

  • CVE-2013-4246 · High · Oct 30, 2017
    risk 0.57 · cvss 8.8 · epss 0.03

    libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive information by editing packed revision properties.

  • CVE-2017-8448 · High · Sep 29, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    An error was found in the permission model used by X-Pack Alerting 5.0.0 to 5.6.0 whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges.

  • CVE-2014-9831 · High · Aug 7, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    coders/wpg.c in ImageMagick allows remote attackers to have unspecified impact via a corrupted wpg file.

  • CVE-2014-9830 · High · Aug 7, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    coders/sun.c in ImageMagick allows remote attackers to have unspecified impact via a corrupted sun file.

  • CVE-2014-9828 · High · Aug 7, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    coders/psd.c in ImageMagick allows remote attackers to have unspecified impact via a crafted psd file.

  • CVE-2014-9827 · High · Aug 7, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    coders/xpm.c in ImageMagick allows remote attackers to have unspecified impact via a crafted xpm file.

  • CVE-2016-7824 · High · Jun 9, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    Buffalo NC01WH devices with firmware version 1.0.0.8 and earlier allow authenticated attackers to bypass access restriction to enable the debug option via unspecified vectors.

  • CVE-2016-7811 · High · Jun 9, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Corega CG-WLR300NX firmware Ver. 1.20 and earlier allows an attacker on the same network segment to bypass access restriction to perform arbitrary operations via unspecified vectors.

  • CVE-2017-8438 · High · Jun 5, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. This bug prevents transitioning into the specified user specified in a run_as request. If a role has been created using a template that contains the _user properties,…

  • CVE-2016-2433 · High · Apr 21, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    The Broadcom Wi-Fi driver for Android, as used by BlackBerry smartphones before Build AAE570, allows remote attackers to execute arbitrary code in the context of the kernel.

  • CVE-2014-4707 · High · Apr 2, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Huawei Campus S7700 with software V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300; S9300 with software V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300; S9700 with software V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300 allow unauthorized users to upgrade…

  • CVE-2016-10144 · Critical · Mar 24, 2017
    risk 0.57 · cvss 9.8 · epss 0.05

    coders/ipl.c in ImageMagick allows remote attackers to have unspecific impact by leveraging a missing malloc check.

  • CVE-2016-5750 · High · Mar 23, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    The certificate upload feature in iManager in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to upload JSP pages that would be executed as the iManager user, allowing code execution by logged-in remote users.

  • CVE-2016-10193 · Critical · Mar 3, 2017
    risk 0.57 · cvss 9.8 · epss 0.02

    The espeak-ruby gem before 1.0.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a string to the speak, save, bytes or bytes_wav method in lib/espeak/speech.rb.

  • CVE-2015-8832 · High · Feb 9, 2017
    risk 0.57 · cvss 8.8 · epss 0.03

    Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php in Dotclear before 2.8.2 allow remote authenticated users with "manage their own media items" and "manage their own entries and comments" permissions to execute arbitrary PHP code by uploading a file…

  • CVE-2016-8932 · High · Feb 1, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    IBM Kenexa LMS on Cloud could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server.