VYPR

CWE-284

Improper Access Control

Abstraction: Pillar · Status: Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
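To make the description concrete, here is an added example (not code from this page or from any product listed on it) of the two forms CWE-284 most often takes in the entries below: a handler that authenticates the caller but never checks that the caller is authorized for the specific object it names, and a handler that copies every submitted field onto the record, so a client can set server-controlled properties. The in-memory document store, the user names and the field allow-list are all constructed for the example; the hardened handler denies by default and restricts writes to an explicit allow-list.

```python
"""Added example for CWE-284 (Improper Access Control).

Everything here is constructed for illustration: the store, the users and
the field names are hypothetical and do not come from any listed product.
"""
from dataclasses import dataclass


@dataclass
class Document:
    doc_id: int
    owner: str
    title: str
    content: str
    approved: bool = False  # server-controlled; a client must never set it


# Constructed in-memory store standing in for a database table.
DOCS = {
    1: Document(1, "alice", "alice-contract", "v1"),
    2: Document(2, "bob", "bob-contract", "v1"),
}

# The only fields a client may change. Everything else is server-controlled.
CLIENT_WRITABLE = {"title", "content"}


class Forbidden(Exception):
    """Raised when the hardened handler refuses a request."""


def update_document_vulnerable(user, doc_id, changes):
    """CWE-284: the caller is authenticated (we have a user name) but the
    handler never checks that this user may touch this doc_id, and it copies
    every submitted field onto the record (mass assignment)."""
    doc = DOCS[doc_id]
    for key, value in changes.items():
        setattr(doc, key, value)
    return doc


def update_document_hardened(user, doc_id, changes):
    """Same operation with access control enforced on the server side."""
    doc = DOCS.get(doc_id)
    # Deny by default. An unknown id and someone else's id get the same
    # answer, so the response does not reveal which ids exist.
    if doc is None or doc.owner != user:
        raise Forbidden(f"{user} may not modify document {doc_id}")
    # Allow-list the mutable fields instead of trusting the request body.
    rejected = set(changes) - CLIENT_WRITABLE
    if rejected:
        raise Forbidden(f"fields not client-writable: {sorted(rejected)}")
    for key in CLIENT_WRITABLE & set(changes):
        setattr(doc, key, changes[key])
    return doc


def demo():
    """Send the same hostile request ('bob' editing alice's document and
    flipping the server-controlled 'approved' flag) to both handlers."""
    hostile = {"content": "tampered", "approved": True}

    doc = update_document_vulnerable("bob", 1, dict(hostile))
    vulnerable_tampered = doc.content == "tampered" and doc.approved is True

    # Restore the record before trying the hardened handler.
    DOCS[1] = Document(1, "alice", "alice-contract", "v1")
    try:
        update_document_hardened("bob", 1, dict(hostile))
        hardened_blocked = False
    except Forbidden:
        hardened_blocked = True

    return {
        "vulnerable_tampered": vulnerable_tampered,
        "hardened_blocked": hardened_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The two checks in the hardened handler map to the two failure modes: the owner comparison is the object-level authorization that an insecure direct object reference lacks, and the allow-list is what stops a request body from reaching fields the server is supposed to own.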

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 18 of 135
  • CVE-2016-1301 · High · Feb 7, 2016
    risk 0.57 · cvss 8.8 · epss 0.02

    The RBAC implementation in Cisco ASA-CX Content-Aware Security software before 9.3.1.1(112) and Cisco Prime Security Manager (PRSM) software before 9.3.1.1(112) allows remote authenticated users to change arbitrary passwords via a crafted HTTP request, aka Bug ID CSCuo94842.

  • CVE-2016-2049 · High · Feb 1, 2016
    risk 0.57 · cvss 8.8 · epss 0.02

    examples/consumer/common.php in JanRain PHP OpenID library (aka php-openid) improperly checks the openid.realm parameter against the SERVER_NAME element in the SERVER superglobal array, which might allow remote attackers to hijack the authentication of arbitrary users via…

  • CVE-2026-7862 · High · May 28, 2026
    risk 0.56 · cvss 8.6 · epss 0.00

    The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for…

  • CVE-2026-35435 · High · May 7, 2026
    risk 0.56 · cvss 8.6 · epss 0.01

    Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network.

  • CVE-2026-40866 · High · Apr 21, 2026
    risk 0.56 · cvss n/a · epss 0.00

    Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee’s document by changing the…

  • CVE-2026-24302 · High · Feb 5, 2026
    risk 0.56 · cvss 8.6 · epss 0.02

    Improper access control in Azure Arc allows an unauthorized attacker to elevate privileges over a network.

  • CVE-2025-39247 · High · Aug 29, 2025
    risk 0.56 · cvss 8.6 · epss 0.01

    There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission.

  • CVE-2024-0258 · High · Mar 8, 2024
    risk 0.56 · cvss 8.6 · epss 0.00

    The issue was addressed with improved memory handling. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, tvOS 17.4, watchOS 10.4. An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges.

  • CVE-2024-0324 · High · Feb 5, 2024
    risk 0.56 · cvss 8.2 · epss 0.02

    The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all…

  • CVE-2022-24036 · High · Nov 16, 2022
    risk 0.56 · cvss 8.6 · epss 0.01

    Karmasis Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated attacker to modify logs.

  • CVE-2016-7212 · High · Nov 10, 2016
    risk 0.56 · cvss 7.8 · epss 0.70

    Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow remote attackers to execute arbitrary code via a crafted image file, aka…

  • CVE-2016-5588 · High · Oct 25, 2016
    risk 0.56 · cvss 8.6 · epss 0.02

    Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.4.0 and 8.5.1 through 8.5.3 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability…

  • CVE-2016-5579 · High · Oct 25, 2016
    risk 0.56 · cvss 8.6 · epss 0.02

    Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.4.0 and 8.5.1 through 8.5.3 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability…

  • CVE-2016-5578 · High · Oct 25, 2016
    risk 0.56 · cvss 8.6 · epss 0.02

    Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.4.0 and 8.5.1 through 8.5.3 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability…

  • CVE-2016-5577 · High · Oct 25, 2016
    risk 0.56 · cvss 8.6 · epss 0.02

    Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.4.0 and 8.5.1 through 8.5.3 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability…

  • CVE-2016-5574 · High · Oct 25, 2016
    risk 0.56 · cvss 8.6 · epss 0.02

    Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.4.0 and 8.5.1 through 8.5.3 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability…

  • CVE-2026-45178 · High · Jun 11, 2026
    risk 0.55 · cvss n/a · epss 0.00

    Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to potentially retrieve unauthorized secrets…

  • CVE-2026-46441 · Critical · Jun 8, 2026
    risk 0.55 · cvss 9.6 · epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties…

  • CVE-2026-42861 · Critical · Jun 8, 2026
    risk 0.55 · cvss 9.6 · epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties…

  • CVE-2026-46820 · High · May 28, 2026
    risk 0.55 · cvss 8.5 · epss 0.00

    Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to…