VYPR

CWE-284

Improper Access Control

Pillar · Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 19 of 135
  • CVE-2026-9789 · High · May 28, 2026
    risk 0.55 · cvss n/a · epss 0.00

    A Local Privilege Escalation (LPE) vulnerability affects Acer NitroSense software versions prior to 3.01.3052. The vulnerability stems from the PSAdminAgent service, which creates a Named Pipe with a weak Access Control List (ACL). This allows any authenticated local user to…

  • CVE-2026-9489 · High · May 25, 2026
    risk 0.55 · cvss n/a · epss 0.00

    NitroSense 3.x before 3.01.3052 contains a Local Privilege Escalation (LPE) vulnerability. The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute…

  • CVE-2026-7373 · High · May 15, 2026
    risk 0.55 · cvss n/a · epss 0.00

    Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows a user to gain SYSTEM level control of a Windows host. When started, the metasploitPostgreSQL service would start the postgres.exe child process, which would in turn load an OpenSSL…

  • CVE-2026-8069 · High · May 8, 2026
    risk 0.55 · cvss n/a · epss 0.00

    PredatorSense versions 3.00.3136 to 3.00.3196 contain a Local Privilege Escalation (LPE) vulnerability. The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user…

  • CVE-2026-21997 · High · Apr 21, 2026
    risk 0.55 · cvss 8.5 · epss 0.00

    Vulnerability in the Oracle Life Sciences Empirica Signal product of Oracle Life Science Applications (component: Common Core). Supported versions that are affected are 9.2.1-9.2.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to…

  • CVE-2025-14338 · High · Jan 14, 2026
    risk 0.55 · cvss n/a · epss 0.00

    Polkit authentication is disabled by default, and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2025-66005.

  • CVE-2025-66223 · High · Nov 29, 2025
    risk 0.55 · cvss n/a · epss 0.00

    OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different…

  • CVE-2025-10847 · High · Oct 1, 2025
    risk 0.55 · cvss n/a · epss 0.00

    DX Unified Infrastructure Management (Nimsoft/UIM) and below contains an improper ACL handling vulnerability in the robot (controller) component. A remote attacker can execute commands, read from, or write to the target system.

  • CVE-2025-32992 · High · Aug 18, 2025
    risk 0.55 · cvss 8.5 · epss 0.00

    Thermo Fisher Scientific ePort through 3.0.0 has Incorrect Access Control.

  • CVE-2024-41605 · High · Sep 26, 2024
    risk 0.55 · cvss 8.4 · epss 0.00

    In Foxit PDF Reader before 2024.3, and PDF Editor before 2024.3 and 13.x before 13.1.4, an attacker can replace an update file with a Trojan horse via side loading, because the update service lacks integrity validation for the updater. Attacker-controlled code may thus be…

  • CVE-2024-5650 · High · Jun 17, 2024
    risk 0.55 · cvss 8.5 · epss 0.00

    A DLL Hijacking vulnerability has been found in the CENTUM CAMS Log server provided by Yokogawa Electric Corporation. If an attacker is somehow able to intrude into a computer that has the affected product installed, or to access a shared folder, then by replacing the DLL file with a tampered one,…

  • CVE-2024-33396 · High · May 2, 2024
    risk 0.55 · cvss 8.4 · epss 0.00

    An issue in karmada-io karmada v1.9.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component.

  • CVE-2023-38297 · High · Apr 22, 2024
    risk 0.55 · cvss 8.4 · epss 0.01

    An issue was discovered in a third-party com.factory.mmigroup component, shipped on devices from multiple device manufacturers. Certain software builds for various Android devices contain a vulnerable pre-installed app with a package name of com.factory.mmigroup…

  • CVE-2016-4383 · High · Jun 27, 2017
    risk 0.55 · cvss 8.4 · epss 0.03

    The glance-manage db in all versions of HPE Helion Openstack Glance allows deleted image ids to be reassigned, which allows remote authenticated users to cause other users to boot into a modified image without notification of the change.

  • CVE-2016-9976 · High · May 3, 2017
    risk 0.55 · cvss 8.4 · epss 0.02

    IBM Maximo Asset Management 7.1, 7.5, and 7.6 could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL request, which could allow the attacker to execute arbitrary code on the vulnerable server. IBM X-Force ID: 120252.

  • CVE-2017-3523 · High · Apr 24, 2017
    risk 0.55 · cvss 8.5 · epss 0.03

    Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise…

  • CVE-2015-4624 · High · Mar 31, 2017
    risk 0.55 · cvss 7.5 · epss 0.37

    Hak5 WiFi Pineapple 2.0 through 2.3 uses predictable CSRF tokens.

  • CVE-2016-0392 · High · Jun 19, 2016
    risk 0.55 · cvss 8.4 · epss 0.01

    IBM General Parallel File System (GPFS) in GPFS Storage Server 2.0.0 through 2.0.7 and Elastic Storage Server 2.5.x through 2.5.5, 3.x before 3.5.5, and 4.x before 4.0.3, as distributed in Spectrum Scale RAID, allows local users to gain privileges via a crafted parameter to a…

  • CVE-2015-6862 · High · Jan 8, 2016
    risk 0.55 · cvss 8.4 · epss 0.01

    HPE UCMDB Browser before 4.02 allows remote attackers to obtain sensitive information or bypass intended access restrictions via unspecified vectors.

  • CVE-2026-42569 · Critical · May 9, 2026
    risk 0.54 · cvss 9.4 · epss 0.01

    phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.