CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-282
- CWE-285
- CWE-286
- CWE-287
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,700)
page 2 of 135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-2699 | Cri | 0.66 | 9.8 | 0.49 | Apr 2, 2026 | Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution. | ||
| CVE-2024-46627 | Cri | 0.66 | 9.1 | 0.04 | Sep 26, 2024 | Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests. | ||
| CVE-2016-1000031 | Cri | 0.66 | 9.8 | 0.35 | Oct 25, 2016 | Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution | ||
| CVE-2016-1044 | Cri | 0.66 | 10.0 | 0.07 | May 11, 2016 | Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors, a… | ||
| CVE-2016-1041 | Cri | 0.66 | 10.0 | 0.06 | May 11, 2016 | Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors, a… | ||
| CVE-2016-1038 | Cri | 0.66 | 10.0 | 0.07 | May 11, 2016 | Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors, a… | ||
| CVE-2026-46840 | Cri | 0.65 | 10.0 | 0.01 | May 28, 2026 | Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While… | ||
| CVE-2026-34234 | Cri | 0.65 | 10.0 | 0.01 | May 19, 2026 | CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthenticated Remote Code Execution (RCE) because it performs the install.lock check only after including and… | ||
| CVE-2026-34444 | Cri | 0.65 | 10.0 | 0.01 | Apr 6, 2026 | Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and… | ||
| CVE-2026-2768 | Cri | 0.65 | 10.0 | 0.00 | Feb 24, 2026 | Sandbox escape in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | ||
| CVE-2026-0881 | Cri | 0.65 | 10.0 | 0.00 | Jan 13, 2026 | Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147. | ||
| CVE-2025-29270 | Cri | 0.65 | 10.0 | 0.00 | Oct 31, 2025 | Incorrect access control in the realtime.cgi endpoint of Deep Sea Electronics devices DSE855 v1.1.0 to v1.1.26 allows attackers to gain access to the admin panel and complete control of the device. | ||
| CVE-2018-10630 | Cri | 0.65 | 9.8 | 0.11 | Aug 10, 2018 | For Crestron TSW-X60 version prior to 2.001.0037.001 and MC3 version prior to 1.502.0047.001, The devices are shipped with authentication disabled, and there is no indication to users that they need to take steps to enable it. When compromised, the access to the CTP console is… | ||
| CVE-2017-7928 | Cri | 0.65 | 10.0 | 0.02 | Aug 7, 2017 | An Improper Access Control issue was discovered in Schweitzer Engineering Laboratories (SEL) SEL-3620 and SEL-3622 Security Gateway Versions R202 and, R203, R203-V1, R203-V2 and, R204, R204-V1. The device does not properly enforce access control while configured for NAT port… | ||
| CVE-2016-8938 | Cri | 0.65 | 10.0 | 0.03 | Feb 1, 2017 | IBM UrbanCode Deploy could allow a user to execute code using a specially crafted file upload that would replace code on the server. This code could be executed on the UCD agent machines that host customer's production applications. | ||
| CVE-2015-7545 | Cri | 0.65 | 9.8 | 0.20 | Apr 13, 2016 | The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in… | ||
| CVE-2026-39006 | Cri | 0.64 | 9.8 | 0.01 | Jun 15, 2026 | An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component. | ||
| CVE-2026-35904 | Cri | 0.64 | 9.8 | 0.01 | Jun 4, 2026 | Incorrect access control in the web management interface of T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 allows unauthorized attackers to enable the Telnet service via sending a crafted request to a vulnerable CGI component. | ||
| CVE-2026-7198 | Cri | 0.64 | 9.8 | 0.00 | Jun 2, 2026 | CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected… | ||
| CVE-2026-46839 | Cri | 0.64 | 9.9 | 0.00 | May 28, 2026 | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability… |
- risk 0.66cvss 9.8epss 0.49
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
- risk 0.66cvss 9.1epss 0.04
Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests.
- risk 0.66cvss 9.8epss 0.35
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
- risk 0.66cvss 10.0epss 0.07
Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors, a…
- risk 0.66cvss 10.0epss 0.06
Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors, a…
- risk 0.66cvss 10.0epss 0.07
Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors, a…
- risk 0.65cvss 10.0epss 0.01
Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While…
- risk 0.65cvss 10.0epss 0.01
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthenticated Remote Code Execution (RCE) because it performs the install.lock check only after including and…
- risk 0.65cvss 10.0epss 0.01
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and…
- risk 0.65cvss 10.0epss 0.00
Sandbox escape in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
- risk 0.65cvss 10.0epss 0.00
Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
- risk 0.65cvss 10.0epss 0.00
Incorrect access control in the realtime.cgi endpoint of Deep Sea Electronics devices DSE855 v1.1.0 to v1.1.26 allows attackers to gain access to the admin panel and complete control of the device.
- risk 0.65cvss 9.8epss 0.11
For Crestron TSW-X60 version prior to 2.001.0037.001 and MC3 version prior to 1.502.0047.001, The devices are shipped with authentication disabled, and there is no indication to users that they need to take steps to enable it. When compromised, the access to the CTP console is…
- risk 0.65cvss 10.0epss 0.02
An Improper Access Control issue was discovered in Schweitzer Engineering Laboratories (SEL) SEL-3620 and SEL-3622 Security Gateway Versions R202 and, R203, R203-V1, R203-V2 and, R204, R204-V1. The device does not properly enforce access control while configured for NAT port…
- risk 0.65cvss 10.0epss 0.03
IBM UrbanCode Deploy could allow a user to execute code using a specially crafted file upload that would replace code on the server. This code could be executed on the UCD agent machines that host customer's production applications.
- risk 0.65cvss 9.8epss 0.20
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in…
- risk 0.64cvss 9.8epss 0.01
An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component.
- risk 0.64cvss 9.8epss 0.01
Incorrect access control in the web management interface of T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 allows unauthorized attackers to enable the Telnet service via sending a crafted request to a vulnerable CGI component.
- risk 0.64cvss 9.8epss 0.00
CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected…
- risk 0.64cvss 9.9epss 0.00
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability…