VYPR

CWE-284

Improper Access Control

Pillar · Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 22 of 135
  • CVE-2015-7887 · High · Aug 7, 2017
    risk 0.53 · cvss 8.1 · epss 0.01

    NetApp SnapCenter Server 1.0 allows remote authenticated users to list and delete backups.

  • CVE-2016-6098 · High · Jun 8, 2017
    risk 0.53 · cvss 8.1 · epss 0.01

    IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

  • CVE-2016-1518 · High · Apr 21, 2017
    risk 0.53 · cvss 8.1 · epss 0.02

    The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs,…

  • CVE-2016-4850 · High · Apr 20, 2017
    risk 0.53 · cvss 8.1 · epss 0.02

    LINE for Windows before 4.8.3 allows man-in-the-middle attackers to execute arbitrary code.

  • CVE-2016-1894 · High · Feb 7, 2017
    risk 0.53 · cvss 8.1 · epss 0.03

    NetApp OnCommand Workflow Automation before 3.1P2 allows remote attackers to bypass authentication via unspecified vectors.

  • CVE-2016-6105 · High · Feb 1, 2017
    risk 0.53 · cvss 8.2 · epss 0.02

    IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 do not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas.

  • CVE-2016-8315 · High · Jan 27, 2017
    risk 0.53 · cvss 8.1 · epss 0.01

    Vulnerability in the Oracle FLEXCUBE Investor Servicing component of Oracle Financial Services Applications (subcomponent: Infrastructure Code). Supported versions that are affected are 12.0.1, 12.0.2, 12.0.4, 12.1.0 and 12.3.0. Easily exploitable vulnerability allows low…

  • CVE-2016-8312 · High · Jan 27, 2017
    risk 0.53 · cvss 8.2 · epss 0.02

    Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Product / Instrument Search). Supported versions that are affected are 2.0.1, 2.2.0 and 12.0.1. Easily exploitable vulnerability allows unauthenticated…

  • CVE-2016-8298 · High · Jan 27, 2017
    risk 0.53 · cvss 8.1 · epss 0.01

    Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Product / Instrument Search). Supported versions that are affected are 2.0.1, 2.2.0 and 12.0.1. Easily exploitable vulnerability allows low privileged attacker…

  • CVE-2016-8297 · High · Jan 27, 2017
    risk 0.53 · cvss 8.1 · epss 0.01

    Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0 and 12.2.0. Easily exploitable vulnerability allows low…

  • CVE-2016-7967 · High · Dec 23, 2016
    risk 0.53 · cvss 8.1 · epss 0.02

    KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated HTML is executed in the local file security context by default, access to remote and local URLs was enabled.

  • CVE-2016-9838 · High · Dec 16, 2016
    risk 0.53 · cvss 7.5 · epss 0.14

    An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group…

  • CVE-2016-2887 · High · Nov 30, 2016
    risk 0.53 · cvss 8.1 · epss 0.01

    IBM IMS Enterprise Suite Data Provider before 3.2.0.1 for Microsoft .NET allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors.

  • CVE-2016-2929 · High · Nov 25, 2016
    risk 0.53 · cvss 8.1 · epss 0.01

    IBM BigFix Remote Control before 9.1.3 does not properly restrict password choices, which makes it easier for remote attackers to obtain access via a brute-force approach.

  • CVE-2016-8293 · High · Oct 25, 2016
    risk 0.53 · cvss 8.2 · epss 0.02

    Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.54 and 8.55 allows remote attackers to affect confidentiality and integrity via vectors related to Integration Broker, a different vulnerability than CVE-2016-5529 and…

  • CVE-2016-8291 · High · Oct 25, 2016
    risk 0.53 · cvss 8.2 · epss 0.02

    Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.54 and 8.55 allows remote attackers to affect confidentiality and integrity via vectors related to Mobile Application Platform.

  • CVE-2016-5619 · High · Oct 25, 2016
    risk 0.53 · cvss 8.1 · epss 0.02

    Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Applications 11.3.0, 11.4.0, 12.0.1 through 12.0.3, 12.1.0, and 12.2.0 allows remote authenticated users to affect confidentiality and integrity via vectors related to…

  • CVE-2016-5595 · High · Oct 25, 2016
    risk 0.53 · cvss 8.2 · epss 0.02

    Unspecified vulnerability in the Oracle Customer Interaction History component in Oracle E-Business Suite 12.1.1 through 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2016-5592.

  • CVE-2016-5593 · High · Oct 25, 2016
    risk 0.53 · cvss 8.2 · epss 0.02

    Unspecified vulnerability in the Oracle Customer Interaction History component in Oracle E-Business Suite 12.1.1 through 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2016-5587…

  • CVE-2016-5592 · High · Oct 25, 2016
    risk 0.53 · cvss 8.2 · epss 0.02

    Unspecified vulnerability in the Oracle Customer Interaction History component in Oracle E-Business Suite 12.1.1 through 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2016-5595.