CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-282
- CWE-285
- CWE-286
- CWE-287
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,700)
page 24 of 135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-40569 | Cri | 0.52 | 9.0 | 0.00 | Apr 21, 2026 | FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a mass assignment vulnerability in the mailbox connection settings endpoints of FreeScout (`connectionIncomingSave()` at `app/Http/Controllers/MailboxesController.php:468` and… | ||
| CVE-2026-34456 | Cri | 0.52 | 9.1 | 0.00 | Apr 1, 2026 | Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth authentication flow allowed automatic linking of social accounts based solely… | ||
| CVE-2025-7016 | Hig | 0.52 | 8.0 | 0.00 | Jan 29, 2026 | Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse. This issue affects QR Menu: before s1.05.12. | ||
| CVE-2025-48860 | Hig | 0.52 | 8.0 | 0.00 | Aug 14, 2025 | A vulnerability in the web application of the ctrlX OS setup mechanism facilitated an authenticated (low privileged) attacker to gain remote access to backup archives created by a user with elevated permissions. Depending on the content of the backup archive, the attacker may… | ||
| CVE-2023-38296 | Hig | 0.52 | 8.0 | 0.00 | Apr 22, 2024 | Various software builds for the following TCL 30Z and TCL A3X devices leak the ICCID to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable… | ||
| CVE-2016-7248 | Hig | 0.52 | 7.8 | 0.22 | Nov 10, 2016 | Microsoft Video Control in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8.1, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via a crafted file, aka "Microsoft Video Control Remote Code Execution Vulnerability." | ||
| CVE-2016-0142 | Hig | 0.52 | 7.8 | 0.20 | Oct 14, 2016 | Video Control in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8.1, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via a crafted web page, aka "Microsoft Video Control Remote Code Execution Vulnerability." | ||
| CVE-2016-0182 | Hig | 0.52 | 7.8 | 0.20 | May 11, 2016 | Windows Journal in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8.1, Windows RT 8.1, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted Journal (aka .jnt) file, aka "Windows Journal Memory Corruption Vulnerability." | ||
| CVE-2016-0153 | Hig | 0.52 | 7.8 | 0.21 | Apr 12, 2016 | OLE in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT 8.1 allows remote attackers to execute arbitrary code via a crafted file, aka "Windows OLE Remote Code Execution Vulnerability." | ||
| CVE-2012-6435 | Hig | 0.52 | 7.5 | 0.42 | Jan 24, 2013 | When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the CPU to stop logic execution and enter a fault state, a DoS can occur. This situation could cause… | ||
| CVE-2026-49161 | Hig | 0.51 | 7.8 | 0.00 | Jun 9, 2026 | Improper access control in Microsoft PC Manager allows an authorized attacker to bypass a security feature locally. | ||
| CVE-2026-48578 | Hig | 0.51 | 7.9 | 0.00 | Jun 9, 2026 | Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. | ||
| CVE-2026-45658 | Hig | 0.51 | 7.8 | 0.00 | Jun 9, 2026 | Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. | ||
| CVE-2026-45654 | Hig | 0.51 | 7.9 | 0.00 | Jun 9, 2026 | Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. | ||
| CVE-2026-42829 | Hig | 0.51 | 7.8 | 0.00 | Jun 9, 2026 | Improper access control in Windows Administrator Protection allows an authorized attacker to bypass a security feature locally. | ||
| CVE-2026-41092 | Hig | 0.51 | 7.8 | 0.00 | Jun 9, 2026 | Improper access control in Microsoft Kinect allows an authorized attacker to elevate privileges locally. | ||
| CVE-2026-40715 | Hig | 0.51 | 7.8 | 0.00 | Jun 2, 2026 | Dell ThinOS 10, versions prior to ThinOS10 2602_10.0765, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Privilege Escalation. | ||
| CVE-2025-22426 | Hig | 0.51 | 7.8 | 0.00 | Jun 1, 2026 | In many functions of ComputerEngine.java, there is a possible way to access URIs across users due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||
| CVE-2026-0856 | Hig | 0.51 | 7.8 | 0.00 | May 20, 2026 | Improper Access Control vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables a normal user gaining access to the admin panel. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component:… | ||
| CVE-2026-40381 | Hig | 0.51 | 7.8 | 0.00 | May 12, 2026 | Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally. |
- risk 0.52cvss 9.0epss 0.00
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a mass assignment vulnerability in the mailbox connection settings endpoints of FreeScout (`connectionIncomingSave()` at `app/Http/Controllers/MailboxesController.php:468` and…
- risk 0.52cvss 9.1epss 0.00
Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth authentication flow allowed automatic linking of social accounts based solely…
- risk 0.52cvss 8.0epss 0.00
Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse. This issue affects QR Menu: before s1.05.12.
- risk 0.52cvss 8.0epss 0.00
A vulnerability in the web application of the ctrlX OS setup mechanism facilitated an authenticated (low privileged) attacker to gain remote access to backup archives created by a user with elevated permissions. Depending on the content of the backup archive, the attacker may…
- risk 0.52cvss 8.0epss 0.00
Various software builds for the following TCL 30Z and TCL A3X devices leak the ICCID to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable…
- risk 0.52cvss 7.8epss 0.22
Microsoft Video Control in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8.1, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via a crafted file, aka "Microsoft Video Control Remote Code Execution Vulnerability."
- risk 0.52cvss 7.8epss 0.20
Video Control in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8.1, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via a crafted web page, aka "Microsoft Video Control Remote Code Execution Vulnerability."
- risk 0.52cvss 7.8epss 0.20
Windows Journal in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8.1, Windows RT 8.1, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted Journal (aka .jnt) file, aka "Windows Journal Memory Corruption Vulnerability."
- risk 0.52cvss 7.8epss 0.21
OLE in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT 8.1 allows remote attackers to execute arbitrary code via a crafted file, aka "Windows OLE Remote Code Execution Vulnerability."
- risk 0.52cvss 7.5epss 0.42
When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the CPU to stop logic execution and enter a fault state, a DoS can occur. This situation could cause…
- risk 0.51cvss 7.8epss 0.00
Improper access control in Microsoft PC Manager allows an authorized attacker to bypass a security feature locally.
- risk 0.51cvss 7.9epss 0.00
Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
- risk 0.51cvss 7.8epss 0.00
Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.
- risk 0.51cvss 7.9epss 0.00
Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
- risk 0.51cvss 7.8epss 0.00
Improper access control in Windows Administrator Protection allows an authorized attacker to bypass a security feature locally.
- risk 0.51cvss 7.8epss 0.00
Improper access control in Microsoft Kinect allows an authorized attacker to elevate privileges locally.
- risk 0.51cvss 7.8epss 0.00
Dell ThinOS 10, versions prior to ThinOS10 2602_10.0765, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Privilege Escalation.
- risk 0.51cvss 7.8epss 0.00
In many functions of ComputerEngine.java, there is a possible way to access URIs across users due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- risk 0.51cvss 7.8epss 0.00
Improper Access Control vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables a normal user gaining access to the admin panel. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component:…
- risk 0.51cvss 7.8epss 0.00
Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.