CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-282
- CWE-285
- CWE-286
- CWE-287
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,700)
page 3 of 135

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-46824 | | Cri | 0.64 | 9.9 | 0.00 | | May 28, 2026 | Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access… |
| CVE-2026-46822 | | Cri | 0.64 | 9.9 | 0.00 | | May 28, 2026 | Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle… |
| CVE-2026-46775 | | Cri | 0.64 | 9.9 | 0.00 | | May 28, 2026 | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability… |
| CVE-2026-48904 | | Cri | 0.64 | 9.8 | 0.00 | | May 26, 2026 | An improper access check allows privilege escalation through the com_users group editing webservice endpoint. |
| CVE-2026-48899 | | Cri | 0.64 | 9.8 | 0.00 | | May 26, 2026 | An improper access check allows privilege escalation through the com_users batch task. |
| CVE-2026-48898 | | Cri | 0.64 | 9.8 | 0.00 | | May 26, 2026 | An improper access check allows privilege escalation through the com_users batch task. |
| CVE-2026-35223 | | Cri | 0.64 | 9.8 | 0.00 | | May 26, 2026 | An improper access check allows unauthorized access to com_config webservice endpoints. |
| CVE-2026-44277 | | Cri | 0.64 | 9.8 | 0.01 | | May 12, 2026 | An improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow attacker to execute unauthorized code or commands via crafted requests. |
| CVE-2026-42823 | | Cri | 0.64 | 9.9 | 0.01 | | May 12, 2026 | Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-69691 | | Cri | 0.64 | 9.9 | 0.01 | | May 8, 2026 | Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code. |
| CVE-2026-33109 | | Cri | 0.64 | 9.9 | 0.01 | | May 7, 2026 | Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network. |
| CVE-2026-31843 | | Cri | 0.64 | 9.8 | 0.02 | | Apr 16, 2026 | The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication… |
| CVE-2026-22564 | | Cri | 0.64 | 9.8 | 0.00 | | Apr 13, 2026 | An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version… |
| CVE-2026-31282 | | Cri | 0.64 | 9.8 | 0.00 | | Apr 13, 2026 | Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier… |
| CVE-2026-31272 | | Cri | 0.64 | 9.8 | 0.01 | | Apr 7, 2026 | MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication. |
| CVE-2026-21994 | | Cri | 0.64 | 9.8 | 0.00 | | Mar 17, 2026 | Vulnerability in the Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit product of Oracle Open Source Projects (component: Desktop). The supported version that is affected is 0.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network… |
| CVE-2025-66956 | | Cri | 0.64 | 9.9 | 0.01 | | Mar 11, 2026 | Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computable URL. |
| CVE-2026-2550 | | Cri | 0.64 | 9.8 | 0.01 | | Feb 16, 2026 | A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit has been made public and could be used.… |
| CVE-2025-8025 | | Cri | 0.64 | 9.8 | 0.01 | | Feb 11, 2026 | Missing Authentication for Critical Function, Improper Access Control vulnerability in Dinosoft Business Solutions Dinosoft ERP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dinosoft ERP: from < 3.0.1 through 11022026. NOTE: The vendor was… |
| CVE-2025-43027 | | Cri | 0.64 | 9.8 | 0.00 | | Oct 30, 2025 | A critical severity vulnerability has been identified in the ALPR Manager role of Security Center that could allow attackers to gain administrative access to the Genetec Security Center system. The Genetec engineering team discovered this issue internally. There is currently no… |