CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-282
- CWE-285
- CWE-286
- CWE-287
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,700)
page 35 of 135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-40786 | Hig | 0.49 | 7.5 | 0.01 | Jul 29, 2024 | This issue was addressed through improved state management. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Ventura 13.6.8. An attacker may be able to view sensitive user information. | ||
| CVE-2024-39697 | Hig | 0.49 | 8.6 | 0.01 | Jul 9, 2024 | phonenumber is a library for parsing, formatting and validating international phone numbers. Since 0.3.4, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get… | ||
| CVE-2024-2019 | Hig | 0.49 | 7.5 | 0.00 | Jun 4, 2024 | The WP-DB-Table-Editor plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to lack of a default capability requirement on the 'dbte_render' function in all versions up to, and including, 1.8.4. This makes it possible for… | ||
| CVE-2024-4988 | Hig | 0.49 | 7.5 | 0.00 | May 21, 2024 | The mobile application (com.transsion.videocallenhancer) interface has improper permission control, which can lead to the risk of private file leakage. | ||
| CVE-2024-29207 | Hig | 0.49 | 7.5 | 0.00 | May 7, 2024 | An Improper Certificate Validation could allow a malicious actor with access to an adjacent network to take control of the system. Affected Products: UniFi Connect Application (Version 3.7.9 and earlier) UniFi Connect EV Station (Version 1.1.18 and earlier) UniFi… | ||
| CVE-2024-31964 | Hig | 0.49 | 7.5 | 0.01 | May 2, 2024 | A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication… | ||
| CVE-2024-4225 | Hig | 0.49 | 7.6 | 0.00 | Apr 30, 2024 | Multiple security vulnerabilities has been discovered in web interface of NetGuardian DIN Remote Telemetry Unit (RTU), by DPS Telecom. Attackers can exploit those security vulnerabilities to perform critical actions such as escalate user's privilege, steal user's credential,… | ||
| CVE-2024-1308 | Hig | 0.49 | 7.5 | 0.01 | Apr 9, 2024 | The WooCommerce Cloak Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'permalink_settings_save' function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated… | ||
| CVE-2023-36106 | Hig | 0.49 | 7.5 | 0.01 | Aug 17, 2023 | An incorrect access control vulnerability in powerjob 4.3.2 and earlier allows remote attackers to obtain sensitive information via the interface for querying via appId parameter to /container/list. | ||
| CVE-2023-3273 | Hig | 0.49 | 7.5 | 0.01 | Jul 10, 2023 | Improper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to affect the availability of the device by changing settings of the device such as the IP address based on missing access control. | ||
| CVE-2023-23446 | Hig | 0.49 | 7.5 | 0.01 | May 15, 2023 | Improper Access Control in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to download files by using a therefore unpriviledged account via the REST interface. | ||
| CVE-2023-23445 | Hig | 0.49 | 7.5 | 0.01 | May 15, 2023 | Improper Access Control in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to gain unauthorized access to data fields by using a therefore unpriviledged account via the REST interface. | ||
| CVE-2023-21893 | Hig | 0.49 | 7.5 | 0.01 | Jan 18, 2023 | Vulnerability in the Oracle Data Provider for .NET component of Oracle Database Server. Supported versions that are affected are 19c and 21c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TCPS to compromise Oracle Data Provider for… | ||
| CVE-2022-43429 | Hig | 0.49 | 7.5 | 0.01 | Oct 19, 2022 | Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to read arbitrary files on the Jenkins controller file system. | ||
| CVE-2022-21476 | Hig | 0.49 | 7.5 | 0.04 | Apr 19, 2022 | Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2.… | ||
| CVE-2022-25481 | — | Hig | 0.49 | 7.5 | 0.05 | Mar 21, 2022 | ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the… | |
| CVE-2020-10937 | — | Hig | 0.49 | 7.5 | 0.01 | Nov 2, 2020 | An issue was discovered in IPFS (aka go-ipfs) 0.4.23. An attacker can generate ephemeral identities (Sybils) and leverage the IPFS connection management reputation system to poison other nodes' routing tables, eclipsing the nodes that are the target of the attack from the rest… | |
| CVE-2019-12999 | — | Hig | 0.49 | 7.5 | 0.02 | Jan 31, 2020 | Lightning Network Daemon (lnd) before 0.7 allows attackers to trigger loss of funds because of Incorrect Access Control. | |
| CVE-2019-12472 | — | Hig | 0.49 | 7.5 | 0.01 | Jul 10, 2019 | An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. | |
| CVE-2013-2972 | Hig | 0.49 | 7.5 | 0.02 | Jul 11, 2018 | IBM WebSphere Cast Iron 6.3 allows remote attackers to bypass intended access restrictions via unspecified vectors. IBM X-Force ID: 83868. |
- risk 0.49cvss 7.5epss 0.01
This issue was addressed through improved state management. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Ventura 13.6.8. An attacker may be able to view sensitive user information.
- risk 0.49cvss 8.6epss 0.01
phonenumber is a library for parsing, formatting and validating international phone numbers. Since 0.3.4, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get…
- risk 0.49cvss 7.5epss 0.00
The WP-DB-Table-Editor plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to lack of a default capability requirement on the 'dbte_render' function in all versions up to, and including, 1.8.4. This makes it possible for…
- risk 0.49cvss 7.5epss 0.00
The mobile application (com.transsion.videocallenhancer) interface has improper permission control, which can lead to the risk of private file leakage.
- risk 0.49cvss 7.5epss 0.00
An Improper Certificate Validation could allow a malicious actor with access to an adjacent network to take control of the system. Affected Products: UniFi Connect Application (Version 3.7.9 and earlier) UniFi Connect EV Station (Version 1.1.18 and earlier) UniFi…
- risk 0.49cvss 7.5epss 0.01
A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication…
- risk 0.49cvss 7.6epss 0.00
Multiple security vulnerabilities has been discovered in web interface of NetGuardian DIN Remote Telemetry Unit (RTU), by DPS Telecom. Attackers can exploit those security vulnerabilities to perform critical actions such as escalate user's privilege, steal user's credential,…
- risk 0.49cvss 7.5epss 0.01
The WooCommerce Cloak Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'permalink_settings_save' function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated…
- risk 0.49cvss 7.5epss 0.01
An incorrect access control vulnerability in powerjob 4.3.2 and earlier allows remote attackers to obtain sensitive information via the interface for querying via appId parameter to /container/list.
- risk 0.49cvss 7.5epss 0.01
Improper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to affect the availability of the device by changing settings of the device such as the IP address based on missing access control.
- risk 0.49cvss 7.5epss 0.01
Improper Access Control in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to download files by using a therefore unpriviledged account via the REST interface.
- risk 0.49cvss 7.5epss 0.01
Improper Access Control in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to gain unauthorized access to data fields by using a therefore unpriviledged account via the REST interface.
- risk 0.49cvss 7.5epss 0.01
Vulnerability in the Oracle Data Provider for .NET component of Oracle Database Server. Supported versions that are affected are 19c and 21c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TCPS to compromise Oracle Data Provider for…
- risk 0.49cvss 7.5epss 0.01
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.
- risk 0.49cvss 7.5epss 0.04
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2.…
- risk 0.49cvss 7.5epss 0.05
ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the…
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in IPFS (aka go-ipfs) 0.4.23. An attacker can generate ephemeral identities (Sybils) and leverage the IPFS connection management reputation system to poison other nodes' routing tables, eclipsing the nodes that are the target of the attack from the rest…
- risk 0.49cvss 7.5epss 0.02
Lightning Network Daemon (lnd) before 0.7 allows attackers to trigger loss of funds because of Incorrect Access Control.
- risk 0.49cvss 7.5epss 0.01
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
- risk 0.49cvss 7.5epss 0.02
IBM WebSphere Cast Iron 6.3 allows remote attackers to bypass intended access restrictions via unspecified vectors. IBM X-Force ID: 83868.