VYPR

CWE-284

Improper Access Control

PillarIncomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 35 of 135
  • CVE-2024-40786HigJul 29, 2024
    risk 0.49cvss 7.5epss 0.01

    This issue was addressed through improved state management. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Ventura 13.6.8. An attacker may be able to view sensitive user information.

  • CVE-2024-39697HigJul 9, 2024
    risk 0.49cvss 8.6epss 0.01

    phonenumber is a library for parsing, formatting and validating international phone numbers. Since 0.3.4, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get…

  • CVE-2024-2019HigJun 4, 2024
    risk 0.49cvss 7.5epss 0.00

    The WP-DB-Table-Editor plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to lack of a default capability requirement on the 'dbte_render' function in all versions up to, and including, 1.8.4. This makes it possible for…

  • CVE-2024-4988HigMay 21, 2024
    risk 0.49cvss 7.5epss 0.00

    The mobile application (com.transsion.videocallenhancer) interface has improper permission control, which can lead to the risk of private file leakage.

  • CVE-2024-29207HigMay 7, 2024
    risk 0.49cvss 7.5epss 0.00

    An Improper Certificate Validation could allow a malicious actor with access to an adjacent network to take control of the system. Affected Products: UniFi Connect Application (Version 3.7.9 and earlier) UniFi Connect EV Station (Version 1.1.18 and earlier) UniFi…

  • CVE-2024-31964HigMay 2, 2024
    risk 0.49cvss 7.5epss 0.01

    A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication…

  • CVE-2024-4225HigApr 30, 2024
    risk 0.49cvss 7.6epss 0.00

    Multiple security vulnerabilities has been discovered in web interface of NetGuardian DIN Remote Telemetry Unit (RTU), by DPS Telecom. Attackers can exploit those security vulnerabilities to perform critical actions such as escalate user's privilege, steal user's credential,…

  • CVE-2024-1308HigApr 9, 2024
    risk 0.49cvss 7.5epss 0.01

    The WooCommerce Cloak Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'permalink_settings_save' function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated…

  • CVE-2023-36106HigAug 17, 2023
    risk 0.49cvss 7.5epss 0.01

    An incorrect access control vulnerability in powerjob 4.3.2 and earlier allows remote attackers to obtain sensitive information via the interface for querying via appId parameter to /container/list.

  • CVE-2023-3273HigJul 10, 2023
    risk 0.49cvss 7.5epss 0.01

    Improper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to affect the availability of the device by changing settings of the device such as the IP address based on missing access control.

  • CVE-2023-23446HigMay 15, 2023
    risk 0.49cvss 7.5epss 0.01

    Improper Access Control in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to download files by using a therefore unpriviledged account via the REST interface.

  • CVE-2023-23445HigMay 15, 2023
    risk 0.49cvss 7.5epss 0.01

    Improper Access Control in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to gain unauthorized access to data fields by using a therefore unpriviledged account via the REST interface.

  • CVE-2023-21893HigJan 18, 2023
    risk 0.49cvss 7.5epss 0.01

    Vulnerability in the Oracle Data Provider for .NET component of Oracle Database Server. Supported versions that are affected are 19c and 21c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TCPS to compromise Oracle Data Provider for…

  • CVE-2022-43429HigOct 19, 2022
    risk 0.49cvss 7.5epss 0.01

    Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.

  • CVE-2022-21476HigApr 19, 2022
    risk 0.49cvss 7.5epss 0.04

    Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2.…

  • CVE-2022-25481HigMar 21, 2022
    risk 0.49cvss 7.5epss 0.05

    ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the…

  • CVE-2020-10937HigNov 2, 2020
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in IPFS (aka go-ipfs) 0.4.23. An attacker can generate ephemeral identities (Sybils) and leverage the IPFS connection management reputation system to poison other nodes' routing tables, eclipsing the nodes that are the target of the attack from the rest…

  • CVE-2019-12999HigJan 31, 2020
    risk 0.49cvss 7.5epss 0.02

    Lightning Network Daemon (lnd) before 0.7 allows attackers to trigger loss of funds because of Incorrect Access Control.

  • CVE-2019-12472HigJul 10, 2019
    risk 0.49cvss 7.5epss 0.01

    An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

  • CVE-2013-2972HigJul 11, 2018
    risk 0.49cvss 7.5epss 0.02

    IBM WebSphere Cast Iron 6.3 allows remote attackers to bypass intended access restrictions via unspecified vectors. IBM X-Force ID: 83868.