VYPR

CWE-284

Improper Access Control

PillarIncomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 39 of 135
  • CVE-2016-5650HigAug 24, 2016
    risk 0.49cvss 7.5epss 0.02

    ZModo ZP-NE14-S and ZP-IBH-13W devices do not enforce a WPA2 configuration setting, which allows remote attackers to trigger association with an arbitrary access point by using a recognized SSID value.

  • CVE-2016-5736HigAug 19, 2016
    risk 0.49cvss 7.5epss 0.02

    The default configuration of the IPsec IKE peer listener in F5 BIG-IP LTM, Analytics, APM, ASM, and Link Controller 11.2.1 before HF16, 11.4.x, 11.5.x before 11.5.4 HF2, 11.6.x before 11.6.1, and 12.x before 12.0.0 HF2; BIG-IP AAM, AFM, and PEM 11.4.x, 11.5.x before 11.5.4 HF2,…

  • CVE-2015-3854HigAug 7, 2016
    risk 0.49cvss 7.5epss 0.01

    packages/SystemUI/src/com/android/systemui/power/PowerNotificationWarnings.java in Android 5.x allows attackers to bypass a DEVICE_POWER permission requirement via a broadcast intent with the PNW.stopSaver action, aka internal bug 20918350.

  • CVE-2014-9901HigAug 5, 2016
    risk 0.49cvss 7.5epss 0.01

    The Qualcomm Wi-Fi driver in Android before 2016-08-05 on Nexus 7 (2013) devices makes incorrect snprintf calls, which allows remote attackers to cause a denial of service (device hang or reboot) via crafted frames, aka Android internal bug 28670333 and Qualcomm internal bug…

  • CVE-2016-4591HigJul 22, 2016
    risk 0.49cvss 7.5epss 0.04

    WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 mishandles the location variable, which allows remote attackers to access the local filesystem via unspecified vectors.

  • CVE-2016-5366HigJun 14, 2016
    risk 0.49cvss 7.5epss 0.01

    Huawei Honor WS851 routers with software 1.1.21.1 and earlier allow remote attackers to modify configuration data via vectors related to a "file injection vulnerability," aka HWPSIRT-2016-05052.

  • CVE-2016-4810HigJun 1, 2016
    risk 0.49cvss 7.5epss 0.01

    Citrix Studio before 7.6.1000, Citrix XenDesktop 7.x before 7.6 LTSR Cumulative Update 1 (CU1), and Citrix XenApp 7.5 and 7.6 allow attackers to set Access Policy rules on the XenDesktop Delivery Controller via unspecified vectors.

  • CVE-2016-4502HigMay 31, 2016
    risk 0.49cvss 7.5epss 0.02

    Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and earlier allows remote attackers to bypass intended access restrictions and execute arbitrary functions via a modified parameter.

  • CVE-2016-1842HigMay 20, 2016
    risk 0.49cvss 7.5epss 0.02

    MapKit in Apple iOS before 9.3.2, OS X before 10.11.5, and watchOS before 2.2.1 does not use HTTPS for shared links, which allows remote attackers to obtain sensitive information by sniffing the network for HTTP traffic.

  • CVE-2016-1656HigApr 18, 2016
    risk 0.49cvss 7.5epss 0.01

    The download implementation in Google Chrome before 50.0.2661.75 on Android allows remote attackers to bypass intended pathname restrictions via unspecified vectors.

  • CVE-2016-3165HigApr 12, 2016
    risk 0.49cvss 7.5epss 0.01

    The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form…

  • CVE-2016-2272HigApr 6, 2016
    risk 0.49cvss 7.5epss 0.01

    Eaton Lighting EG2 Web Control 4.04P and earlier allows remote attackers to have an unspecified impact via a modified cookie.

  • CVE-2015-8523HigApr 5, 2016
    risk 0.49cvss 7.5epss 0.01

    The server in IBM Tivoli Storage Manager FastBack 5.5.x and 6.x before 6.1.12.2 allows remote attackers to cause a denial of service (service crash) via crafted packets to a TCP port.

  • CVE-2016-1315HigFeb 12, 2016
    risk 0.49cvss 7.5epss 0.01

    The proxy engine in Cisco Advanced Malware Protection (AMP), when used with Email Security Appliance (ESA) 9.5.0-201, 9.6.0-051, and 9.7.0-125, allows remote attackers to bypass intended content restrictions via a malformed e-mail message containing an encoded file, aka Bug ID…

  • CVE-2026-49824HigJun 10, 2026
    risk 0.48cvss 8.5epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Fission Function admission webhook (pkg/webhook/function.go) validated that spec.secrets[].namespace and…

  • CVE-2026-46818HigMay 28, 2026
    risk 0.48cvss 7.4epss 0.00

    Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle…

  • CVE-2026-35570HigApr 21, 2026
    risk 0.48cvss 8.4epss 0.00

    OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool/bashPermissions.ts`. When the sandbox auto-allow feature is active and no…

  • CVE-2026-39942HigApr 9, 2026
    risk 0.48cvss 8.5epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite…

  • CVE-2025-15503HigJan 10, 2026
    risk 0.48cvss 7.3epss 0.02

    A security flaw has been discovered in Sangfor Operation and Maintenance Management System up to 3.0.8. The impacted element is an unknown function of the file /fort/trust/version/common/common.jsp. Performing a manipulation of the argument File results in unrestricted upload.…

  • CVE-2025-55012HigAug 11, 2025
    risk 0.48cvss epss 0.00

    Zed is a multiplayer code editor. Prior to version 0.197.3, in the Zed Agent Panel allowed for an AI agent to achieve Remote Code Execution (RCE) by bypassing user permission checks. An AI Agent could have exploited a permissions bypass vulnerability to create or modify a…