CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
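The definition above covers two failure shapes that recur throughout the CVEs mapped to this weakness: an object-level check that is never made (the caller names a record and gets it regardless of who they are, as described for CVE-2025-50870) and a privileged function with no capability check (as described for CVE-2024-10124). The following is an added example, not code from MITRE's CWE entry or from any vendor listed on this page, showing each shape as a vulnerable handler next to its hardened form. The `Principal` type, the roles, the capability names and the student records are all constructed for the illustration.

```python
"""Added example of CWE-284 (not from CWE or any listed product): a missing
object-level check and a missing function-level capability check, each beside
its hardened form. Every name, role and record here is constructed."""
from dataclasses import dataclass

# Constructed sample data: the records being protected, and which role may do what.
STUDENTS = {
    "alice@example.edu": {"name": "Alice", "grades": "A"},
    "bob@example.edu": {"name": "Bob", "grades": "C"},
}
CAPABILITIES = {
    "admin": {"install_plugins", "read_any_student"},
    "student": set(),
}


@dataclass(frozen=True)
class Principal:
    """The authenticated caller (hypothetical type); None stands for an
    unauthenticated request."""
    email: str
    role: str

    def can(self, capability: str) -> bool:
        return capability in CAPABILITIES.get(self.role, set())


# --- Shape 1: object-level access control missing ---------------------------

def get_student_vulnerable(principal, requested_email):
    """Returns whichever record the caller names; the caller's identity is
    never consulted, so any email address yields that student's data."""
    record = STUDENTS.get(requested_email)
    return (200, record) if record else (404, None)


def get_student_hardened(principal, requested_email):
    """Authenticate first, then authorize against the specific object
    before touching the store."""
    if principal is None:
        return (401, None)
    if principal.email != requested_email and not principal.can("read_any_student"):
        # Deny before the lookup: a non-owner must not learn whether the
        # address exists, so a foreign email gets 403 rather than 404.
        return (403, None)
    record = STUDENTS.get(requested_email)
    return (200, record) if record else (404, None)


# --- Shape 2: function-level capability check missing -----------------------

def install_plugin_vulnerable(principal, plugin):
    """The privileged action runs for any caller, authenticated or not."""
    return (200, f"installed {plugin}")


def install_plugin_hardened(principal, plugin):
    """Require a caller, then require the capability the action needs."""
    if principal is None:
        return (401, None)
    if not principal.can("install_plugins"):
        return (403, None)
    return (200, f"installed {plugin}")


if __name__ == "__main__":
    bob = Principal("bob@example.edu", "student")
    print(get_student_vulnerable(None, "alice@example.edu"))   # leaks Alice's record
    print(get_student_hardened(bob, "alice@example.edu"))      # (403, None)
    print(install_plugin_vulnerable(None, "anything"))         # runs unauthenticated
    print(install_plugin_hardened(bob, "anything"))            # (403, None)
```

The ordering in the hardened handlers is deliberate: the authentication check precedes the authorization check, and the authorization check precedes the data lookup, so a denied caller gets the same response whether or not the target record exists.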
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-282
- CWE-285
- CWE-286
- CWE-287
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,700)
page 4 of 135
| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-57266 | — | Critical | 0.64 | 9.8 | 0.00 | — | Sep 29, 2025 | An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 thru 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys via the /api/assistant/list endpoint. |
| CVE-2022-43110 | — | Critical | 0.64 | 9.8 | 0.01 | — | Aug 22, 2025 | Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface… |
| CVE-2024-57155 | — | Critical | 0.64 | 9.8 | 0.00 | — | Aug 20, 2025 | Incorrect access control in radar v1.0.8 allows attackers to bypass authentication and access sensitive APIs without a token. |
| CVE-2024-57154 | — | Critical | 0.64 | 9.8 | 0.00 | — | Aug 20, 2025 | Incorrect access control in dts-shop v0.0.1-SNAPSHOT allows attackers to bypass authentication via sending a crafted payload to /admin/auth/index. |
| CVE-2024-57157 | — | Critical | 0.64 | 9.8 | 0.00 | — | Aug 20, 2025 | Incorrect access control in Jantent v1.1 allows attackers to bypass authentication and access sensitive APIs without a token. |
| CVE-2025-30127 | — | Critical | 0.64 | 9.8 | 0.00 | — | Aug 6, 2025 | An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Once access is gained either by default, common, or cracked passwords, the video recordings (containing sensitive routes, conversations, and footage) are open for downloading by creating a socket to command port… |
| CVE-2025-50870 | — | Critical | 0.64 | 9.8 | 0.00 | — | Aug 1, 2025 | Institute-of-Current-Students 1.0 is vulnerable to Incorrect Access Control in the mydetailsstudent.php endpoint. The myds GET parameter accepts an email address as input and directly returns the corresponding student's personal information without validating the identity or… |
| CVE-2025-43232 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jul 30, 2025 | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to bypass certain Privacy preferences. |
| CVE-2025-43184 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jul 30, 2025 | This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. A shortcut may be able to bypass sensitive Shortcuts app settings. |
| CVE-2025-52101 | — | Critical | 0.64 | 9.8 | 0.00 | — | Jul 1, 2025 | linjiashop <=0.9 is vulnerable to Incorrect Access Control. When using the default-generated JWT authentication, attackers can bypass the authentication and retrieve the encrypted "password" and "salt". The password can then be obtained through brute-force cracking. |
| CVE-2024-45208 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jun 19, 2025 | The Versa Director SD-WAN orchestration platform which makes use of Cisco NCS application service. Active and Standby Directors communicate over TCP ports 4566 and 4570 to exchange High Availability (HA) information using a shared password. Affected versions of Versa Director… |
| CVE-2025-25962 | — | Critical | 0.64 | 9.8 | 0.00 | — | Apr 29, 2025 | An issue in Coresmartcontracts Uniswap v.3.0 and fixed in v.4.0 allows a remote attacker to escalate privileges via the _modifyPosition function. |
| CVE-2025-30462 | — | Critical | 0.64 | 9.8 | 0.01 | — | Mar 31, 2025 | A library injection issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. Apps that appear to use App Sandbox may be able to launch without restrictions. |
| CVE-2025-30433 | — | Critical | 0.64 | 9.8 | 0.01 | — | Mar 31, 2025 | This issue was addressed with improved access restrictions. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, visionOS 2.4, watchOS 11.4. A shortcut may be able to access files that are normally… |
| CVE-2025-24241 | — | Critical | 0.64 | 9.8 | 0.01 | — | Mar 31, 2025 | A configuration issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to trick a user into copying sensitive data to the pasteboard. |
| CVE-2025-29315 | — | Critical | 0.64 | 9.8 | 0.00 | — | Mar 24, 2025 | An issue in the Shiro-based RBAC (Role-based Access Control) mechanism of OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to execute privileged operations via a crafted request. |
| CVE-2024-39327 | — | Critical | 0.64 | 9.9 | 0.00 | — | Feb 18, 2025 | Incorrect Access Control vulnerability in Atos Eviden IDRA before 2.6.1 could allow the possibility to obtain CA signing in an illegitimate way. |
| CVE-2024-10124 | — | Critical | 0.64 | 9.8 | 0.31 | — | Dec 12, 2024 | The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation due to a missing capability check on the tp_install() function in all versions up to, and including, 1.1.1. This makes… |
| CVE-2024-45489 | — | Critical | 0.64 | 9.8 | 0.01 | — | Sep 20, 2024 | Arc before 2024-08-26 allows remote code execution in JavaScript boosts. Boosts that run JavaScript cannot be shared by default; however (because of misconfigured Firebase ACLs), it is possible to create or update a boost using another user's ID. This installs the boost in the… |
| CVE-2024-42559 | — | Critical | 0.64 | 9.8 | 0.01 | — | Aug 20, 2024 | An issue in the login component (process_login.php) of Hotel Management System commit 79d688 allows attackers to authenticate without providing a valid password. |