VYPR

CWE-284

Improper Access Control

Abstraction: Pillar · Status: Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 4 of 135
  • CVE-2025-57266 · Critical · Sep 29, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 thru 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys via the /api/assistant/list endpoint.

  • CVE-2022-43110 · Critical · Aug 22, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface…

  • CVE-2024-57155 · Critical · Aug 20, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Incorrect access control in radar v1.0.8 allows attackers to bypass authentication and access sensitive APIs without a token.

  • CVE-2024-57154 · Critical · Aug 20, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Incorrect access control in dts-shop v0.0.1-SNAPSHOT allows attackers to bypass authentication via sending a crafted payload to /admin/auth/index.

  • CVE-2024-57157 · Critical · Aug 20, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Incorrect access control in Jantent v1.1 allows attackers to bypass authentication and access sensitive APIs without a token.

  • CVE-2025-30127 · Critical · Aug 6, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Once access is gained either by default, common, or cracked passwords, the video recordings (containing sensitive routes, conversations, and footage) are open for downloading by creating a socket to command port…

  • CVE-2025-50870 · Critical · Aug 1, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Institute-of-Current-Students 1.0 is vulnerable to Incorrect Access Control in the mydetailsstudent.php endpoint. The myds GET parameter accepts an email address as input and directly returns the corresponding student's personal information without validating the identity or…

  • CVE-2025-43232 · Critical · Jul 30, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to bypass certain Privacy preferences.

  • CVE-2025-43184 · Critical · Jul 30, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. A shortcut may be able to bypass sensitive Shortcuts app settings.

  • CVE-2025-52101 · Critical · Jul 1, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    linjiashop <=0.9 is vulnerable to Incorrect Access Control. When using the default-generated JWT authentication, attackers can bypass the authentication and retrieve the encrypted "password" and "salt". The password can then be obtained through brute-force cracking.

  • CVE-2024-45208 · Critical · Jun 19, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    The Versa Director SD-WAN orchestration platform which makes use of Cisco NCS application service. Active and Standby Directors communicate over TCP ports 4566 and 4570 to exchange High Availability (HA) information using a shared password. Affected versions of Versa Director…

  • CVE-2025-25962 · Critical · Apr 29, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    An issue in Coresmartcontracts Uniswap v.3.0 and fixed in v.4.0 allows a remote attacker to escalate privileges via the _modifyPosition function.

  • CVE-2025-30462 · Critical · Mar 31, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A library injection issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. Apps that appear to use App Sandbox may be able to launch without restrictions.

  • CVE-2025-30433 · Critical · Mar 31, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    This issue was addressed with improved access restrictions. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, visionOS 2.4, watchOS 11.4. A shortcut may be able to access files that are normally…

  • CVE-2025-24241 · Critical · Mar 31, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A configuration issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to trick a user into copying sensitive data to the pasteboard.

  • CVE-2025-29315 · Critical · Mar 24, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    An issue in the Shiro-based RBAC (Role-based Access Control) mechanism of OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to execute privileged operations via a crafted request.

  • CVE-2024-39327 · Critical · Feb 18, 2025
    risk 0.64 · CVSS 9.9 · EPSS 0.00

    Incorrect Access Control vulnerability in Atos Eviden IDRA before 2.6.1 could allow the possibility to obtain CA signing in an illegitimate way.

  • CVE-2024-10124 · Critical · Dec 12, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.31

    The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation due to a missing capability check on the tp_install() function in all versions up to, and including, 1.1.1. This makes…

  • CVE-2024-45489 · Critical · Sep 20, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Arc before 2024-08-26 allows remote code execution in JavaScript boosts. Boosts that run JavaScript cannot be shared by default; however (because of misconfigured Firebase ACLs), it is possible to create or update a boost using another user's ID. This installs the boost in the…

  • CVE-2024-42559 · Critical · Aug 20, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An issue in the login component (process_login.php) of Hotel Management System commit 79d688 allows attackers to authenticate without providing a valid password.