VYPR

CWE-284

Improper Access Control

Abstraction: Pillar · Status: Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 45 of 135
  • CVE-2021-36036 · High · Sep 6, 2023
    risk 0.47 · cvss 7.2 · epss 0.02

    Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker…

  • CVE-2022-43759 · High · Feb 7, 2023
    risk 0.47 · cvss 7.2 · epss 0.01

    An Improper Privilege Management vulnerability in SUSE Rancher, allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to…

  • CVE-2016-5714 · High · Oct 18, 2017
    risk 0.47 · cvss 7.2 · epss 0.02

    Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agent 1.3.6 through 1.7.0 allow remote attackers to bypass a host whitelist protection mechanism and execute arbitrary code on Puppet nodes via vectors related to command validation, aka "Puppet Execution Protocol…

  • CVE-2015-4649 · High · Aug 29, 2017
    risk 0.47 · cvss 7.2 · epss 0.02

    Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated administrators to gain root privileges via unspecified vectors, a different vulnerability than CVE-2015-3654.

  • CVE-2015-3657 · High · Aug 29, 2017
    risk 0.47 · cvss 7.2 · epss 0.01

    Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated lower-level administrators to gain "Super Admin" privileges via unspecified vectors.

  • CVE-2015-3654 · High · Aug 29, 2017
    risk 0.47 · cvss 7.2 · epss 0.02

    Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated administrators to gain root privileges via unspecified vectors, a different vulnerability than CVE-2015-4649.

  • CVE-2015-3653 · High · Aug 29, 2017
    risk 0.47 · cvss 7.2 · epss 0.02

    Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated administrators to write to arbitrary files within the underlying operating system and consequently cause a denial of service or gain privileges by leveraging incorrect…

  • CVE-2017-6016 · High · May 19, 2017
    risk 0.47 · cvss 7.3 · epss 0.00

    An Improper Access Control issue was discovered in LCDS - Leao Consultoria e Desenvolvimento de Sistemas LTDA ME LAquis SCADA. The following versions are affected: Versions 4.1 and prior versions released before January 20, 2017. An Improper Access Control vulnerability has been…

  • CVE-2016-8032 · High · Mar 31, 2017
    risk 0.47 · cvss 7.3 · epss 0.00

    Software Integrity Attacks vulnerability in Intel Security Anti-Virus Engine (AVE) 5200 through 5800 allows local attackers to bypass local security protection via a crafted input file.

  • CVE-2016-9111 · Medium · Nov 7, 2016
    risk 0.47 · cvss 6.8 · epss 0.02

    Incorrect access control mechanisms in Citrix Receiver Desktop Lock 4.5 allow an attacker to bypass the authentication requirement by leveraging physical access to a VDI for temporary disconnection of a LAN cable. NOTE: as of 20161208, the vendor could not reproduce the issue,…

  • CVE-2016-3319 · High · Aug 9, 2016
    risk 0.47 · cvss 7.0 · epss 0.19

    The PDF library in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows 10 Gold and 1511, and Microsoft Edge allows remote attackers to execute arbitrary code via a crafted PDF file, aka "Microsoft PDF Remote Code Execution Vulnerability."

  • CVE-2026-53855 · High · Jun 16, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell…

  • CVE-2026-5230 · High · Jun 15, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.

  • CVE-2026-45649 · High · Jun 9, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Improper access control in Office for Android allows an unauthorized attacker to perform spoofing locally.

  • CVE-2026-42863 · High · Jun 8, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as…

  • CVE-2026-45707 · High · May 29, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLE_MULTI_TENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key…

  • CVE-2026-45301 · High · May 15, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the…

  • CVE-2026-33377 · High · May 13, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.

  • CVE-2026-41102 · High · May 12, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally.

  • CVE-2026-41101 · High · May 12, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally.