CWE-284
Improper Access Control
PillarIncomplete
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-282
- CWE-285
- CWE-286
- CWE-287
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (1,922)
page 46 of 97| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-0317 | Med | 0.42 | 6.5 | 0.00 | Nov 25, 2016 | Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service 6.0 and 6.0.1 before 6.0.1 iFix006 allows remote attackers to conduct clickjacking attacks via unspecified vectors. | |
| CVE-2016-7165 | Med | 0.42 | 6.4 | 0.00 | Nov 15, 2016 | A vulnerability has been identified in Primary Setup Tool (PST) (All versions < V4.2 HF1), SIMATIC IT Production Suite (All versions < V7.0 SP1 HFX 2), SIMATIC NET PC-Software (All versions < V14), SIMATIC PCS 7 V7.1 (All versions), SIMATIC PCS 7 V8.0 (All versions), SIMATIC PCS 7 V8.1 (All versions), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1), SIMATIC STEP 7 (TIA Portal) V13 (All versions < V13 SP2), SIMATIC STEP 7 V5.X (All versions < V5.5 SP4 HF11), SIMATIC WinCC (TIA Portal) Basic, Comfort, Advanced (All versions < V14), SIMATIC WinCC (TIA Portal) Professional V13 (All versions < V13 SP2), SIMATIC WinCC (TIA Portal) Professional V14 (All versions < V14 SP1), SIMATIC WinCC Runtime Professional V13 (All versions < V13 SP2), SIMATIC WinCC Runtime Professional V14 (All versions < V14 SP1), SIMATIC WinCC V7.0 SP2 and earlier versions (All versions < V7.0 SP2 Upd 12), SIMATIC WinCC V7.0 SP3 (All versions < V7.0 SP3 Upd 8), SIMATIC WinCC V7.2 (All versions < V7.2 Upd 14), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 11), SIMATIC WinCC V7.4 (All versions < V7.4 SP1), SIMIT V9.0 (All versions < V9.0 SP1), SINEMA Remote Connect Client (All versions < V1.0 SP3), SINEMA Server (All versions < V13 SP2), SOFTNET Security Client V5.0 (All versions), Security Configuration Tool (SCT) (All versions < V4.3 HF1), TeleControl Server Basic (All versions < V3.0 SP2), WinAC RTX 2010 SP2 (All versions), WinAC RTX F 2010 SP2 (All versions). Unquoted service paths could allow local Microsoft Windows operating system users to escalate their privileges if the affected products are not installed under their default path ("C:\Program Files\*" or the localized equivalent). | |
| CVE-2016-5585 | Med | 0.42 | 6.5 | 0.00 | Oct 25, 2016 | Unspecified vulnerability in the Oracle Interaction Center Intelligence component in Oracle E-Business Suite 12.1.1 through 12.1.3 allows remote attackers to affect confidentiality and integrity via unknown vectors. | |
| CVE-2016-5571 | Med | 0.42 | 6.5 | 0.00 | Oct 25, 2016 | Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 12.1.3 and 12.2.3 through 12.2.6 allows remote administrators to affect confidentiality and integrity via vectors related to AD Utilities, a different vulnerability than CVE-2016-5567. | |
| CVE-2016-5570 | Med | 0.42 | 6.5 | 0.00 | Oct 25, 2016 | Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 12.2.3 through 12.2.6 allows remote administrators to affect confidentiality and integrity via vectors related to AD Utilities. | |
| CVE-2016-5534 | Med | 0.42 | 6.5 | 0.00 | Oct 25, 2016 | Unspecified vulnerability in the Siebel Apps - Customer Order Management component in Oracle Siebel CRM 16.1 allows remote authenticated users to affect confidentiality via unknown vectors. | |
| CVE-2016-5521 | Med | 0.42 | 6.5 | 0.00 | Oct 25, 2016 | Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2016-5512. | |
| CVE-2016-5497 | Med | 0.42 | 6.4 | 0.00 | Oct 25, 2016 | Unspecified vulnerability in the RDBMS Security component in Oracle Database Server 12.1.0.2 allows local users to affect confidentiality, integrity, and availability via unknown vectors. | |
| CVE-2016-4407 | Med | 0.42 | 6.5 | 0.00 | Oct 13, 2016 | The DSA algorithm implementation in SAP SAPCRYPTOLIB 5.555.38 does not properly check signatures, which allows remote authenticated users to impersonate arbitrary users via unspecified vectors, aka SAP Security Note 2223008. | |
| CVE-2016-3882 | Med | 0.42 | 6.5 | 0.00 | Oct 10, 2016 | Off-by-one error in server/wifi/anqp/VenueNameElement.java in Wi-Fi in Android 6.x before 2016-10-01 and 7.0 before 2016-10-01 allows remote attackers to cause a denial of service (reboot) via an access point that provides a crafted (1) Venue Group or (2) Venue Type value, aka internal bug 29464811. | |
| CVE-2016-5176 | Med | 0.42 | 6.5 | 0.00 | Sep 29, 2016 | Google Chrome before 53.0.2785.113 allows remote attackers to bypass the SafeBrowsing protection mechanism via unspecified vectors. | |
| CVE-2016-6826 | Med | 0.42 | 6.5 | 0.00 | Sep 26, 2016 | Huawei AnyMail before 2.6.0301.0060 allows remote attackers to cause a denial of service (application crash) via a crafted compressed email attachment. | |
| CVE-2016-4760 | Med | 0.42 | 6.5 | 0.01 | Sep 25, 2016 | WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to conduct DNS rebinding attacks against non-HTTP Safari sessions by leveraging HTTP/0.9 support. | |
| CVE-2016-5954 | Med | 0.42 | 6.5 | 0.01 | Sep 12, 2016 | IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF30, 8.0.0 through 8.0.0.1 CF21, and 8.5.0 before CF12 allows remote authenticated users to cause a denial of service by uploading temporary files. | |
| CVE-2016-5404 | Med | 0.42 | 6.5 | 0.00 | Sep 7, 2016 | The cert_revoke command in FreeIPA does not check for the "revoke certificate" permission, which allows remote authenticated users to revoke arbitrary certificates by leveraging the "retrieve certificate" permission. | |
| CVE-2016-2989 | Med | 0.42 | 6.5 | 0.00 | Aug 8, 2016 | Open redirect vulnerability in the Connections Portlets component 5.x before 5.0.2 for IBM WebSphere Portal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |
| CVE-2016-5130 | Med | 0.42 | 6.5 | 0.01 | Jul 23, 2016 | content/renderer/history_controller.cc in Google Chrome before 52.0.2743.82 does not properly restrict multiple uses of a JavaScript forward method, which allows remote attackers to spoof the URL display via a crafted web site. | |
| CVE-2016-0349 | Med | 0.42 | 6.5 | 0.00 | Jun 30, 2016 | IBM Business Process Manager 8.5.6 through 8.5.6.2 and 8.5.7 before 8.5.7.CF201606 allows remote authenticated users to bypass intended access restrictions and update process-instance variables via a REST API call. | |
| CVE-2016-1190 | Med | 0.42 | 6.5 | 0.00 | Jun 25, 2016 | Cybozu Garoon 3.1 through 4.2 allows remote authenticated users to bypass intended restrictions on MultiReport reading via unspecified vectors. | |
| CVE-2016-2829 | Med | 0.42 | 6.5 | 0.00 | Jun 13, 2016 | Mozilla Firefox before 47.0 allows remote attackers to spoof permission notifications via a crafted web site that rapidly triggers permission requests, as demonstrated by the microphone permission or the geolocation permission. |