VYPR

CWE-284

Improper Access Control

Pillar · Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

  • CVE-2024-47975 · High · Oct 7, 2024
    risk 0.46 · cvss 7.0 · epss 0.00

    Improper access control validation in firmware of some Solidigm DC Products may allow an attacker with physical access to gain unauthorized access or an attacker with local access to potentially enable denial of service.

  • CVE-2023-6968 · High · Jun 6, 2024
    risk 0.46 · cvss 8.1 · epss 0.00

    The The Moneytizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.6.3. This is due to missing or incorrect nonce validation on multiple AJAX functions. This makes it possible for unauthenticated attackers to update and…

  • CVE-2023-6966 · High · Jun 6, 2024
    risk 0.46 · cvss 8.1 · epss 0.00

    The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in all versions up to, and including, 9.6.3. This makes it…

  • CVE-2022-37410 · High · May 16, 2024
    risk 0.46 · cvss 7.0 · epss 0.00

    Improper access control for some Intel(R) Thunderbolt driver software before version 89 may allow an authenticated user to potentially enable escalation of privilege via local access.

  • CVE-2024-28960 · High · Mar 29, 2024
    risk 0.46 · cvss 8.2 · epss 0.01

    An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto API mishandles shared memory.

  • CVE-2023-20587 · High · Feb 13, 2024
    risk 0.46 · cvss 7.1 · epss 0.00

    Improper Access Control in System Management Mode (SMM) may allow an attacker access to the SPI flash potentially leading to arbitrary code execution.

  • CVE-2023-47320 · High · Dec 13, 2023
    risk 0.46 · cvss 8.1 · epss 0.01

    Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges is able to execute the administrator-only function of putting the application in "Maintenance Mode" due to broken access control. This makes the application unavailable to all users.…

  • CVE-2023-39349 · High · Aug 7, 2023
    risk 0.46 · cvss 8.1 · epss 0.01

    Sentry is an error tracking and performance monitoring platform. Starting in version 22.1.0 and prior to version 23.7.2, an attacker with access to a token with few or no scopes can query `/api/0/api-tokens/` for a list of all tokens created by a user, including tokens with…

  • CVE-2021-27098 · High · Mar 5, 2021
    risk 0.46 · cvss 8.1 · epss 0.01

    In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2, 0.11.3 and 0.12.1, specially crafted requests to the FetchX509SVID RPC of SPIRE Server’s Legacy Node API can result in the possible issuance of an X.509 certificate with a URI SAN for a SPIFFE ID that the agent is…

  • CVE-2019-7611 · High · Mar 25, 2019
    risk 0.46 · cvss 8.1 · epss 0.02

    A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to…

  • CVE-2019-8336 · High · Mar 5, 2019
    risk 0.46 · cvss 8.1 · epss 0.01

    HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters, because a token with literally "" as its secret is used in unusual…

  • CVE-2018-10500 · High · Sep 24, 2018
    risk 0.46 · cvss 7.0 · epss 0.00

    This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Galaxy Apps Fixed in version 6.4.0.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.…

  • CVE-2016-8656 · High · May 22, 2018
    risk 0.46 · cvss 7.0 · epss 0.00

    Jboss jbossas before versions 5.2.0-23, 6.4.13, 7.0.5 is vulnerable to an unsafe file handling in the jboss init script which could result in local privilege escalation.

  • CVE-2016-9599 · High · Apr 24, 2018
    risk 0.46 · cvss 7.1 · epss 0.01

    puppet-tripleo before versions 5.5.0, 6.2.0 is vulnerable to an access-control flaw in the IPtables rules management, which allowed the creation of TCP/UDP rules with empty port values. If SSL is enabled, a malicious user could use these open ports to gain access to unauthorized…

  • CVE-2017-1002102 · High · Mar 13, 2018
    risk 0.46 · cvss 7.1 · epss 0.01

    In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.

  • CVE-2018-1069 · High · Mar 9, 2018
    risk 0.46 · cvss 7.1 · epss 0.01

    Red Hat OpenShift Enterprise version 3.7 is vulnerable to access control override for container network filesystems. An attacker could override the UserId and GroupId for GlusterFS and NFS to read and write any data on the network filesystem.

  • CVE-2014-2277 · High · Oct 17, 2017
    risk 0.46 · cvss 7.1 · epss 0.00

    The make_temporary_filename function in perltidy 20120701-1 and earlier allows local users to obtain sensitive information or write to arbitrary files via a symlink attack, related to use of the tmpnam function.

  • CVE-2016-7032 · High · Apr 14, 2017
    risk 0.46 · cvss 7.0 · epss 0.00

    sudo_noexec.so in Sudo before 1.8.15 on Linux might allow local users to bypass intended noexec command restrictions via an application that calls the (1) system or (2) popen function.

  • CVE-2016-8794 · High · Apr 2, 2017
    risk 0.46 · cvss 7.1 · epss 0.01

    Huawei Mate 8 phones with software Versions before NXT-AL10C00B386, Versions before NXT-CL00C92B386, Versions before NXT-DL00C17B386, Versions before NXT-TL00C01B386; Mate S phones with software Versions before CRR-CL00C92B368, Versions before CRR-CL20C92B368, Versions before…

  • CVE-2016-8792 · High · Apr 2, 2017
    risk 0.46 · cvss 7.1 · epss 0.01

    Huawei Mate 8 phones with software Versions before NXT-AL10C00B386, Versions before NXT-CL00C92B386, Versions before NXT-DL00C17B386, Versions before NXT-TL00C01B386; Mate S phones with software Versions before CRR-CL00C92B368, Versions before CRR-CL20C92B368, Versions before…