CWE-284
Improper Access Control
Abstraction: Pillar
Status: Incomplete
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-282
- CWE-285
- CWE-286
- CWE-287
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (1,922)
page 5 of 97

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2015-9047 | Cri | 0.64 | 9.8 | 0.00 | | Aug 18, 2017 | In all Qualcomm products with Android releases from CAF using the Linux kernel, a vulnerability exists in GNSS when performing a scan after bootup. |
| CVE-2015-9040 | Cri | 0.64 | 9.8 | 0.00 | | Aug 18, 2017 | In all Qualcomm products with Android releases from CAF using the Linux kernel, a vulnerability exists in a GERAN API. |
| CVE-2016-8584 | Cri | 0.64 | 9.8 | 0.04 | | Apr 28, 2017 | Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier uses predictable session values, which allows remote attackers to bypass authentication by guessing the value. |
| CVE-2016-6143 | Cri | 0.64 | 9.8 | 0.06 | | Apr 13, 2017 | SAP HANA DB 1.00.73.00.389160 allows remote attackers to execute arbitrary code via vectors involving the audit logs, aka SAP Security Note 2170806. |
| CVE-2016-4800 | Cri | 0.64 | 9.8 | 0.01 | | Apr 13, 2017 | The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes. |
| CVE-2014-3928 | Cri | 0.64 | 9.8 | 0.01 | | Apr 3, 2017 | Cougar-LG stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain credentials. |
| CVE-2016-6807 | Cri | 0.64 | 9.8 | 0.01 | | Mar 28, 2017 | Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user executing the Ambari Agent process. |
| CVE-2016-10144 | Cri | 0.64 | 9.8 | 0.01 | | Mar 24, 2017 | coders/ipl.c in ImageMagick allows remote attackers to have unspecific impact by leveraging a missing malloc check. |
| CVE-2016-5239 | Cri | 0.64 | 9.8 | 0.01 | | Mar 15, 2017 | The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMagick allows remote attackers to execute arbitrary commands via unspecified vectors. |
| CVE-2016-5815 | Cri | 0.64 | 9.8 | 0.01 | | Feb 13, 2017 | An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. No authentication is configured by default. An unauthorized user can access the device management portal and make configuration changes. |
| CVE-2016-7565 | Cri | 0.64 | 9.8 | 0.02 | | Feb 13, 2017 | install/index.php in Exponent CMS 2.3.9 allows remote attackers to execute arbitrary commands via shell metacharacters in the sc array parameter. |
| CVE-2016-2788 | Cri | 0.64 | 9.8 | 0.02 | | Feb 13, 2017 | MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command. |
| CVE-2016-9005 | Cri | 0.64 | 9.8 | 0.01 | | Feb 8, 2017 | IBM System Storage TS3100-TS3200 Tape Library could allow an unauthenticated user with access to the company network, to change a user's password and gain remote access to the system. |
| CVE-2016-8418 | Cri | 0.64 | 9.8 | 0.04 | | Feb 8, 2017 | A remote code execution vulnerability in the Qualcomm crypto driver could enable a remote attacker to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of remote code execution in the context of the kernel. Product: Android. Versions: N/A. Android ID: A-32652894. References: QC-CR#1077457. |
| CVE-2016-6095 | Cri | 0.64 | 9.8 | 0.00 | | Feb 2, 2017 | IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. |
| CVE-2016-5964 | Cri | 0.64 | 9.8 | 0.00 | | Feb 1, 2017 | IBM Security Privileged Identity Manager Virtual Appliance version 2.0.2 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. |
| CVE-2016-9412 | Cri | 0.64 | 9.8 | 0.03 | | Jan 31, 2017 | MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy. |
| CVE-2014-8362 | Cri | 0.64 | 9.8 | 0.03 | | Jan 23, 2017 | Vivint Sky Control Panel 1.1.1.9926 allows remote attackers to enable and disable the alarm system and modify other security settings via the Web-enabled interface. |
| CVE-2016-7794 | Cri | 0.64 | 9.8 | 0.06 | | Jan 19, 2017 | sociomantic-tsunami git-hub before 0.10.3 allows remote attackers to execute arbitrary code via a crafted repository name. |
| CVE-2016-8606 | Cri | 0.64 | 9.8 | 0.00 | | Jan 12, 2017 | The REPL server (--listen) in GNU Guile 2.0.12 allows an attacker to execute arbitrary code via an HTTP inter-protocol attack. |