VYPR

CWE-284

Improper Access Control

Abstraction: Pillar · Status: Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 50 of 135
  • CVE-2024-9692 · Medium · Oct 24, 2024
    risk 0.45 · cvss n/a · epss 0.00

    VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint 'doreboot' and restart the transmitter operations.

  • CVE-2024-21644 · High · Jan 8, 2024
    risk 0.45 · cvss 7.5 · epss 0.42

    pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.

  • CVE-2020-5244 · High · Feb 24, 2020
    risk 0.45 · cvss 8.0 · epss 0.02

    In BuddyPress before 5.1.2, requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed. This has been patched in version 5.1.2.

  • CVE-2019-3895 · High · Jun 3, 2019
    risk 0.45 · cvss 8.0 · epss 0.01

    An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image…

  • CVE-2016-2167 · Medium · May 5, 2016
    risk 0.45 · cvss 6.8 · epss 0.07

    The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of…

  • CVE-2026-36933 · Medium · Jun 15, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    An issue in Boyleep K11, y108 firmware v.2.3.0.11291 allows a physically proximate attacker to execute arbitrary code via the factory test feature.

  • CVE-2026-36738 · Medium · May 13, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to Incorrect Access Control. The device exposes a UART interface that lacks authentication, authorization, or access control mechanisms. An attacker with physical access to the UART pins can connect to the…

  • CVE-2026-1749 · Medium · May 9, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission.

  • CVE-2026-44118 · High · May 6, 2026
    risk 0.44 · cvss 7.8 · epss 0.00

    OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata.

  • CVE-2026-34325 · Medium · Apr 21, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: User Interface). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows…

  • CVE-2026-34314 · Medium · Apr 21, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Difficult to exploit vulnerability allows low…

  • CVE-2026-4105 · Medium · Mar 13, 2026
    risk 0.44 · cvss 6.7 · epss 0.00

    A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to…

  • CVE-2025-14095 · Medium · Dec 17, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    A "Privilege boundary violation" vulnerability is identified affecting multiple Radiometer Products. Exploitation of this vulnerability gives a user with physical access to the analyzer, the possibility to gain unauthorized access to functionalities outside the restricted…

  • CVE-2025-22391 · Medium · Nov 11, 2025
    risk 0.44 · cvss 6.7 · epss 0.00

    Improper access control for some SigTest before version 6.1.10 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result…

  • CVE-2025-8762 · Medium · Aug 13, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    A vulnerability was found in INSTAR 2K+ and 4K 3.11.1 Build 1124. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper physical access control. It is possible to launch the attack on the physical device. The exploit has…

  • CVE-2025-20099 · Medium · Aug 12, 2025
    risk 0.44 · cvss 6.7 · epss 0.00

    Improper access control for some Intel(R) Rapid Storage Technology installation software may allow an authenticated user to potentially enable escalation of privilege via local access.

  • CVE-2023-28907 · Medium · Jun 28, 2025
    risk 0.44 · cvss 6.7 · epss 0.00

    There is no memory isolation between CPU cores of the MIB3 infotainment. This fact allows an attacker with access to the main operating system to compromise the CPU core responsible for CAN message processing. The vulnerability was originally discovered in Skoda Superb III car…

  • CVE-2024-45371 · Medium · May 13, 2025
    risk 0.44 · cvss 6.7 · epss 0.00

    Improper access control for some Intel(R) Arc™ & Iris(R) Xe graphics software before version 32.0.101.6077 may allow an authenticated user to potentially enable denial of service via local access.

  • CVE-2025-24272 · Medium · Mar 31, 2025
    risk 0.44 · cvss 6.8 · epss 0.01

    The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to modify protected parts of the file system.

  • CVE-2024-34022 · Medium · Nov 13, 2024
    risk 0.44 · cvss 6.7 · epss 0.00

    Improper Access Control in some Thunderbolt(TM) Share software before version 1.0.49.9 may allow an authenticated user to potentially enable escalation of privilege via local access.