VYPR

CWE-284

Improper Access Control

PillarIncomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 6 of 135
  • CVE-2014-10059CriApr 18, 2018
    risk 0.64cvss 9.8epss 0.01

    In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MDM9615, MDM9625, SD 210/SD 212/SD 205, SD 400, and SD 800, improper access control on ATCMD service allows third party services to access without user knowledge.

  • CVE-2014-10053CriApr 18, 2018
    risk 0.64cvss 9.8epss 0.01

    In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 450, SD 617, SD 625, SD 650/52, SD…

  • CVE-2014-10050CriApr 18, 2018
    risk 0.64cvss 9.8epss 0.01

    In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MSM8996, MSM8939, MSM8976, MSM8917, SDM845, and SDM660, access control collision vulnerability when accessing the replay protected memory block.

  • CVE-2015-0150CriApr 12, 2018
    risk 0.64cvss 9.8epss 0.02

    The remote administration UI in D-Link DIR-815 devices with firmware before 2.07.B01 allows remote attackers to bypass intended access restrictions via unspecified vectors.

  • CVE-2014-2048CriMar 26, 2018
    risk 0.64cvss 9.8epss 0.03

    The user_openid app in ownCloud Server before 5.0.15 allows remote attackers to obtain access by leveraging an insecure OpenID implementation.

  • CVE-2018-7520CriMar 22, 2018
    risk 0.64cvss 9.8epss 0.02

    An improper access control vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which could allow a full configuration download, including passwords.

  • CVE-2017-5254HigDec 20, 2017
    risk 0.64cvss 8.8epss 0.54

    In version 3.5 and prior of Cambium Networks ePMP firmware, the non-administrative users 'installer' and 'home' have the capability of changing passwords for other accounts, including admin, after disabling a client-side protection mechanism.

  • CVE-2015-9245CriOct 31, 2017
    risk 0.64cvss 9.8epss 0.02

    Insecure default configuration in Progress Software OpenEdge 10.2x and 11.x allows unauthenticated remote attackers to specify arbitrary URLs from which to load and execute malicious Java classes via port 20931.

  • CVE-2014-3624CriOct 30, 2017
    risk 0.64cvss 9.8epss 0.04

    Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT.

  • CVE-2014-9513CriAug 28, 2017
    risk 0.64cvss 9.8epss 0.04

    Insecure use of temporary files in xbindkeys-config 0.1.3-2 allows remote attackers to execute arbitrary code.

  • CVE-2016-10382CriAug 18, 2017
    risk 0.64cvss 9.8epss 0.01

    In all Qualcomm products with Android releases from CAF using the Linux kernel, access control to the I2C bus is not sufficient.

  • CVE-2015-9064CriAug 18, 2017
    risk 0.64cvss 9.8epss 0.01

    In all Qualcomm products with Android releases from CAF using the Linux kernel, the UE can send IMEI or IMEISV to the network on a network request before NAS security has been activated.

  • CVE-2015-9047CriAug 18, 2017
    risk 0.64cvss 9.8epss 0.01

    In all Qualcomm products with Android releases from CAF using the Linux kernel, a vulnerability exists in GNSS when performing a scan after bootup.

  • CVE-2015-9040CriAug 18, 2017
    risk 0.64cvss 9.8epss 0.01

    In all Qualcomm products with Android releases from CAF using the Linux kernel, a vulnerability exists in a GERAN API.

  • CVE-2016-8584CriApr 28, 2017
    risk 0.64cvss 9.8epss 0.06

    Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier uses predictable session values, which allows remote attackers to bypass authentication by guessing the value.

  • CVE-2016-6143CriApr 13, 2017
    risk 0.64cvss 9.8epss 0.04

    SAP HANA DB 1.00.73.00.389160 allows remote attackers to execute arbitrary code via vectors involving the audit logs, aka SAP Security Note 2170806.

  • CVE-2016-4800CriApr 13, 2017
    risk 0.64cvss 9.8epss 0.06

    The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.

  • CVE-2014-3928CriApr 3, 2017
    risk 0.64cvss 9.8epss 0.02

    Cougar-LG stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain credentials.

  • CVE-2016-6807CriMar 28, 2017
    risk 0.64cvss 9.8epss 0.02

    Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user…

  • CVE-2016-5239CriMar 15, 2017
    risk 0.64cvss 9.8epss 0.03

    The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMagick allows remote attackers to execute arbitrary commands via unspecified vectors.