VYPR

CWE-284

Improper Access Control

Abstraction: Pillar · Status: Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 7 of 135
  • CVE-2016-5815 · Critical · Feb 13, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. No authentication is configured by default. An unauthorized user can access the device management portal…

  • CVE-2016-7565 · Critical · Feb 13, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    install/index.php in Exponent CMS 2.3.9 allows remote attackers to execute arbitrary commands via shell metacharacters in the sc array parameter.

  • CVE-2016-2788 · Critical · Feb 13, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command.

  • CVE-2016-9005 · Critical · Feb 8, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    IBM System Storage TS3100-TS3200 Tape Library could allow an unauthenticated user with access to the company network, to change a user's password and gain remote access to the system.

  • CVE-2016-8418 · Critical · Feb 8, 2017
    risk 0.64 · cvss 9.8 · epss 0.03

    A remote code execution vulnerability in the Qualcomm crypto driver could enable a remote attacker to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of remote code execution in the context of the kernel. Product:…

  • CVE-2016-6095 · Critical · Feb 2, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.

  • CVE-2016-5964 · Critical · Feb 1, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    IBM Security Privileged Identity Manager Virtual Appliance version 2.0.2 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.

  • CVE-2016-9412 · Critical · Jan 31, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy.

  • CVE-2014-8362 · Critical · Jan 23, 2017
    risk 0.64 · cvss 9.8 · epss 0.03

    Vivint Sky Control Panel 1.1.1.9926 allows remote attackers to enable and disable the alarm system and modify other security settings via the Web-enabled interface.

  • CVE-2016-7794 · Critical · Jan 19, 2017
    risk 0.64 · cvss 9.8 · epss 0.04

    sociomantic-tsunami git-hub before 0.10.3 allows remote attackers to execute arbitrary code via a crafted repository name.

  • CVE-2016-8606 · Critical · Jan 12, 2017
    risk 0.64 · cvss 9.8 · epss 0.04

    The REPL server (--listen) in GNU Guile 2.0.12 allows an attacker to execute arbitrary code via an HTTP inter-protocol attack.

  • CVE-2016-9877 · Critical · Dec 29, 2016
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an…

  • CVE-2016-1000156 · Critical · Dec 14, 2016
    risk 0.64 · cvss 9.8 · epss 0.03

    Mailcwp remote file upload vulnerability incomplete fix v1.100

  • CVE-2016-9836 · Critical · Dec 5, 2016
    risk 0.64 · cvss 9.8 · epss 0.02

    The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to upload and execute files with the `.php6`, `.php7`, `.phtml`, and `.phpt`…

  • CVE-2016-9835 · Critical · Dec 5, 2016
    risk 0.64 · cvss 9.8 · epss 0.04

    Directory traversal vulnerability in file "jcss.php" in Zikula 1.3.x before 1.3.11 and 1.4.x before 1.4.4 on Windows allows a remote attacker to launch a PHP object injection by uploading a serialized file.

  • CVE-2016-9157 · Critical · Dec 5, 2016
    risk 0.64 · cvss 9.8 · epss 0.03

    A vulnerability in Siemens SICAM PAS (all versions before V8.09) could allow a remote attacker to cause a Denial of Service condition and potentially lead to unauthenticated remote code execution by sending specially crafted packets to port 19234/TCP.

  • CVE-2016-6725 · Critical · Nov 25, 2016
    risk 0.64 · cvss 9.8 · epss 0.03

    A remote code execution vulnerability in the Qualcomm crypto driver in Android before 2016-11-05 could enable a remote attacker to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of remote code execution in the…

  • CVE-2016-9155 · Critical · Nov 22, 2016
    risk 0.64 · cvss 9.8 · epss 0.02

    The following SIEMENS branded IP Camera Models CCMW3025, CVMW3025-IR, CFMW3025 prior to version 1.41_SP18_S1; CCPW3025, CCPW5025 prior to version 0.1.73_S1; CCMD3025-DN18 prior to version v1.394_S1; CCID1445-DN18, CCID1445-DN28, CCID1145-DN36, CFIS1425, CCIS1425, CFMS2025,…

  • CVE-2016-6958 · Critical · Oct 13, 2016
    risk 0.64 · cvss 9.8 · epss 0.03

    Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC Classic before 15.006.30243, and Acrobat and Acrobat Reader DC Continuous before 15.020.20039 on Windows and OS X allow attackers to bypass intended access restrictions via unspecified vectors.

  • CVE-2016-5745 · Critical · Oct 5, 2016
    risk 0.64 · cvss 9.8 · epss 0.05

    F5 BIG-IP LTM systems 11.x before 11.2.1 HF16, 11.3.x, 11.4.x before 11.4.1 HF11, 11.5.0, 11.5.1 before HF11, 11.5.2, 11.5.3, 11.5.4 before HF2, 11.6.0 before HF8, 11.6.1 before HF1, 12.0.0 before HF4, and 12.1.0 before HF2 allow remote attackers to modify or extract system…