VYPR

CWE-284

Improper Access Control

Pillar · Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 8 of 135
  • CVE-2016-5700 · Critical · Oct 3, 2016
    risk 0.64 · cvss 9.8 · epss 0.06

    Virtual servers in F5 BIG-IP systems 11.5.0, 11.5.1 before HF11, 11.5.2, 11.5.3, 11.5.4 before HF2, 11.6.0 before HF8, 11.6.1 before HF1, 12.0.0 before HF4, and 12.1.0 before HF2, when configured with the HTTP Explicit Proxy functionality or SOCKS profile, allow remote attackers…

  • CVE-2016-4464 · Critical · Sep 21, 2016
    risk 0.64 · cvss 9.8 · epss 0.04

    The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to bypass intended restrictions and have unspecified other impact via a…

  • CVE-2016-5022 · Critical · Sep 7, 2016
    risk 0.64 · cvss 9.8 · epss 0.03

    F5 BIG-IP LTM, Analytics, APM, ASM, and Link Controller 11.2.x before 11.2.1 HF16, 11.3.x, 11.4.x, 11.5.x before 11.5.4 HF2, 11.6.x before 11.6.1 HF1, and 12.x before 12.0.0 HF3; BIG-IP AAM, AFM, and PEM 11.4.x, 11.5.x before 11.5.4 HF2, 11.6.x before 11.6.1 HF1, and 12.x before…

  • CVE-2016-5144 · Critical · Aug 7, 2016
    risk 0.64 · cvss 9.8 · epss 0.02

    The Developer Tools (aka DevTools) subsystem in Blink, as used in Google Chrome before 52.0.2743.116, mishandles the script-path hostname, remoteBase parameter, and remoteFrontendUrl parameter, which allows remote attackers to bypass intended access restrictions via a crafted…

  • CVE-2016-6150 · Critical · Aug 5, 2016
    risk 0.64 · cvss 9.8 · epss 0.03

    The multi-tenant database container feature in SAP HANA does not properly encrypt communications, which allows remote attackers to bypass intended access restrictions and possibly have unspecified other impact via unknown vectors, aka SAP Security Note 2233550.

  • CVE-2016-6140 · Critical · Aug 5, 2016
    risk 0.64 · cvss 9.8 · epss 0.06

    SAP TREX 7.10 Revision 63 allows remote attackers to write to arbitrary files via vectors related to RFC-Gateway, aka SAP Security Note 2203591.

  • CVE-2016-5229 · Critical · Aug 2, 2016
    risk 0.64 · cvss 9.8 · epss 0.07

    Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization.

  • CVE-2016-4373 · Critical · Aug 1, 2016
    risk 0.64 · cvss 9.8 · epss 0.04

    The AdminUI in HPE Operations Manager (OM) before 9.21.130 on Linux, Unix, and Solaris allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

  • CVE-2016-5008 · Critical · Jul 13, 2016
    risk 0.64 · cvss 9.8 · epss 0.04

    libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers to bypass authentication and establish a VNC session by connecting to the server.

  • CVE-2016-4215 · Critical · Jul 13, 2016
    risk 0.64 · cvss 9.8 · epss 0.06

    Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC Classic before 15.006.30198, and Acrobat and Acrobat Reader DC Continuous before 15.017.20050 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors.

  • CVE-2016-0391 · Critical · Jul 2, 2016
    risk 0.64 · cvss 9.8 · epss 0.01

    The IBM Watson Developer Cloud services on Bluemix platforms do not properly generate random numbers for service-instance credentials, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.

  • CVE-2016-5302 · Critical · Jun 13, 2016
    risk 0.64 · cvss 9.8 · epss 0.03

    Citrix XenServer 7.0 before Hotfix XS70E003, when a deployment has been upgraded from an earlier release, might allow remote attackers on the management network to "compromise" a host by leveraging credentials for an Active Directory account.

  • CVE-2016-1999 · Critical · May 30, 2016
    risk 0.64 · cvss 9.8 · epss 0.06

    The server in HP Release Control 9.13, 9.20, and 9.21 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.

  • CVE-2016-1117 · Critical · May 11, 2016
    risk 0.64 · cvss 9.8 · epss 0.06

    Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors, a…

  • CVE-2016-1062 · Critical · May 11, 2016
    risk 0.64 · cvss 9.8 · epss 0.06

    Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors, a…

  • CVE-2016-1042 · Critical · May 11, 2016
    risk 0.64 · cvss 9.8 · epss 0.06

    Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors, a…

  • CVE-2016-1040 · Critical · May 11, 2016
    risk 0.64 · cvss 9.8 · epss 0.06

    Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors, a…

  • CVE-2016-1039 · Critical · May 11, 2016
    risk 0.64 · cvss 9.8 · epss 0.06

    Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors, a…

  • CVE-2016-0170 · High · May 11, 2016
    risk 0.64 · cvss 8.8 · epss 0.49

    GDI in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted document, aka "Windows Graphics…

  • CVE-2015-6552 · Critical · May 7, 2016
    risk 0.64 · cvss 9.8 · epss 0.02

    The management-services protocol implementation in Veritas NetBackup 7.x through 7.5.0.7, 7.6.0.x through 7.6.0.4, 7.6.1.x through 7.6.1.2, and 7.7.x before 7.7.2 and NetBackup Appliance through 2.5.4, 2.6.0.x through 2.6.0.4, 2.6.1.x through 2.6.1.2, and 2.7.x before 2.7.2…