VYPR

CWE-284

Improper Access Control

Abstraction: Pillar · Status: Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 9 of 135
  • CVE-2015-6550 · Critical · May 7, 2016
    risk 0.64 · cvss 9.8 · epss 0.03

    bpcd in Veritas NetBackup 7.x through 7.5.0.7, 7.6.0.x through 7.6.0.4, 7.6.1.x through 7.6.1.2, and 7.7.x before 7.7.2 and NetBackup Appliance through 2.5.4, 2.6.0.x through 2.6.0.4, 2.6.1.x through 2.6.1.2, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary…

  • CVE-2016-2275 · Critical · Feb 21, 2016
    risk 0.64 · cvss 9.8 · epss 0.03

    The web interface on Advantech/B+B SmartWorx VESP211-EU devices with firmware 1.7.2 and VESP211-232 devices with firmware 1.5.1 and 1.7.2 relies on the client to implement access control, which allows remote attackers to perform administrative actions via modified JavaScript…

  • CVE-2012-6068 · Critical · Jan 21, 2013
    risk 0.64 · cvss 9.8 · epss 0.05

    The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to execute commands via the command-line interface in the TCP listener service or transfer files via requests to the TCP listener service.

  • CVE-2016-5582 · Critical · Oct 25, 2016
    risk 0.63 · cvss 9.6 · epss 0.05

    Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and Java SE Embedded 8u101 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot, a different vulnerability than CVE-2016-5573.

  • CVE-2016-5580 · Critical · Oct 25, 2016
    risk 0.63 · cvss 9.6 · epss 0.02

    Unspecified vulnerability in the Secure Global Desktop component in Oracle Virtualization 4.7 and 5.2 allows remote authenticated users to affect confidentiality and availability via vectors through Web Services.

  • CVE-2016-5568 · Critical · Oct 25, 2016
    risk 0.63 · cvss 9.6 · epss 0.04

    Unspecified vulnerability in Oracle Java SE 6u121, 7u111, and 8u102 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT.

  • CVE-2016-5556 · Critical · Oct 25, 2016
    risk 0.63 · cvss 9.6 · epss 0.05

    Unspecified vulnerability in Oracle Java SE 6u121, 7u111, and 8u102 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D.

  • CVE-2026-24303 · Critical · Apr 23, 2026
    risk 0.62 · cvss 9.6 · epss 0.00

    Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.

  • CVE-2026-21627 · Critical · Feb 20, 2026
    risk 0.62 · cvss not listed · epss 0.00

    The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.

  • CVE-2025-59434 · Critical · Sep 22, 2025
    risk 0.62 · cvss 9.6 · epss 0.03

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via…

  • CVE-2024-56898 · High · Feb 3, 2025
    risk 0.61 · cvss 8.8 · epss 0.02

    Broken access control vulnerability in Geovision GV-ASWeb with version v6.1.0.0 or less. This vulnerability allows low-privilege users to perform actions that they aren't authorized to, which can be leveraged to escalate privileges and create, modify, or delete accounts.

  • CVE-2024-21767 · Critical · Mar 1, 2024
    risk 0.61 · cvss 9.4 · epss 0.01

    A remote attacker may be able to bypass access control of Commend WS203VICM by creating a malicious request.

  • CVE-2015-0104 · High · Apr 24, 2017
    risk 0.61 · cvss 8.8 · epss 0.07

    IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0…

  • CVE-2015-8284 · High · Apr 13, 2017
    risk 0.61 · cvss 8.8 · epss 0.04

    SeaWell Networks Spectrum SDC 02.05.00 allows remote viewer users to perform administrative functions.

  • CVE-2016-1608 · High · Aug 1, 2016
    risk 0.61 · cvss 8.8 · epss 0.11

    vaconfig/time in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ntpServer parameter.

  • CVE-2016-0088 · Critical · Apr 12, 2016
    risk 0.61 · cvss 9.3 · epss 0.08

    Hyper-V in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, and Windows 10 allows guest OS users to execute arbitrary code on the host OS via a crafted application, aka "Hyper-V Remote Code Execution Vulnerability."

  • CVE-2026-45043 · Critical · May 29, 2026
    risk 0.60 · cvss not listed · epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user…

  • CVE-2026-44225 · Critical · May 12, 2026
    risk 0.60 · cvss 9.3 · epss 0.00

    Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the host filesystem. A validateFsPath() function is supposed to sandbox this access,…

  • CVE-2024-56330 · Critical · Dec 20, 2024
    risk 0.60 · cvss not listed · epss 0.00

    Stardust is a platform for streaming isolated desktop containers. With this exploit, inter-container communication (ICC) is not disabled. This would allow users within a container to access another container's agent, therefore compromising access. The problem has been patched in…

  • CVE-2016-3345 · High · Sep 14, 2016
    risk 0.60 · cvss 8.8 · epss 0.32

    The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via crafted packets, aka…