CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-282
- CWE-285
- CWE-286
- CWE-287
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,700)
page 9 of 135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-6550 | Cri | 0.64 | 9.8 | 0.03 | May 7, 2016 | bpcd in Veritas NetBackup 7.x through 7.5.0.7, 7.6.0.x through 7.6.0.4, 7.6.1.x through 7.6.1.2, and 7.7.x before 7.7.2 and NetBackup Appliance through 2.5.4, 2.6.0.x through 2.6.0.4, 2.6.1.x through 2.6.1.2, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary… | ||
| CVE-2016-2275 | Cri | 0.64 | 9.8 | 0.03 | Feb 21, 2016 | The web interface on Advantech/B+B SmartWorx VESP211-EU devices with firmware 1.7.2 and VESP211-232 devices with firmware 1.5.1 and 1.7.2 relies on the client to implement access control, which allows remote attackers to perform administrative actions via modified JavaScript… | ||
| CVE-2012-6068 | Cri | 0.64 | 9.8 | 0.05 | Jan 21, 2013 | The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to execute commands via the command-line interface in the TCP listener service or transfer files via requests to the TCP listener service. | ||
| CVE-2016-5582 | Cri | 0.63 | 9.6 | 0.05 | Oct 25, 2016 | Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and Java SE Embedded 8u101 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot, a different vulnerability than CVE-2016-5573. | ||
| CVE-2016-5580 | Cri | 0.63 | 9.6 | 0.02 | Oct 25, 2016 | Unspecified vulnerability in the Secure Global Desktop component in Oracle Virtualization 4.7 and 5.2 allows remote authenticated users to affect confidentiality and availability via vectors through Web Services. | ||
| CVE-2016-5568 | Cri | 0.63 | 9.6 | 0.04 | Oct 25, 2016 | Unspecified vulnerability in Oracle Java SE 6u121, 7u111, and 8u102 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. | ||
| CVE-2016-5556 | Cri | 0.63 | 9.6 | 0.05 | Oct 25, 2016 | Unspecified vulnerability in Oracle Java SE 6u121, 7u111, and 8u102 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D. | ||
| CVE-2026-24303 | Cri | 0.62 | 9.6 | 0.00 | Apr 23, 2026 | Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network. | ||
| CVE-2026-21627 | Cri | 0.62 | — | 0.00 | Feb 20, 2026 | The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction. | ||
| CVE-2025-59434 | Cri | 0.62 | 9.6 | 0.03 | Sep 22, 2025 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via… | ||
| CVE-2024-56898 | Hig | 0.61 | 8.8 | 0.02 | Feb 3, 2025 | Broken access control vulnerability in Geovision GV-ASWeb with version v6.1.0.0 or less. This vulnerability allows low privilege users perform actions that they aren't authorized to, which can be leveraged to escalate privileges, create, modify or delete accounts. | ||
| CVE-2024-21767 | Cri | 0.61 | 9.4 | 0.01 | Mar 1, 2024 | A remote attacker may be able to bypass access control of Commend WS203VICM by creating a malicious request. | ||
| CVE-2015-0104 | Hig | 0.61 | 8.8 | 0.07 | Apr 24, 2017 | IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0… | ||
| CVE-2015-8284 | Hig | 0.61 | 8.8 | 0.04 | Apr 13, 2017 | SeaWell Networks Spectrum SDC 02.05.00 allows remote viewer users to perform administrative functions. | ||
| CVE-2016-1608 | Hig | 0.61 | 8.8 | 0.11 | Aug 1, 2016 | vaconfig/time in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ntpServer parameter. | ||
| CVE-2016-0088 | Cri | 0.61 | 9.3 | 0.08 | Apr 12, 2016 | Hyper-V in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, and Windows 10 allows guest OS users to execute arbitrary code on the host OS via a crafted application, aka "Hyper-V Remote Code Execution Vulnerability." | ||
| CVE-2026-45043 | Cri | 0.60 | — | 0.00 | May 29, 2026 | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user… | ||
| CVE-2026-44225 | Cri | 0.60 | 9.3 | 0.00 | May 12, 2026 | Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the host filesystem. A validateFsPath() function is supposed to sandbox this access,… | ||
| CVE-2024-56330 | Cri | 0.60 | — | 0.00 | Dec 20, 2024 | Stardust is a platform for streaming isolated desktop containers. With this exploit, inter container communication (ICC) is not disabled. This would allow users within a container to access another containers agent, therefore compromising access.The problem has been patched in… | ||
| CVE-2016-3345 | Hig | 0.60 | 8.8 | 0.32 | Sep 14, 2016 | The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via crafted packets, aka… |
- risk 0.64cvss 9.8epss 0.03
bpcd in Veritas NetBackup 7.x through 7.5.0.7, 7.6.0.x through 7.6.0.4, 7.6.1.x through 7.6.1.2, and 7.7.x before 7.7.2 and NetBackup Appliance through 2.5.4, 2.6.0.x through 2.6.0.4, 2.6.1.x through 2.6.1.2, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary…
- risk 0.64cvss 9.8epss 0.03
The web interface on Advantech/B+B SmartWorx VESP211-EU devices with firmware 1.7.2 and VESP211-232 devices with firmware 1.5.1 and 1.7.2 relies on the client to implement access control, which allows remote attackers to perform administrative actions via modified JavaScript…
- risk 0.64cvss 9.8epss 0.05
The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to execute commands via the command-line interface in the TCP listener service or transfer files via requests to the TCP listener service.
- risk 0.63cvss 9.6epss 0.05
Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and Java SE Embedded 8u101 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot, a different vulnerability than CVE-2016-5573.
- risk 0.63cvss 9.6epss 0.02
Unspecified vulnerability in the Secure Global Desktop component in Oracle Virtualization 4.7 and 5.2 allows remote authenticated users to affect confidentiality and availability via vectors through Web Services.
- risk 0.63cvss 9.6epss 0.04
Unspecified vulnerability in Oracle Java SE 6u121, 7u111, and 8u102 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT.
- risk 0.63cvss 9.6epss 0.05
Unspecified vulnerability in Oracle Java SE 6u121, 7u111, and 8u102 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D.
- risk 0.62cvss 9.6epss 0.00
Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.
- risk 0.62cvss —epss 0.00
The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.
- risk 0.62cvss 9.6epss 0.03
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via…
- risk 0.61cvss 8.8epss 0.02
Broken access control vulnerability in Geovision GV-ASWeb with version v6.1.0.0 or less. This vulnerability allows low privilege users perform actions that they aren't authorized to, which can be leveraged to escalate privileges, create, modify or delete accounts.
- risk 0.61cvss 9.4epss 0.01
A remote attacker may be able to bypass access control of Commend WS203VICM by creating a malicious request.
- risk 0.61cvss 8.8epss 0.07
IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0…
- risk 0.61cvss 8.8epss 0.04
SeaWell Networks Spectrum SDC 02.05.00 allows remote viewer users to perform administrative functions.
- risk 0.61cvss 8.8epss 0.11
vaconfig/time in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ntpServer parameter.
- risk 0.61cvss 9.3epss 0.08
Hyper-V in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, and Windows 10 allows guest OS users to execute arbitrary code on the host OS via a crafted application, aka "Hyper-V Remote Code Execution Vulnerability."
- risk 0.60cvss —epss 0.00
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user…
- risk 0.60cvss 9.3epss 0.00
Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the host filesystem. A validateFsPath() function is supposed to sandbox this access,…
- risk 0.60cvss —epss 0.00
Stardust is a platform for streaming isolated desktop containers. With this exploit, inter container communication (ICC) is not disabled. This would allow users within a container to access another containers agent, therefore compromising access.The problem has been patched in…
- risk 0.60cvss 8.8epss 0.32
The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via crafted packets, aka…