CWE-284
Improper Access Control
PillarIncomplete
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-282
- CWE-285
- CWE-286
- CWE-287
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (1,922)
page 9 of 97| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-54391 | Cri | 0.59 | 9.1 | 0.00 | Sep 16, 2025 | A vulnerability in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS) allows an attacker with valid user credentials to bypass Two-Factor Authentication (2FA) protection. The attacker can configure an additional 2FA method (either a third-party authenticator app or email-based 2FA) without presenting a valid authentication token or proving access to an already configured 2FA method. This bypasses 2FA and results in unauthorized access to accounts that are otherwise protected by 2FA. | |
| CVE-2024-45438 | Cri | 0.59 | 9.1 | 0.00 | Aug 21, 2025 | An issue was discovered in TitanHQ SpamTitan Email Security Gateway 8.00.x before 8.00.101 and 8.01.x before 8.01.14. The file quarantine.php within the SpamTitan interface allows unauthenticated users to trigger account-level actions using a crafted GET request. Notably, when a non-existent email address is provided as part of the email parameter, SpamTitan will automatically create a user record and associate quarantine settings with it - all without requiring authentication. | |
| CVE-2025-49603 | Cri | 0.59 | 9.1 | 0.00 | Jun 26, 2025 | Northern.tech Mender Server before 3.7.11 and 4.x before 4.0.1 has Incorrect Access Control. | |
| CVE-2025-28233 | Cri | 0.59 | 9.1 | 0.00 | Apr 18, 2025 | Incorrect access control in BW Broadcast TX600 (14980), TX300 (32990) (31448), TX150, TX1000, TX30, and TX50 Hardware Version: 2, Software Version: 1.6.0, Control Version: 1.0, AIO Firmware Version: 1.7 allows attackers to access log files and extract session identifiers to execute a session hijacking attack. | |
| CVE-2025-28231 | Cri | 0.59 | 9.1 | 0.00 | Apr 18, 2025 | Incorrect access control in Itel Electronics IP Stream v1.7.0.6 allows unauthorized attackers to execute arbitrary commands with Administrator privileges. | |
| CVE-2025-3113 | Cri | 0.59 | — | 0.00 | Apr 17, 2025 | A valid, authenticated user with sufficient privileges and who is aware of Continuous Compliance’s internal database configurations can leverage the application’s built-in Connector functionality to access Continuous Compliance’s internal database. This allows the user to explore the internal database schema and export its data, including the properties of Connecters and Rule Sets. | |
| CVE-2025-30132 | Cri | 0.59 | 9.1 | 0.00 | Mar 18, 2025 | An issue was discovered on IROAD Dashcam V devices. It uses an unregistered public domain name as an internal domain, creating a security risk. During analysis, it was found that this domain was not owned by IROAD, allowing an attacker to register it and potentially intercept sensitive device traffic. If the dashcam or related services attempt to resolve this domain over the public Internet instead of locally, it could lead to data exfiltration or man-in-the-middle attacks. | |
| CVE-2025-1260 | Cri | 0.59 | 9.1 | 0.00 | Mar 4, 2025 | On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This issue can result in unexpected configuration/operations being applied to the switch. | |
| CVE-2025-1941 | Cri | 0.59 | 9.1 | 0.00 | Mar 4, 2025 | Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability was fixed in Firefox 136. | |
| CVE-2020-35546 | Cri | 0.59 | 9.1 | 0.00 | Feb 19, 2025 | Lexmark MX6500 LW75.JD.P296 and previous devices have Incorrect Access Control via the access control settings. | |
| CVE-2024-31967 | Cri | 0.59 | 9.1 | 0.00 | May 2, 2024 | A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an unauthorized access attack due to improper access control. A successful exploit could allow an attacker to gain unauthorized access to user information or the system configuration. | |
| CVE-2021-47155 | Cri | 0.59 | 9.1 | 0.00 | Mar 18, 2024 | The Net::IPV4Addr module 0.10 for Perl does not properly consider extraneous zero characters in an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses. | |
| CVE-2023-51786 | Cri | 0.59 | 9.1 | 0.00 | Mar 7, 2024 | An issue was discovered in Lustre versions 2.13.x, 2.14.x, and 2.15.x before 2.15.4, allows attackers to escalate privileges and obtain sensitive information via Incorrect Access Control. | |
| CVE-2016-9639 | Cri | 0.59 | 9.1 | 0.01 | Feb 7, 2017 | Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching. | |
| CVE-2016-8325 | Cri | 0.59 | 9.1 | 0.01 | Jan 27, 2017 | Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: Internal Operations). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle One-to-One Fulfillment accessible data as well as unauthorized access to critical data or complete access to all Oracle One-to-One Fulfillment accessible data. CVSS v3.0 Base Score 9.1 (Confidentiality and Integrity impacts). | |
| CVE-2016-5605 | Cri | 0.59 | 9.1 | 0.00 | Oct 25, 2016 | Unspecified vulnerability in the Oracle VM VirtualBox component before 5.1.4 in Oracle Virtualization allows remote attackers to affect confidentiality and integrity via vectors related to VRDE. | |
| CVE-2016-5599 | Cri | 0.59 | 9.1 | 0.00 | Oct 25, 2016 | Unspecified vulnerability in the Oracle Advanced Supply Chain Planning component in Oracle Supply Chain Products Suite 12.2.3 through 12.2.5 allows remote attackers to affect confidentiality and integrity via vectors related to MscObieeSrvlt. | |
| CVE-2016-8565 | Cri | 0.59 | 9.1 | 0.01 | Oct 13, 2016 | Siemens Automation License Manager (ALM) before 5.3 SP3 allows remote attackers to write to files, rename files, create directories, or delete directories via crafted packets. | |
| CVE-2016-4694 | Cri | 0.59 | 9.1 | 0.01 | Sep 25, 2016 | The Apache HTTP Server in Apple OS X before 10.12 and OS X Server before 5.2 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted CGI client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue, a related issue to CVE-2016-5387. | |
| CVE-2016-3345 | Hig | 0.59 | 8.8 | 0.27 | Sep 14, 2016 | The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Authenticated Remote Code Execution Vulnerability." |