VYPR
Get started

CWE-284

Improper Access Control

PillarIncomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Parents

none

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (1,922)

page 94 of 97
CVESevRiskCVSSEPSSKEVPublishedDescription
CVE-2015-30610.000.04May 13, 2015Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to bypass intended restrictions on JavaScript API execution via unspecified vectors, a different vulnerability than CVE-2015-3060, CVE-2015-3062, CVE-2015-3063, CVE-2015-3064, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3069, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, and CVE-2015-3074.
CVE-2015-30600.000.04May 13, 2015Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to bypass intended restrictions on JavaScript API execution via unspecified vectors, a different vulnerability than CVE-2015-3061, CVE-2015-3062, CVE-2015-3063, CVE-2015-3064, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3069, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, and CVE-2015-3074.
CVE-2015-05310.000.00May 7, 2015EMC SourceOne Email Management before 7.2 does not have a lockout mechanism for invalid login attempts, which makes it easier for remote attackers to obtain access via a brute-force attack.
CVE-2015-09140.000.00May 1, 2015EasyCTF before 1.4 does not validate the session ID, which allows remote attackers to obtain access via a crafted HTTP request.
CVE-2015-11510.000.00Apr 28, 2015Wiki Server in Apple OS X Server before 4.1 allows remote attackers to bypass intended restrictions on Activity and People pages by connecting from an iPad client.
CVE-2015-31480.000.01Apr 24, 2015cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
CVE-2015-02970.000.01Apr 24, 2015Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methods via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.
CVE-2015-08400.000.01Apr 13, 2015The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control file (.dsc).
CVE-2015-06750.000.00Apr 13, 2015The failover ipsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(6), 9.2 before 9.2(3.3), and 9.3 before 9.3(3) does not properly validate failover communication messages, which allows remote attackers to reconfigure an ASA device, and consequently obtain administrative control, by sending crafted UDP packets over the local network to the failover interface, aka Bug ID CSCur21069.
CVE-2015-06940.000.00Apr 11, 2015Cisco ASR 9000 devices with software 5.3.0.BASE do not recognize that certain ACL entries have a single-host constraint, which allows remote attackers to bypass intended network-resource access restrictions by using an address that was not supposed to have been allowed, aka Bug ID CSCur28806.
CVE-2015-11150.000.00Apr 10, 2015The Telephony component in Apple iOS before 8.3 allows attackers to bypass a sandbox protection mechanism and access unintended telephone capabilities via a crafted app.
CVE-2015-01190.000.02Apr 6, 2015FastBack Mount in IBM Tivoli Storage Manager FastBack 6.1.x before 6.1.11.1 allows remote attackers to execute arbitrary code by connecting to the Mount port.
CVE-2015-28160.000.01Apr 1, 2015The XcListener in SAP Afaria 7.0.6001.5 does not properly restrict access, which allows remote attackers to have unspecified impact via a crafted request, aka SAP Security Note 2134905.
CVE-2015-27920.000.00Mar 30, 2015The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for the action GET parameter.
CVE-2015-21720.000.02Mar 30, 2015DokuWiki before 2014-05-05d and before 2014-09-29c does not properly check permissions for the ACL plugins, which allows remote authenticated users to gain privileges and add or delete ACL rules via a request to the XMLRPC API.
CVE-2015-25590.000.00Mar 25, 2015Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.
CVE-2015-06670.000.00Mar 18, 2015The Management Interface on Cisco Content Services Switch (CSS) 11500 devices 8.20.4.02 and earlier allows remote attackers to bypass intended restrictions on local-network device access via crafted SSH packets, aka Bug ID CSCut14855.
CVE-2015-21070.000.00Mar 14, 2015HP Operations Manager i Management Pack 1.x before 1.01 for SAP allows local users to execute OS commands by leveraging SAP administrative privileges.
CVE-2015-06600.000.00Mar 14, 2015Cisco Virtual TelePresence Server Software does not properly restrict use of the serial port, which allows local users to execute arbitrary OS commands as root by leveraging vSphere controller administrative privileges, aka Bug ID CSCus61123.
CVE-2015-14640.000.00Mar 9, 2015RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.