CWE-284: Improper Access Control
4,211 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.

CVEs classified under CWE-284 (page 17 of 85)
- CVE-2022-2259 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-03-13
  In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items.
- CVE-2022-23132 | LOW | CVSS 3.3 | EG 7.3 | 2022-01-13
  During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permissions check on the…
- CVE-2022-23134 | LOW | CVSS 3.7 | EG 9.0 | ⚠ KEV | 2022-01-13
  After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. A malicious actor can pass step checks and potentially change the configuration of Zabbix Fro…
- CVE-2022-23240 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-02-28
  Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.11P1 are susceptible to a vulnerability which allows unauthorized users to update EMS Subscriptions via unspecified vectors.
- CVE-2022-23241 | HIGH | CVSS 8.1 | EG 8.1 | 2022-10-19
  Clustered Data ONTAP versions 9.11.1 through 9.11.1P2 with SnapLock configured FlexGroups are susceptible to a vulnerability which could allow an authenticated remote attacker to arbitrarily modify or delete WORM data prior to the end of t…
- CVE-2022-23433 | MEDIUM | CVSS 4.3 | EG 5.3 | 2022-02-11
  Improper access control vulnerability in Reminder prior to versions 12.3.01.3000 in Android S(12), 12.2.05.6000 in Android R(11) and 11.6.08.6000 in Android Q(10) allows attackers to register reminders or execute exported activities remote…
- CVE-2022-23485 | MEDIUM | CVSS 6.4 | EG 6.4 | 2022-12-10
  Sentry is an error tracking and performance monitoring platform. In versions of the sentry python library prior to 22.11.0 an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on m…
- CVE-2022-23508 | HIGH | CVSS 8.8 | EG 8.8 | 2023-01-09
  Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in GitOps run could allow a local user or process to alter a Kubernetes cluster's…
- CVE-2022-23513 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-12-23
  Pi-Hole is network-wide ad blocking via your own Linux hardware; AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on …
- CVE-2022-23730 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-11
  The public API error allows the attacker to bypass API access control.
- CVE-2022-23768 | HIGH | CVSS 8.8 | EG 9.8 | 2022-09-19
  This vulnerability in NIS-HAP11AC is caused by an exposed external port for the telnet service. Remote attackers can use this vulnerability to mount attacks such as source code hijacking and remote control of the device.
- CVE-2022-23829 | HIGH | CVSS 8.2 | EG 8.2 | 2024-06-18
  A potential weakness in AMD SPI protection features may allow a malicious attacker with Ring0 (kernel mode) access to bypass the native System Management Mode (SMM) ROM protections.
- CVE-2022-23981 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-02-18
  The vulnerability allows Subscriber+ level users to create brands in WordPress Perfect Brands for WooCommerce plugin (versions <= 2.0.4).
- CVE-2022-23994 | LOW | CVSS 3.3 | EG 3.3 | 2022-02-11
  An improper access control vulnerability in StBedtimeModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to change bedtime mode without a proper permission.
- CVE-2022-23995 | MEDIUM | CVSS 4.0 | EG 4.0 | 2022-02-11
  Unprotected component vulnerability in StBedtimeModeAlarmReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to change bedtime mode without a proper permission.
- CVE-2022-23996 | MEDIUM | CVSS 4.0 | EG 4.0 | 2022-02-11
  Unprotected component vulnerability in StTheaterModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to enable bedtime mode without a proper permission.
- CVE-2022-23997 | MEDIUM | CVSS 4.0 | EG 4.0 | 2022-02-11
  Unprotected component vulnerability in StTheaterModeDurationAlarmReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to disable theater mode without a proper permission.
- CVE-2022-24036 | HIGH | CVSS 8.6 | EG 5.3 | 2022-11-16
  Karmasis Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated attacker to modify logs.
- CVE-2022-24038 | MEDIUM | CVSS 6.5 | EG 7.5 | 2022-11-18
  Karmasis Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated attacker to damage the page where the agents are listed.
- CVE-2022-24309 | MEDIUM | CVSS 6.8 | EG 8.1 | 2022-03-08
  A vulnerability has been identified in Mendix Runtime V7 (All versions < V7.23.29), Mendix Runtime V8 (All versions < V8.18.16), Mendix Runtime V9 (All versions < V9.13 only with Runtime Custom Setting *DataStorage.UseNewQueryHandler* set …
- CVE-2022-24730 | HIGH | CVSS 7.7 | EG 7.7 | 2022-03-23
  Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug, compounded by an improper access control bug,…
- CVE-2022-24731 | MEDIUM | CVSS 6.8 | EG 6.8 | 2022-03-23
  Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read…
- CVE-2022-24841 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-04-18
  fleetdm/fleet is an open source device management platform built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted…
- CVE-2022-24923 | MEDIUM | CVSS 4.0 | EG 3.3 | 2022-02-11
  Improper access control vulnerability in Samsung SearchWidget prior to versions 2.3.00.6 in China models allows untrusted applications to load arbitrary URLs and local files in webview.
- CVE-2022-24924 | LOW | CVSS 2.2 | EG 5.3 | 2022-02-11
  An improper access control in LiveWallpaperService prior to versions 3.0.9.0 allows creating a specifically named system directory without a proper permission.
- CVE-2022-24930 | MEDIUM | CVSS 4.4 | EG 3.3 | 2022-03-10
  An improper access control vulnerability in StRetailModeReceiver in Wear OS 3.0 prior to Firmware update MAR-2022 Release allows untrusted applications to reset default app settings without a proper permission.
- CVE-2022-24972 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-03-28
  This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR940N 3.20.1 Build 200316 Rel.34392n (5553) routers. Authentication is not required to exploit this vulnerabili…
- CVE-2022-25481 | HIGH | CVSS 7.5 | EG 7.5 | 2022-03-21
  ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment…
- CVE-2022-25627 | MEDIUM | CVSS 6.7 | EG 6.7 | 2022-12-16
  An authenticated administrator who has physical access to the environment can carry out Remote Command Execution on Management Console in Symantec Identity Manager 14.4.
- CVE-2022-25650 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-04-12
  A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.27), Mendix Applications using Mendix 8 (All versions < V8.18.14), Mendix Applications using Mendix 9 (All versions < V9.12.0), Mendix Applicat…
- CVE-2022-25679 | MEDIUM | CVSS 6.2 | EG 5.5 | 2022-11-15
  Denial of service in video due to improper access control in broadcast receivers in Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables.
- CVE-2022-25755 | HIGH | CVSS 7.5 | EG 7.5 | 2022-04-12
  A vulnerability has been identified in SCALANCE X302-7 EEC (230V), SCALANCE X302-7 EEC (230V, coated), SCALANCE X302-7 EEC (24V), SCALANCE X302-7 EEC (24V, coated), SCALANCE X302-7 EEC (2x 230V), SCALANCE X302-7 EEC (2x 230V, coated), SCAL…
- CVE-2022-2578 | MEDIUM | CVSS 6.3 | EG 9.8 | 2022-07-29
  A vulnerability, which was classified as critical, has been found in SourceCodester Garage Management System 1.0. This issue affects some unknown processing of the file /php_action/createUser.php. The manipulation leads to improper access …
- CVE-2022-25824 | MEDIUM | CVSS 4.0 | EG 3.3 | 2022-03-10
  Improper access control vulnerability in BixbyTouch prior to version 2.2.00.6 in China models allows untrusted applications to load arbitrary URLs and local files in webview.
- CVE-2022-25831 | LOW | CVSS 2.0 | EG 4.6 | 2022-04-11
  Improper access control vulnerability in S Secure prior to SMR Apr-2022 Release 1 allows physical attackers to access secured data in certain conditions.
- CVE-2022-25932 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-09
  The firmware of InHand Networks InRouter302 V3.5.45 introduces fixes for TALOS-2022-1472 and TALOS-2022-1474. The fixes are incomplete. An attacker can still perform, respectively, a privilege escalation and an information disclosure vulne…
- CVE-2022-26091 | MEDIUM | CVSS 5.7 | EG 6.8 | 2022-04-11
  Improper access control vulnerability in Knox Manage prior to SMR Apr-2022 Release 1 allows physical attackers to bypass Knox Manage using a function key of a hardware keyboard.
- CVE-2022-2630 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-10-17
  An improper access control issue in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.4 and all versions from 15.3 before 15.3.2 allows disclosure of confidential information via the Incident timeline events.
- CVE-2022-26308 | LOW | CVSS 3.7 | EG 5.4 | 2022-08-01
  Pandora FMS v7.0NG.760 and below allows an improper access control in Configuration (Credential store) where a user with the role of Operator (Write) could create, delete, and view existing keys which are outside the intended role.
- CVE-2022-2631 | HIGH | CVSS 8.8 | EG 8.8 | 2022-08-02
  Improper Access Control in GitHub repository tooljet/tooljet prior to v1.19.0.
- CVE-2022-26313 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-08
  A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1). In certain configurations of the affected product, a threat actor could use the sign up flow to hijack arbitrary user accounts.
- CVE-2022-26317 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-03-08
  A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.29). When returning the result of a completed Microflow execution call the affected framework does not correctly verify if the request was ini…
- CVE-2022-26346 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-08-05
  A denial of service vulnerability exists in the ucloud_del_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulner…
- CVE-2022-26389 | HIGH | CVSS 7.7 | EG 7.7 | 2025-02-07
  An improper access control vulnerability may allow privilege escalation. This issue affects: * ELI 380 Resting Electrocardiograph: Versions 2.6.0 and prior; * ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: Versions 2.3.1 …
- CVE-2022-26423 | HIGH | CVSS 8.2 | EG 7.5 | 2022-10-21
  Aethon TUG Home Base Server versions prior to version 24 allow an unauthenticated attacker to freely access hashed user credentials.
- CVE-2022-26926 | HIGH | CVSS 7.8 | EG 7.8 | 2022-05-10
  Windows Address Book Remote Code Execution Vulnerability.
- CVE-2022-2702 | HIGH | CVSS 7.3 | EG 6.5 | 2022-08-08
  A vulnerability was found in SourceCodester Company Website CMS and classified as critical. Affected by this issue is some unknown functionality of the file site-settings.php of the component Cookie Handler. The manipulation leads to impro…
- CVE-2022-27178 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-08-05
  A denial of service vulnerability exists in the confctl_set_wan_cfg functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vu…
- CVE-2022-27185 | HIGH | CVSS 7.5 | EG 7.5 | 2022-08-05
  A denial of service vulnerability exists in the confctl_set_master_wlan functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this…
- CVE-2022-27511 | HIGH | CVSS 8.1 | EG 8.1 | 2022-06-16
  Corruption of the system by a remote, unauthenticated user. The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator cr…