CWE-284: Improper Access Control
4,211 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-284 (page 3 of 85)
- CVE-2016-10440 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-04-18
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile SD 425, SD 430, SD 450, SD 625, and SD 650/52, there is improper access control to a bus.
- CVE-2016-10442 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-04-18
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MDM9640, SDM630, MSM8976, MSM8937, SDM845, MSM8976, and MSM8952, when running module or kernel code with improper access control allowing writing to…
- CVE-2016-10444 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-04-18
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 820, SD 820A, and SD 835, SMMU Access …
- CVE-2016-10462 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-04-18
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile and Snapdragon Mobile SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 820A, S…
- CVE-2016-10472 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-04-18
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, …
- CVE-2016-10549 | MEDIUM | CVSS 4.4 | EG 4.4 | 2018-05-31
Sails is an MVC-style framework for building realtime web applications. Versions 0.12.7 and lower have an issue with the CORS configuration where the value of the Origin header is reflected as the value for the Access-Control-Allow-Origin h…
- CVE-2016-10792 | HIGH | CVSS 8.8 | EG 8.8 | 2019-08-06
cPanel before 59.9999.145 allows code execution in the context of other accounts via mailman list archives (SEC-141).
- CVE-2016-10799 | MEDIUM | CVSS 5.5 | EG 5.5 | 2019-08-07
cPanel before 58.0.4 does not set the Pear tmp directory during a PHP installation (SEC-137).
- CVE-2016-10802 | HIGH | CVSS 8.8 | EG 8.8 | 2019-08-07
cPanel before 58.0.4 allows code execution in the context of other user accounts through the PHP CGI handler (SEC-142).
- CVE-2016-10820 | HIGH | CVSS 8.8 | EG 8.8 | 2019-08-01
cPanel before 55.9999.141 allows daemons to access their controlling TTYs (SEC-31).
- CVE-2016-10830 | HIGH | CVSS 8.1 | EG 8.1 | 2019-08-01
cPanel before 55.9999.141 allows ACL bypass for AppConfig applications via magic_revision (SEC-100).
- CVE-2016-10838 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-08-01
cPanel before 11.54.0.4 allows arbitrary file-read operations via the bin/fmq script (SEC-70).
- CVE-2016-10852 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-08-01
cPanel before 11.54.0.4 lacks ACL enforcement in the AppConfig subsystem (SEC-85).
- CVE-2016-10856 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-08-01
cPanel before 11.54.0.0 allows subaccounts to discover sensitive data through comet feeds (SEC-29).
- CVE-2016-10857 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-08-01
cPanel before 11.54.0.0 allows a bypass of the e-mail sending limit (SEC-60).
- CVE-2016-10860 | HIGH | CVSS 8.1 | EG 8.1 | 2019-08-01
cPanel before 11.54.0.0 allows unauthorized zone modification via the WHM API (SEC-66).
- CVE-2016-1587 | HIGH | CVSS 7.1 | EG 7.5 | 2019-04-22
The Snapweb interface before version 0.21.2 was exposing controls to install or remove snap packages without controlling the identity of the user, nor the origin of the connection. An attacker could have used the controls to remotely add a…
- CVE-2016-3393 | HIGH | CVSS 7.8 | EG 9.0 | ⚠ KEV | 2016-10-14
Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows remote …
- CVE-2016-3427 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2016-04-21
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.
- CVE-2016-3715 | MEDIUM | CVSS 5.5 | EG 9.0 | ⚠ KEV | 2016-05-05
The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image.
- CVE-2016-4426 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-07-28
In zulip before 1.3.12, bot API keys were accessible to other users in the same realm.
- CVE-2016-4427 | HIGH | CVSS 7.5 | EG 7.5 | 2022-07-28
In zulip before 1.3.12, deactivated users could access messages if SSO was enabled.
- CVE-2016-5645 | HIGH | CVSS 7.3 | EG 7.3 | 2016-08-24
Rockwell Automation MicroLogix 1400 PLC 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, and 1766-L32BXBA devices have a hardcoded SNMP community, which makes it easier for remote attackers to load arbitrary firmware upda…
- CVE-2016-6543 | MEDIUM | CVSS 5.9 | EG 5.9 | 2018-07-13
A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device.
- CVE-2016-6598 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-01-30
BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting file storage service (FileStorageService) on port 9010. This service contains a method that allows uploading a file to an arbitrary path on the machine that is run…
- CVE-2016-7048 | HIGH | CVSS 8.1 | EG 8.1 | 2018-08-20
The interactive installer in PostgreSQL before 9.3.15, 9.4.x before 9.4.10, and 9.5.x before 9.5.5 might allow remote attackers to execute arbitrary code by leveraging use of HTTP to download software.
- CVE-2016-7256 | HIGH | CVSS 8.8 | EG 9.0 | ⚠ KEV | 2016-11-10
atmfd.dll in the Windows font library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016…
- CVE-2016-8365 | MEDIUM | CVSS 5.5 | EG 5.5 | 2018-04-03
OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer …
- CVE-2016-8529 | HIGH | CVSS 7.6 | EG 7.6 | 2018-02-15
A Remote Arbitrary Command Execution vulnerability in HPE StoreVirtual 4000 Storage and StoreVirtual VSA Software running LeftHand OS version v12.5 and earlier was found. The problem was resolved in LeftHand OS v12.6 or any subsequent vers…
- CVE-2016-8629 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-03-12
Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal pe…
- CVE-2016-8656 | HIGH | CVSS 7.0 | EG 7.8 | 2018-05-22
Jboss jbossas before versions 5.2.0-23, 6.4.13, 7.0.5 is vulnerable to an unsafe file handling in the jboss init script which could result in local privilege escalation.
- CVE-2016-9599 | HIGH | CVSS 7.1 | EG 7.5 | 2018-04-24
puppet-tripleo before versions 5.5.0, 6.2.0 is vulnerable to an access-control flaw in the IPtables rules management, which allowed the creation of TCP/UDP rules with empty port values. If SSL is enabled, a malicious user could use these o…
- CVE-2016-9645 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-04-10
The fix for ikiwiki for CVE-2016-10026 was incomplete resulting in editing restriction bypass for git revert when using git versions older than 2.8.0. This has been fixed in 3.20161229.
- CVE-2016-9722 | MEDIUM | CVSS 4.2 | EG 4.2 | 2018-01-10
IBM QRadar 7.2 and 7.3 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 119737.
- CVE-2016-9905 | HIGH | CVSS 8.8 | EG 8.8 | 2018-06-11
A potentially exploitable crash in "EnumerateSubDocuments" while adding or removing sub-documents. This vulnerability affects Firefox ESR < 45.6 and Thunderbird < 45.6.
- CVE-2017-10721 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has Telnet functionality enabled by default. This device acts as an Endoscope camera that allows its users…
- CVE-2017-11365 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-05-23
Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator.
- CVE-2017-12171 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-07-26
A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd 2.2.15-60, causing comments in the "Allow" and "Deny" configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to a…
- CVE-2017-12191 | HIGH | CVSS 7.4 | EG 7.4 | 2018-02-28
A flaw was found in the CloudForms account configuration when using VMware. By default, a shared account is used that has privileged access to VMRC (VMWare Remote Console) functions that may not be appropriate for users of CloudForms (and …
- CVE-2017-15131 | HIGH | CVSS 7.8 | EG 7.8 | 2018-01-09
It was found that system umask policy is not being honored when creating XDG user directories, since Xsession sources xdg-user-dirs.sh before setting umask policy. This only affects xdg-user-dirs before 0.15.5 as shipped with Red Hat Enter…
- CVE-2017-18035 | MEDIUM | CVSS 4.3 | EG 4.3 | 2018-02-02
The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check; this allows remote attackers who do not have access to a particular…
- CVE-2017-18101 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-04-10
Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow re…
- CVE-2017-18380 | HIGH | CVSS 7.5 | EG 7.5 | 2019-07-30
edx-platform before 2017-08-03 allows attackers to trigger password-reset e-mail messages in which the reset link has an attacker-controlled domain name.
- CVE-2017-18384 | LOW | CVSS 3.8 | EG 3.8 | 2019-08-02
cPanel before 68.0.15 allows jailed accounts to restore files that are outside of the jail (SEC-310).
- CVE-2017-18385 | MEDIUM | CVSS 5.5 | EG 5.5 | 2019-08-02
cPanel before 68.0.15 allows unprivileged users to access restricted directories during account restores (SEC-311).
- CVE-2017-18403 | MEDIUM | CVSS 6.3 | EG 6.3 | 2019-08-02
cPanel before 68.0.15 allows code execution in the context of the nobody account via Mailman archives (SEC-337).
- CVE-2017-18404 | LOW | CVSS 3.1 | EG 3.1 | 2019-08-02
cPanel before 68.0.15 allows domain data to be deleted for domains with the .lock TLD (SEC-341).
- CVE-2017-18416 | MEDIUM | CVSS 5.5 | EG 5.5 | 2019-08-02
cPanel before 67.9999.103 allows arbitrary file-overwrite operations during a Roundcube SQLite schema update (SEC-303).
- CVE-2017-18421 | LOW | CVSS 3.3 | EG 3.3 | 2019-08-02
cPanel before 66.0.2 allows demo accounts to create databases and users (SEC-271).
- CVE-2017-18457 | MEDIUM | CVSS 4.4 | EG 4.4 | 2019-08-02
cPanel before 62.0.17 allows arbitrary file-read operations via WHM /styled/ URLs (SEC-218).