← Back
CWE-284

5,081 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

JSON object

Loading...

CVEs (5,081)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2019-5487
1Gitlab
1Gitlab
Nov 21, 2024
Dec 18, 2019
N/A· v4
5.3 MEDIUM· v3
5.0 MEDIUM· v2
An improper access control vulnerability exists in Gitlab EE <v12.3.3, <v12.2.7, & <v12.1.13 that allowed the group search feature with Elasticsearch to return private code, merge requests and commits.
CVE-2019-15591
1Gitlab
1Gitlab
Nov 21, 2024
Dec 18, 2019
N/A· v4
6.5 MEDIUM· v3
4.0 MEDIUM· v2
An improper access control vulnerability exists in GitLab <12.3.3 that allows an attacker to obtain container and dependency scanning reports through the merge request widget even though public pipelines were disabled.
CVE-2019-15589
1Gitlab
1Gitlab
Nov 21, 2024
Dec 18, 2019
N/A· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
An improper access control vulnerability exists in Gitlab <v12.3.2, <v12.2.6, <v12.1.12 which would allow a blocked user would be able to use GIT clone and pull if he had obtained a CI/CD token before.
CVE-2019-18309
1Siemens
1Sppa T3000 Ms3000 Migration Server
Nov 21, 2024
Dec 12, 2019
N/A· v4
7.8 HIGH· v3
7.2 HIGH· v2
A vulnerability has been identified in SPPA-T3000 MS3000 Migration Server (All versions). An attacker with local access to the MS3000 Server and a low privileged user account could gain root privileges by manipulating sp...Show more
A vulnerability has been identified in SPPA-T3000 MS3000 Migration Server (All versions). An attacker with local access to the MS3000 Server and a low privileged user account could gain root privileges by manipulating specific files in the local file system. This vulnerability is independent from CVE-2019-18308. Please note that an attacker needs to have local access to the MS3000 in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known.Show less
CVE-2019-18308
1Siemens
1Sppa T3000 Ms3000 Migration Server
Nov 21, 2024
Dec 12, 2019
N/A· v4
7.8 HIGH· v3
7.2 HIGH· v2
A vulnerability has been identified in SPPA-T3000 MS3000 Migration Server (All versions). An attacker with local access to the MS3000 Server and a low privileged user account could gain root privileges by manipulating sp...Show more
A vulnerability has been identified in SPPA-T3000 MS3000 Migration Server (All versions). An attacker with local access to the MS3000 Server and a low privileged user account could gain root privileges by manipulating specific files in the local file system. This vulnerability is independent from CVE-2019-18309. Please note that an attacker needs to have local access to the MS3000 in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known.Show less
CVE-2019-15998
1Cisco
1Ios Xr
Nov 21, 2024
Nov 26, 2019
N/A· v4
5.3 MEDIUM· v3
5.0 MEDIUM· v2
A vulnerability in the access-control logic of the NETCONF over Secure Shell (SSH) of Cisco IOS XR Software may allow connections despite an access control list (ACL) that is configured to deny access to the NETCONF over...Show more
A vulnerability in the access-control logic of the NETCONF over Secure Shell (SSH) of Cisco IOS XR Software may allow connections despite an access control list (ACL) that is configured to deny access to the NETCONF over SSH of an affected device. The vulnerability is due to a missing check in the NETCONF over SSH access control list (ACL). An attacker could exploit this vulnerability by connecting to an affected device using NETCONF over SSH. A successful exploit could allow the attacker to connect to the device on the NETCONF port. Valid credentials are required to access the device. This vulnerability does not affect connections to the default SSH process on the device.Show less
CVE-2019-15967
1Cisco
2Roomos
Telepresence Collaboration Endpoint
Nov 21, 2024
Nov 26, 2019
N/A· v4
4.4 MEDIUM· v3
2.1 LOW· v2
A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) and Cisco RoomOS Software could allow an authenticated, local attacker to enable audio recording without notifying users. The vulnerability is...Show more
A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) and Cisco RoomOS Software could allow an authenticated, local attacker to enable audio recording without notifying users. The vulnerability is due to the presence of unnecessary debug commands. An attacker could exploit this vulnerability by gaining unrestricted access to the restricted shell and using the specific debug commands. A successful exploit could allow the attacker to enable the microphone of an affected device to record audio without notifying users.Show less
CVE-2019-15956
1Cisco
2Asyncos
Web Security Appliance
Nov 21, 2024
Nov 26, 2019
N/A· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
A vulnerability in the web management interface of Cisco AsyncOS Software for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform an unauthorized system reset on an affected device...Show more
A vulnerability in the web management interface of Cisco AsyncOS Software for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform an unauthorized system reset on an affected device. The vulnerability is due to improper authorization controls for a specific URL in the web management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could have a twofold impact: the attacker could either change the administrator password, gaining privileged access, or reset the network configuration details, causing a denial of service (DoS) condition. In both scenarios, manual intervention is required to restore normal operations.Show less
CVE-2019-5644
1Gatech
1Computing For Good's Basic Laboratory Information System
Nov 21, 2024
Nov 6, 2019
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Computing For Good's Basic Laboratory Information System (also known as C4G BLIS) version 3.5 and earlier suffers from an instance of CWE-284, "Improper Access Control." As a result, an unauthenticated user may alter sev...Show more
Computing For Good's Basic Laboratory Information System (also known as C4G BLIS) version 3.5 and earlier suffers from an instance of CWE-284, "Improper Access Control." As a result, an unauthenticated user may alter several facets of a user account, including promoting any user to an administrator.Show less
CVE-2019-5643
1Gatech
1Computing For Good's Basic Laboratory Information System
Nov 21, 2024
Nov 6, 2019
N/A· v4
5.3 MEDIUM· v3
5.0 MEDIUM· v2
Computing For Good's Basic Laboratory Information System (also known as C4G BLIS) version 3.5 and earlier suffers from an instance of CWE-284, "Improper Access Control." As a result, an unauthenticated user may enumerate...Show more
Computing For Good's Basic Laboratory Information System (also known as C4G BLIS) version 3.5 and earlier suffers from an instance of CWE-284, "Improper Access Control." As a result, an unauthenticated user may enumerate the user names and facility names in use on a particular installation.Show less
CVE-2019-5617
1Gatech
1Computing For Good's Basic Laboratory Information System
Nov 21, 2024
Nov 6, 2019
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Computing For Good's Basic Laboratory Information System (also known as C4G BLIS) version 3.4 and earlier suffers from an instance of CWE-284, "Improper Access Control." As a result, an unauthenticated user may change th...Show more
Computing For Good's Basic Laboratory Information System (also known as C4G BLIS) version 3.4 and earlier suffers from an instance of CWE-284, "Improper Access Control." As a result, an unauthenticated user may change the password of any administrator-level user.Show less
CVE-2019-6144
1Forcepoint
1One Endpoint
Nov 21, 2024
Oct 23, 2019
N/A· v4
6.5 MEDIUM· v3
4.0 MEDIUM· v2
This vulnerability allows a normal (non-admin) user to disable the Forcepoint One Endpoint (versions 19.04 through 19.08) and bypass DLP and Web protection.
CVE-2019-15260
1Cisco
6Aironet 1540 Firmware
Aironet 1560 FirmwareAironet 1800 Firmware+3 more
Nov 21, 2024
Oct 16, 2019
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
A vulnerability in Cisco Aironet Access Points (APs) Software could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted device with elevated privileges. The vulnerability is due to insuffi...Show more
A vulnerability in Cisco Aironet Access Points (APs) Software could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted device with elevated privileges. The vulnerability is due to insufficient access control for certain URLs on an affected device. An attacker could exploit this vulnerability by requesting specific URLs from an affected AP. An exploit could allow the attacker to gain access to the device with elevated privileges. While the attacker would not be granted access to all possible configuration options, it could allow the attacker to view sensitive information and replace some options with values of their choosing, including wireless network configuration. It would also allow the attacker to disable the AP, creating a denial of service (DoS) condition for clients associated with the AP.Show less
CVE-2019-14838
1Redhat
4Data Grid
Jboss Enterprise Application PlatformSingle Sign On+1 more
Nov 21, 2024
Oct 14, 2019
N/A· v4
4.9 MEDIUM· v3
4.0 MEDIUM· v2
A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server
CVE-2019-9531
1Cobham
1Explorer 710 Firmware
Nov 21, 2024
Oct 10, 2019
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
The web application portal of the Cobham EXPLORER 710, firmware version 1.07, allows unauthenticated access to port 5454. This could allow an unauthenticated, remote attacker to connect to this port via Telnet and execut...Show more
The web application portal of the Cobham EXPLORER 710, firmware version 1.07, allows unauthenticated access to port 5454. This could allow an unauthenticated, remote attacker to connect to this port via Telnet and execute 86 Attention (AT) commands, including some that provide unauthenticated, shell-like access to the device.Show less
CVE-2019-9530
1Cobham
1Explorer 710 Firmware
Nov 21, 2024
Oct 10, 2019
N/A· v4
5.5 MEDIUM· v3
4.9 MEDIUM· v2
The web root directory of the Cobham EXPLORER 710, firmware version 1.07, has no access restrictions on downloading and reading all files. This could allow an unauthenticated, local attacker connected to the device to ac...Show more
The web root directory of the Cobham EXPLORER 710, firmware version 1.07, has no access restrictions on downloading and reading all files. This could allow an unauthenticated, local attacker connected to the device to access and download any file found in the web root directory.Show less
CVE-2019-9529
1Cobham
1Explorer 710 Firmware
Nov 21, 2024
Oct 10, 2019
N/A· v4
5.5 MEDIUM· v3
4.9 MEDIUM· v2
The web application portal of the Cobham EXPLORER 710, firmware version 1.07, has no authentication by default. This could allow an unauthenticated, local attacker connected to the device to access the portal and to make...Show more
The web application portal of the Cobham EXPLORER 710, firmware version 1.07, has no authentication by default. This could allow an unauthenticated, local attacker connected to the device to access the portal and to make any change to the device.Show less
CVE-2019-3653
1Mcafee
1Endpoint Security
Nov 21, 2024
Oct 9, 2019
N/A· v4
5.5 MEDIUM· v3
2.1 LOW· v2
Improper access control vulnerability in Configuration tool in McAfee Endpoint Security (ENS) Prior to 10.6.1 October 2019 Update allows local user to gain access to security configuration via unauthorized use of the con...Show more
Improper access control vulnerability in Configuration tool in McAfee Endpoint Security (ENS) Prior to 10.6.1 October 2019 Update allows local user to gain access to security configuration via unauthorized use of the configuration tool.Show less
CVE-2019-12670
1Cisco
1Ios
Nov 21, 2024
Sep 25, 2019
N/A· v4
6.7 MEDIUM· v3
4.6 MEDIUM· v2
A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker within the IOx Guest Shell to modify the namespace container protections on an affected device. The vulnerability is...Show more
A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker within the IOx Guest Shell to modify the namespace container protections on an affected device. The vulnerability is due to insufficient file permissions. An attacker could exploit this vulnerability by modifying files that they should not have access to. A successful exploit could allow the attacker to remove container protections and perform file actions outside the namespace of the container.Show less
CVE-2019-12648
1Cisco
1Ios
Nov 21, 2024
Sep 25, 2019
N/A· v4
8.8 HIGH· v3
9.0 HIGH· v2
A vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device....Show more
A vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device. The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests access to a Guest OS that should be restricted to administrative accounts. An attacker could exploit this vulnerability by authenticating to the Guest OS by using the low-privileged-user credentials. An exploit could allow the attacker to gain unauthorized access to the Guest OS as a root user.Show less