← Back
CWE-284

5,081 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

JSON object

Loading...

CVEs (5,081)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2019-3936
1Crestron
2Am 100 Firmware
Am 101 Firmware
Nov 21, 2024
Apr 30, 2019
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 is vulnerable to denial of service via a crafted request to TCP port 389. The request will force the slideshow to transition into a "stopped" state....Show more
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 is vulnerable to denial of service via a crafted request to TCP port 389. The request will force the slideshow to transition into a "stopped" state. A remote, unauthenticated attacker can use this vulnerability to stop an active slideshow.Show less
CVE-2019-3935
1Crestron
2Am 100 Firmware
Am 101 Firmware
Nov 21, 2024
Apr 30, 2019
N/A· v4
9.1 CRITICAL· v3
6.4 MEDIUM· v2
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to act as a moderator to a slide show via crafted HTTP POST requests to conference.cgi. A remote, unauthenticated attacker can use this...Show more
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to act as a moderator to a slide show via crafted HTTP POST requests to conference.cgi. A remote, unauthenticated attacker can use this vulnerability to start, stop, and disconnect active slideshows.Show less
CVE-2019-3934
1Crestron
2Am 100 Firmware
Am 101 Firmware
Nov 21, 2024
Apr 30, 2019
N/A· v4
5.3 MEDIUM· v3
5.0 MEDIUM· v2
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code sending a crafted HTTP POST request to login.cgi. A remote, unauthenticated attacker can use this vulne...Show more
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code sending a crafted HTTP POST request to login.cgi. A remote, unauthenticated attacker can use this vulnerability to download the current slide image without knowing the access code.Show less
CVE-2019-3933
1Crestron
2Am 100 Firmware
Am 101 Firmware
Nov 21, 2024
Apr 30, 2019
N/A· v4
5.3 MEDIUM· v3
5.0 MEDIUM· v2
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code simply by requesting /images/browserslide.jpg via HTTP. A remote, unauthenticated attacker can use this...Show more
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allows anyone to bypass the presentation code simply by requesting /images/browserslide.jpg via HTTP. A remote, unauthenticated attacker can use this vulnerability to watch a slideshow without knowing the access code.Show less
CVE-2019-3928
1Crestron
2Am 100 Firmware
Am 101 Firmware
Nov 21, 2024
Apr 30, 2019
N/A· v4
5.3 MEDIUM· v3
5.0 MEDIUM· v2
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allow any user to obtain the presentation passcode via the iso.3.6.1.4.1.3212.100.3.2.7.4 OIDs. A remote, unauthenticated attacker can use this vulne...Show more
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 allow any user to obtain the presentation passcode via the iso.3.6.1.4.1.3212.100.3.2.7.4 OIDs. A remote, unauthenticated attacker can use this vulnerability to access a restricted presentation or to become the presenter.Show less
CVE-2019-3927
1Crestron
2Am 100 Firmware
Am 101 Firmware
Nov 21, 2024
Apr 30, 2019
N/A· v4
9.8 CRITICAL· v3
5.0 MEDIUM· v2
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 anyone can change the administrator and moderator passwords via the iso.3.6.1.4.1.3212.100.3.2.8.1 and iso.3.6.1.4.1.3212.100.3.2.8.2 OIDs. A remote,...Show more
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 anyone can change the administrator and moderator passwords via the iso.3.6.1.4.1.3212.100.3.2.8.1 and iso.3.6.1.4.1.3212.100.3.2.8.2 OIDs. A remote, unauthenticated attacker can use this vulnerability to change the admin or moderator user's password and gain access to restricted areas on the HTTP interface.Show less
CVE-2019-10950
1Fujifilm
3Cr Ir 357 Fcr Capsula X Firmware
Cr Ir 357 Fcr Carbon X FirmwareCr Ir 357 Fcr Xc 2 Firmware
Nov 21, 2024
Apr 30, 2019
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
Fujifilm FCR Capsula X/ Carbon X/ FCR XC-2, model versions CR-IR 357 FCR Carbon X, CR-IR 357 FCR XC-2, FCR-IR 357 FCR Capsula X provide insecure telnet services that lack authentication requirements. An attacker who succ...Show more
Fujifilm FCR Capsula X/ Carbon X/ FCR XC-2, model versions CR-IR 357 FCR Carbon X, CR-IR 357 FCR XC-2, FCR-IR 357 FCR Capsula X provide insecure telnet services that lack authentication requirements. An attacker who successfully exploits this vulnerability may be able to access the underlying operating system.Show less
CVE-2019-7476
1Sonicwall
1Global Management System
Nov 21, 2024
Apr 26, 2019
N/A· v4
8.1 HIGH· v3
6.8 MEDIUM· v2
A vulnerability in SonicWall Global Management System (GMS), allow a remote user to gain access to the appliance using existing SSH key. This vulnerability affects GMS versions 9.1, 9.0, 8.7, 8.6, 8.4, 8.3 and earlier.
CVE-2019-1805
1Cisco
1Wireless Lan Controller Software
Nov 21, 2024
Apr 18, 2019
N/A· v4
4.3 MEDIUM· v3
3.3 LOW· v2
A vulnerability in certain access control mechanisms for the Secure Shell (SSH) server implementation for Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, adjacent attacker to access a CLI ins...Show more
A vulnerability in certain access control mechanisms for the Secure Shell (SSH) server implementation for Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, adjacent attacker to access a CLI instance on an affected device. The vulnerability is due to a lack of proper input- and validation-checking mechanisms for inbound SSH connections on an affected device. An attacker could exploit this vulnerability by attempting to establish an SSH connection to an affected controller. An exploit could allow the attacker to access an affected device's CLI to potentially cause further attacks. This vulnerability has been fixed in version 8.5(140.0).Show less
CVE-2019-1686
1Cisco
1Ios Xr
Nov 21, 2024
Apr 17, 2019
N/A· v4
8.6 HIGH· v3
5.0 MEDIUM· v2
A vulnerability in the TCP flags inspection feature for access control lists (ACLs) on Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to bypass protection offered by a...Show more
A vulnerability in the TCP flags inspection feature for access control lists (ACLs) on Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to bypass protection offered by a configured ACL on an affected device. The vulnerability is due to incorrect processing of the ACL applied to an interface of an affected device when Cisco Express Forwarding load balancing using the 3-tuple hash algorithm is enabled. An attacker could exploit this vulnerability by sending traffic through an affected device that should otherwise be denied by the configured ACL. An exploit could allow the attacker to bypass protection offered by a configured ACL on the affected device. There are workarounds that address this vulnerability. Affected Cisco IOS XR versions are: Cisco IOS XR Software Release 5.1.1 and later till first fixed. First Fixed Releases: 6.5.2 and later, 6.6.1 and later.Show less
CVE-2019-3845
1Redhat
1Satellite
Nov 21, 2024
Apr 11, 2019
N/A· v4
8.0 HIGH· v3
5.2 MEDIUM· v2
A lack of access control was found in the message queues maintained by Satellite's QPID broker and used by katello-agent in versions before Satellite 6.2, Satellite 6.1 optional and Satellite Capsule 6.1. A malicious use...Show more
A lack of access control was found in the message queues maintained by Satellite's QPID broker and used by katello-agent in versions before Satellite 6.2, Satellite 6.1 optional and Satellite Capsule 6.1. A malicious user authenticated to a host registered to Satellite (or Capsule) can use this flaw to access QMF methods to any host also registered to Satellite (or Capsule) and execute privileged commands.Show less
CVE-2019-0041
1Juniper
1Junos
Nov 21, 2024
Apr 10, 2019
N/A· v4
8.6 HIGH· v3
5.0 MEDIUM· v2
On EX4300-MP Series devices with any lo0 filters applied, transit network traffic may reach the control plane via loopback interface (lo0). The device may fail to forward such traffic. This issue affects Juniper Networks...Show more
On EX4300-MP Series devices with any lo0 filters applied, transit network traffic may reach the control plane via loopback interface (lo0). The device may fail to forward such traffic. This issue affects Juniper Networks Junos OS 18.2 versions prior to 18.2R1-S2, 18.2R2 on EX4300-MP Series. This issue does not affect any other EX series devices.Show less
CVE-2019-0036
1Juniper
1Junos
Nov 21, 2024
Apr 10, 2019
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
When configuring a stateless firewall filter in Junos OS, terms named using the format "internal-n" (e.g. "internal-1", "internal-2", etc.) are silently ignored. No warning is issued during configuration, and the config...Show more
When configuring a stateless firewall filter in Junos OS, terms named using the format "internal-n" (e.g. "internal-1", "internal-2", etc.) are silently ignored. No warning is issued during configuration, and the config is committed without error, but the filter criteria will match all packets leading to unexpected results. Affected releases are Juniper Networks Junos OS: All versions prior to and including 12.3; 14.1X53 versions prior to 14.1X53-D130, 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S4; 15.1X49 versions prior to 15.1X49-D161, 15.1X49-D170; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D496, 15.1X53-D69; 16.1 versions prior to 16.1R7-S4, 16.1R7-S5; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S4; 17.4 versions prior to 17.4R1-S7, 17.4R2-S3; 18.1 versions prior to 18.1R2-S4, 18.1R3-S4; 18.2 versions prior to 18.2R1-S5, 18.2R2-S1; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S3; 18.4 versions prior to 18.4R1-S1, 18.4R1-S2.Show less
CVE-2019-8456
1Checkpoint
1Ipsec Vpn
Nov 21, 2024
Apr 9, 2019
N/A· v4
5.9 MEDIUM· v3
4.3 MEDIUM· v2
Check Point IKEv2 IPsec VPN up to R80.30, in some less common conditions, may allow an attacker with knowledge of the internal configuration and setup to successfully connect to a site-to-site VPN server.
CVE-2019-6140
1Forcepoint
1Email Security
Nov 21, 2024
Apr 9, 2019
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
A configuration issue has been discovered in Forcepoint Email Security 8.4.x and 8.5.x: the product is left in a vulnerable state if the hybrid registration process is not completed.
CVE-2018-15640
1Odoo
1Odoo
Nov 21, 2024
Apr 9, 2019
N/A· v4
8.8 HIGH· v3
9.0 HIGH· v2
Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through 12.0 allows remote authenticated attackers to obtain elevated privileges via a crafted request.
CVE-2018-15631
1Odoo
1Odoo
Nov 21, 2024
Apr 9, 2019
N/A· v4
6.5 MEDIUM· v3
4.0 MEDIUM· v2
Improper access control in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote authenticated attackers to e-mail themselves arbitrary files from the database, via a craf...Show more
Improper access control in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote authenticated attackers to e-mail themselves arbitrary files from the database, via a crafted RPC request.Show less
CVE-2017-7912
1Hanwhasecurity
1Srn 4000 Firmware
Nov 21, 2024
Apr 8, 2019
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Hanwha Techwin SRN-4000, SRN-4000 firmware versions prior to SRN4000_v2.16_170401, A specially crafted http request and response could allow an attacker to gain access to the device management page with admin privileges...Show more
Hanwha Techwin SRN-4000, SRN-4000 firmware versions prior to SRN4000_v2.16_170401, A specially crafted http request and response could allow an attacker to gain access to the device management page with admin privileges without proper authentication.Show less
CVE-2019-6554
1Advantech
1Webaccess
Nov 21, 2024
Apr 5, 2019
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition.
CVE-2019-7475
1Sonicwall
2Sonicos
Sonicosv
Nov 21, 2024
Apr 2, 2019
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
A vulnerability in SonicWall SonicOS and SonicOSv with management enabled system on specific configuration allow unprivileged user to access advanced routing services. This vulnerability affected SonicOS Gen 5 version 5....Show more
A vulnerability in SonicWall SonicOS and SonicOSv with management enabled system on specific configuration allow unprivileged user to access advanced routing services. This vulnerability affected SonicOS Gen 5 version 5.9.1.10 and earlier, Gen 6 version 6.2.7.3, 6.5.1.3, 6.5.2.2, 6.5.3.1, 6.2.7.8, 6.4.0.0, 6.5.1.8, 6.0.5.3-86o and SonicOSv 6.5.0.2-8v_RC363 (VMWARE), 6.5.0.2.8v_RC367 (AZURE), SonicOSv 6.5.0.2.8v_RC368 (AWS), SonicOSv 6.5.0.2.8v_RC366 (HYPER_V).Show less