← Back
CWE-284

5,080 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

JSON object

Loading...

CVEs (5,080)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2016-10418
1Qualcomm
14Mdm9206 Firmware
Mdm9650 FirmwareSd 205 Firmware+11 more
Nov 21, 2024
Apr 18, 2018
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD...Show more
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 820A, and SD 835, HLOS can enable PMIC debug through TCSR_QPDI_DISABLE_CFG due to improper access control.Show less
CVE-2016-10417
1Qualcomm
32Ipq4019 Firmware
Mdm9206 FirmwareMdm9607 Firmware+29 more
Nov 21, 2024
Apr 18, 2018
N/A· v4
8.1 HIGH· v3
9.3 HIGH· v2
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear IPQ4019, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM...Show more
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear IPQ4019, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 820A, and SDX20, in QTEE, a TOCTOU vulnerability exists due to improper access control.Show less
CVE-2015-9209
1Qualcomm
34Mdm9206 Firmware
Mdm9607 FirmwareMdm9615 Firmware+31 more
Nov 21, 2024
Apr 18, 2018
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD...Show more
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 835, SD 845, SD 850, and SDX20, there is improper access control in a file storage API.Show less
CVE-2015-9152
1Qualcomm
21Ipq4019 Firmware
Sd 205 FirmwareSd 210 Firmware+18 more
Nov 21, 2024
Apr 18, 2018
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile and Snapdragon Mobile IPQ4019, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD...Show more
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile and Snapdragon Mobile IPQ4019, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 800, SD 810, SD 820, SD 820A, SD 835, and Snapdragon_High_Med_2016, modem owned regions are accessible from secure side.Show less
CVE-2015-9140
1Qualcomm
27Fsm9055 Firmware
Mdm9206 FirmwareMdm9607 Firmware+24 more
Nov 21, 2024
Apr 18, 2018
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile, Snapdragon Wear, and Small Cell SoC FSM9055, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W,...Show more
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile, Snapdragon Wear, and Small Cell SoC FSM9055, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 600, SD 615/16/SD 415, SD 617, SD 650/52, SD 800, SD 808, SD 810, and SDX20, unauthorized memory access possible in online memory dump feature.Show less
CVE-2014-10059
1Qualcomm
7Mdm9615 Firmware
Mdm9625 FirmwareSd 205 Firmware+4 more
Nov 21, 2024
Apr 18, 2018
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MDM9615, MDM9625, SD 210/SD 212/SD 205, SD 400, and SD 800, improper access control on ATCMD service allows third party services...Show more
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MDM9615, MDM9625, SD 210/SD 212/SD 205, SD 400, and SD 800, improper access control on ATCMD service allows third party services to access without user knowledge.Show less
CVE-2014-10053
1Qualcomm
27Mdm9206 Firmware
Mdm9650 FirmwareMsm8909w Firmware+24 more
Nov 21, 2024
Apr 18, 2018
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430,...Show more
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 450, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, and SD 850, data access is not properly validated in the Widevine secure application.Show less
CVE-2014-10050
1Qualcomm
6Msm8917 Firmware
Msm8939 FirmwareMsm8976 Firmware+3 more
Nov 21, 2024
Apr 18, 2018
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MSM8996, MSM8939, MSM8976, MSM8917, SDM845, and SDM660, access control collision vulnerability when accessing the replay protecte...Show more
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MSM8996, MSM8939, MSM8976, MSM8917, SDM845, and SDM660, access control collision vulnerability when accessing the replay protected memory block.Show less
CVE-2015-0150
1Dlink
1Dir 815 Firmware
Nov 21, 2024
Apr 12, 2018
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
The remote administration UI in D-Link DIR-815 devices with firmware before 2.07.B01 allows remote attackers to bypass intended access restrictions via unspecified vectors.
CVE-2016-9645
1Ikiwiki
1Ikiwiki
Nov 21, 2024
Apr 10, 2018
N/A· v4
6.5 MEDIUM· v3
4.0 MEDIUM· v2
The fix for ikiwiki for CVE-2016-10026 was incomplete resulting in editing restriction bypass for git revert when using git versions older than 2.8.0. This has been fixed in 3.20161229.
CVE-2014-1400
2Entity Api Project
Fedoraproject
2Entity Api
Fedora
Nov 21, 2024
Apr 10, 2018
N/A· v4
6.5 MEDIUM· v3
4.0 MEDIUM· v2
The entity_access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions and read unpublished comments via unspecified vectors.
CVE-2014-1399
2Entity Api Project
Fedoraproject
2Entity Api
Fedora
Nov 21, 2024
Apr 10, 2018
N/A· v4
6.5 MEDIUM· v3
4.0 MEDIUM· v2
The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on referenced entities via unspecified vectors.
CVE-2014-1398
2Entity Api Project
Fedoraproject
2Entity Api
Fedora
Nov 21, 2024
Apr 10, 2018
N/A· v4
6.5 MEDIUM· v3
4.0 MEDIUM· v2
The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on comment, user and node statistics properties via u...Show more
The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on comment, user and node statistics properties via unspecified vectors.Show less
CVE-2017-18101
1Atlassian
2Jira
Jira Server
Nov 21, 2024
Apr 10, 2018
N/A· v4
6.5 MEDIUM· v3
6.4 MEDIUM· v2
Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before ver...Show more
Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks.Show less
CVE-2016-8365
1Osisoft
4Pi Af Client
Pi Buffer SubsystemPi Data Archive+1 more
Nov 21, 2024
Apr 3, 2018
N/A· v4
5.5 MEDIUM· v3
2.1 LOW· v2
OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Versio...Show more
OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)Show less
CVE-2014-2048
1Owncloud
1Owncloud
Nov 21, 2024
Mar 26, 2018
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
The user_openid app in ownCloud Server before 5.0.15 allows remote attackers to obtain access by leveraging an insecure OpenID implementation.
CVE-2018-7520
1Geutebrueck
2G Cam/efd 2250 Firmware
Topfd 2125 Firmware
Nov 21, 2024
Mar 22, 2018
N/A· v4
9.8 CRITICAL· v3
5.0 MEDIUM· v2
An improper access control vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which could allow a full configuration download, including pass...Show more
An improper access control vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which could allow a full configuration download, including passwords.Show less
CVE-2018-4844
1Siemens
1Simatic Wincc Oa Ui
Nov 21, 2024
Mar 20, 2018
N/A· v4
6.7 MEDIUM· v3
3.8 LOW· v2
A vulnerability has been identified in SIMATIC WinCC OA UI for Android (All versions < V3.15.10), SIMATIC WinCC OA UI for iOS (All versions < V3.15.10). Insufficient limitation of CONTROL script capabilities could allow...Show more
A vulnerability has been identified in SIMATIC WinCC OA UI for Android (All versions < V3.15.10), SIMATIC WinCC OA UI for iOS (All versions < V3.15.10). Insufficient limitation of CONTROL script capabilities could allow read and write access from one HMI project cache folder to other HMI project cache folders within the app's sandbox on the same mobile device. This includes HMI project cache folders of other configured WinCC OA servers. The security vulnerability could be exploited by an attacker who tricks an app user to connect to an attacker-controlled WinCC OA server. Successful exploitation requires user interaction and read/write access to the app's folder on a mobile device. The vulnerability could allow reading data from and writing data to the app's folder. At the time of advisory publication no public exploitation of this security vulnerability was known. Siemens confirms the security vulnerability and provides mitigations to resolve the security issue.Show less
CVE-2014-2884
1Truecrypt Project
1Truecrypt
Nov 21, 2024
Mar 19, 2018
N/A· v4
3.3 LOW· v3
2.1 LOW· v2
The ProcessVolumeDeviceControlIrp function in Ntdriver.c in TrueCrypt 7.1a allows local users to bypass access restrictions and obtain sensitive information about arbitrary files via a (1) TC_IOCTL_OPEN_TEST or (2) TC_IO...Show more
The ProcessVolumeDeviceControlIrp function in Ntdriver.c in TrueCrypt 7.1a allows local users to bypass access restrictions and obtain sensitive information about arbitrary files via a (1) TC_IOCTL_OPEN_TEST or (2) TC_IOCTL_GET_SYSTEM_DRIVE_CONFIG IOCTL call.Show less
CVE-2015-5350
1Cloudfoundry
1Garden
Nov 21, 2024
Mar 19, 2018
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
In Garden versions 0.22.0-0.329.0, a vulnerability has been discovered in the garden-linux nstar executable that allows access to files on the host system. By staging an application on Cloud Foundry using Diego and Garde...Show more
In Garden versions 0.22.0-0.329.0, a vulnerability has been discovered in the garden-linux nstar executable that allows access to files on the host system. By staging an application on Cloud Foundry using Diego and Garden installations with a malicious custom buildpack an end user could read files on the host system that the BOSH-created vcap user has permissions to read and then package them into their app droplet.Show less