Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,079)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2017-15891 1Synology 1Calendar May 13, 2026 Dec 8, 2017 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Improper access control vulnerability in SYNO.Cal.EventBase in Synology Calendar before 2.0.1-0242 allows remote authenticated users to modify calendar event via unspecified vectors.
CVE-2017-12340 1Cisco 1Nx Os May 13, 2026 Nov 30, 2017 N/A· v4 4.2 MEDIUM· v3 4.6 MEDIUM· v2 A vulnerability in Cisco NX-OS System Software running on Cisco MDS Multilayer Director Switches, Cisco Nexus 7000 Series Switches, and Cisco Nexus 7700 Series Switches could allow an authenticated, local attacker to acc...Show more A vulnerability in Cisco NX-OS System Software running on Cisco MDS Multilayer Director Switches, Cisco Nexus 7000 Series Switches, and Cisco Nexus 7700 Series Switches could allow an authenticated, local attacker to access the Bash shell of an affected device's operating system, even if the Bash shell is disabled on the system. The vulnerability is due to insufficient sanitization of user-supplied parameters that are passed to certain functions of the Python scripting sandbox of the affected system. An attacker could exploit this vulnerability to escape the scripting sandbox and enter the Bash shell of the operating system with the privileges of the authenticated user for the affected system. To exploit this vulnerability, the attacker must have local access to the affected system and be authenticated to the affected system with administrative or Python execution privileges. Cisco Bug IDs: CSCvd86513.Show less
CVE-2017-14031 1Trihedral 1Vtscada May 13, 2026 Nov 6, 2017 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 An Improper Access Control issue was discovered in Trihedral VTScada 11.3.03 and prior. A local, non-administrator user has privileges to read and write to the file system of the target machine.
CVE-2017-12262 1Cisco 1Application Policy Infrastructure Controller Enterprise Module May 13, 2026 Nov 2, 2017 N/A· v4 8.8 HIGH· v3 5.8 MEDIUM· v2 A vulnerability within the firewall configuration of the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) could allow an unauthenticated, adjacent attacker to gain privileged access to servi...Show more A vulnerability within the firewall configuration of the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) could allow an unauthenticated, adjacent attacker to gain privileged access to services only available on the internal network of the device. The vulnerability is due to an incorrect firewall rule on the device. The misconfiguration could allow traffic sent to the public interface of the device to be forwarded to the internal virtual network of the APIC-EM. An attacker that is logically adjacent to the network on which the public interface of the affected APIC-EM resides could leverage this behavior to gain access to services listening on the internal network with elevated privileges. This vulnerability affects appliances or virtual devices running Cisco Application Policy Infrastructure Controller Enterprise Module prior to version 1.5. Cisco Bug IDs: CSCve89638.Show less
CVE-2015-9245 1Progress 1Openedge May 13, 2026 Oct 31, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Insecure default configuration in Progress Software OpenEdge 10.2x and 11.x allows unauthenticated remote attackers to specify arbitrary URLs from which to load and execute malicious Java classes via port 20931.
CVE-2014-3624 1Apache 1Traffic Server May 13, 2026 Oct 30, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT.
CVE-2013-4246 1Apache 1Subversion May 13, 2026 Oct 30, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive information by editing...Show more libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive information by editing packed revision properties.Show less
CVE-2010-2232 1Apache 1Derby May 13, 2026 Oct 23, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker to overwrite an existing file.
CVE-2012-4380 1Mediawiki 1Mediawiki May 13, 2026 Oct 19, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors.
CVE-2012-4379 1Mediawiki 1Mediawiki May 13, 2026 Oct 19, 2017 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via an embedded API response in an IFRAME element.
CVE-2016-5714 1Puppet 2Puppet Agent Puppet Enterprise May 13, 2026 Oct 18, 2017 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agent 1.3.6 through 1.7.0 allow remote attackers to bypass a host whitelist protection mechanism and execute arbitrary code on Puppet nodes via vectors re...Show more Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agent 1.3.6 through 1.7.0 allow remote attackers to bypass a host whitelist protection mechanism and execute arbitrary code on Puppet nodes via vectors related to command validation, aka "Puppet Execution Protocol (PXP) Command Whitelist Validation Vulnerability."Show less
CVE-2014-2277 1Perltidy Project 1Perltidy May 13, 2026 Oct 17, 2017 N/A· v4 7.1 HIGH· v3 3.6 LOW· v2 The make_temporary_filename function in perltidy 20120701-1 and earlier allows local users to obtain sensitive information or write to arbitrary files via a symlink attack, related to use of the tmpnam function.
CVE-2014-9489 1Gollum Project 3Gollum Gollum LibGrit Adapter May 13, 2026 Oct 17, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1 when the string "master" is in any of the wiki documents, allows remote authenticated users...Show more The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1 when the string "master" is in any of the wiki documents, allows remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags.Show less
CVE-2014-9148 1Fiyo 1Fiyo Cms May 13, 2026 Oct 16, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur...Show more Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.Show less
CVE-2016-10514 1Piwigo 1Piwigo May 13, 2026 Oct 10, 2017 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a " character, or a URL beginning with a substring other than th...Show more url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a " character, or a URL beginning with a substring other than the http:// or https:// substring.Show less
CVE-2017-8448 1Elastic 1X Pack May 13, 2026 Sep 29, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An error was found in the permission model used by X-Pack Alerting 5.0.0 to 5.6.0 whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges.
CVE-2017-8447 1Elastic 1X Pack May 13, 2026 Sep 29, 2017 N/A· v4 6.5 MEDIUM· v3 5.5 MEDIUM· v2 An error was found in the X-Pack Security 5.3.0 to 5.5.2 privilege enforcement. If a user has either 'delete' or 'index' permissions on an index in a cluster, they may be able to issue both delete and index requests agai...Show more An error was found in the X-Pack Security 5.3.0 to 5.5.2 privilege enforcement. If a user has either 'delete' or 'index' permissions on an index in a cluster, they may be able to issue both delete and index requests against that index.Show less
CVE-2015-1336 1Man Db Project 1Man Db May 13, 2026 Sep 28, 2017 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 The daily mandb cleanup job in Man-db before 2.7.6.1-1 as packaged in Ubuntu and Debian allows local users with access to the man account to gain privileges via vectors involving insecure chown use.
CVE-2015-7315 1Plone 1Plone May 13, 2026 Sep 25, 2017 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without ac...Show more Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator.Show less
CVE-2015-1854 2Debian Fedoraproject 3389 Directory Server Debian LinuxFedora May 13, 2026 Sep 19, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 389 Directory Server before 1.3.3.10 allows attackers to bypass intended access restrictions and modify directory entries via a crafted ldapmodrdn call.

Previous 1...211212213...254 Next