Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,079)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2016-7824 1Buffalotech 1Wnc01wh Firmware May 13, 2026 Jun 9, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Buffalo NC01WH devices with firmware version 1.0.0.8 and earlier allows authenticated attackers to bypass access restriction to enable the debug option via unspecified vectors.
CVE-2016-7811 1Corega 1Cg Wlr300nx Firmware May 13, 2026 Jun 9, 2017 N/A· v4 8.8 HIGH· v3 5.8 MEDIUM· v2 Corega CG-WLR300NX firmware Ver. 1.20 and earlier allows an attacker on the same network segment to bypass access restriction to perform arbitrary operations via unspecified vectors.
CVE-2016-7807 1Iodata 1Wfs Sr01 Firmware May 13, 2026 Jun 9, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 I-O DATA DEVICE WFS-SR01 firmware version 1.10 and earlier allow remote attackers to bypass access restriction to access data on storage devices inserted into the product via unspecified vectors.
CVE-2016-7801 1Cybozu 1Garoon May 13, 2026 Jun 9, 2017 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Cybozu Garoon 3.0.0 to 4.2.2 allows remote attackers to bypass access restrictions to delete other users' To-Dos via unspecified vectors.
CVE-2016-4910 1Cybozu 1Garoon May 13, 2026 Jun 9, 2017 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Cybozu Garoon 3.0.0 to 4.2.2 allows remote authenticated attackers to bypass access restriction to delete other operational administrators' MultiReport filters via unspecified vectors.
CVE-2016-4908 1Cybozu 1Garoon May 13, 2026 Jun 9, 2017 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Cybozu Garoon 3.0.0 to 4.2.2 allows remote authenticated attackers to bypass access restriction to alter or delete another user's private RSS settings via unspecified vectors.
CVE-2016-6098 1Ibm 2Security Key Lifecycle Manager Tivoli Key Lifecycle Manager May 13, 2026 Jun 8, 2017 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CVE-2015-2692 1Adblock 1Adblock May 13, 2026 Jun 8, 2017 N/A· v4 10.0 CRITICAL· v3 6.4 MEDIUM· v2 AdBlock before 2.21 allows remote attackers to block arbitrary resources on arbitrary websites and to disable arbitrary blocking filters.
CVE-2016-3112 1Pulpproject 1Pulp May 13, 2026 Jun 8, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 client/consumer/cli.py in Pulp before 2.8.3 writes consumer private keys to etc/pki/pulp/consumer/consumer-cert.pem as world-readable, which allows remote authenticated users to obtain the consumer private keys and escal...Show more client/consumer/cli.py in Pulp before 2.8.3 writes consumer private keys to etc/pki/pulp/consumer/consumer-cert.pem as world-readable, which allows remote authenticated users to obtain the consumer private keys and escalate privileges by reading /etc/pki/pulp/consumer/consumer-cert, and authenticating as a consumer user.Show less
CVE-2016-3107 1Pulpproject 1Pulp May 13, 2026 Jun 8, 2017 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 The Node certificate in Pulp before 2.8.3 contains the private key, and is stored in a world-readable file in the "/etc/pki/pulp/nodes/" directory, which allows local users to gain access to sensitive data.
CVE-2015-3295 1Markdown It Project 1Markdown It May 13, 2026 Jun 7, 2017 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 markdown-it before 4.1.0 does not block data: URLs.
CVE-2016-6089 1Ibm 1Websphere Mq May 13, 2026 Jun 7, 2017 N/A· v4 5.5 MEDIUM· v3 3.6 LOW· v2 IBM WebSphere MQ 9.0.0.1 and 9.0.2 could allow a local user to write to a file or delete files in a directory they should not have access to due to improper access controls. IBM X-Force ID: 117926.
CVE-2016-0768 1Postgresql 1Postgresql May 13, 2026 Jun 6, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 PostgreSQL PL/Java after 9.0 does not honor access controls on large objects.
CVE-2015-9006 1Google 1Android May 13, 2026 Jun 6, 2017 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 In Resource Power Manager (RPM) in all Android releases from CAF using the Linux kernel, an Improper Access Control vulnerability could potentially exist.
CVE-2017-8438 1Elastic 1X Pack May 13, 2026 Jun 5, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. This bug prevents transitioning into the specified user specified in a run_as request. If a role has been cr...Show more Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. This bug prevents transitioning into the specified user specified in a run_as request. If a role has been created using a template that contains the _user properties, the behavior of run_as will be incorrect. Additionally if the run_as user specified does not exist, the transition will not happen.Show less
CVE-2017-6016 1Leao Consultoria E Desenvolvimento De Sistemas 1Ltda Me Laquis Scada May 13, 2026 May 19, 2017 N/A· v4 7.3 HIGH· v3 4.4 MEDIUM· v2 An Improper Access Control issue was discovered in LCDS - Leao Consultoria e Desenvolvimento de Sistemas LTDA ME LAquis SCADA. The following versions are affected: Versions 4.1 and prior versions released before January...Show more An Improper Access Control issue was discovered in LCDS - Leao Consultoria e Desenvolvimento de Sistemas LTDA ME LAquis SCADA. The following versions are affected: Versions 4.1 and prior versions released before January 20, 2017. An Improper Access Control vulnerability has been identified, which may allow an authenticated user to modify application files to escalate privileges.Show less
CVE-2016-10237 1Google 1Android May 13, 2026 May 16, 2017 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 If shared content protection memory were passed as the secure camera memory buffer by the HLOS to a trusted application (TA) in all Android releases from CAF using the Linux kernel, the TA would not detect an issue and i...Show more If shared content protection memory were passed as the secure camera memory buffer by the HLOS to a trusted application (TA) in all Android releases from CAF using the Linux kernel, the TA would not detect an issue and it would be treated as secure memory.Show less
CVE-2016-10370 1Oneplus 1Oxygenos May 13, 2026 May 11, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered on OnePlus devices such as the 3T. The OnePlus OTA Updater pushes the signed-OTA image over HTTP without TLS. While it does not allow for installation of arbitrary OTAs (due to the digital signatu...Show more An issue was discovered on OnePlus devices such as the 3T. The OnePlus OTA Updater pushes the signed-OTA image over HTTP without TLS. While it does not allow for installation of arbitrary OTAs (due to the digital signature), it unnecessarily increases the attack surface, and allows for remote exploitation of other vulnerabilities such as CVE-2017-5948, CVE-2017-8850, and CVE-2017-8851.Show less
CVE-2016-10369 1Lxterminal Project 1Lxterminal May 13, 2026 May 8, 2017 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access c...Show more unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).Show less
CVE-2016-7054 1Openssl 1Openssl May 13, 2026 May 4, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 In OpenSSL 1.1.0 before 1.1.0c, TLS connections using -CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to b...Show more In OpenSSL 1.1.0 before 1.1.0c, TLS connections using -CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.Show less

Previous 1...214215216...254 Next