CWE-284

5,079 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
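The definition above is abstract, so here is the pattern in code. This is an added illustration, not code from any product listed on this page: a resource lookup that hands the record to whoever supplies its id (the CWE-284 shape), beside the same lookup gated by an explicit, default-deny decision on the caller/resource pair. The document store, users and roles are constructed sample data.

```python
"""Improper vs. correct access control on a resource lookup (CWE-284).

Added illustration only; the documents, users and roles are constructed
sample data, not taken from any vendor advisory on this page.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to reach the resource."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str
    shared_with: frozenset = field(default_factory=frozenset)


# Constructed sample data: two owners, one record shared with a third user.
DOCUMENTS = {
    1: Document(1, "alice", "alice's notes"),
    2: Document(2, "bob", "bob's payroll export", shared_with=frozenset({"carol"})),
}
ALICE = User("alice")
BOB = User("bob")
CAROL = User("carol")
AUDITOR = User("dave", roles=frozenset({"auditor"}))
ANONYMOUS = None  # an unauthenticated request carries no caller


def get_document_vulnerable(caller, doc_id):
    """CWE-284 pattern: the record goes to whoever knows (or guesses) its id.
    Authentication is never required and ownership is never consulted."""
    return DOCUMENTS[doc_id].body


def can_read(caller, doc):
    """One authorization decision for the caller/resource pair: deny unless
    a rule explicitly grants access."""
    if caller is None:
        return False                      # unauthenticated callers get nothing
    if caller.name == doc.owner:
        return True                       # the owner may read
    if caller.name in doc.shared_with:
        return True                       # explicitly shared with this user
    if "auditor" in caller.roles:
        return True                       # role-based read access
    return False                          # default deny


def get_document_hardened(caller, doc_id):
    """Same lookup, gated by can_read(). A missing record and a forbidden
    record raise the same error so a probing caller cannot tell which ids
    exist from the response."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not can_read(caller, doc):
        raise Forbidden(f"document {doc_id}")
    return doc.body


def is_denied(caller, doc_id):
    """True when the hardened lookup refuses the request (used for checks)."""
    try:
        get_document_hardened(caller, doc_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print(get_document_vulnerable(ANONYMOUS, 2))   # leaks bob's record
    print(is_denied(ANONYMOUS, 2), is_denied(ALICE, 2), is_denied(CAROL, 2))
```

The point of the hardened version is that the decision is made in one place, for the specific object being requested, and denies by default; several entries below (authenticated users editing fields an administrator locked, or reading a restricted title through a different API path) are cases where a check of that kind was missing on one code path even though the application had one elsewhere.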


CVEs (5,079)

Each entry lists vendor, product(s), published and last-updated dates, CVSS (v4 / v3 / v2) and the CVE description.

Vendor: IBM
Products (2): Maximo Asset Management; Maximo Asset Management Essentials
Published: May 3, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 8.4 HIGH | v2 6.8 MEDIUM
IBM Maximo Asset Management 7.1, 7.5, and 7.6 could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL request, which could allow the attacker to execute arbitrary code on the vulnerable server. IBM X-Force ID: 120252.

Vendor: IBM
Products (1): BigFix Remote Control
Published: May 3, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
IBM BigFix Remote Control 9.1.3 could allow a remote attacker to perform actions reserved for an administrator without authentication. IBM X-Force ID: 5512.

Vendor: Trend Micro
Products (1): Threat Discovery Appliance
Published: Apr 28, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 7.3 HIGH | v2 6.0 MEDIUM
The hotfix_upload.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code via shell metacharacters in the file name of an uploaded file.

Vendor: Trend Micro
Products (1): Threat Discovery Appliance
Published: Apr 28, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 7.3 HIGH | v2 6.0 MEDIUM
dlp_policy_upload.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code via an archive file containing a symlink to /eng_ptn_stores/prod/sensorSDK/data/ or /eng_ptn_stores/prod/sensorSDK/backup_pol/.

Vendor: Trend Micro
Products (1): Threat Discovery Appliance
Published: Apr 28, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier uses predictable session values, which allows remote attackers to bypass authentication by guessing the value.

Vendor: Oracle
Products (1): Solaris Cluster
Published: Apr 24, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 2.8 LOW | v2 1.9 LOW
Vulnerability in the Solaris Cluster component of Oracle Sun Systems Products Suite (subcomponent: NAS device addition). The supported version that is affected is 4.3. Easily "exploitable" vulnerability allows unauthenticated attacker with logon to the infrastructure where Solaris Cluster executes to compromise Solaris Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Solaris Cluster accessible data. CVSS 3.0 Base Score 3.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).

Vendor: IBM
Products (11): Change And Configuration Management Database; Maximo Asset Management; Maximo Asset Management Essentials; +8 more
Published: Apr 24, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.5 MEDIUM
IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0 IFIX002 allow remote authenticated users to execute arbitrary code via unspecified vectors.

Vendor: Google
Products (1): Android
Published: Apr 21, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 8.8 HIGH | v2 8.3 HIGH
The Broadcom Wi-Fi driver for Android, as used by BlackBerry smartphones before Build AAE570, allows remote attackers to execute arbitrary code in the context of the kernel.

Vendor: Grandstream
Products (1): Wave
Published: Apr 21, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 8.1 HIGH | v2 6.8 MEDIUM
The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs, and have unspecified other impact by leveraging failure to use an HTTPS session for downloading configuration files from http://fm.grandstream.com/gs/.

Vendor: Moodle
Products (1): Moodle
Published: Apr 20, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.0 MEDIUM
The "restore teacher" feature in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to overwrite the course idnumber.

Vendor: Moodle
Products (1): Moodle
Published: Apr 20, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.0 MEDIUM
The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to edit profile fields locked by the administrator.

Vendor: LINE Corporation
Products (1): LINE
Published: Apr 20, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 8.1 HIGH | v2 6.8 MEDIUM
LINE for Windows before 4.8.3 allows man-in-the-middle attackers to execute arbitrary code.

Vendor: Cybozu
Products (1): Garoon
Published: Apr 20, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.0 MEDIUM
Cybozu Garoon before 4.2.2 does not properly restrict access.

Vendor: Red Hat
Products (1): Enterprise Virtualization
Published: Apr 20, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 6.8 MEDIUM | v2 4.6 MEDIUM
ovirt-engine-webadmin, as used in Red Hat Enterprise Virtualization Manager (aka RHEV-M) for Servers and RHEV-M 4.0, allows physically proximate attackers to bypass a webadmin session timeout restriction via vectors related to UI selections, which trigger repeating queries.

Vendor: MediaWiki
Products (1): MediaWiki
Published: Apr 20, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to the UserGetRights function after Session::getAllowedUserRights.

Vendor: MediaWiki
Products (1): MediaWiki
Published: Apr 20, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.0 MEDIUM
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete.

Vendor: MediaWiki
Products (1): MediaWiki
Published: Apr 20, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
ApiParse in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to bypass intended per-title read restrictions via a parse action to api.php.

Vendor: Cybozu
Products (1): Office
Published: Apr 17, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 3.5 LOW | v2 3.5 LOW
Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to conduct a "reflected file download" attack.

Vendor: Todd Miller
Products (1): Sudo
Published: Apr 14, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 7.0 HIGH | v2 6.9 MEDIUM
sudo_noexec.so in Sudo before 1.8.15 on Linux might allow local users to bypass intended noexec command restrictions via an application that calls the (1) system or (2) popen function.

Vendor: Samsung
Products (5): Galaxy Note 3 Firmware; Galaxy S4 Firmware; Galaxy S4 Mini Firmware; +2 more
Published: Apr 13, 2017 | Updated: May 13, 2026
CVSS: v4 N/A | v3 4.6 MEDIUM | v2 2.1 LOW
Samsung SM-G920F build G920FXXU2COH2 (Galaxy S6), SM-N9005 build N9005XXUGBOK6 (Galaxy Note 3), GT-I9192 build I9192XXUBNB1 (Galaxy S4 mini), GT-I9195 build I9195XXUCOL1 (Galaxy S4 mini LTE), and GT-I9505 build I9505XXUHOJ2 (Galaxy S4) devices do not block AT+USBDEBUG and AT+WIFIVALUE, which allows attackers to modify Android settings by leveraging AT access, aka SVE-2016-5301.