CWE-284

5,078 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.


CVEs (5,078)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS

Vendors (1): Huawei
Products (1): Hisuite
Updated: May 13, 2026
Published: Apr 2, 2017
CVSS: N/A (v4), 7.8 HIGH (v3), 6.9 MEDIUM (v2)
Huawei PC client software HiSuite 4.0.5.300_OVE uses insecure HTTP for upgrade software package download and does not check the integrity of the software package before installing; an attacker can launch an MITM attack to interrupt or replace the downloaded software package and further compromise the PC.

Vendors (1): Huawei
Products (3): Campus S7700 Firmware, Campus S9300 Firmware, Campus S9700 Firmware
Updated: May 13, 2026
Published: Apr 2, 2017
CVSS: N/A (v4), 8.8 HIGH (v3), 7.5 HIGH (v2)
Huawei Campus S7700 with software V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300; S9300 with software V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300; S9700 with software V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300 allow unauthorized users to upgrade the bootrom or bootload software, bypass a Menu protection mechanism, conduct a Menu compromise attack, or bypass a Menu/upgrade protection mechanism.

Vendors (1): Mcafee
Products (1): Anti Malware Scan Engine
Updated: May 13, 2026
Published: Mar 31, 2017
CVSS: N/A (v4), 7.3 HIGH (v3), 4.4 MEDIUM (v2)
Software Integrity Attacks vulnerability in Intel Security Anti-Virus Engine (AVE) 5200 through 5800 allows local attackers to bypass local security protection via a crafted input file.

Vendors (1): Hak5
Products (1): Wi Fi Pineapple Firmware
Updated: May 13, 2026
Published: Mar 31, 2017
CVSS: N/A (v4), 7.5 HIGH (v3), 4.3 MEDIUM (v2)
Hak5 WiFi Pineapple 2.0 through 2.3 uses predictable CSRF tokens.

Vendors (1): Apache
Products (1): Ambari
Updated: May 13, 2026
Published: Mar 28, 2017
CVSS: N/A (v4), 9.8 CRITICAL (v3), 7.5 HIGH (v2)
Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user executing the Ambari Agent process.

Vendors (2): Nextcloud, Owncloud
Products (2): Nextcloud Server, Owncloud
Updated: May 13, 2026
Published: Mar 28, 2017
CVSS: N/A (v4), 5.3 MEDIUM (v3), 5.0 MEDIUM (v2)
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.

Vendors (2): Nextcloud, Owncloud
Products (2): Nextcloud Server, Owncloud
Updated: May 13, 2026
Published: Mar 28, 2017
CVSS: N/A (v4), 5.3 MEDIUM (v3), 5.0 MEDIUM (v2)
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.

Vendors (2): Nextcloud, Owncloud
Products (2): Nextcloud Server, Owncloud
Updated: May 13, 2026
Published: Mar 28, 2017
CVSS: N/A (v4), 4.3 MEDIUM (v3), 4.0 MEDIUM (v2)
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying restore privileges when restoring a file. The restore capability of Nextcloud/ownCloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions.

Vendors (2): Nextcloud, Owncloud
Products (2): Nextcloud Server, Owncloud
Updated: May 13, 2026
Published: Mar 28, 2017
CVSS: N/A (v4), 4.3 MEDIUM (v3), 4.0 MEDIUM (v2)
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files.

Vendors (2): Nextcloud, Owncloud
Products (2): Nextcloud, Owncloud
Updated: May 13, 2026
Published: Mar 28, 2017
CVSS: N/A (v4), 5.3 MEDIUM (v3), 5.0 MEDIUM (v2)
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a content-spoofing attack in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.

Vendors (1): Go Jose Project
Products (1): Go Jose
Updated: May 13, 2026
Published: Mar 28, 2017
CVSS: N/A (v4), 7.5 HIGH (v3), 5.0 MEDIUM (v2)
go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.

Vendors (1): Imagemagick
Products (1): Imagemagick
Updated: May 13, 2026
Published: Mar 24, 2017
CVSS: N/A (v4), 9.8 CRITICAL (v3), 7.5 HIGH (v2)
coders/ipl.c in ImageMagick allows remote attackers to have unspecific impact by leveraging a missing malloc check.

Vendors (1): Libgit2 Project
Products (1): Libgit2
Updated: May 13, 2026
Published: Mar 24, 2017
CVSS: N/A (v4), 5.9 MEDIUM (v3), 4.3 MEDIUM (v2)
The http_connect function in transports/http.c in libgit2 before 0.24.6 and 0.25.x before 0.25.1 might allow man-in-the-middle attackers to spoof servers by leveraging clobbering of the error variable.

Vendors (1): Mediawiki
Products (1): Mediawiki
Updated: May 13, 2026
Published: Mar 23, 2017
CVSS: N/A (v4), 5.3 MEDIUM (v3), 5.0 MEDIUM (v2)
MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly normalize IP addresses containing zero-padded octets, which might allow remote attackers to bypass intended access restrictions by using an IP address that was not supposed to have been allowed.

Vendors (1): F5
Products (10): Big Ip Access Policy Manager, Big Ip Advanced Firewall Manager, Big Ip Analytics, +7 more
Updated: May 13, 2026
Published: Mar 23, 2017
CVSS: N/A (v4), 5.9 MEDIUM (v3), 4.3 MEDIUM (v2)
An unauthenticated remote attacker may be able to disrupt services on F5 BIG-IP 11.4.1 - 11.5.4 devices with maliciously crafted network traffic. This vulnerability affects virtual servers associated with TCP profiles when the BIG-IP system's tm.tcpprogressive db variable value is set to non-default setting "enabled". The default value for the tm.tcpprogressive db variable is "negotiate". An attacker may be able to disrupt traffic or cause the BIG-IP system to fail over to another device in the device group.

Vendors (1): Netiq
Products (1): Access Manager
Updated: May 13, 2026
Published: Mar 23, 2017
CVSS: N/A (v4), 8.8 HIGH (v3), 6.5 MEDIUM (v2)
The certificate upload feature in iManager in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to upload JSP pages that would be executed as the iManager user, allowing code execution by logged-in remote users.

Vendors (1): Novell
Products (1): Edirectory
Updated: May 13, 2026
Published: Mar 23, 2017
CVSS: N/A (v4), 7.5 HIGH (v3), 5.0 MEDIUM (v2)
A security vulnerability in cookie handling in the http stack implementation in NDSD in Novell eDirectory before 9.0.1 allows remote attackers to bypass intended access restrictions by leveraging predictable cookies.

Vendors (1): Imagemagick
Products (1): Imagemagick
Updated: May 13, 2026
Published: Mar 15, 2017
CVSS: N/A (v4), 9.8 CRITICAL (v3), 7.5 HIGH (v2)
The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMagick allows remote attackers to execute arbitrary commands via unspecified vectors.

Vendors (1): Mcafee
Products (2): Application Control, Endpoint Security
Updated: May 13, 2026
Published: Mar 14, 2017
CVSS: N/A (v4), 7.8 HIGH (v3), 4.6 MEDIUM (v2)
Application protections bypass vulnerability in Intel Security McAfee Application Control (MAC) 7.0 and earlier and Endpoint Security (ENS) 10.2 and earlier allows local users to bypass local security protection via a command-line utility.

Vendors (1): Mcafee
Products (1): Host Intrusion Prevention Services
Updated: May 13, 2026
Published: Mar 14, 2017
CVSS: N/A (v4), 6.3 MEDIUM (v3), 3.0 LOW (v2)
Authentication bypass vulnerability in McAfee Host Intrusion Prevention Services (HIPS) 8.0 Patch 7 and earlier allows authenticated users to manipulate the product's registry keys via specific conditions.