Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,077)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2016-9356 1Moxa 1Dacenter May 13, 2026 Feb 13, 2017 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 An issue was discovered in Moxa DACenter Versions 1.4 and older. The application may suffer from an unquoted search path issue.
CVE-2016-5815 1Schneider Electric 6Ion5000 Ion7300Ion7500+3 more May 13, 2026 Feb 13, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. No authentication is configured by default. An...Show more An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. No authentication is configured by default. An unauthorized user can access the device management portal and make configuration changes.Show less
CVE-2016-5801 1Omnimetrix 1Omniview May 13, 2026 Feb 13, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in OmniMetrix OmniView, Version 1.2. Insufficient password requirements for the OmniView web application may allow an attacker to gain access by brute forcing account passwords.
CVE-2016-7565 1Exponentcms 1Exponent Cms May 13, 2026 Feb 13, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 install/index.php in Exponent CMS 2.3.9 allows remote attackers to execute arbitrary commands via shell metacharacters in the sc array parameter.
CVE-2016-2788 1Puppet 2Marionette Collective Puppet Enterprise May 13, 2026 Feb 13, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command.
CVE-2016-2787 2Puppet Puppetlabs 2Puppet Enterprise Puppet Enterprise May 13, 2026 Feb 13, 2017 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 The Puppet Communications Protocol in Puppet Enterprise 2015.3.x before 2015.3.3 does not properly validate certificates for the broker node, which allows remote non-whitelisted hosts to prevent runs from triggering via...Show more The Puppet Communications Protocol in Puppet Enterprise 2015.3.x before 2015.3.3 does not properly validate certificates for the broker node, which allows remote non-whitelisted hosts to prevent runs from triggering via unspecified vectors.Show less
CVE-2016-10026 1Ikiwiki 1Ikiwiki May 13, 2026 Feb 13, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 ikiwiki 3.20161219 does not properly check if a revision changes the access permissions for a page on sites with the git and recentchanges plugins and the CGI interface enabled, which allows remote attackers to revert ce...Show more ikiwiki 3.20161219 does not properly check if a revision changes the access permissions for a page on sites with the git and recentchanges plugins and the CGI interface enabled, which allows remote attackers to revert certain changes by leveraging permissions to change the page before the revision was made.Show less
CVE-2015-8832 1Dotclear 1Dotclear May 13, 2026 Feb 9, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php in Dotclear before 2.8.2 allow remote authenticated users with "manage their own media items" and "manage their own entries and comments" permis...Show more Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php in Dotclear before 2.8.2 allow remote authenticated users with "manage their own media items" and "manage their own entries and comments" permissions to execute arbitrary PHP code by uploading a file with a (1) .pht, (2) .phps, or (3) .phtml extension.Show less
CVE-2015-6023 1Netcommwireless 1Hspa 3g10wve Firmware May 13, 2026 Feb 9, 2017 N/A· v4 7.3 HIGH· v3 7.5 HIGH· v2 ping.cgi in NetCommWireless HSPA 3G10WVE wireless routers with firmware before 3G10WVE-L101-S306ETS-C01_R05 allows remote attackers to bypass intended access restrictions via a direct request. NOTE: this issue can be co...Show more ping.cgi in NetCommWireless HSPA 3G10WVE wireless routers with firmware before 3G10WVE-L101-S306ETS-C01_R05 allows remote attackers to bypass intended access restrictions via a direct request. NOTE: this issue can be combined with CVE-2015-6024 to execute arbitrary commands.Show less
CVE-2016-9005 1Ibm 1System Storage Ts3100 Ts3200 Tape Library May 13, 2026 Feb 8, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 IBM System Storage TS3100-TS3200 Tape Library could allow an unauthenticated user with access to the company network, to change a user's password and gain remote access to the system.
CVE-2016-0308 1Ibm 1Connections May 13, 2026 Feb 8, 2017 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 IBM Connections 5.5 and earlier is vulnerable to possible link manipulation attack that could result in the display of inappropriate background images.
CVE-2016-0214 1Ibm 1Bigfix Platform May 13, 2026 Feb 8, 2017 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 IBM Tivoli Endpoint Manager could allow a remote attacker to upload arbitrary files. A remote attacker could exploit this vulnerability to upload a malicious file. The only way that file would be executed would be throug...Show more IBM Tivoli Endpoint Manager could allow a remote attacker to upload arbitrary files. A remote attacker could exploit this vulnerability to upload a malicious file. The only way that file would be executed would be through a phishing attack to trick an unsuspecting victim to execute the file.Show less
CVE-2015-7494 1Ibm 2Cloud Orchestrator Smartcloud Orchestrator May 13, 2026 Feb 8, 2017 N/A· v4 2.8 LOW· v3 1.7 LOW· v2 A vulnerability has been identified in IBM Cloud Orchestrator services/[action]/launch API. An authenticated domain admin user might modify cross domain resources via a /services/[action]/launch API call, provided it wou...Show more A vulnerability has been identified in IBM Cloud Orchestrator services/[action]/launch API. An authenticated domain admin user might modify cross domain resources via a /services/[action]/launch API call, provided it would have been possible for the domain admin user to gain access to a resource identifier of the other domain.Show less
CVE-2015-1976 1Ibm 2Security Directory Server Tivoli Directory Server May 13, 2026 Feb 8, 2017 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 IBM Security Directory Server could allow an authenticated user to execute commands into the web administration tool that would cause the tool to crash.
CVE-2016-8418 1Google 1Android May 13, 2026 Feb 8, 2017 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 A remote code execution vulnerability in the Qualcomm crypto driver could enable a remote attacker to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of rem...Show more A remote code execution vulnerability in the Qualcomm crypto driver could enable a remote attacker to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of remote code execution in the context of the kernel. Product: Android. Versions: N/A. Android ID: A-32652894. References: QC-CR#1077457.Show less
CVE-2016-9639 1Saltstack 1Salt May 13, 2026 Feb 7, 2017 N/A· v4 9.1 CRITICAL· v3 7.5 HIGH· v2 Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.
CVE-2016-1894 1Netapp 1Oncommand Workflow Automation May 13, 2026 Feb 7, 2017 N/A· v4 8.1 HIGH· v3 9.3 HIGH· v2 NetApp OnCommand Workflow Automation before 3.1P2 allows remote attackers to bypass authentication via unspecified vectors.
CVE-2016-3020 1Ibm 4Security Access Manager 9.0 Firmware Security Access Manager For MobileSecurity Access Manager For Web 7.0 Firmware+1 more May 13, 2026 Feb 7, 2017 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 IBM Security Access Manager for Web 7.0.0, 8.0.0, and 9.0.0 could allow a remote attacker to bypass security restrictions, caused by improper content validation. By persuading a victim to open specially-crafted content,...Show more IBM Security Access Manager for Web 7.0.0, 8.0.0, and 9.0.0 could allow a remote attacker to bypass security restrictions, caused by improper content validation. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to bypass validation and load a page with malicious content.Show less
CVE-2016-6095 1Ibm 1Security Key Lifecycle Manager May 13, 2026 Feb 2, 2017 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
CVE-2016-9008 1Ibm 1Urbancode Deploy May 13, 2026 Feb 1, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 IBM UrbanCode Deploy could allow a malicious user to access the Agent Relay ActiveMQ Broker JMX interface and run plugins on the agent.

Previous 1...219220221...254 Next