Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,077)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2016-8938 1Ibm 1Urbancode Deploy May 13, 2026 Feb 1, 2017 N/A· v4 10.0 CRITICAL· v3 10.0 HIGH· v2 IBM UrbanCode Deploy could allow a user to execute code using a specially crafted file upload that would replace code on the server. This code could be executed on the UCD agent machines that host customer's production a...Show more IBM UrbanCode Deploy could allow a user to execute code using a specially crafted file upload that would replace code on the server. This code could be executed on the UCD agent machines that host customer's production applications.Show less
CVE-2016-8932 1Ibm 1Kenexa Lms May 13, 2026 Feb 1, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 IBM Kenexa LMS on Cloud could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server.
CVE-2016-8931 1Ibm 1Kenexa Lms May 13, 2026 Feb 1, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 IBM Kenexa LMS on Cloud could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server.
CVE-2016-2942 1Ibm 1Urbancode Deploy May 13, 2026 Feb 1, 2017 N/A· v4 7.5 HIGH· v3 6.0 MEDIUM· v2 IBM UrbanCode Deploy could allow an authenticated attacker with special permissions to craft a script on the server in a way that will cause processes to run on a remote UCD agent machine.
CVE-2016-0320 1Ibm 1Urbancode Deploy May 13, 2026 Feb 1, 2017 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 IBM UrbanCode Deploy could allow an authenticated user to modify Ucd objects due to multiple REST endpoints not properly authorizing users editing UCD objects. This could affect the behavior of legitimately triggered pro...Show more IBM UrbanCode Deploy could allow an authenticated user to modify Ucd objects due to multiple REST endpoints not properly authorizing users editing UCD objects. This could affect the behavior of legitimately triggered processes.Show less
CVE-2016-6105 1Ibm 1Security Key Lifecycle Manager May 13, 2026 Feb 1, 2017 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 do not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas.
CVE-2016-8942 1Ibm 2Spectrum Control Tivoli Storage Productivity Center May 13, 2026 Feb 1, 2017 N/A· v4 3.1 LOW· v3 3.5 LOW· v2 IBM Tivoli Storage Productivity Center could allow an authenticated user with intimate knowledge of the system to edit a limited set of properties on the server.
CVE-2016-6085 1Ibm 1Bigfix Platform May 13, 2026 Feb 1, 2017 N/A· v4 6.5 MEDIUM· v3 3.3 LOW· v2 IBM BigFix Platform could allow an attacker on the local network to crash the BES and relay servers.
CVE-2016-6044 1Ibm 1Tivoli Storage Manager May 13, 2026 Feb 1, 2017 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 IBM Tivoli Storage Manager Operations Center could allow an authenticated attacker to enable or disable the application's REST API, which may let the attacker violate security policy.
CVE-2016-5990 1Ibm 1Security Privileged Identity Manager May 13, 2026 Feb 1, 2017 N/A· v4 6.3 MEDIUM· v3 6.5 MEDIUM· v2 IBM Security Privileged Identity Manager Virtual Appliance allows an authenticated user to upload malicious files that would be automatically executed by the server.
CVE-2016-5964 1Ibm 1Security Privileged Identity Manager May 13, 2026 Feb 1, 2017 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 IBM Security Privileged Identity Manager Virtual Appliance version 2.0.2 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
CVE-2016-9415 1Mybb 2Merge System Mybb May 13, 2026 Jan 31, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows allow remote attackers to overwrite arbitrary CSS files via vectors related to "style import."
CVE-2016-9413 1Mybb 2Merge System Mybb May 13, 2026 Jan 31, 2017 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
CVE-2016-9412 1Mybb 2Merge System Mybb May 13, 2026 Jan 31, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy.
CVE-2015-8973 1Mybb 2Merge System Mybb May 13, 2026 Jan 31, 2017 N/A· v4 8.3 HIGH· v3 7.5 HIGH· v2 xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password.
CVE-2016-5026 1Onionshare 1Onionshare May 13, 2026 Jan 30, 2017 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 hs.py in OnionShare before 0.9.1 allows local users to modify the hiddenservice by pre-creating the /tmp/onionshare directory.
CVE-2015-8140 1Ntp 1Ntp May 13, 2026 Jan 30, 2017 N/A· v4 4.8 MEDIUM· v3 5.8 MEDIUM· v2 The ntpq protocol in NTP before 4.2.8p7 allows remote attackers to conduct replay attacks by sniffing the network.
CVE-2015-8139 1Ntp 1Ntp May 13, 2026 Jan 30, 2017 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.
CVE-2016-8330 1Oracle 1Solaris May 13, 2026 Jan 27, 2017 N/A· v4 3.7 LOW· v3 4.3 MEDIUM· v2 Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). The supported version that is affected is 11.3. Difficult to exploit vulnerability allows unauthenticated attacker with...Show more Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). The supported version that is affected is 11.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data. CVSS v3.0 Base Score 3.7 (Integrity impacts).Show less
CVE-2016-8325 1Oracle 1One To One Fulfillment May 13, 2026 Jan 27, 2017 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: Internal Operations). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12....Show more Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: Internal Operations). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle One-to-One Fulfillment. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle One-to-One Fulfillment accessible data as well as unauthorized access to critical data or complete access to all Oracle One-to-One Fulfillment accessible data. CVSS v3.0 Base Score 9.1 (Confidentiality and Integrity impacts).Show less

Previous 1...220221222...254 Next