Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,077)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2016-8824 1Nvidia 1Gpu Driver May 6, 2026 Dec 16, 2016 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape where improper access controls allow a regular user to write a part of the regist...Show more All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape where improper access controls allow a regular user to write a part of the registry intended for privileged users only, leading to escalation of privileges.Show less
CVE-2016-8821 1Nvidia 1Gpu Driver May 6, 2026 Dec 16, 2016 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler for DxgDdiEscape where improper access controls may allow a user to access arbitrary physical memory, leading to...Show more All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler for DxgDdiEscape where improper access controls may allow a user to access arbitrary physical memory, leading to an escalation of privileges.Show less
CVE-2016-9838 1Joomla 1Joomla May 6, 2026 Dec 16, 2016 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to...Show more An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group mappings, username, and password, as demonstrated by submitting a form that targets the `registration.register` task.Show less
CVE-2016-9565 1Nagios 1Nagios May 6, 2026 Dec 15, 2016 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulne...Show more MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796.Show less
CVE-2016-1000156 1Mailcwp Project 1Mailcwp May 6, 2026 Dec 14, 2016 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Mailcwp remote file upload vulnerability incomplete fix v1.100
CVE-2016-7952 2Fedoraproject X.org 2Fedora Libxtst May 6, 2026 Dec 13, 2016 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 X.org libXtst before 1.2.3 allows remote X servers to cause a denial of service (infinite loop) via a reply in the (1) XRecordStartOfData, (2) XRecordEndOfData, or (3) XRecordClientDied category without a client sequence...Show more X.org libXtst before 1.2.3 allows remote X servers to cause a denial of service (infinite loop) via a reply in the (1) XRecordStartOfData, (2) XRecordEndOfData, or (3) XRecordClientDied category without a client sequence and with attached data.Show less
CVE-2016-7946 2Fedoraproject X.org 2Fedora Libxi May 6, 2026 Dec 13, 2016 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 X.org libXi before 1.7.7 allows remote X servers to cause a denial of service (infinite loop) via vectors involving length fields.
CVE-2016-9920 1Roundcube 1Webmail May 6, 2026 Dec 8, 2016 N/A· v4 7.5 HIGH· v3 6.0 MEDIUM· v2 steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the...Show more steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.Show less
CVE-2016-5341 1Google 1Android May 6, 2026 Dec 6, 2016 N/A· v4 5.9 MEDIUM· v3 7.1 HIGH· v2 The GPS component in Android before 2016-12-05 allows man-in-the-middle attackers to cause a denial of service (GPS signal-acquisition delay) via an incorrect xtra.bin or xtra2.bin file on a spoofed Qualcomm gpsonextra.n...Show more The GPS component in Android before 2016-12-05 allows man-in-the-middle attackers to cause a denial of service (GPS signal-acquisition delay) via an incorrect xtra.bin or xtra2.bin file on a spoofed Qualcomm gpsonextra.net or izatcloud.net host, aka internal bug 31470303 and external bug 211602 (and AndroidID-7225554).Show less
CVE-2016-9836 1Joomla 1Joomla May 6, 2026 Dec 5, 2016 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to upload and exe...Show more The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to upload and execute files with the `.php6`, `.php7`, `.phtml`, and `.phpt` extensions. Additionally, JHelperMedia::canUpload() did not blacklist these file extensions as uploadable file types.Show less
CVE-2016-9835 1Zikula 1Zikula Application Framework May 6, 2026 Dec 5, 2016 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Directory traversal vulnerability in file "jcss.php" in Zikula 1.3.x before 1.3.11 and 1.4.x before 1.4.4 on Windows allows a remote attacker to launch a PHP object injection by uploading a serialized file.
CVE-2016-9157 1Siemens 1Sicam Pas/pqs May 6, 2026 Dec 5, 2016 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability in Siemens SICAM PAS (all versions before V8.09) could allow a remote attacker to cause a Denial of Service condition and potentially lead to unauthenticated remote code execution by sending specially cra...Show more A vulnerability in Siemens SICAM PAS (all versions before V8.09) could allow a remote attacker to cause a Denial of Service condition and potentially lead to unauthenticated remote code execution by sending specially crafted packets to port 19234/TCP.Show less
CVE-2016-9156 1Siemens 1Sicam Pas/pqs May 6, 2026 Dec 5, 2016 N/A· v4 7.3 HIGH· v3 7.5 HIGH· v2 A vulnerability in Siemens SICAM PAS (all versions before V8.09) could allow a remote attacker to upload, download, or delete files in certain parts of the file system by sending specially crafted packets to port 19235/T...Show more A vulnerability in Siemens SICAM PAS (all versions before V8.09) could allow a remote attacker to upload, download, or delete files in certain parts of the file system by sending specially crafted packets to port 19235/TCP.Show less
CVE-2016-3044 1Ibm 1Powerkvm May 6, 2026 Dec 1, 2016 N/A· v4 6.5 MEDIUM· v3 4.9 MEDIUM· v2 The Linux kernel component in IBM PowerKVM 2.1 before 2.1.1.3-65.10 and 3.1 before 3.1.0.2 allows guest OS users to cause a denial of service (host OS infinite loop and hang) via unspecified vectors.
CVE-2016-2887 1Ibm 1Ims Enterprise Suite May 6, 2026 Nov 30, 2016 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 IBM IMS Enterprise Suite Data Provider before 3.2.0.1 for Microsoft .NET allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors.
CVE-2016-2874 1Ibm 1Qradar Security Information And Event Manager May 6, 2026 Nov 30, 2016 N/A· v4 3.1 LOW· v3 3.5 LOW· v2 IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 mishandles authorization, which allows remote authenticated users to obtain sensitive information via unspecified vectors.
CVE-2016-8222 1Lenovo 74Thinkpad 10 Ella 2 Bios Thinkpad 11e Beema BiosThinkpad 11e Braswell Bios+71 more May 6, 2026 Nov 30, 2016 N/A· v4 4.4 MEDIUM· v3 4.7 MEDIUM· v2 A vulnerability has been identified in a signed kernel driver for the BIOS of some ThinkPad systems that can allow an attacker with Windows administrator-level privileges to call System Management Mode (SMM) services. Th...Show more A vulnerability has been identified in a signed kernel driver for the BIOS of some ThinkPad systems that can allow an attacker with Windows administrator-level privileges to call System Management Mode (SMM) services. This could lead to a denial of service attack or allow certain BIOS variables or settings to be altered (such as boot sequence). The setting or changing of BIOS passwords is not affected by this vulnerability.Show less
CVE-2016-8223 1Lenovo 1System Interface Foundation May 6, 2026 Nov 29, 2016 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 During an internal security review, Lenovo identified a local privilege escalation vulnerability in Lenovo System Interface Foundation software installed on some Windows 10 PCs where a user with local privileges could ru...Show more During an internal security review, Lenovo identified a local privilege escalation vulnerability in Lenovo System Interface Foundation software installed on some Windows 10 PCs where a user with local privileges could run arbitrary code with administrator level privileges.Show less
CVE-2016-5393 1Apache 1Hadoop May 6, 2026 Nov 29, 2016 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.
CVE-2016-8645 1Linux 1Linux Kernel May 6, 2026 Nov 28, 2016 N/A· v4 5.5 MEDIUM· v3 4.9 MEDIUM· v2 The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to cause a denial of service (system crash) via a crafted application that makes sendto system calls, related to net/ipv...Show more The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to cause a denial of service (system crash) via a crafted application that makes sendto system calls, related to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c.Show less

Previous 1...225226227...254 Next