CWE-284
5,077 CVEs • Abstraction: Pillar
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVEs (5,077)
| Vendors | Products | Updated | Published | CVSS v4 | CVSS v3 | CVSS v2 | Description |
|---|---|---|---|---|---|---|---|
| | | | | | | | Bluetooth in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-08-01 allows attackers to cause a denial of service (loss of Bluetooth 911 functionality) via a crafted application that... |
| | | | | | | | Android 6.x before 2016-08-01 allows attackers to cause a denial of service (loss of locked-screen 911 functionality) via a crafted application that uses the app-pinning feature, aka internal bug 28761672. |
| | | | | | | | The Qualcomm Wi-Fi driver in Android before 2016-08-05 on Nexus 7 (2013) devices makes incorrect snprintf calls, which allows remote attackers to cause a denial of service (device hang or reboot) via crafted frames, aka... |
| | | | | | | | The multi-tenant database container feature in SAP HANA does not properly encrypt communications, which allows remote attackers to bypass intended access restrictions and possibly have unspecified other impact via unknow... |
| | | | | | | | The SQL interface in SAP HANA before Revision 102 does not limit the number of login attempts for the SYSTEM user when the password_lock_for_system_user is not supported or is configured as "False," which makes it easier... |
| | | | | | | | SAP TREX 7.10 Revision 63 allows remote attackers to write to arbitrary files via vectors related to RFC-Gateway, aka SAP Security Note 2203591. |
| | | | | | | | The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries. |
| | | | | | | | Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization. |
| | | | | | | | The AdminUI in HPE Operations Manager (OM) before 9.21.130 on Linux, Unix, and Solaris allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections... |
| | | | | | | | vaconfig/time in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ntpServer parameter. |
| Cronic Project, Debian, Opensuse (3) | Cronic, Debian Linux, Leap, +1 more (4) | May 6, 2026 | Jul 26, 2016 | N/A | 6.2 MEDIUM | 4.9 MEDIUM | cronic before 3 allows local users to write to arbitrary files via a symlink attack on a (1) cronic.out.$$, (2) cronic.err.$$, or (3) cronic.trace.$$ file in /tmp. |
| | | | | | | | content/renderer/history_controller.cc in Google Chrome before 52.0.2743.82 does not properly restrict multiple uses of a JavaScript forward method, which allows remote attackers to spoof the URL display via a crafted we... |
| | | | | | | | WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 mishandles the location variable, which allows remote attackers to access the local filesystem via unspecified vectors. |
| Apache, Hp, Oracle, +1 more (4) | Enterprise Linux Desktop, Enterprise Linux Hpc Node, Enterprise Linux Hpc Node Eus, +8 more (11) | May 6, 2026 | Jul 19, 2016 | N/A | 8.1 HIGH | 5.1 MEDIUM | Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_... |
| Fedoraproject, Golang, Oracle, +1 more (4) | Enterprise Linux Server, Enterprise Linux Server Aus, Enterprise Linux Server Eus, +3 more (6) | May 6, 2026 | Jul 19, 2016 | N/A | 8.1 HIGH | 6.8 MEDIUM | The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY... |
| Accela (1) | Civic Platform Citizen Access Portal (1) | May 6, 2026 | Jul 15, 2016 | N/A | 8.8 HIGH | 6.5 MEDIUM | Accela Civic Platform Citizen Access portal relies on the client to restrict file types for uploads, which allows remote authenticated users to execute arbitrary code via modified _EventArgument and filename parameters. |
| Ibm (1) | Security Identity Manager Adapter (1) | May 6, 2026 | Jul 15, 2016 | N/A | 4.3 MEDIUM | 4.3 MEDIUM | IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.1 before 7.0.1-ISS-SIM-FP0003 allows remote attackers to conduct clickjacking attacks via a crafted web site. |
| Ibm (1) | Security Identity Manager Adapter (1) | May 6, 2026 | Jul 15, 2016 | N/A | 7.4 HIGH | 4.4 MEDIUM | IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.1 before 7.0.1-ISS-SIM-FP0003 mishandles session expiration, which allows remote attackers to hijack sessions by leveraging an unattended works... |
| Ibm (1) | Security Identity Manager Adapter (1) | May 6, 2026 | Jul 15, 2016 | N/A | 5.6 MEDIUM | 4.3 MEDIUM | IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.1 before 7.0.1-ISS-SIM-FP0003 mishandles session identifiers after logout, which makes it easier for remote attackers to spoof users by leverag... |
| | | | | | | | Tollgrade LightHouse SMS before 5.1 patch 3 allows remote authenticated users to bypass an intended administrative-authentication requirement, and read or change parameter values, via a direct request. |