CWE-284

5,077 CVEs • Abstraction: Pillar

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,077)

Entries are listed newest first. Each one gives the vendor and product counts with the names the listing shows, the updated and published dates, the CVSS score for each version (v4, v3, v2) and the description.

Vendors (4): Canonical, Debian, Mozilla, +1 more
Products (5): Debian Linux, Firefox, Leap, +2 more
Updated: May 6, 2026 · Published: Jun 13, 2016
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 4.3 MEDIUM
Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allow remote attackers to spoof the address bar via a SELECT element with a persistent menu.

Vendors (1): Puppet
Products (3): Puppet, Puppet Agent, Puppet Server
Updated: May 6, 2026 · Published: Jun 10, 2016
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.

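
The general pattern behind the Puppet entry, as an added example (this is not Puppet's own auth.conf code): an ACL evaluated against the request path as it arrived can disagree with the path the router actually serves once percent-decoding happens. The rule set, the roles and the request paths below are constructed for illustration; the hardened variant decodes exactly once, normalises dot segments and rejects anything still ambiguous before the rules are consulted.

```python
"""Authorize on the canonical request path, not on the raw URL.

Added example; not Puppet's own auth.conf code. RULES, the roles and the
probe paths are constructed for illustration.
"""
import posixpath
from urllib.parse import unquote

# Constructed ACL in auth.conf spirit: first matching prefix wins, the
# value is the set of roles allowed; the catch-all "/" denies everyone.
RULES = [
    ("/puppet/v3/catalog/", {"agent", "admin"}),
    ("/puppet-admin-api/", {"admin"}),
    ("/", set()),
]


def _match(path, role):
    for prefix, roles in RULES:
        if path.startswith(prefix):
            return role in roles
    return False


def authorize_raw(raw_path, role):
    """Vulnerable pattern: rules are matched against the undecoded path,
    while the router later decodes it before dispatching."""
    return _match(raw_path, role)


def canonicalize(raw_path):
    """Percent-decode exactly once, normalise dot segments, and reject
    input that is still ambiguous after decoding."""
    if "\x00" in raw_path:
        raise ValueError("NUL byte in path")
    decoded = unquote(raw_path)
    if "%" in decoded:
        raise ValueError("double-encoded path")
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("unexpected byte in decoded path")
    norm = posixpath.normpath("/" + decoded.lstrip("/"))
    if decoded.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath drops a trailing slash; keep it for prefix rules
    return norm


def authorize_canonical(raw_path, role):
    """Hardened pattern: decide on the same path the router will use."""
    try:
        path = canonicalize(raw_path)
    except ValueError:
        return False
    return _match(path, role)


if __name__ == "__main__":
    probe = "/puppet/v3/catalog/%2e%2e/%2e%2e/%2e%2e/puppet-admin-api/reload"
    print("raw:", authorize_raw(probe, "agent"))              # True (bypass)
    print("canonical:", authorize_canonical(probe, "agent"))  # False
```

The probe path starts with the agent-permitted prefix, so the raw check allows it; after decoding and normalisation it is `/puppet-admin-api/reload`, which only an admin may reach. Double-encoded input (`%252e`) is refused outright rather than decoded a second time, which is the other half of "decode once, then decide".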
Vendors (1): Abb
Products (1): Pcm600
Updated: May 6, 2026 · Published: Jun 10, 2016
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 2.1 LOW
ABB PCM600 before 2.7 improperly stores OPC Server IEC61850 passwords in unspecified temporary circumstances, which allows local users to obtain sensitive information via unknown vectors.

Vendors (1): Kmc Controls
Products (1): Bac 5051e Firmware
Updated: May 6, 2026 · Published: Jun 10, 2016
CVSS: v4 N/A · v3 5.3 MEDIUM · v2 5.0 MEDIUM
KMC Controls BAC-5051E devices with firmware before E0.2.0.2 allow remote attackers to bypass intended access restrictions and read a configuration file via unspecified vectors.

Vendors (4): Debian, Opensuse, Redhat, +1 more
Products (11): Debian Linux, Enterprise Linux, Enterprise Linux Desktop, +8 more
Updated: May 6, 2026 · Published: Jun 9, 2016
CVSS: v4 N/A · v3 7.1 HIGH · v2 3.6 LOW
SPICE allows local guest OS users to read from or write to arbitrary host memory locations via crafted primary surface parameters, a similar issue to CVE-2015-5261.

Vendors (1): Canonical
Products (2): Lxd, Ubuntu Linux
Updated: May 6, 2026 · Published: Jun 9, 2016
CVSS: v4 N/A · v3 5.5 MEDIUM · v2 2.1 LOW
LXD before 2.0.2 uses world-readable permissions for /var/lib/lxd/zfs.img when setting up a loop based ZFS pool, which allows local users to copy and read data from arbitrary containers via unspecified vectors.

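
The check and the fix for the LXD entry, as an added example (not LXD code): `world_readable` reports the condition the entry describes, and `create_private_file` creates a backing file that is mode 0600 from the moment it exists, independent of the process umask, and refuses to open a pre-existing file or symlink at that path. `demo` builds a throwaway directory with one weak and one private image; the file names are constructed and have no relation to a real LXD install.

```python
"""Detect a world-readable backing image and create one safely.

Added example; not LXD code. The paths in demo() are temporary files
constructed for the demonstration.
"""
import os
import stat
import tempfile


def world_readable(path):
    """True if 'other' may read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def group_or_world_accessible(path):
    """True if anyone besides the owner holds any permission bit."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def create_private_file(path, size=0):
    """Create `path` owner-only. O_EXCL|O_NOFOLLOW makes the call fail
    rather than follow a symlink or reuse a file someone else planted."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.fchmod(fd, 0o600)        # umask can only clear bits; make the mode exact
        if size:
            os.ftruncate(fd, size)  # sparse image of the requested size
    finally:
        os.close(fd)
    return path


def demo():
    d = tempfile.mkdtemp(prefix="lxd-demo-")
    weak = os.path.join(d, "zfs.img")
    with open(weak, "wb"):
        pass
    os.chmod(weak, 0o644)  # the permission the entry describes
    private = create_private_file(os.path.join(d, "zfs-private.img"), 1 << 20)
    try:
        create_private_file(private)
        refused_existing = False
    except FileExistsError:
        refused_existing = True
    return {
        "weak_world_readable": world_readable(weak),
        "private_world_readable": world_readable(private),
        "private_group_or_world": group_or_world_accessible(private),
        "refused_existing": refused_existing,
    }


if __name__ == "__main__":
    print(demo())
```

Creating the file with the right mode in `os.open` (rather than creating it and calling `chmod` afterwards) removes the window in which another local user can open the still-permissive file and keep the descriptor.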
Vendors (1): Redhat
Products (1): Openshift
Updated: May 6, 2026 · Published: Jun 8, 2016
CVSS: v4 N/A · v3 7.1 HIGH · v2 5.5 MEDIUM
Red Hat OpenShift Enterprise 3.2, when multi-tenant SDN is enabled and a build is run in a namespace that would normally be isolated from pods in other namespaces, allows remote authenticated users to access network resources on restricted pods via an s2i build with a builder image that (1) contains ONBUILD commands or (2) does not contain a tar binary.

Vendors (1): Redhat
Products (1): Openshift
Updated: May 6, 2026 · Published: Jun 8, 2016
CVSS: v4 N/A · v3 5.3 MEDIUM · v2 3.5 LOW
Red Hat OpenShift Enterprise 3.2 and 3.1 do not properly validate the origin of a request when anonymous access is granted to a service/proxy or pod/proxy API for a specific pod, which allows remote attackers to access API credentials in the web browser localStorage via an access_token in the query parameter.

Vendors (1): Hp
Products (1): Discovery And Dependency Mapping Inventory
Updated: May 6, 2026 · Published: Jun 8, 2016
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
HPE Discovery and Dependency Mapping Inventory (DDMi) 9.30, 9.31, 9.32, 9.32 update 1, 9.32 update 2, and 9.32 update 3 allows remote authenticated users to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.

Vendors (1): Xen
Products (1): Xen
Updated: May 6, 2026 · Published: Jun 7, 2016
CVSS: v4 N/A · v3 4.7 MEDIUM · v2 1.9 LOW
The libxl device-handling in Xen through 4.6.x allows local guest OS users with access to the driver domain to cause a denial of service (management tool confusion) by manipulating information in the backend directories in xenstore.

Vendors (1): Redhat
Products (3): Gluster Storage Management Console, Gluster Storage Server, Storage Native Client
Updated: May 6, 2026 · Published: Jun 7, 2016
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 4.0 MEDIUM
The Red Hat gluster-swift package, as used in Red Hat Gluster Storage (formerly Red Hat Storage Server), allows remote authenticated users to bypass the max_meta_count constraint via multiple crafted requests which exceed the limit when combined.

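
The limit-check mistake in the gluster-swift entry, as an added example (not gluster-swift or Swift code): a per-request count that is satisfied by every request individually while the merged result is not. `LeakyMetaStore.post` reproduces that check; `MetaStore.post` computes the post-merge item count before committing. The merge semantics (POST adds keys, an empty value deletes one), the limit of 90 and the request payloads are assumptions constructed for the demo.

```python
"""Apply a metadata-count limit to the stored total, not to each request.

Added example; not gluster-swift or Swift code. MAX_META_COUNT, the merge
semantics and the request bodies built by batch() are assumed for the demo.
"""
MAX_META_COUNT = 90


class LimitExceeded(Exception):
    pass


class LeakyMetaStore:
    """Vulnerable: only the incoming batch is counted against the limit."""

    def __init__(self, max_count=MAX_META_COUNT):
        self.max_count = max_count
        self.meta = {}

    def post(self, new_meta):
        if len(new_meta) > self.max_count:
            raise LimitExceeded(f"{len(new_meta)} > {self.max_count}")
        self.meta.update(new_meta)
        return len(self.meta)


class MetaStore(LeakyMetaStore):
    """Hardened: count what the object would hold after the merge."""

    def post(self, new_meta):
        merged = dict(self.meta)
        for key, value in new_meta.items():
            if value == "":
                merged.pop(key, None)   # empty value deletes the key (assumed)
            else:
                merged[key] = value
        if len(merged) > self.max_count:
            raise LimitExceeded(f"{len(merged)} > {self.max_count}")
        self.meta = merged
        return len(self.meta)


def batch(tag, n):
    """Constructed request body: n distinct metadata items."""
    return {f"x-object-meta-{tag}-{i}": "v" for i in range(n)}


def demo():
    leaky, strict = LeakyMetaStore(), MetaStore()
    leaky.post(batch("a", 60))
    leaky.post(batch("b", 60))          # accepted: 120 items now stored
    strict.post(batch("a", 60))
    try:
        strict.post(batch("b", 60))     # 60 + 60 = 120 > 90: rejected
        rejected = False
    except LimitExceeded:
        rejected = True
    # A request that deletes the 60 "a" keys and adds 30 "c" keys is fine:
    # the post-merge total is 30.
    strict.post({**{k: "" for k in batch("a", 60)}, **batch("c", 30)})
    return len(leaky.meta), len(strict.meta), rejected


if __name__ == "__main__":
    print(demo())  # (120, 30, True)
```

The same reasoning applies to any cumulative constraint (total metadata bytes, number of ACL entries, quota): the check must run on the state the request would produce, under the same lock that commits it.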
Vendors (6): Canonical, Debian, Google, +3 more
Products (9): Chrome, Debian Linux, Enterprise Linux Desktop, +6 more
Updated: May 6, 2026 · Published: Jun 5, 2016
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 4.3 MEDIUM
WebKit/Source/devtools/front_end/devtools.js in the Developer Tools (aka DevTools) subsystem in Blink, as used in Google Chrome before 51.0.2704.79, does not ensure that the remoteFrontendUrl parameter is associated with a chrome-devtools-frontend.appspot.com URL, which allows remote attackers to bypass intended access restrictions via a crafted URL.

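
What "associated with a chrome-devtools-frontend.appspot.com URL" has to mean in code, as an added example (not Chromium code): `weak_is_frontend_url` is the kind of substring test that lets a crafted URL through, and `is_frontend_url` parses the URL and requires https and an exact hostname match. The expected host is the one named in the entry; requiring an exact host and https is this example's policy, not necessarily Chromium's fix; the attacker URLs in `PROBES` are constructed.

```python
"""Check that a URL parameter is really associated with the expected host.

Added example; not Chromium code. PROBES are constructed attacker inputs.
"""
from urllib.parse import urlsplit

EXPECTED_HOST = "chrome-devtools-frontend.appspot.com"


def weak_is_frontend_url(url):
    """Vulnerable: any URL that merely contains the host string passes."""
    return EXPECTED_HOST in url


def is_frontend_url(url):
    """Hardened: scheme, userinfo, hostname and port are each checked on
    the parsed URL, never on the raw string."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False                 # "host@attacker" puts the real host after the @
    if parts.hostname != EXPECTED_HOST:  # hostname is lower-cased by urlsplit
        return False
    return port in (None, 443)


PROBES = [
    "https://chrome-devtools-frontend.appspot.com/serve_rev/@1/inspector.html",
    "https://chrome-devtools-frontend.appspot.com.attacker.example/",
    "https://attacker.example/?u=chrome-devtools-frontend.appspot.com",
    "https://chrome-devtools-frontend.appspot.com@attacker.example/",
    "http://chrome-devtools-frontend.appspot.com/",
]


def demo():
    """(weak, strict) verdict for each probe; only the first is genuine."""
    return [(weak_is_frontend_url(u), is_frontend_url(u)) for u in PROBES]


if __name__ == "__main__":
    for url, verdict in zip(PROBES, demo()):
        print(verdict, url)
```

Only the first probe is the real frontend; the substring check accepts all five, the parsed check accepts one. The `userinfo` test matters because `https://expected-host@attacker.example/` contains the expected string and still parses to the attacker's host.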
Vendors (6): Canonical, Debian, Google, +3 more
Products (9): Chrome, Debian Linux, Enterprise Linux Desktop, +6 more
Updated: May 6, 2026 · Published: Jun 5, 2016
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
The FrameLoader::startLoad function in WebKit/Source/core/loader/FrameLoader.cpp in Blink, as used in Google Chrome before 51.0.2704.79, does not prevent frame navigations during DocumentLoader detach operations, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code.

Vendors (5): Debian, Google, Opensuse, +2 more
Products (8): Chrome, Debian Linux, Enterprise Linux Desktop, +5 more
Updated: May 6, 2026 · Published: Jun 5, 2016
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
The extensions subsystem in Google Chrome before 51.0.2704.79 does not properly restrict bindings access, which allows remote attackers to bypass the Same Origin Policy via unspecified vectors.

Vendors (5): Debian, Google, Opensuse, +2 more
Products (8): Chrome, Debian Linux, Enterprise Linux Desktop, +5 more
Updated: May 6, 2026 · Published: Jun 5, 2016
CVSS: v4 N/A · v3 5.3 MEDIUM · v2 4.3 MEDIUM
browser/browsing_data/browsing_data_remover.cc in Google Chrome before 51.0.2704.63 deletes HPKP pins during cache clearing, which makes it easier for remote attackers to spoof web sites via a valid certificate from an arbitrary recognized Certification Authority.

Vendors (5): Debian, Google, Opensuse, +2 more
Products (8): Chrome, Debian Linux, Enterprise Linux Desktop, +5 more
Updated: May 6, 2026 · Published: Jun 5, 2016
CVSS: v4 N/A · v3 5.3 MEDIUM · v2 2.6 LOW
browser/safe_browsing/srt_field_trial_win.cc in Google Chrome before 51.0.2704.63 does not use the HTTPS service on dl.google.com to obtain the Software Removal Tool, which allows remote attackers to spoof the chrome_cleanup_tool.exe (aka CCT) file via a man-in-the-middle attack on an HTTP session.

Vendors (6): Canonical, Debian, Google, +3 more
Products (9): Chrome, Debian Linux, Enterprise Linux Desktop, +6 more
Updated: May 6, 2026 · Published: Jun 5, 2016
CVSS: v4 N/A · v3 5.3 MEDIUM · v2 4.3 MEDIUM
WebKit/Source/core/css/StyleSheetContents.cpp in Blink, as used in Google Chrome before 51.0.2704.63, permits cross-origin loading of CSS stylesheets by a ServiceWorker even when the stylesheet download has an incorrect MIME type, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.

Vendors (6): Canonical, Debian, Google, +3 more
Products (9): Chrome, Debian Linux, Enterprise Linux Desktop, +6 more
Updated: May 6, 2026 · Published: Jun 5, 2016
CVSS: v4 N/A · v3 6.1 MEDIUM · v2 4.3 MEDIUM
The ServiceWorkerContainer::registerServiceWorkerImpl function in WebKit/Source/modules/serviceworkers/ServiceWorkerContainer.cpp in Blink, as used in Google Chrome before 51.0.2704.63, allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via a ServiceWorker registration.

Vendors (5): Debian, Google, Opensuse, +2 more
Products (8): Chrome, Debian Linux, Enterprise Linux Desktop, +5 more
Updated: May 6, 2026 · Published: Jun 5, 2016
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
extensions/renderer/resources/binding.js in the extension bindings in Google Chrome before 51.0.2704.63 does not properly use prototypes, which allows remote attackers to bypass the Same Origin Policy via unspecified vectors.

Vendors (6): Canonical, Debian, Google, +3 more
Products (9): Chrome, Debian Linux, Enterprise Linux Desktop, +6 more
Updated: May 6, 2026 · Published: Jun 5, 2016
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
Blink, as used in Google Chrome before 51.0.2704.63, allows remote attackers to bypass the Same Origin Policy by leveraging the mishandling of Document reattachment during destruction, related to FrameLoader.cpp and LocalFrame.cpp.