Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,077)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2016-1672 5Debian GoogleOpensuse+2 more 8Chrome Debian LinuxEnterprise Linux Desktop+5 more May 6, 2026 Jun 5, 2016 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The ModuleSystem::RequireForJsInner function in extensions/renderer/module_system.cc in the extension bindings in Google Chrome before 51.0.2704.63 mishandles properties, which allows remote attackers to conduct bindings...Show more The ModuleSystem::RequireForJsInner function in extensions/renderer/module_system.cc in the extension bindings in Google Chrome before 51.0.2704.63 mishandles properties, which allows remote attackers to conduct bindings-interception attacks and bypass the Same Origin Policy via unspecified vectors.Show less
CVE-2016-4810 1Citrix 2Xenapp Xendesktop May 6, 2026 Jun 1, 2016 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Citrix Studio before 7.6.1000, Citrix XenDesktop 7.x before 7.6 LTSR Cumulative Update 1 (CU1), and Citrix XenApp 7.5 and 7.6 allow attackers to set Access Policy rules on the XenDesktop Delivery Controller via unspecifi...Show more Citrix Studio before 7.6.1000, Citrix XenDesktop 7.x before 7.6 LTSR Cumulative Update 1 (CU1), and Citrix XenApp 7.5 and 7.6 allow attackers to set Access Policy rules on the XenDesktop Delivery Controller via unspecified vectors.Show less
CVE-2016-4502 1Envirosys 1Esc 8832 Data Controller May 6, 2026 May 31, 2016 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and earlier allows remote attackers to bypass intended access restrictions and execute arbitrary functions via a modified parameter.
CVE-2016-4501 1Envirosys 1Esc 8832 Data Controller May 6, 2026 May 31, 2016 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and earlier mishandles sessions, which allows remote attackers to bypass authentication and make arbitrary configuration changes via unspecified vectors.
CVE-2016-1999 1Hp 1Release Control May 6, 2026 May 30, 2016 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The server in HP Release Control 9.13, 9.20, and 9.21 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.
CVE-2016-1406 1Cisco 2Evolved Programmable Network Manager Prime Infrastructure May 6, 2026 May 25, 2016 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The API web interface in Cisco Prime Infrastructure before 3.1 and Cisco Evolved Programmable Network Manager before 1.2.4 allows remote authenticated users to bypass intended RBAC restrictions and obtain sensitive infor...Show more The API web interface in Cisco Prime Infrastructure before 3.1 and Cisco Evolved Programmable Network Manager before 1.2.4 allows remote authenticated users to bypass intended RBAC restrictions and obtain sensitive information, and consequently gain privileges, via crafted JSON data, aka Bug ID CSCuy12409.Show less
CVE-2016-2159 1Moodle 1Moodle May 6, 2026 May 22, 2016 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 The save_submission function in mod/assign/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote authenticated users to bypass intend...Show more The save_submission function in mod/assign/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request.Show less
CVE-2016-3728 1Theforeman 1Foreman May 6, 2026 May 20, 2016 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Eval injection vulnerability in tftp_api.rb in the TFTP module in the Smart-Proxy in Foreman before 1.10.4 and 1.11.x before 1.11.2 allows remote attackers to execute arbitrary code via the PXE template type portion of t...Show more Eval injection vulnerability in tftp_api.rb in the TFTP module in the Smart-Proxy in Foreman before 1.10.4 and 1.11.x before 1.11.2 allows remote attackers to execute arbitrary code via the PXE template type portion of the PATH_INFO to tftp/.Show less
CVE-2016-2100 1Theforeman 1Foreman May 6, 2026 May 20, 2016 N/A· v4 5.4 MEDIUM· v3 6.5 MEDIUM· v2 Foreman before 1.10.3 and 1.11.0 before 1.11.0-RC2 allow remote authenticated users to read, modify, or delete private bookmarks by leveraging the (1) edit_bookmarks or (2) destroy_bookmarks permission.
CVE-2016-1844 1Apple 1Mac Os X May 6, 2026 May 20, 2016 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 The Messages component in Apple OS X before 10.11.5 mishandles roster changes, which allows remote attackers to modify contact lists via unspecified vectors.
CVE-2016-1842 1Apple 3Iphone Os Mac Os XWatchos May 6, 2026 May 20, 2016 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 MapKit in Apple iOS before 9.3.2, OS X before 10.11.5, and watchOS before 2.2.1 does not use HTTPS for shared links, which allows remote attackers to obtain sensitive information by sniffing the network for HTTP traffic.
CVE-2016-1806 1Apple 1Mac Os X May 6, 2026 May 20, 2016 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 Crash Reporter in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privileged context via a crafted app.
CVE-2016-1805 1Apple 1Mac Os X May 6, 2026 May 20, 2016 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 CoreStorage in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privileged context via a crafted app.
CVE-2016-1797 1Apple 1Mac Os X May 6, 2026 May 20, 2016 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 Apple Type Services (ATS) in Apple OS X before 10.11.5 allows attackers to bypass intended FontValidator sandbox-policy restrictions and execute arbitrary code in a privileged context via a crafted app.
CVE-2016-0731 1Apache 1Ambari May 6, 2026 May 18, 2016 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 The File Browser View in Apache Ambari before 2.2.1 allows remote authenticated administrators to read arbitrary files via a file: URL in the WebHDFS URL configuration.
CVE-2016-0323 1Ibm 1Bluemix May 6, 2026 May 17, 2016 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 The Auto-Scaling agent in Liberty for Java in IBM Bluemix before 2.7-20160321-1358 allows remote authenticated users to disable X.509 certificate validation, and consequently bypass an intended HTTPS trust-management fea...Show more The Auto-Scaling agent in Liberty for Java in IBM Bluemix before 2.7-20160321-1358 allows remote authenticated users to disable X.509 certificate validation, and consequently bypass an intended HTTPS trust-management feature, via unspecified vectors.Show less
CVE-2015-8838 1Php 1Php May 6, 2026 May 16, 2016 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 uses a client SSL option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-do...Show more ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 uses a client SSL option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.Show less
CVE-2016-1668 3Debian GoogleOpensuse 3Chrome Debian LinuxOpensuse May 6, 2026 May 14, 2016 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The forEachForBinding function in WebKit/Source/bindings/core/v8/Iterable.h in the V8 bindings in Blink, as used in Google Chrome before 50.0.2661.102, uses an improper creation context, which allows remote attackers to...Show more The forEachForBinding function in WebKit/Source/bindings/core/v8/Iterable.h in the V8 bindings in Blink, as used in Google Chrome before 50.0.2661.102, uses an improper creation context, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.Show less
CVE-2016-1667 3Debian GoogleOpensuse 3Chrome Debian LinuxOpensuse May 6, 2026 May 14, 2016 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The TreeScope::adoptIfNeeded function in WebKit/Source/core/dom/TreeScope.cpp in the DOM implementation in Blink, as used in Google Chrome before 50.0.2661.102, does not prevent script execution during node-adoption oper...Show more The TreeScope::adoptIfNeeded function in WebKit/Source/core/dom/TreeScope.cpp in the DOM implementation in Blink, as used in Google Chrome before 50.0.2661.102, does not prevent script execution during node-adoption operations, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.Show less
CVE-2016-2016 1Hp 3Base Vxfs 50 Base Vxfs 501Base Vxfs 51 May 6, 2026 May 14, 2016 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Base-VxFS-50 B.05.00.01 through B.05.00.02, Base-VxFS-501 B.05.01.0 through B.05.01.03, and Base-VxFS-51 B.05.10.00 through B.05.10.02 on HPE HP-UX 11iv3 with VxFS 5.0, VxFS 5.0.1, and VxFS 5.1SP1 mishandles ACL inherita...Show more Base-VxFS-50 B.05.00.01 through B.05.00.02, Base-VxFS-501 B.05.01.0 through B.05.01.03, and Base-VxFS-51 B.05.10.00 through B.05.10.02 on HPE HP-UX 11iv3 with VxFS 5.0, VxFS 5.0.1, and VxFS 5.1SP1 mishandles ACL inheritance for default:class: entries, default:other: entries, and default:user: entries, which allows local users to bypass intended access restrictions by leveraging the configuration of a parent directory.Show less

Previous 1...239240241...254 Next