CWE-284
5,077 CVEs • Abstraction: Pillar
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVEs (5,077)
| CVE | Vendors | Products | Updated | Published | CVSS (v4 / v3 / v2) | Description |
|---|---|---|---|---|---|---|
| | | | | | | The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended a... |
| | | | | | | fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allows local users to bypass intended access restrictions and navigate... |
| | | | | | | The netlink_sendmsg function in net/netlink/af_netlink.c in the Linux kernel before 3.5.5 does not validate the dst_pid field, which allows local users to have an unspecified impact by spoofing Netlink messages. |
| | | | | | | The Firefox Health Reports (aka FHR or about:healthreport) feature in Mozilla Firefox before 46.0 does not properly restrict the origin of events, which makes it easier for remote attackers to modify sharing preferences... |
| | | | | | | Mozilla Firefox before 46.0 allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via the multipart/x-mixed-replace content type. |
| | | | | | | The management screen in LOCKON EC-CUBE 3.0.7 through 3.0.9 allows remote authenticated users to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2016-1199. |
| | Linux, Novell, Suse (3) | Linux Kernel, Suse Linux Enterprise Desktop, Suse Linux Enterprise Live Patching, +5 more (8) | May 6, 2026 | Apr 27, 2016 | N/A / 5.5 MEDIUM / 4.9 MEDIUM | The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel before 4.4.1 on powerpc platforms does not ensure that TM suspend mode exists before proceeding with a tm_reclaim call, which allows loc... |
| | | | | | | epan/dissectors/packet-iax2.c in the IAX2 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (infinite loop... |
| | | | | | | epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 2.0.x before 2.0.3 does not properly initialize memory for search patterns, which allows remote attackers to cause a denial of service (application cra... |
| | Foxitsoftware (1) | Foxit Reader, PhantomPDF (2) | May 6, 2026 | Apr 22, 2016 | N/A / 7.8 HIGH / 6.8 MEDIUM | Use-after-free vulnerability in the XFA forms handling functionality in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to execute arbitrary code via a crafted remerge call. |
| | | | | | | The Bluetooth functionality in Lemur Vehicle Monitors BlueDriver before 2016-04-07 supports unrestricted pairing without a PIN, which allows remote attackers to send arbitrary CAN commands by leveraging access to a devic... |
| | Apache, Canonical, Debian, +5 more (8) | Cassandra, Debian Linux, E Series Santricity Management Plug Ins, +35 more (38) | Apr 22, 2026 | Apr 21, 2016 | N/A / 9.8 CRITICAL / 10.0 HIGH | Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. |
| | Debian, Google, Novell, +1 more (4) | Chrome, Debian Linux, Leap, +1 more (4) | May 6, 2026 | Apr 18, 2016 | N/A / 4.3 MEDIUM / 4.3 MEDIUM | The Extensions subsystem in Google Chrome before 50.0.2661.75 incorrectly relies on GetOrigin method calls for origin comparisons, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive infor... |
| | Google, Opensuse, Suse (3) | Chrome, Leap, Linux Enterprise (3) | May 6, 2026 | Apr 18, 2016 | N/A / 7.5 HIGH / 5.0 MEDIUM | The download implementation in Google Chrome before 50.0.2661.75 on Android allows remote attackers to bypass intended pathname restrictions via unspecified vectors. |
| | Canonical, Redhat (2) | Libvirt, Ubuntu Linux (2) | May 6, 2026 | Apr 14, 2016 | N/A / 6.5 MEDIUM / 4.0 MEDIUM | The virStorageVolCreateXML API in libvirt 1.2.14 through 1.2.19 allows remote authenticated users with a read-write connection to cause a denial of service (libvirtd crash) by triggering a failed unlink after creating a... |
| | Canonical, Redhat (2) | Libvirt, Ubuntu Linux (2) | May 6, 2026 | Apr 14, 2016 | N/A / 5.9 MEDIUM / 4.3 MEDIUM | The networkReloadIptablesRules function in network/bridge_driver.c in libvirt before 0.9.9 does not properly handle firewall rules on bridge networks when libvirtd is restarted, which might allow remote attackers to bypa... |
| | | | | | | The Data Provisioning Agent (aka DP Agent) in SAP HANA does not properly restrict access to service functionality, which allows remote attackers to obtain sensitive information, gain privileges, and conduct unspecified o... |
| | Novell, Xen (2) | Suse Linux Enterprise Real Time Extension, Xen (2) | May 6, 2026 | Apr 14, 2016 | N/A / 8.2 HIGH / 5.7 MEDIUM | Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a d... |
| | Openstack (1) | Image Registry And Delivery Service (glance) (1) | May 6, 2026 | Apr 13, 2016 | N/A / 4.3 MEDIUM / 4.0 MEDIUM | OpenStack Image Service (Glance) before 2015.1.3 (kilo) and 11.0.x before 11.0.2 (liberty), when show_multiple_locations is enabled, allow remote authenticated users to change image status and upload new image data by re... |
| | Debian, Fedoraproject, Oracle, +1 more (4) | Debian Linux, Fedora, Vm Server, +1 more (4) | May 6, 2026 | Apr 13, 2016 | N/A / 3.8 LOW / 1.7 LOW | The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content i... |