Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,077)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2015-6366 1Cisco 1Ios May 6, 2026 Nov 13, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Cisco IOS 15.2(04)M6 and 15.4(03)S lets physical-interface ACLs supersede tunnel-interface ACLs, which allows remote attackers to bypass intended network-traffic restrictions in opportunistic circumstances by using a tun...Show more Cisco IOS 15.2(04)M6 and 15.4(03)S lets physical-interface ACLs supersede tunnel-interface ACLs, which allows remote attackers to bypass intended network-traffic restrictions in opportunistic circumstances by using a tunnel, aka Bug ID CSCur01042.Show less
CVE-2015-8001 1Mediawiki 1Mediawiki May 6, 2026 Nov 9, 2015 N/A· v4 N/A· v3 3.5 LOW· v2 The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not restrict the uploaded data to the claimed file size, which allows remote authenticated users to caus...Show more The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not restrict the uploaded data to the claimed file size, which allows remote authenticated users to cause a denial of service via a chunk that exceeds the file size.Show less
CVE-2015-7395 1Ibm 11Change And Configuration Management Database Maximo Asset ManagementMaximo For Government+8 more May 6, 2026 Nov 8, 2015 N/A· v4 N/A· v3 4.0 MEDIUM· v2 IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX005, and 7.6.0 before 7.6.0.2 FP002; Maximo Asset Management 7.5.0 before 7.5.0.8 IFIX005, 7.5.1, and 7.6.0 before 7.6.0.2 FP002 for SmartCloud C...Show more IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX005, and 7.6.0 before 7.6.0.2 FP002; Maximo Asset Management 7.5.0 before 7.5.0.8 IFIX005, 7.5.1, and 7.6.0 before 7.6.0.2 FP002 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allow remote authenticated users to bypass intended work-order change restrictions via unspecified vectors.Show less
CVE-2015-7244 1Mobatek 1Mobaxterm May 6, 2026 Nov 4, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 The default configuration of the server in MobaXterm before 8.3 has a disabled Access Control setting and consequently does not require authentication for X11 connections, which allows remote attackers to execute arbitra...Show more The default configuration of the server in MobaXterm before 8.3 has a disabled Access Control setting and consequently does not require authentication for X11 connections, which allows remote attackers to execute arbitrary commands or obtain sensitive information via X11 packets.Show less
CVE-2015-6867 1Opentext 1Vertica May 6, 2026 Nov 4, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 The vertica-udx-zygote process in HP Vertica 7.1.1 UDx does not require authentication, which allows remote attackers to execute arbitrary commands via a crafted packet, aka ZDI-CAN-2914.
CVE-2015-7899 1Joomla 1Joomla May 6, 2026 Oct 29, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The com_content component in Joomla! 3.x before 3.4.5 does not properly check ACLs, which allows remote attackers to obtain sensitive information via unspecified vectors.
CVE-2014-8912 1Ibm 1Websphere Portal May 6, 2026 Oct 28, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF29, 8.0.0 through 8.0.0.1 CF18, and 8.5.0 before CF08 improperly restricts resource access, which allows remote attacke...Show more IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF29, 8.0.0 through 8.0.0.1 CF18, and 8.5.0 before CF08 improperly restricts resource access, which allows remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by configuration information.Show less
CVE-2015-3971 1Janitza 5Umg 508 Umg 509Umg 511+2 more May 6, 2026 Oct 28, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 The debug interface on Janitza UMG 508, 509, 511, 604, and 605 devices does not require authentication, which allows remote attackers to read or write to files, or execute arbitrary JASIC code, via a session on TCP port...Show more The debug interface on Janitza UMG 508, 509, 511, 604, and 605 devices does not require authentication, which allows remote attackers to read or write to files, or execute arbitrary JASIC code, via a session on TCP port 1239.Show less
CVE-2015-7881 1Colorbox Project 1Colorbox May 6, 2026 Oct 26, 2015 N/A· v4 N/A· v3 3.5 LOW· v2 The Colorbox module 7.x-2.x before 7.x-2.10 for Drupal allows remote authenticated users with certain permissions to bypass intended access restrictions and "add unexpected content to a Colorbox" via unspecified vectors,...Show more The Colorbox module 7.x-2.x before 7.x-2.10 for Drupal allows remote authenticated users with certain permissions to bypass intended access restrictions and "add unexpected content to a Colorbox" via unspecified vectors, possibly related to a link in a comment.Show less
CVE-2015-6984 1Apple 1Mac Os X May 6, 2026 Oct 23, 2015 N/A· v4 N/A· v3 8.8 HIGH· v2 libarchive in Apple OS X before 10.11.1 allows attackers to write to arbitrary files via a crafted app that conducts an unspecified symlink attack.
CVE-2015-4902 4Opensuse OracleRedhat+1 more 21Enterprise Linux Desktop Enterprise Linux EusEnterprise Linux Eus Compute Node+18 more Apr 22, 2026 Oct 22, 2015 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60 allows remote attackers to affect integrity via unknown vectors related to Deployment.
CVE-2015-7184 1Mozilla 1Firefox May 6, 2026 Oct 18, 2015 N/A· v4 N/A· v3 6.8 MEDIUM· v2 The fetch API implementation in Mozilla Firefox before 41.0.2 does not restrict access to the HTTP response body in certain situations where user credentials are supplied but the CORS cross-origin request algorithm is im...Show more The fetch API implementation in Mozilla Firefox before 41.0.2 does not restrict access to the HTTP response body in certain situations where user credentials are supplied but the CORS cross-origin request algorithm is improperly followed, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.Show less
CVE-2015-7369 1Revive Adserver 1Revive Adserver May 6, 2026 Oct 14, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 The default Flash cross-domain policy (crossdomain.xml) in Revive Adserver before 3.2.2 does not restrict access cross domain access, which allows remote attackers to conduct cross domain attacks via unspecified vectors.
CVE-2015-7367 1Revive Adserver 1Revive Adserver May 6, 2026 Oct 14, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 Revive Adserver before 3.2.2 allows remote attackers to perform unspecified actions by leveraging an unexpired session after the user has been (1) deleted or (2) unlinked.
CVE-2015-1304 1Google 1Chrome May 6, 2026 Oct 12, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 object-observe.js in Google V8, as used in Google Chrome before 45.0.2454.101, does not properly restrict method calls on access-checked objects, which allows remote attackers to bypass the Same Origin Policy via a (1) o...Show more object-observe.js in Google V8, as used in Google Chrome before 45.0.2454.101, does not properly restrict method calls on access-checked objects, which allows remote attackers to bypass the Same Origin Policy via a (1) observe or (2) getNotifier call.Show less
CVE-2015-5913 1Apple 1Mac Os X May 6, 2026 Oct 9, 2015 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Heimdal, as used in Apple OS X before 10.11, allows remote attackers to conduct replay attacks against the SMB server via packet data that represents a Kerberos authenticated request.
CVE-2015-0141 1Ibm 1Openpages Grc Platform May 6, 2026 Oct 3, 2015 N/A· v4 N/A· v3 4.0 MEDIUM· v2 IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7.0 before FP4, and 7.1 before FP1 allows remote authenticated users to modify arbitrary user filters via a JSON request.
CVE-2015-3860 1Google 1Android May 6, 2026 Oct 1, 2015 N/A· v4 N/A· v3 7.2 HIGH· v2 packages/Keyguard/res/layout/keyguard_password_view.xml in Lockscreen in Android 5.x before 5.1.1 LMY48M does not restrict the number of characters in the passwordEntry input field, which allows physically proximate atta...Show more packages/Keyguard/res/layout/keyguard_password_view.xml in Lockscreen in Android 5.x before 5.1.1 LMY48M does not restrict the number of characters in the passwordEntry input field, which allows physically proximate attackers to bypass intended access restrictions via a long password that triggers a SystemUI crash, aka internal bug 22214934.Show less
CVE-2015-3833 1Google 1Android May 6, 2026 Oct 1, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 The getRunningAppProcesses function in services/core/java/com/android/server/am/ActivityManagerService.java in Android before 5.1.1 LMY48I allows attackers to bypass intended getRecentTasks restrictions and discover the...Show more The getRunningAppProcesses function in services/core/java/com/android/server/am/ActivityManagerService.java in Android before 5.1.1 LMY48I allows attackers to bypass intended getRecentTasks restrictions and discover the name of the foreground application via a crafted application, aka internal bug 20034603.Show less
CVE-2015-1541 1Google 1Android May 6, 2026 Oct 1, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 The AppWidgetServiceImpl implementation in com/android/server/appwidget/AppWidgetServiceImpl.java in the Settings application in Android before 5.1.1 LMY48I allows attackers to obtain a URI permission via an application...Show more The AppWidgetServiceImpl implementation in com/android/server/appwidget/AppWidgetServiceImpl.java in the Settings application in Android before 5.1.1 LMY48I allows attackers to obtain a URI permission via an application that sends an Intent with a (1) FLAG_GRANT_READ_URI_PERMISSION or (2) FLAG_GRANT_WRITE_URI_PERMISSION flag, as demonstrated by bypassing intended restrictions on reading contacts, aka internal bug 19618745.Show less

Previous 1...245246247...254 Next