Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,009)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2015-1115 1Apple 1Iphone Os May 6, 2026 Apr 10, 2015 N/A· v4 N/A· v3 4.4 MEDIUM· v2 The Telephony component in Apple iOS before 8.3 allows attackers to bypass a sandbox protection mechanism and access unintended telephone capabilities via a crafted app.
CVE-2015-0119 1Ibm 1Tivoli Storage Manager Fastback May 6, 2026 Apr 6, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 FastBack Mount in IBM Tivoli Storage Manager FastBack 6.1.x before 6.1.11.1 allows remote attackers to execute arbitrary code by connecting to the Mount port.
CVE-2015-2841 1Citrix 1Netscaler May 6, 2026 Apr 3, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Citrix NetScaler AppFirewall, as used in NetScaler 10.5, allows remote attackers to bypass intended firewall restrictions via a crafted Content-Type header, as demonstrated by the application/octet-stream and text/xml Co...Show more Citrix NetScaler AppFirewall, as used in NetScaler 10.5, allows remote attackers to bypass intended firewall restrictions via a crafted Content-Type header, as demonstrated by the application/octet-stream and text/xml Content-Types.Show less
CVE-2015-2816 1Sap 1Afaria May 6, 2026 Apr 1, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 The XcListener in SAP Afaria 7.0.6001.5 does not properly restrict access, which allows remote attackers to have unspecified impact via a crafted request, aka SAP Security Note 2134905.
CVE-2015-2792 1Wpml 1Wpml May 6, 2026 Mar 30, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POS...Show more The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for the action GET parameter.Show less
CVE-2015-2172 1Dokuwiki 1Dokuwiki May 6, 2026 Mar 30, 2015 N/A· v4 N/A· v3 6.5 MEDIUM· v2 DokuWiki before 2014-05-05d and before 2014-09-29c does not properly check permissions for the ACL plugins, which allows remote authenticated users to gain privileges and add or delete ACL rules via a request to the XMLR...Show more DokuWiki before 2014-05-05d and before 2014-09-29c does not properly check permissions for the ACL plugins, which allows remote authenticated users to gain privileges and add or delete ACL rules via a request to the XMLRPC API.Show less
CVE-2015-2559 2Debian Drupal 2Debian Linux Drupal May 6, 2026 Mar 25, 2015 N/A· v4 N/A· v3 3.5 LOW· v2 Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset UR...Show more Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.Show less
CVE-2015-0667 1Cisco 1Content Services Switch 11500 Firmware May 6, 2026 Mar 18, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The Management Interface on Cisco Content Services Switch (CSS) 11500 devices 8.20.4.02 and earlier allows remote attackers to bypass intended restrictions on local-network device access via crafted SSH packets, aka Bug...Show more The Management Interface on Cisco Content Services Switch (CSS) 11500 devices 8.20.4.02 and earlier allows remote attackers to bypass intended restrictions on local-network device access via crafted SSH packets, aka Bug ID CSCut14855.Show less
CVE-2015-2107 1Hp 1Operations Manager I Management Pack May 6, 2026 Mar 14, 2015 N/A· v4 N/A· v3 6.8 MEDIUM· v2 HP Operations Manager i Management Pack 1.x before 1.01 for SAP allows local users to execute OS commands by leveraging SAP administrative privileges.
CVE-2015-0660 1Cisco 1Telepresence Server Software May 6, 2026 Mar 14, 2015 N/A· v4 N/A· v3 7.2 HIGH· v2 Cisco Virtual TelePresence Server Software does not properly restrict use of the serial port, which allows local users to execute arbitrary OS commands as root by leveraging vSphere controller administrative privileges,...Show more Cisco Virtual TelePresence Server Software does not properly restrict use of the serial port, which allows local users to execute arbitrary OS commands as root by leveraging vSphere controller administrative privileges, aka Bug ID CSCus61123.Show less
CVE-2015-1631 1Microsoft 1Exchange Server May 6, 2026 Mar 11, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to spoof meeting organizers via unspecified vectors, aka "Exchange Forged Meeting Request Spoofing Vulnerability."
CVE-2015-1464 2Bestpractical Fedoraproject 2Fedora Request Tracker May 6, 2026 Mar 9, 2015 N/A· v4 N/A· v3 6.4 MEDIUM· v2 RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.
CVE-2015-0820 3Canonical MozillaOpensuse 3Firefox OpensuseUbuntu Linux May 6, 2026 Feb 25, 2015 N/A· v4 N/A· v3 2.6 LOW· v2 Mozilla Firefox before 36.0 does not properly restrict transitions of JavaScript objects from a non-extensible state to an extensible state, which allows remote attackers to bypass a Caja Compiler sandbox protection mech...Show more Mozilla Firefox before 36.0 does not properly restrict transitions of JavaScript objects from a non-extensible state to an extensible state, which allows remote attackers to bypass a Caja Compiler sandbox protection mechanism or a Secure EcmaScript sandbox protection mechanism via a crafted web site.Show less
CVE-2014-9422 1Mit 1Kerberos 5 May 6, 2026 Feb 19, 2015 N/A· v4 N/A· v3 6.1 MEDIUM· v2 The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/...Show more The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal.Show less
CVE-2014-8757 1Lg 1On Screen Phone May 6, 2026 Feb 17, 2015 N/A· v4 N/A· v3 8.3 HIGH· v2 LG On-Screen Phone (OSP) before 4.3.010 allows remote attackers to bypass authorization via a crafted request.
CVE-2014-6195 1Ibm 1Tivoli Storage Manager May 6, 2026 Feb 14, 2015 N/A· v4 N/A· v3 1.9 LOW· v2 The (1) Java GUI and (2) Web GUI components in the IBM Tivoli Storage Manager (TSM) Backup-Archive client 5.4 and 5.5 before 5.5.4.4 on AIX, Linux, and Solaris; 5.4.x and 5.5.x on Windows and z/OS; 6.1 before 6.1.5.7 on...Show more The (1) Java GUI and (2) Web GUI components in the IBM Tivoli Storage Manager (TSM) Backup-Archive client 5.4 and 5.5 before 5.5.4.4 on AIX, Linux, and Solaris; 5.4.x and 5.5.x on Windows and z/OS; 6.1 before 6.1.5.7 on z/OS; 6.1 and 6.2 before 6.2.5.2 on Windows, before 6.2.5.3 on AIX and Linux x86, and before 6.2.5.4 on Linux Z and Solaris; 6.3 before 6.3.2.1 on AIX, before 6.3.2.2 on Windows, and before 6.3.2.3 on Linux; 6.4 before 6.4.2.1; and 7.1 before 7.1.1 in IBM TSM for Mail, when the Data Protection for Lotus Domino component is used, allow local users to bypass authentication and restore a Domino database or transaction-log backup via unspecified vectors.Show less
CVE-2015-0008 1Microsoft 9Windows 7 Windows 8Windows 8.1+6 more May 6, 2026 Feb 11, 2015 N/A· v4 N/A· v3 8.3 HIGH· v2 The UNC implementation in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does...Show more The UNC implementation in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not include authentication from the server to the client, which allows remote attackers to execute arbitrary code by making crafted data available on a UNC share, as demonstrated by Group Policy data from a spoofed domain controller, aka "Group Policy Remote Code Execution Vulnerability."Show less
CVE-2015-0929 1Servision 1Hvg Video Gateway Firmware May 6, 2026 Feb 3, 2015 N/A· v4 N/A· v3 10.0 HIGH· v2 time.htm in the web interface on SerVision HVG Video Gateway devices with firmware before 2.2.26a78 allows remote attackers to bypass authentication and obtain administrative access by leveraging a cookie received in an...Show more time.htm in the web interface on SerVision HVG Video Gateway devices with firmware before 2.2.26a78 allows remote attackers to bypass authentication and obtain administrative access by leveraging a cookie received in an HTTP response.Show less
CVE-2015-0926 1Labtech Software 1Labtech May 6, 2026 Feb 1, 2015 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Labtech before 100.237 on Linux uses world-writable permissions for root-executed scripts, which allows local users to gain privileges by modifying a script file.
CVE-2014-8833 1Apple 1Mac Os X May 6, 2026 Jan 30, 2015 N/A· v4 N/A· v3 2.1 LOW· v2 SpotlightIndex in Apple OS X before 10.10.2 does not properly perform deserialization during access to a permission cache, which allows local users to read search results associated with other users' protected files via...Show more SpotlightIndex in Apple OS X before 10.10.2 does not properly perform deserialization during access to a permission cache, which allows local users to read search results associated with other users' protected files via a Spotlight query.Show less

Previous 1...247248249 250 251 Next