Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,077)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2015-0820 3Canonical MozillaOpensuse 3Firefox OpensuseUbuntu Linux May 6, 2026 Feb 25, 2015 N/A· v4 N/A· v3 2.6 LOW· v2 Mozilla Firefox before 36.0 does not properly restrict transitions of JavaScript objects from a non-extensible state to an extensible state, which allows remote attackers to bypass a Caja Compiler sandbox protection mech...Show more Mozilla Firefox before 36.0 does not properly restrict transitions of JavaScript objects from a non-extensible state to an extensible state, which allows remote attackers to bypass a Caja Compiler sandbox protection mechanism or a Secure EcmaScript sandbox protection mechanism via a crafted web site.Show less
CVE-2014-9422 1Mit 1Kerberos 5 May 6, 2026 Feb 19, 2015 N/A· v4 N/A· v3 6.1 MEDIUM· v2 The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/...Show more The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal.Show less
CVE-2014-8757 1Lg 1On Screen Phone May 6, 2026 Feb 17, 2015 N/A· v4 N/A· v3 8.3 HIGH· v2 LG On-Screen Phone (OSP) before 4.3.010 allows remote attackers to bypass authorization via a crafted request.
CVE-2014-6195 1Ibm 1Tivoli Storage Manager May 6, 2026 Feb 14, 2015 N/A· v4 N/A· v3 1.9 LOW· v2 The (1) Java GUI and (2) Web GUI components in the IBM Tivoli Storage Manager (TSM) Backup-Archive client 5.4 and 5.5 before 5.5.4.4 on AIX, Linux, and Solaris; 5.4.x and 5.5.x on Windows and z/OS; 6.1 before 6.1.5.7 on...Show more The (1) Java GUI and (2) Web GUI components in the IBM Tivoli Storage Manager (TSM) Backup-Archive client 5.4 and 5.5 before 5.5.4.4 on AIX, Linux, and Solaris; 5.4.x and 5.5.x on Windows and z/OS; 6.1 before 6.1.5.7 on z/OS; 6.1 and 6.2 before 6.2.5.2 on Windows, before 6.2.5.3 on AIX and Linux x86, and before 6.2.5.4 on Linux Z and Solaris; 6.3 before 6.3.2.1 on AIX, before 6.3.2.2 on Windows, and before 6.3.2.3 on Linux; 6.4 before 6.4.2.1; and 7.1 before 7.1.1 in IBM TSM for Mail, when the Data Protection for Lotus Domino component is used, allow local users to bypass authentication and restore a Domino database or transaction-log backup via unspecified vectors.Show less
CVE-2015-0008 1Microsoft 9Windows 7 Windows 8Windows 8.1+6 more May 6, 2026 Feb 11, 2015 N/A· v4 N/A· v3 8.3 HIGH· v2 The UNC implementation in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does...Show more The UNC implementation in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not include authentication from the server to the client, which allows remote attackers to execute arbitrary code by making crafted data available on a UNC share, as demonstrated by Group Policy data from a spoofed domain controller, aka "Group Policy Remote Code Execution Vulnerability."Show less
CVE-2015-0929 1Servision 1Hvg Video Gateway Firmware May 6, 2026 Feb 3, 2015 N/A· v4 N/A· v3 10.0 HIGH· v2 time.htm in the web interface on SerVision HVG Video Gateway devices with firmware before 2.2.26a78 allows remote attackers to bypass authentication and obtain administrative access by leveraging a cookie received in an...Show more time.htm in the web interface on SerVision HVG Video Gateway devices with firmware before 2.2.26a78 allows remote attackers to bypass authentication and obtain administrative access by leveraging a cookie received in an HTTP response.Show less
CVE-2015-0926 1Labtech Software 1Labtech May 6, 2026 Feb 1, 2015 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Labtech before 100.237 on Linux uses world-writable permissions for root-executed scripts, which allows local users to gain privileges by modifying a script file.
CVE-2014-8833 1Apple 1Mac Os X May 6, 2026 Jan 30, 2015 N/A· v4 N/A· v3 2.1 LOW· v2 SpotlightIndex in Apple OS X before 10.10.2 does not properly perform deserialization during access to a permission cache, which allows local users to read search results associated with other users' protected files via...Show more SpotlightIndex in Apple OS X before 10.10.2 does not properly perform deserialization during access to a permission cache, which allows local users to read search results associated with other users' protected files via a Spotlight query.Show less
CVE-2014-8827 1Apple 1Mac Os X May 6, 2026 Jan 30, 2015 N/A· v4 N/A· v3 2.1 LOW· v2 LoginWindow in Apple OS X before 10.10.2 does not transition to the lock-screen state immediately upon being woken from sleep, which allows physically proximate attackers to obtain sensitive information by reading the sc...Show more LoginWindow in Apple OS X before 10.10.2 does not transition to the lock-screen state immediately upon being woken from sleep, which allows physically proximate attackers to obtain sensitive information by reading the screen.Show less
CVE-2015-1376 1Pixabay Images Project 1Pixabay Images May 6, 2026 Jan 28, 2015 N/A· v4 N/A· v3 4.0 MEDIUM· v2 pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.c...Show more pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.Show less
CVE-2014-9648 1Google 1Chrome May 6, 2026 Jan 27, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 components/navigation_interception/intercept_navigation_resource_throttle.cc in Google Chrome before 40.0.2214.91 on Android does not properly restrict use of intent: URLs to open an application after navigation to a web...Show more components/navigation_interception/intercept_navigation_resource_throttle.cc in Google Chrome before 40.0.2214.91 on Android does not properly restrict use of intent: URLs to open an application after navigation to a web site, which allows remote attackers to cause a denial of service (loss of browser access to that site) via crafted JavaScript code, as demonstrated by pandora.com and the Pandora application, a different vulnerability than CVE-2015-1205.Show less
CVE-2014-9197 1Schneider Electric 5Etg3000 Factorycast Hmi Gateway Firmware Tsxetg3000Tsxetg3010+2 more May 6, 2026 Jan 27, 2015 N/A· v4 N/A· v3 7.8 HIGH· v2 The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sensitive setup and confi...Show more The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sensitive setup and configuration information via a direct request.Show less
CVE-2015-1307 1Kde 1Plasma Workspace May 6, 2026 Jan 26, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 plasma-workspace before 5.1.95 allows remote attackers to obtain passwords via a Trojan horse Look and Feel package.
CVE-2014-9572 1Mantisbt 1Mantisbt May 6, 2026 Jan 26, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.
CVE-2014-1949 3Canonical GnomeLinuxmint 3Gtk Linux MintUbuntu May 6, 2026 Jan 16, 2015 N/A· v4 N/A· v3 7.2 HIGH· v2 GTK+ 3.10.9 and earlier, as used in cinnamon-screensaver, gnome-screensaver, and other applications, allows physically proximate attackers to bypass the lock screen by pressing the menu button.
CVE-2014-1449 1Maxthon 1Maxthon Cloud Browser May 6, 2026 Dec 25, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The Maxthon Cloud Browser application before 4.1.6.2000 for Android allows remote attackers to spoof the address bar via crafted JavaScript code that uses the history API.
CVE-2014-7193 1Sideway 1Hapi Crumb May 6, 2026 Dec 25, 2014 N/A· v4 N/A· v3 5.8 MEDIUM· v2 The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially...Show more The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site that is visited by an application consumer.Show less
CVE-2014-5208 1Yokogawa 3Centum Cs 3000 Centum VpExaopc May 6, 2026 Dec 22, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allo...Show more BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbitrary files via a STOR operation, or obtain sensitive database-location information via a PMODE operation, a different vulnerability than CVE-2014-0784.Show less
CVE-2014-6078 1Ibm 2Security Access Manager For Mobile Security Access Manager For Web May 6, 2026 Dec 18, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for...Show more IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.Show less
CVE-2014-9388 1Mantisbt 1Mantisbt May 6, 2026 Dec 17, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter.

Previous 1...250 251252253 254 Next