Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,077)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2014-8632 1Mozilla 2Firefox Seamonkey May 6, 2026 Dec 11, 2014 N/A· v4 N/A· v3 4.3 MEDIUM· v2 The structured-clone implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 does not properly interact with XrayWrapper property filtering, which allows remote attackers to bypass intended DOM object res...Show more The structured-clone implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 does not properly interact with XrayWrapper property filtering, which allows remote attackers to bypass intended DOM object restrictions by leveraging property availability after XrayWrapper removal.Show less
CVE-2014-8631 1Mozilla 2Firefox Seamonkey May 6, 2026 Dec 11, 2014 N/A· v4 N/A· v3 4.3 MEDIUM· v2 The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 supports native-interface passing, which allows remote attackers to bypass intended DOM object restrictions via a ca...Show more The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 supports native-interface passing, which allows remote attackers to bypass intended DOM object restrictions via a call to an unspecified method.Show less
CVE-2014-1589 1Mozilla 2Firefox Seamonkey May 6, 2026 Dec 11, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Mozilla Firefox before 34.0 and SeaMonkey before 2.31 provide stylesheets with an incorrect primary namespace, which allows remote attackers to bypass intended access restrictions via an XBL binding.
CVE-2014-8680 1Isc 1Bind May 6, 2026 Dec 11, 2014 N/A· v4 N/A· v3 5.4 MEDIUM· v2 The GeoIP functionality in ISC BIND 9.10.0 through 9.10.1 allows remote attackers to cause a denial of service (assertion failure and named exit) via vectors related to (1) the lack of GeoIP databases for both IPv4 and I...Show more The GeoIP functionality in ISC BIND 9.10.0 through 9.10.1 allows remote attackers to cause a denial of service (assertion failure and named exit) via vectors related to (1) the lack of GeoIP databases for both IPv4 and IPv6, or (2) IPv6 support with certain options.Show less
CVE-2014-6319 1Microsoft 1Exchange Server May 6, 2026 Dec 11, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Outlook Web App (OWA) in Microsoft Exchange Server 2007 SP3, 2010 SP3, and 2013 SP1 and Cumulative Update 6 does not properly validate tokens in requests, which allows remote attackers to spoof the origin of e-mail messa...Show more Outlook Web App (OWA) in Microsoft Exchange Server 2007 SP3, 2010 SP3, and 2013 SP1 and Cumulative Update 6 does not properly validate tokens in requests, which allows remote attackers to spoof the origin of e-mail messages via unspecified vectors, aka "Outlook Web App Token Spoofing Vulnerability."Show less
CVE-2014-9117 1Mantisbt 1Mantisbt May 6, 2026 Dec 6, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a publ...Show more MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as demonstrated by E4652 for the public_key value 0.Show less
CVE-2014-9151 1Services Project 1Services May 6, 2026 Dec 1, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The Services module 7.x-3.x before 7.x-3.10 for Drupal does not properly limit the rate of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack on the administrati...Show more The Services module 7.x-3.x before 7.x-3.10 for Drupal does not properly limit the rate of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack on the administrative password.Show less
CVE-2014-6627 1Arubanetworks 1Clearpass May 6, 2026 Nov 19, 2014 N/A· v4 N/A· v3 9.0 HIGH· v2 Aruba Networks ClearPass before 6.3.5 and 6.4.x before 6.4.1 allows remote attackers to execute arbitrary commands via unspecified vectors, a different vulnerability than CVE-2014-5342.
CVE-2014-6626 1Arubanetworks 1Clearpass May 6, 2026 Nov 19, 2014 N/A· v4 N/A· v3 10.0 HIGH· v2 Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 does not properly restrict access to unspecified administrative functions, which allows remote attackers to bypass authentication and execute administrative ac...Show more Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 does not properly restrict access to unspecified administrative functions, which allows remote attackers to bypass authentication and execute administrative actions via unknown vectors.Show less
CVE-2014-6625 1Arubanetworks 1Clearpass May 6, 2026 Nov 19, 2014 N/A· v4 N/A· v3 9.0 HIGH· v2 The Policy Manager in Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 allows remote authenticated users to gain privileges via unspecified vectors.
CVE-2014-7905 1Google 1Chrome May 6, 2026 Nov 19, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Google Chrome before 39.0.2171.65 on Android does not prevent navigation to a URL in cases where an intent for the URL lacks CATEGORY_BROWSABLE, which allows remote attackers to bypass intended access restrictions via a...Show more Google Chrome before 39.0.2171.65 on Android does not prevent navigation to a URL in cases where an intent for the URL lacks CATEGORY_BROWSABLE, which allows remote attackers to bypass intended access restrictions via a crafted web site.Show less
CVE-2014-6110 1Ibm 1Security Identity Manager May 6, 2026 Nov 18, 2014 N/A· v4 N/A· v3 2.1 LOW· v2 IBM Security Identity Manager 6.x before 6.0.0.3 IF14 does not properly perform logout actions, which allows remote attackers to access sessions by leveraging an unattended workstation.
CVE-2014-0228 1Apache 1Hive May 6, 2026 Nov 16, 2014 N/A· v4 N/A· v3 3.5 LOW· v2 Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated users to obtain sensitiv...Show more Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated users to obtain sensitive information via a crafted URI.Show less
CVE-2014-3120 2Elastic Elasticsearch 2Elasticsearch Elasticsearch Apr 22, 2026 Jul 28, 2014 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only vio...Show more The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.Show less
CVE-2014-2365 1Advantech 1Advantech Webaccess May 6, 2026 Jul 19, 2014 N/A· v4 N/A· v3 5.5 MEDIUM· v2 Unspecified vulnerability in Advantech WebAccess before 7.2 allows remote authenticated users to create or delete arbitrary files via unknown vectors.
CVE-2013-7293 1Asus 1Wl 330nul Apr 29, 2026 Jan 15, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The ASUS WL-330NUL router has a configuration process that relies on accessing the 192.168.1.1 IP address, but the documentation advises users to instead access a DNS hostname that does not always resolve to 192.168.1.1,...Show more The ASUS WL-330NUL router has a configuration process that relies on accessing the 192.168.1.1 IP address, but the documentation advises users to instead access a DNS hostname that does not always resolve to 192.168.1.1, which makes it easier for remote attackers to hijack the configuration traffic by controlling the server associated with that hostname.Show less
CVE-2013-4316 2Apache Oracle 4Flexcube Private Banking Mysql Enterprise MonitorStruts+1 more Apr 29, 2026 Sep 30, 2013 N/A· v4 N/A· v3 10.0 HIGH· v2 Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
CVE-2013-2175 4Canonical DebianHaproxy+1 more 4Debian Linux Enterprise Linux Load BalancerHaproxy+1 more Apr 29, 2026 Aug 19, 2013 N/A· v4 N/A· v3 5.0 MEDIUM· v2 HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index us...Show more HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable.Show less
CVE-2013-4213 1Redhat 1Jboss Enterprise Application Platform Apr 29, 2026 Aug 16, 2013 N/A· v4 N/A· v3 6.4 MEDIUM· v2 Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by the EJB client API, which allows remote attackers to hijack sessions by using an EJB client.
CVE-2013-2423 3Canonical OpensuseOracle 3Jre OpensuseUbuntu Linux Apr 22, 2026 Apr 17, 2013 N/A· v4 3.7 LOW· v3 4.3 MEDIUM· v2 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOT...Show more Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.Show less

Previous 1...250 251 252253254 Next