Improper Access Control (CWE-284) vulnerabilities

DATE CVE VULNERABILITY TITLE RISK
2015-07-26 CVE-2015-3224 Improper Access Control vulnerability in Ruby on Rails Web Console 2.1.2
request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers when determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.
Risk: 4.3
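The bug class behind this entry is an IP allow-list that is evaluated against a client-controlled X-Forwarded-For header. The following Ruby is an added illustration, not Web Console's request.rb: it shows the naive check beside a stricter one that only honours the header when the TCP peer is a configured reverse proxy. The allow-list, the trusted proxy address 192.0.2.10, and the Rack-style env hashes are constructed for the example.

```ruby
require 'ipaddr'

# Constructed for this example: hosts allowed to reach the protected feature,
# and the only reverse proxy whose X-Forwarded-For header we are willing to believe.
ALLOWED_IPS     = ['127.0.0.1', '10.0.0.0/8'].map { |cidr| IPAddr.new(cidr) }
TRUSTED_PROXIES = ['192.0.2.10'].map { |cidr| IPAddr.new(cidr) }

# True if ip_str parses and falls inside any network in list; garbage never matches.
def in_list?(list, ip_str)
  return false if ip_str.nil?
  ip = IPAddr.new(ip_str)
  list.any? { |net| net.include?(ip) }
rescue ArgumentError   # IPAddr::InvalidAddressError and friends derive from ArgumentError
  false
end

# Vulnerable pattern: whenever the header is present, believe its first entry.
# Any remote client can send "X-Forwarded-For: 127.0.0.1" and be treated as local.
def client_ip_trusting_xff(env)
  xff = env['HTTP_X_FORWARDED_FOR'].to_s
  return env['REMOTE_ADDR'] if xff.strip.empty?
  xff.split(',').first.strip
end

# Hardened pattern: X-Forwarded-For only means something when the TCP peer is one
# of our own proxies. Walk the chain from the right (the hop our proxy appended)
# and stop at the first address that is not a trusted proxy.
def client_ip_strict(env)
  peer = env['REMOTE_ADDR']
  return peer unless in_list?(TRUSTED_PROXIES, peer)
  hops = env['HTTP_X_FORWARDED_FOR'].to_s.split(',').map(&:strip).reject(&:empty?)
  hops.reverse_each { |hop| return hop unless in_list?(TRUSTED_PROXIES, hop) }
  peer   # the header named only our proxies; do not trust anything left of them
end

def permitted_vulnerable?(env)
  in_list?(ALLOWED_IPS, client_ip_trusting_xff(env))
end

def permitted_strict?(env)
  in_list?(ALLOWED_IPS, client_ip_strict(env))
end

# Constructed Rack-style env hashes (not captured traffic).
# A remote client connecting directly and claiming to be localhost:
DIRECT_SPOOF = { 'REMOTE_ADDR' => '203.0.113.5',
                 'HTTP_X_FORWARDED_FOR' => '127.0.0.1' }
# The same client behind our proxy, which appended the real peer address:
VIA_PROXY    = { 'REMOTE_ADDR' => '192.0.2.10',
                 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.5' }
# A genuine local request with no forwarding header:
LOCAL_ADMIN  = { 'REMOTE_ADDR' => '127.0.0.1' }

if __FILE__ == $0
  { 'direct spoof' => DIRECT_SPOOF, 'via proxy' => VIA_PROXY, 'local admin' => LOCAL_ADMIN }.each do |label, env|
    puts format('%-12s vulnerable=%-5s strict=%s', label, permitted_vulnerable?(env), permitted_strict?(env))
  end
end
```

The strict version is only correct when every proxy in TRUSTED_PROXIES appends the address it accepted the connection from rather than forwarding the client's header untouched; if a proxy passes the header through unmodified, the rightmost hop is attacker-chosen again. Rails' ActionDispatch::RemoteIp middleware performs the same right-to-left walk against its configured trusted proxies, which is why an allow-list should be checked against that result and not against the raw header.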
2015-07-26 CVE-2015-2847 Improper Access Control vulnerability in Honeywell Tuxedo Touch
Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authentication implemented in JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream.
Access: network, low complexity | Vendor: honeywell | CWE-284
Risk: 5.0
2015-07-22 CVE-2015-5464 Improper Access Control vulnerability in Gemalto products
The Gemalto SafeNet Luna HSM allows remote authenticated users to bypass intended key-export restrictions by leveraging (1) crypto-user or (2) crypto-officer access to an HSM partition.
Risk: 1.3
2015-07-20 CVE-2015-1922 Improper Access Control vulnerability in IBM DB2
The Data Movement implementation in IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to bypass intended access restrictions and delete table rows via unspecified vectors.
Access: network | Vendor: ibm | CWE-284
Risk: 3.5
2015-07-15 CVE-2015-4271 Improper Access Control vulnerability in Cisco TelePresence TC Software
Cisco TelePresence TC before 7.3.4 on Integrator C devices allows remote attackers to bypass authentication via vectors involving multiple request parameters, aka Bug ID CSCuv00604.
Access: network, low complexity | Vendor: cisco | CWE-284
Risk: 6.4
2015-07-14 CVE-2015-1763 Improper Access Control vulnerability in Microsoft SQL Server 2008/2012/2014
Microsoft SQL Server 2008 SP3 and SP4, 2008 R2 SP2 and SP3, 2012 SP1 and SP2, and 2014 does not prevent use of uninitialized memory in certain attempts to execute virtual functions, which allows remote authenticated users to execute arbitrary code via a crafted query, aka "SQL Server Remote Code Execution Vulnerability."
Access: network | Vendor: microsoft | CWE-284
Risk: 8.5
2015-07-14 CVE-2015-1761 Improper Access Control vulnerability in Microsoft SQL Server 2008/2012/2014
Microsoft SQL Server 2008 SP3 and SP4, 2008 R2 SP2 and SP3, 2012 SP1 and SP2, and 2014 uses an incorrect class during casts of unspecified pointers, which allows remote authenticated users to gain privileges by leveraging certain write access, aka "SQL Server Elevation of Privilege Vulnerability."
Access: network, low complexity | Vendor: microsoft | CWE-284
Risk: 6.5
2015-07-14 CVE-2015-3007 Improper Access Control vulnerability in Juniper Junos 12.1X46/12.1X47/12.3X48
Juniper SRX Series services gateways with Junos OS 12.1X46 before 12.1X46-D35, 12.1X47 before 12.1X47-D25, and 12.3X48 before 12.3X48-D15 do not properly implement the "set system ports console insecure" feature, which allows physically proximate attackers to gain administrative privileges by leveraging access to the console port.
Access: local, low complexity | Vendor: juniper | CWE-284
Risk: 7.2
2015-07-14 CVE-2015-1936 Improper Access Control vulnerability in IBM WebSphere Application Server
The administrative console in IBM WebSphere Application Server (WAS) 8.0.0 before 8.0.0.11 and 8.5 before 8.5.5.6, when the Security feature is disabled, allows remote authenticated users to hijack sessions via the JSESSIONID parameter.
Access: network | Vendor: ibm | CWE-284
Risk: 6.0
2015-07-14 CVE-2015-1927 Improper Access Control vulnerability in IBM WebSphere Application Server
The default configuration of IBM WebSphere Application Server (WAS) 7.0.0 before 7.0.0.39, 8.0.0 before 8.0.0.11, and 8.5 before 8.5.5.6 sets the com.ibm.ws.webcontainer.disallowServeServletsByClassname WebContainer property to false, which allows remote attackers to obtain privileged access via unspecified vectors.
Access: network | Vendor: ibm | CWE-284
Risk: 6.8