Vulnerabilities > Improper Access Control

DATE        CVE             TITLE
    Description
    Attack vector | Complexity | Vendor | CWE | CVSS score
2015-01-30  CVE-2014-8827   Improper Access Control vulnerability in Apple Mac OS X
    LoginWindow in Apple OS X before 10.10.2 does not transition to the lock-screen state immediately upon being woken from sleep, which allows physically proximate attackers to obtain sensitive information by reading the screen.
    Attack vector: local | Complexity: low | Vendor: apple | CWE-284 | CVSS: 2.1
2015-01-28  CVE-2015-1376   Improper Access Control vulnerability in Pixabay Images Project Pixabay Images 2.3
    pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.
    Attack vector: network | Complexity: low | Vendor: pixabay-images-project | CWE-284 | CVSS: 4.0
2015-01-27  CVE-2014-9648   Improper Access Control vulnerability in Google Chrome
    components/navigation_interception/intercept_navigation_resource_throttle.cc in Google Chrome before 40.0.2214.91 on Android does not properly restrict use of intent: URLs to open an application after navigation to a web site, which allows remote attackers to cause a denial of service (loss of browser access to that site) via crafted JavaScript code, as demonstrated by pandora.com and the Pandora application, a different vulnerability than CVE-2015-1205.
    Attack vector: network | Vendor: google | CWE-284 | CVSS: 4.3
2015-01-27  CVE-2014-9197   Improper Access Control vulnerability in Schneider-Electric products
    The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sensitive setup and configuration information via a direct request.
    Attack vector: network | Complexity: low | Vendor: schneider-electric | CWE-284 | CVSS: 7.8
2015-01-26  CVE-2015-1307   Improper Access Control vulnerability in KDE Plasma-Workspace
    plasma-workspace before 5.1.95 allows remote attackers to obtain passwords via a Trojan horse Look and Feel package.
    Attack vector: network | Vendor: kde | CWE-284 | CVSS: 4.3
2015-01-26  CVE-2014-9572   Improper Access Control vulnerability in MantisBT
    MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.
    Attack vector: network | Complexity: low | Vendor: mantisbt | CWE-284 | CVSS: 7.5
2014-12-25  CVE-2014-1449   Improper Access Control vulnerability in Maxthon Cloud Browser 4.1.5.2000
    The Maxthon Cloud Browser application before 4.1.6.2000 for Android allows remote attackers to spoof the address bar via crafted JavaScript code that uses the history API.
    Attack vector: network | Complexity: low | Vendor: maxthon | CWE-284 | CVSS: 5.0
2014-12-25  CVE-2014-7193   Improper Access Control vulnerability in Sideway Hapi Crumb
    The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site that is visited by an application consumer.
    Attack vector: network | Vendor: sideway | CWE-284 | CVSS: 5.8
2014-12-22  CVE-2014-5208   Improper Access Control vulnerability in Yokogawa CENTUM CS 3000, CENTUM VP and Exaopc
    BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbitrary files via a STOR operation, or obtain sensitive database-location information via a PMODE operation, a different vulnerability than CVE-2014-0784.
    Attack vector: network | Complexity: low | Vendor: yokogawa | CWE-284 | CVSS: 7.5
2014-12-18  CVE-2014-6078   Improper Access Control vulnerability in IBM products
    IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.
    Attack vector: network | Complexity: low | Vendor: ibm | CWE-284 | CVSS: 5.0