Vulnerabilities > Improper Access Control

DATE CVE VULNERABILITY TITLE RISK
2016-12-08 CVE-2016-9920 Improper Access Control vulnerability in Roundcube Webmail
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.
network
high complexity
roundcube CWE-284
7.5
2016-12-06 CVE-2016-5341 Improper Access Control vulnerability in Google Android
The GPS component in Android before 2016-12-05 allows man-in-the-middle attackers to cause a denial of service (GPS signal-acquisition delay) via an incorrect xtra.bin or xtra2.bin file on a spoofed Qualcomm gpsonextra.net or izatcloud.net host, aka internal bug 31470303 and external bug 211602 (and AndroidID-7225554).
network
high complexity
google CWE-284
5.9
2016-12-05 CVE-2016-9836 Improper Access Control vulnerability in Joomla Joomla!
The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to upload and execute files with the `.php6`, `.php7`, `.phtml`, and `.phpt` extensions.
network
low complexity
joomla CWE-284
critical
9.8
2016-12-05 CVE-2016-9835 Improper Access Control vulnerability in Zikula Application Framework
Directory traversal vulnerability in file "jcss.php" in Zikula 1.3.x before 1.3.11 and 1.4.x before 1.4.4 on Windows allows a remote attacker to launch a PHP object injection by uploading a serialized file.
network
low complexity
zikula CWE-284
critical
9.8
2016-12-05 CVE-2016-9157 Improper Access Control vulnerability in Siemens Sicam Pas/Pqs
A vulnerability in Siemens SICAM PAS (all versions before V8.09) could allow a remote attacker to cause a Denial of Service condition and potentially lead to unauthenticated remote code execution by sending specially crafted packets to port 19234/TCP.
network
low complexity
siemens CWE-284
critical
9.8
2016-12-05 CVE-2016-9156 Improper Access Control vulnerability in Siemens Sicam Pas/Pqs
A vulnerability in Siemens SICAM PAS (all versions before V8.09) could allow a remote attacker to upload, download, or delete files in certain parts of the file system by sending specially crafted packets to port 19235/TCP.
network
low complexity
siemens CWE-284
7.3
2016-12-01 CVE-2016-3044 Improper Access Control vulnerability in IBM Powerkvm
The Linux kernel component in IBM PowerKVM 2.1 before 2.1.1.3-65.10 and 3.1 before 3.1.0.2 allows guest OS users to cause a denial of service (host OS infinite loop and hang) via unspecified vectors.
local
low complexity
ibm CWE-284
6.5
2016-11-30 CVE-2016-2887 Improper Access Control vulnerability in IBM IMS Enterprise Suite
IBM IMS Enterprise Suite Data Provider before 3.2.0.1 for Microsoft .NET allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors.
network
low complexity
ibm CWE-284
8.1
2016-11-30 CVE-2016-2874 Improper Access Control vulnerability in IBM Qradar Security Information and Event Manager
IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 mishandles authorization, which allows remote authenticated users to obtain sensitive information via unspecified vectors.
network
high complexity
ibm CWE-284
3.1
2016-11-30 CVE-2016-8222 Improper Access Control vulnerability in Lenovo products
A vulnerability has been identified in a signed kernel driver for the BIOS of some ThinkPad systems that can allow an attacker with Windows administrator-level privileges to call System Management Mode (SMM) services.
local
low complexity
lenovo CWE-284
4.4