Vulnerabilities > Improper Access Control

DATE CVE VULNERABILITY TITLE RISK
2016-09-25 CVE-2016-4760 Improper Access Control vulnerability in Apple Itunes
WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to conduct DNS rebinding attacks against non-HTTP Safari sessions by leveraging HTTP/0.9 support.
network
low complexity
apple CWE-284
6.5
2016-09-25 CVE-2016-4694 Improper Access Control vulnerability in Apple mac OS X
The Apache HTTP Server in Apple OS X before 10.12 and OS X Server before 5.2 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted CGI client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue, a related issue to CVE-2016-5387.
network
low complexity
apple CWE-284
critical
9.1
2016-09-22 CVE-2016-5283 Improper Access Control vulnerability in Mozilla Firefox
Mozilla Firefox before 49.0 allows remote attackers to bypass the Same Origin Policy via a crafted fragment identifier in the SRC attribute of an IFRAME element, leading to insufficient restrictions on link-color information after a document is resized.
network
low complexity
mozilla CWE-284
8.8
2016-09-22 CVE-2016-5273 Improper Access Control vulnerability in Mozilla Firefox
The mozilla::a11y::HyperTextAccessible::GetChildOffset function in the accessibility implementation in Mozilla Firefox before 49.0 allows remote attackers to execute arbitrary code via a crafted web site.
network
low complexity
mozilla CWE-284
8.8
2016-09-21 CVE-2016-4464 Improper Access Control vulnerability in Apache CXF Fediz
The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature.
network
low complexity
apache CWE-284
critical
9.8
2016-09-20 CVE-2016-6802 Improper Access Control vulnerability in Apache Shiro 1.3.1
Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
network
low complexity
apache CWE-284
7.5
2016-09-14 CVE-2016-3366 Improper Access Control vulnerability in Microsoft Outlook
Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outlook 2013 RT SP1, Outlook 2016, and Outlook 2016 for Mac do not properly implement RFC 2046, which allows remote attackers to bypass virus or spam detection via crafted MIME data in an e-mail attachment, aka "Microsoft Office Spoofing Vulnerability."
network
low complexity
microsoft CWE-284
6.5
2016-09-14 CVE-2016-3345 Improper Access Control vulnerability in Microsoft products
The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Authenticated Remote Code Execution Vulnerability."
network
low complexity
microsoft CWE-284
8.8
2016-09-12 CVE-2016-5954 Improper Access Control vulnerability in IBM Websphere Portal
IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF30, 8.0.0 through 8.0.0.1 CF21, and 8.5.0 before CF12 allows remote authenticated users to cause a denial of service by uploading temporary files.
network
low complexity
ibm CWE-284
6.5
2016-09-11 CVE-2016-3899 Improper Access Control vulnerability in Google Android
OMXCodec.cpp in libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01 does not validate a certain pointer, which allows remote attackers to cause a denial of service (device hang or reboot) via a crafted media file, aka internal bug 29421811.
local
low complexity
google CWE-284
5.5