CWE-264: Permissions, Privileges, and Access Controls — known CVE vulnerabilities
CVEs classified under CWE-264 (Permissions, Privileges, and Access Controls), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2016-8363 — CVSS 10.0 (critical): An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127…
CVE-2016-7457 — CVSS 10.0 (critical): VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to gain privileges, or halt and remove virtual…
CVE-2015-7425 — CVSS 10.0 (critical): The Data Protection component in the VMware vSphere GUI in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware…
CVE-2015-8267 — CVSS 10.0 (critical): The PasswordReset.Controllers.ResetController.ChangePasswordIndex method in PasswordReset.dll in Dovestones AD Self Password Reset before…
CVE-2015-7919 — CVSS 10.0 (critical): SearchBlox 8.3 before 8.3.1 allows remote attackers to write to the config file, and consequently cause a denial of service (application…
CVE-2015-7071 — CVSS 10.0 (critical): The File Bookmark component in Apple OS X before 10.11.2 allows attackers to bypass a sandbox protection mechanism for app scoped bookmarks…
CVE-2015-8440 — CVSS 10.0 (critical): Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR…
CVE-2015-8236 — CVSS 10.0 (critical): Arista EOS before 4.11.12, 4.12 before 4.12.11, 4.13 before 4.13.14M, 4.14 before 4.14.5FX.5, and 4.15 before 4.15.0FX1.1 allows remote…
CVE-2015-7861 — CVSS 10.0 (critical): Persistent Accelerite Radia Client Automation (formerly HP Client Automation), possibly before 9.1, allows remote attackers to execute…
CVE-2015-7709 — CVSS 10.0 (critical): The arkeiad daemon in the Arkeia Backup Agent in Western Digital Arkeia 11.0.12 and earlier allows remote attackers to bypass…
CVE-2015-0546 — CVSS 10.0 (critical): EMC Unified Infrastructure Manager/Provisioning (UIM/P) 4.1 allows remote attackers to bypass LDAP authentication by providing a valid…
CVE-2015-4032 — CVSS 10.0 (critical): projectContents.jsp in the Developer tools in Visual Mining NetCharts Server allows remote attackers to rename arbitrary files, and…
CVE-2015-3435 — CVSS 10.0 (critical): Samsung Security Manager (SSM) before 1.31 allows remote attackers to execute arbitrary code by uploading a file with an HTTP (1) PUT or…
CVE-2015-3459 — CVSS 10.0 (critical): The communication module on the Hospira LifeCare PCA Infusion System before 7.0 does not require authentication for root TELNET sessions…
CVE-2015-0932 — CVSS 10.0 (critical): The ANTlabs InnGate firmware on IG 3100, IG 3101, InnGate 3.00 E, InnGate 3.01 E, InnGate 3.02 E, InnGate 3.10 E, InnGate 3.01 G, and…
CVE-2015-2284 — CVSS 10.0 (critical): userlogin.jsp in SolarWinds Firewall Security Manager (FSM) before 6.6.5 HotFix1 allows remote attackers to gain privileges and execute…
CVE-2015-1498 — CVSS 10.0 (critical): Persistent Systems Radia Client Automation does not properly restrict access to certain request, which allows remote attackers to (1)…
CVE-2014-9353 — CVSS 10.0 (critical): NetApp OnCommand Balance before 4.2P2 contains a "default privileged account," which allows remote attackers to gain privileges via…
CVE-2015-1448 — CVSS 10.0 (critical): The integrated management service on Siemens Ruggedcom WIN51xx devices with firmware before SS4.4.4624.35, WIN52xx devices with firmware…
CVE-2014-4495 — CVSS 10.0 (critical): The kernel in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not enforce the read-only attribute of a…
CVE-2014-9583 — CVSS 10.0 (critical): common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and…
CVE-2014-9387 — CVSS 10.0 (critical): SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and gain privileges via a…
CVE-2014-9357 — CVSS 10.0 (critical): Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in…
CVE-2014-0580 — CVSS 10.0 (critical): Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows…
CVE-2014-9002 — CVSS 10.0 (critical): Lantronix xPrintServer does not properly restrict access to ips/, which allows remote attackers to execute arbitrary commands via the c…
CVE-2014-4073 — CVSS 10.0 (critical): Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 processes unverified data during interaction with the ClickOnce…
CVE-2014-0557 — CVSS 10.0 (critical): Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR…
CVE-2014-5246 — CVSS 10.0 (critical): The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication and gain…
CVE-2014-0545 — CVSS 10.0 (critical): Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before…
CVE-2014-0544 — CVSS 10.0 (critical): Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before…
CVE-2014-0543 — CVSS 10.0 (critical): Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before…
CVE-2014-0542 — CVSS 10.0 (critical): Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before…
CVE-2014-0541 — CVSS 10.0 (critical): Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before…
CVE-2014-0540 — CVSS 10.0 (critical): Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before…
CVE-2014-1381 — CVSS 10.0 (critical): Thunderbolt in Apple OS X before 10.9.4 does not properly restrict IOThunderBoltController API calls, which allows attackers to execute…
CVE-2014-1376 — CVSS 10.0 (critical): Intel Compute in Apple OS X before 10.9.4 does not properly restrict an unspecified OpenCL API call, which allows attackers to execute…
CVE-2014-1373 — CVSS 10.0 (critical): Intel Graphics Driver in Apple OS X before 10.9.4 does not properly restrict an unspecified OpenGL API call, which allows attackers to…
CVE-2012-5390 — CVSS 10.0 (critical): The standard universe shadow (condor_shadow.std) component in Condor 7.7.3 through 7.7.6, 7.8.0 before 7.8.5, and 7.9.0 does no properly…
CVE-2014-0525 — CVSS 10.0 (critical): The API in Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 on Windows and OS X does not prevent access to unmapped…
CVE-2014-1764 — CVSS 10.0 (critical): Microsoft Internet Explorer 7 through 11 allows remote attackers to execute arbitrary code and bypass a sandbox protection mechanism by…
CVE-2014-1314 — CVSS 10.0 (critical): WindowServer in Apple OS X through 10.9.2 does not prevent session creation by a sandboxed application, which allows attackers to bypass…
CVE-2013-6775 — CVSS 10.0 (critical): The Chainfire SuperSU package before 1.69 for Android allows attackers to gain privileges via the (1) backtick or (2) $() type of shell…
CVE-2014-0512 — CVSS 10.0 (critical): Adobe Reader 11.0.06 allows attackers to bypass a PDF sandbox protection mechanism via unspecified vectors, as demonstrated by VUPEN during…
CVE-2014-2321 — CVSS 10.0 (critical): web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as…
CVE-2014-0721 — CVSS 10.0 (critical): The Cisco Unified SIP Phone 3905 with firmware before 9.4(1) allows remote attackers to obtain root access via a session on the test…
CVE-2014-0648 — CVSS 10.0 (critical): The RMI interface in Cisco Secure Access Control System (ACS) 5.x before 5.5 does not properly enforce authentication and authorization…
CVE-2014-0492 — CVSS 10.0 (critical): Adobe Flash Player before 11.7.700.260 and 11.8.x and 11.9.x before 12.0.0.38 on Windows and Mac OS X and before 11.2.202.335 on Linux…
CVE-2014-0491 — CVSS 10.0 (critical): Adobe Flash Player before 11.7.700.260 and 11.8.x and 11.9.x before 12.0.0.38 on Windows and Mac OS X and before 11.2.202.335 on Linux…
CVE-2013-6955 — CVSS 10.0 (critical): webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1…
CVE-2012-0264 — CVSS 10.0 (critical): op5 Monitor and op5 Appliance before 5.5.0 do not properly manage session cookies, which allows remote attackers to have an unspecified…