CWE-284: Improper Access Control

Abstraction: Pillar | Status: Incomplete | Structure: Simple

CWE Version: 4.18

Last Updated: 2025-09-09

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Common Consequences

Scope: Other

Technical Impact: Varies by Context

Potential Mitigations

Phases: Architecture and Design; Operation

Description: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design

Strategy: Separation of Privilege

Observed Examples

Reference: CVE-2022-24985

A form hosting website only checks the session authentication status for a single form, making it possible to bypass authentication when there are multiple forms.

Reference: CVE-2022-29238

Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.

Reference: CVE-2022-23607

Python-based HTTP library did not scope cookies to a particular domain, such that "supercookies" could be sent to any domain on redirect.

Reference: CVE-2021-21972

Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV.

Reference: CVE-2021-37415

IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV.

Reference: CVE-2021-35033

Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port.

Reference: CVE-2020-10263

Bluetooth speaker does not require authentication for the debug functionality on the UART port, allowing root shell access.

Reference: CVE-2020-13927

Default setting in workflow management product allows all API requests without authentication, as exploited in the wild per CISA KEV.

Reference: CVE-2010-4624

Bulletin board applies restrictions on number of images during post creation, but does not enforce this on editing.
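To make the create-versus-edit asymmetry of the last example (CVE-2010-4624) concrete, here is an added illustration that is not part of the CWE entry: a toy bulletin board whose vulnerable variant enforces an image limit only in create(), beside a hardened variant that routes every state change through one policy function (which also adds an ownership check that the entry itself does not mention). MAX_IMAGES and all class and function names are constructed for this example.

```python
from dataclasses import dataclass, field

MAX_IMAGES = 3  # constructed policy value for this example


@dataclass
class Post:
    owner: str
    images: list = field(default_factory=list)


class VulnerableBoard:
    """Image limit is enforced at creation only; editing bypasses it."""
    def __init__(self):
        self.posts = {}

    def create(self, user, images):
        if len(images) > MAX_IMAGES:
            raise PermissionError("too many images")
        self.posts[len(self.posts)] = Post(user, list(images))
        return len(self.posts) - 1

    def edit(self, user, post_id, images):
        # Missing: the limit (and any owner check) that create() applies.
        self.posts[post_id].images = list(images)


class HardenedBoard(VulnerableBoard):
    """Every state-changing path runs the same policy check first."""
    def _authorize(self, user, post, images):
        if post is not None and post.owner != user:
            raise PermissionError("not the owner")
        if len(images) > MAX_IMAGES:
            raise PermissionError("too many images")

    def create(self, user, images):
        self._authorize(user, None, images)
        return super().create(user, images)

    def edit(self, user, post_id, images):
        self._authorize(user, self.posts[post_id], images)
        super().edit(user, post_id, images)


def bypass_attempt(board_cls):
    """Create a 1-image post, then edit it up to 5 images (constructed input).
    Returns the resulting image count, or the PermissionError message."""
    board = board_cls()
    pid = board.create("alice", ["a.png"])
    try:
        board.edit("alice", pid, ["1", "2", "3", "4", "5"])
    except PermissionError as exc:
        return str(exc)
    return len(board.posts[pid].images)
```

The point is structural: a restriction that lives in one handler is only as strong as the weakest other path to the same resource, so enforce it in one place that every path must call.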

Modes of Introduction

Phase | Note
Architecture and Design | -
Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Operation | -

Applicable Platforms

Technology | Prevalence
Not Technology-Specific | Undetermined
ICS/OT | Undetermined

Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit
PLOVER | - | Access Control List (ACL) errors | -
WASC | 2 | Insufficient Authorization | -
7 Pernicious Kingdoms | - | Missing Access Control | -

Key Information

CWE ID: CWE-284

Abstraction: Pillar

Structure: Simple

Status: Incomplete

Related Attack Patterns

CAPEC-19, CAPEC-441, CAPEC-478, CAPEC-479, CAPEC-502, CAPEC-503, CAPEC-536, CAPEC-546, CAPEC-550, CAPEC-551, CAPEC-552, CAPEC-556, CAPEC-558, CAPEC-562, CAPEC-563, CAPEC-564, CAPEC-578