CWE-1220: Insufficient Granularity of Access Control
36 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-1220 (page 1 of 1)
- CVE-2021-31384 | HIGH | CVSS 7.2 | EG 7.2 | 2021-10-19
Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an attacker who attempts to access J-Web a…
- CVE-2022-1177 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-03-30
Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0.
- CVE-2022-1461 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-04-25
Non-privileged user can enable or disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1.
- CVE-2022-2475 | CRITICAL | CVSS 9.8 | EG 8.8 | 2022-10-28
Haas Controller version 100.20.000.1110 has insufficient granularity of access control when using the "Ethernet Q Commands" service. Any user is able to write macros into registers outside of the authorized accessible range. This could all…
- CVE-2022-36110 | HIGH | CVSS 8.8 | EG 8.8 | 2022-09-09
Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, t…
- CVE-2022-4801 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-12-28
Insufficient Granularity of Access Control in GitHub repository usememos/memos prior to 0.9.1.
- CVE-2022-4813 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-12-28
Insufficient Granularity of Access Control in GitHub repository usememos/memos prior to 0.9.1.
- CVE-2023-0203 | MEDIUM | CVSS 5.0 | EG 5.0 | 2023-04-22
NVIDIA ConnectX-5, ConnectX-6, and ConnectX6-DX contain a vulnerability in the NIC firmware, where an unprivileged user can exploit insufficient granularity of access control, which may lead to denial of service.
- CVE-2023-0205 | MEDIUM | CVSS 5.0 | EG 5.0 | 2023-04-22
NVIDIA ConnectX-5, ConnectX-6, and ConnectX6-DX contain a vulnerability in the NIC firmware, where an unprivileged user can exploit insufficient granularity of access control, which may lead to denial of service.
- CVE-2023-27591 | HIGH | CVSS 7.5 | EG 7.5 | 2023-03-17
Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` configuration option is enabled and `METRICS_ALLOWED_NETW…
- CVE-2023-32259 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-03-19
Insufficient Granularity of Access Control vulnerability in OpenText™ Service Management Automation X (SMAX), OpenText™ Asset Management X (AMX) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects…
- CVE-2023-3227 | MEDIUM | CVSS 5.7 | EG 5.4 | 2023-06-14
Insufficient Granularity of Access Control in GitHub repository fossbilling/fossbilling prior to 0.5.0.
- CVE-2023-33127 | HIGH | CVSS 8.1 | EG 8.1 | 2023-07-11
.NET and Visual Studio Elevation of Privilege Vulnerability
- CVE-2023-39418 | LOW | CVSS 3.1 | EG 3.1 | 2023-08-11
A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not…
- CVE-2023-40070 | HIGH | CVSS 8.8 | EG 8.8 | 2024-05-16
Improper access control in some Intel(R) Power Gadget software for macOS all versions may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2023-43040 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-05-14
IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access. IBM X-Force ID: 266807.
- CVE-2023-44285 | HIGH | CVSS 7.8 | EG 7.8 | 2023-12-14
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to…
- CVE-2023-4456 | MEDIUM | CVSS 5.7 | EG 5.7 | 2023-08-21
A flaw was found in openshift-logging LokiStack. The key used for caching is just the token, which is too broad. This issue allows a user with a token valid for one action to execute other actions as long as the authorization allowing the …
- CVE-2023-45217 | HIGH | CVSS 8.8 | EG 8.8 | 2024-05-16
Improper access control in Intel(R) Power Gadget software for Windows all versions may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2023-50713 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-12-14
Speckle Server provides server, frontend, 3D viewer, and other JavaScript utilities for the Speckle 3D data platform. A vulnerability in versions prior to 2.17.6 affects users who: authorized an application which requested a 'token write' …
- CVE-2023-6725 | MEDIUM | CVSS 5.5 | EG 6.6 | 2024-03-15
An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. A malicious attacker with access to any container could exploi…
- CVE-2024-2412 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-03-13
The disabling function of the user registration page for Heimavista Rpage and Epage is not properly implemented, allowing remote attackers to complete user registration on sites where user registration is supposed to be disabled.
- CVE-2024-26246 | LOW | CVSS 3.9 | EG 3.9 | 2024-03-14
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
- CVE-2024-29200 | MEDIUM | CVSS 6.8 | EG 6.8 | 2024-03-28
Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` per…
- CVE-2024-39323 | HIGH | CVSS 7.1 | EG 7.1 | 2024-07-02
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over…
- CVE-2024-39324 | LOW | CVSS 3.8 | EG 3.8 | 2024-07-02
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows editors to manage own services via GraphQL API whi…
- CVE-2024-42365 | HIGH | CVSS 7.4 | EG 7.4 | 2024-08-08
Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may chang…
- CVE-2024-43604 | MEDIUM | CVSS 5.7 | EG 5.7 | 2024-10-08
Outlook for Android Elevation of Privilege Vulnerability
- CVE-2024-52799 | HIGH | CVSS 8.2 | EG 8.2 | 2024-11-21
Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the s…
- CVE-2024-52814 | LOW | CVSS 2.8 | EG 2.8 | 2024-11-22
Argo Helm is a collection of community maintained charts for `argoproj.github.io` projects. Prior to version 0.45.0, the `workflow-role` lacks granularity in its privileges, giving permissions to `workflowtasksets` and `workflowartifactgc…
- CVE-2024-5389 | HIGH | CVSS 8.1 | EG 8.1 | 2024-06-09
In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the ap…
- CVE-2024-6867 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-09-13
An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As …
- CVE-2024-8927 | HIGH | CVSS 7.5 | EG 7.5 | 2024-10-08
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this va…
- CVE-2026-35436 | HIGH | CVSS 8.8 | EG 8.8 | 2026-05-12
Insufficient granularity of access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.
- CVE-2026-37981 | MEDIUM | CVSS 4.3 | EG 4.3 | 2026-05-19
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest person…
- CVE-2026-40365 | HIGH | CVSS 8.8 | EG 8.8 | 2026-05-12
Insufficient granularity of access control in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
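The LokiStack entry (CVE-2023-4456) describes the cache-key variant of this weakness: an authorization verdict cached under the bearer token alone is replayed for actions the token was never checked for. The following is an added illustration written for this page, not code from LokiStack or any other project listed above. The token names, tenants, actions and the `POLICY` table are constructed; `Upstream` stands in for whatever slow authoritative check the cache fronts.

```python
"""Added example: an authorization cache keyed on the token only, beside one
keyed on the full (token, tenant, action) decision. All names are constructed."""
from typing import Callable, Dict, Tuple

Decision = Callable[[str, str, str], bool]

# Constructed entitlements: which (tenant, action) pairs each token may perform.
POLICY: Dict[str, set] = {
    "tok-reader": {("tenant-a", "query")},
    "tok-writer": {("tenant-a", "query"), ("tenant-a", "push")},
}


class Upstream:
    """Stands in for the slow authoritative check being cached and counts how
    often it is consulted, so the two cache designs can be compared."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, token: str, tenant: str, action: str) -> bool:
        self.calls += 1
        return (tenant, action) in POLICY.get(token, set())


class CoarseCache:
    """Flawed: the key is the token alone, so whatever verdict the first request
    earned is replayed for every later tenant/action presented with that token."""

    def __init__(self, check: Decision) -> None:
        self._check = check
        self._cache: Dict[str, bool] = {}

    def allowed(self, token: str, tenant: str, action: str) -> bool:
        if token not in self._cache:
            self._cache[token] = self._check(token, tenant, action)
        return self._cache[token]


class ScopedCache:
    """Fixed: the key carries every input the decision depends on, so a cache hit
    can only replay a verdict for the identical request."""

    def __init__(self, check: Decision) -> None:
        self._check = check
        self._cache: Dict[Tuple[str, str, str], bool] = {}

    def allowed(self, token: str, tenant: str, action: str) -> bool:
        key = (token, tenant, action)
        if key not in self._cache:
            self._cache[key] = self._check(*key)
        return self._cache[key]


def replay_attempt(cache_cls) -> Tuple[bool, int]:
    """Warm the cache with a legitimate query, confirm the hit, then try a push
    the token was never granted. Returns (push_allowed, upstream_calls_made)."""
    upstream = Upstream()
    cache = cache_cls(upstream)
    assert cache.allowed("tok-reader", "tenant-a", "query")  # legitimate; caches True
    cache.allowed("tok-reader", "tenant-a", "query")          # cache hit for both designs
    push_allowed = cache.allowed("tok-reader", "tenant-a", "push")
    return push_allowed, upstream.calls


if __name__ == "__main__":
    print("coarse:", replay_attempt(CoarseCache))  # (True, 1): push wrongly allowed, never re-checked
    print("scoped:", replay_attempt(ScopedCache))  # (False, 2): push re-checked and denied
```

The scoped design still caches (the repeated query is served from memory in both cases); the only cost of the fix is one extra upstream call per distinct request, which is the call the coarse design was wrongly skipping.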
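The two lunary entries (CVE-2024-5389, CVE-2024-6867) and the Kimai entry (CVE-2024-29200) share a pattern: the caller is authenticated, but the object lookup is keyed on the record id alone and never bound to the caller's organization, so any valid session reaches another tenant's records by guessing ids. The following is an added illustration written for this page, not code from lunary, Kimai or any listed project; the `Dataset`/`User` records and ids are constructed.

```python
"""Added example: an object lookup filtered by id only, beside one that also
binds the caller's organization. All records and ids are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Dataset:
    id: int
    org_id: str
    name: str


@dataclass(frozen=True)
class User:
    id: str
    org_id: str


# Constructed store: two organizations, each owning one dataset.
DATASETS: Dict[int, Dataset] = {
    1: Dataset(1, "org-alpha", "alpha-eval"),
    2: Dataset(2, "org-beta", "beta-eval"),
}


class NotFound(Exception):
    pass


def get_dataset_by_id_only(user: User, dataset_id: int) -> Dataset:
    """Flawed: the caller is authenticated (we have a User) but the predicate
    is only the id. A handler written this way for update or delete has the
    same hole, which is what the create/update/get/delete wording describes."""
    try:
        return DATASETS[dataset_id]
    except KeyError:
        raise NotFound(dataset_id)


def get_dataset_scoped(user: User, dataset_id: int) -> Dataset:
    """Fixed: the organization is part of the lookup predicate (the SQL form is
    WHERE id = ? AND org_id = ?). A record that exists but belongs to another
    org is reported exactly like a missing one, so the endpoint does not leak
    which ids are live."""
    ds = DATASETS.get(dataset_id)
    if ds is None or ds.org_id != user.org_id:
        raise NotFound(dataset_id)
    return ds


def probe(lookup: Callable[[User, int], Dataset], user: User, ids: List[int]) -> List[Optional[str]]:
    """Walk a range of ids the way an attacker would. Returns the dataset name
    for each id that was reachable and None for each that was refused."""
    reached: List[Optional[str]] = []
    for i in ids:
        try:
            reached.append(lookup(user, i).name)
        except NotFound:
            reached.append(None)
    return reached


if __name__ == "__main__":
    beta_user = User("u-42", "org-beta")
    print(probe(get_dataset_by_id_only, beta_user, [1, 2, 3]))  # ['alpha-eval', 'beta-eval', None]
    print(probe(get_dataset_scoped, beta_user, [1, 2, 3]))      # [None, 'beta-eval', None]
```

The useful check when reviewing a code base for this class is to locate every query that takes a client-supplied id and confirm the tenant or owner column is in the same predicate, for reads and writes alike, rather than relying on the UI never presenting a foreign id; the Kimai entry is the case where the UI enforced a permission that the API path never consulted.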
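The two Argo Helm entries (CVE-2024-52799, CVE-2024-52814) are the RBAC form of the weakness: a Role granting more verbs and resources than the workflow needs, the worst being `create` on `pods/exec`. The following is an added illustration written for this page, not code from the Argo Helm charts. The `WORKFLOW_ROLE` manifest is constructed to resemble the over-broad role described (it is not the chart's actual role), and `WORKFLOW_NEEDS` is an allow-list chosen for the demonstration, not a published minimum.

```python
"""Added example: audit a Kubernetes Role against an explicit allow-list of
(apiGroup, resource) -> verbs, then rewrite it down to that allow-list.
Manifest and allow-list are constructed for illustration."""
from typing import Dict, List, Set, Tuple

# Constructed manifest, shaped as PyYAML would load a Role. "" is the core API group.
WORKFLOW_ROLE: Dict = {
    "kind": "Role",
    "metadata": {"name": "workflow-role", "namespace": "argo"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "patch"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
        {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "watch"]},
        {"apiGroups": ["argoproj.io"], "resources": ["workflowtasksets"], "verbs": ["*"]},
    ],
}

# Constructed allow-list: what a workflow pod is assumed to need. Anything absent
# here (pods/exec, for instance) is a grant the holder has no business carrying.
WORKFLOW_NEEDS: Dict[Tuple[str, str], Set[str]] = {
    ("", "pods"): {"get", "watch", "patch"},
    ("", "pods/log"): {"get", "watch"},
    ("argoproj.io", "workflowtasksets"): {"get", "list", "watch"},
}


def _grants(role: Dict):
    """Flatten rules into (group, resource, verb) triples."""
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    yield group, resource, verb


def audit_role(role: Dict, allowed: Dict[Tuple[str, str], Set[str]]) -> List[str]:
    """Report every wildcard and every grant outside the allow-list."""
    findings: List[str] = []
    for group, resource, verb in _grants(role):
        label = f"{group or 'core'}/{resource} {verb}"
        if "*" in (group, resource, verb):
            findings.append(f"wildcard grant: {label}")
        elif verb not in allowed.get((group, resource), set()):
            findings.append(f"not in allow-list: {label}")
    return findings


def narrow_role(role: Dict, allowed: Dict[Tuple[str, str], Set[str]]) -> Dict:
    """Rewrite the rules to the intersection with the allow-list. Wildcard verbs
    expand to the allowed verbs; wildcard groups/resources and unknown resources
    are dropped outright rather than guessed at."""
    kept: List[Dict] = []
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                permitted = allowed.get((group, resource))
                if not permitted:
                    continue
                verbs = set(rule.get("verbs", []))
                verbs = set(permitted) if "*" in verbs else verbs & permitted
                if verbs:
                    kept.append({"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)})
    return {**role, "rules": kept}


if __name__ == "__main__":
    for line in audit_role(WORKFLOW_ROLE, WORKFLOW_NEEDS):
        print(line)
    # prints: not in allow-list: core/pods/exec create
    #         wildcard grant: argoproj.io/workflowtasksets *
    print(audit_role(narrow_role(WORKFLOW_ROLE, WORKFLOW_NEEDS), WORKFLOW_NEEDS))  # []
```

The allow-list is the part worth arguing over in review: it forces the chart author to write down what the workflow actually does, which is exactly the granularity the original role lacked. Against a live cluster the same check can be driven from `kubectl get role -o json` output instead of the constructed dict.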