CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,465 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 15 of 170
- CVE-2020-9456HIGHCVSS 8.8EG 8.82020-03-06
In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the user controller allows remote authenticated users (with minimal privileges) to elevate their privileges to administrator via class_rm_user_controller.php rm_user_edit.
- CVE-2020-9457HIGHCVSS 8.8EG 8.82020-03-06
The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remote authenticated users (with minimal privileges) to import custom vulnerable forms and change form settings via class_rm_form_settings_controller.php, resulting in privi…
- CVE-2020-9458HIGHCVSS 8.8EG 8.82020-03-06
In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the export function allows remote authenticated users (with minimal privileges) to export submitted form data and settings via class_rm_form_controller.php rm_form_export.
- CVE-2020-9514MEDIUMCVSS 6.5EG 6.52020-04-07
An issue was discovered in the IMPress for IDX Broker plugin before 2.6.2 for WordPress. wrappers.php allows a logged-in user (with the Subscriber role) to permanently delete arbitrary posts and pages, create new posts with arbitrary subje…
- CVE-2020-9982MEDIUMCVSS 5.5EG 5.52020-10-27
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Apple Music 3.4.0 for Android. A malicious application may be able to leak a user's credentials.
- CVE-2021-0328HIGHCVSS 7.8EG 7.82021-02-10
In onBatchScanReports and deliverBatchScan of GattService.java, there is a possible way to retrieve Bluetooth scan results without permissions due to a missing permission check. This could lead to local escalation of privilege with no addi…
- CVE-2021-0380HIGHCVSS 7.8EG 7.82021-03-10
In onReceive of DcTracker.java, there is a possible way to trigger a provisioning URL and modify other telephony settings due to a missing permission check. This could lead to local escalation of privilege during the onboarding flow with n…
- CVE-2021-0385HIGHCVSS 7.8EG 7.82021-03-10
In createConnectToAvailableNetworkNotification of ConnectToNetworkNotificationBuilder.java, there is a possible connection to untrusted WiFi networks due to notification interaction above the lockscreen. This could lead to local escalation…
- CVE-2021-0388HIGHCVSS 7.8EG 7.82021-03-10
In onReceive of ImsPhoneCallTracker.java, there is a possible misattribution of data usage due to an incorrect broadcast handler. This could lead to local escalation of privilege resulting in attributing video call data to the wrong app, w…
- CVE-2021-0389HIGHCVSS 7.8EG 7.82021-03-10
In setNightModeActivated of UiModeManagerService.java, there is a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Pr…
- CVE-2021-0390HIGHCVSS 7.8EG 7.82021-03-10
In various methods of WifiNetworkSuggestionsManager.java, there is a possible modification of suggested networks due to a missing permission check. This could lead to local escalation of privilege by a background user on the same device wi…
- CVE-2021-0403MEDIUMCVSS 4.4EG 4.42021-02-26
In netdiag, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: An…
- CVE-2021-0415MEDIUMCVSS 5.5EG 5.52021-08-18
In memory management driver, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for e…
- CVE-2021-0428MEDIUMCVSS 5.5EG 5.52021-04-13
In getSimSerialNumber of TelephonyManager.java, there is a possible way to read a trackable identifier due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interacti…
- CVE-2021-0491HIGHCVSS 7.8EG 7.82021-06-11
In memory management driver, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for…
- CVE-2021-0505HIGHCVSS 7.8EG 7.82021-06-21
In the Settings app, there is a possible way to disable an always-on VPN due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for…
- CVE-2021-0513HIGHCVSS 7.8EG 7.82021-06-21
In deleteNotificationChannel and related functions of NotificationManagerService.java, there is a possible permission bypass due to improper state validation. This could lead to local escalation of privilege via hidden services with no add…
- CVE-2021-0518MEDIUMCVSS 5.5EG 5.52021-07-14
In Wi-Fi, there is a possible leak of location-sensitive data due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitatio…
- CVE-2021-0521MEDIUMCVSS 5.5EG 5.52021-06-21
In getAllPackages of PackageManagerService, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure of cross-user permissions with no additional execution privileges nee…
- CVE-2021-0539HIGHCVSS 7.8EG 7.82021-06-22
In archiveStoredConversation of MmsService.java, there is a possible way to archive message conversation without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution …
- CVE-2021-0547HIGHCVSS 7.8EG 7.82021-06-22
In onReceive of NetInitiatedActivity.java, there is a possible way to supply an attacker-controlled value to a GPS HAL handler due to a missing permission check. This could lead to local escalation of privilege that may result in undefined…
- CVE-2021-0554MEDIUMCVSS 5.5EG 5.52021-06-22
In isBackupServiceActive of BackupManagerService.java, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Pro…
- CVE-2021-0568HIGHCVSS 7.8EG 7.82021-06-22
In onReceive of DevicePolicyManagerService.java, there is a possible enabling of disabled profiles due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User int…
- CVE-2021-0597MEDIUMCVSS 5.5EG 5.52021-07-14
In notifyProfileAdded and notifyProfileRemoved of SipService.java, there is a possible way to retrieve SIP account names due to a missing permission check. This could lead to local information disclosure with no additional execution privil…
- CVE-2021-0641MEDIUMCVSS 5.5EG 5.52021-08-17
In getAvailableSubscriptionInfoList of SubscriptionController.java, there is a possible disclosure of unique identifiers due to a missing permission check. This could lead to local information disclosure with no additional execution privil…
- CVE-2021-0642MEDIUMCVSS 5.5EG 5.52021-08-17
In onResume of VoicemailSettingsFragment.java, there is a possible way to retrieve a trackable identifier without permissions due to a missing permission check. This could lead to local information disclosure with no additional execution p…
- CVE-2021-0643MEDIUMCVSS 5.5EG 5.52021-10-22
In getAllSubInfoList of SubscriptionController.java, there is a possible way to retrieve a long term identifier without the correct permissions due to a missing permission check. This could lead to local information disclosure with User ex…
- CVE-2021-0653MEDIUMCVSS 5.5EG 5.52021-12-15
In enqueueNotification of NetworkPolicyManagerService.java, there is a possible way to retrieve a trackable identifier due to a missing permission check. This could lead to local information disclosure with no additional execution privileg…
- CVE-2021-0654MEDIUMCVSS 5.5EG 5.52021-07-14
In isRealSnapshot of TaskThumbnailView.java, there is possible data exposure due to a missing permission check. This could lead to local information disclosure from locked profiles with no additional execution privileges needed. User inter…
- CVE-2021-0672MEDIUMCVSS 5.5EG 5.52021-11-18
In Browser app, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.P…
- CVE-2021-0673HIGHCVSS 7.8EG 7.82021-12-17
In Audio Aurisys HAL, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation…
- CVE-2021-0680MEDIUMCVSS 5.5EG 5.52021-10-06
In system properties, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploita…
- CVE-2021-0681MEDIUMCVSS 5.5EG 5.52021-10-06
In system properties, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploita…
- CVE-2021-0682MEDIUMCVSS 5.5EG 5.52021-10-06
In sendAccessibilityEvent of NotificationManagerService.java, there is a possible disclosure of notification data due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. Use…
- CVE-2021-0686MEDIUMCVSS 5.5EG 5.52021-10-06
In getDefaultSmsPackage of RoleManagerService.java, there is a possible way to get information about the default sms app of a different device user due to a missing permission check. This could lead to local information disclosure with no …
- CVE-2021-0706MEDIUMCVSS 5.5EG 5.52021-10-22
In startListening of PluginManagerImpl.java, there is a possible way to disable arbitrary app components due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User int…
- CVE-2021-0735MEDIUMCVSS 5.5EG 5.52022-08-11
In PackageManager, there is a possible way to get information about installed packages ignoring limitations introduced in Android 11 due to a missing permission check. This could lead to local information disclosure with no additional exec…
- CVE-2021-0922HIGHCVSS 7.8EG 7.82021-12-15
In enforceCrossUserOrProfilePermission of PackageManagerService.java, there is a possible bypass of INTERACT_ACROSS_PROFILES permission due to a missing permission check. This could lead to local escalation of privilege with no additional …
- CVE-2021-0923HIGHCVSS 7.8EG 7.82021-12-15
In createOrUpdate of Permission.java, there is a possible way to gain internal permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction…
- CVE-2021-0926HIGHCVSS 7.8EG 7.82021-12-15
In onCreate of NfcImportVCardActivity.java, there is a possible way to add a contact without user's consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed.…
- CVE-2021-0965HIGHCVSS 8.8EG 8.82021-12-15
In AndroidManifest.xml of Settings, there is a possible pairing of a Bluetooth device without user's consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed…
- CVE-2021-0978LOWCVSS 3.3EG 3.32021-12-15
In getSerialForPackage of DeviceIdentifiersPolicyService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information di…
- CVE-2021-0982LOWCVSS 3.3EG 3.32021-12-15
In getOrganizationNameForUser of DevicePolicyManagerService.java, there is a possible organization name disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges n…
- CVE-2021-0985HIGHCVSS 7.8EG 7.82021-12-15
In onReceive of AlertReceiver.java, there is a possible way to dismiss system dialog due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is no…
- CVE-2021-0986MEDIUMCVSS 5.5EG 5.52021-12-15
In hasGrantedPolicy of DevicePolicyManagerService.java, there is a possible information disclosure about the device owner, profile owner, or device admin due to a logic error in the code. This could lead to local information disclosure wit…
- CVE-2021-0994LOWCVSS 3.3EG 3.32021-12-15
In requestRouteToHostAddress of ConnectivityService.java, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. This could lead to local information disclosure with …
- CVE-2021-0999HIGHCVSS 7.8EG 7.82021-12-15
In the broadcast definition in AndroidManifest.xml, there is a possible way to set the A2DP bluetooth device connection state due to a missing permission check. This could lead to local escalation of privilege with no additional execution …
- CVE-2021-1004HIGHCVSS 7.8EG 7.82021-12-15
In getConfiguredNetworks of WifiServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. This could lead to local escalation of privilege with no addi…
- CVE-2021-1010MEDIUMCVSS 5.5EG 5.52021-12-15
In getSigningKeySet of PackageManagerService.java, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product…
- CVE-2021-1011MEDIUMCVSS 5.5EG 5.52021-12-15
In setPackageStoppedState of PackageManagerService.java, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.P…
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →