CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,505 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 35 of 171
- CVE-2022-48302HIGHCVSS 7.5EG 7.52023-02-09
The AMS module has a vulnerability of lacking permission verification in APIs.Successful exploitation of this vulnerability may affect data confidentiality.
- CVE-2022-48318MEDIUMCVSS 5.3EG 5.32023-02-20
No authorisation controls in the RestAPI documentation for Tribe29's Checkmk <= 2.1.0p13 and Checkmk <= 2.0.0p29 which may lead to unintended information disclosure through automatically generated user specific tags within Rest API documen…
- CVE-2022-48350HIGHCVSS 7.5EG 7.52023-03-27
The HUAWEI Messaging app has a vulnerability of unauthorized file access. Successful exploitation of this vulnerability may affect confidentiality.
- CVE-2022-48367CRITICALCVSS 9.8EG 9.82023-03-12
An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled.
- CVE-2022-48368HIGHCVSS 7.8EG 7.82023-05-09
In audio service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.
- CVE-2022-48369HIGHCVSS 7.8EG 7.82023-05-09
In audio service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.
- CVE-2022-48370MEDIUMCVSS 5.5EG 5.52023-05-09
In dialer service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges.
- CVE-2022-48371MEDIUMCVSS 5.5EG 5.52023-05-09
In dialer service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges.
- CVE-2022-48375MEDIUMCVSS 5.5EG 5.52023-05-09
In contacts service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
- CVE-2022-48376MEDIUMCVSS 5.5EG 5.52023-05-09
In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
- CVE-2022-48377MEDIUMCVSS 5.5EG 5.52023-05-09
In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
- CVE-2022-48378MEDIUMCVSS 5.5EG 5.52023-05-09
In engineermode service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
- CVE-2022-48379MEDIUMCVSS 5.5EG 5.52023-05-09
In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
- CVE-2022-48383HIGHCVSS 7.8EG 7.82023-05-09
.In srtd service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.
- CVE-2022-48384HIGHCVSS 7.8EG 7.82023-05-09
In srtd service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.
- CVE-2022-48388HIGHCVSS 7.8EG 7.82023-05-09
In powerEx service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.
- CVE-2022-48390HIGHCVSS 7.8EG 7.82023-06-06
In telephony service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.
- CVE-2022-48391MEDIUMCVSS 5.5EG 5.52023-06-06
In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
- CVE-2022-48392HIGHCVSS 7.8EG 7.82023-06-06
In dialer service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.
- CVE-2022-48440MEDIUMCVSS 5.5EG 5.52023-06-06
In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
- CVE-2022-48441MEDIUMCVSS 5.5EG 5.52023-06-06
In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
- CVE-2022-48442MEDIUMCVSS 5.5EG 5.52023-06-06
In dialer service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
- CVE-2022-48443MEDIUMCVSS 5.5EG 5.52023-06-06
In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
- CVE-2022-48444MEDIUMCVSS 5.5EG 5.52023-06-06
In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
- CVE-2022-48445MEDIUMCVSS 5.5EG 5.52023-06-06
In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
- CVE-2022-48446MEDIUMCVSS 5.5EG 5.52023-06-06
In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
- CVE-2022-48447MEDIUMCVSS 5.5EG 5.52023-06-06
In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
- CVE-2022-48448MEDIUMCVSS 5.5EG 5.52023-06-06
In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
- CVE-2022-48452MEDIUMCVSS 4.4EG 4.42023-09-04
In Ifaa service, there is a possible missing permission check. This could lead to local denial of service with System execution privileges needed
- CVE-2022-48491MEDIUMCVSS 5.3EG 5.32023-06-19
Vulnerability of missing authentication on certain HUAWEI phones.Successful exploitation of this vulnerability can lead to ads and other windows to display at any time.
- CVE-2022-4872MEDIUMCVSS 4.3EG 4.32023-01-30
The Chained Products WordPress plugin before 2.12.0 does not have authorisation and CSRF checks, as well as does not ensure that the option to be updated belong to the plugin, allowing unauthenticated attackers to set arbitrary options to …
- CVE-2022-4931MEDIUMCVSS 4.3EG 4.32023-03-07
The BackupWordPress plugin for WordPress is vulnerable to information disclosure in versions up to, and including 3.12. This is due to missing authorization on the heartbeat_received() function that triggers on WordPress heartbeat. This ma…
- CVE-2022-4932MEDIUMCVSS 4.3EG 4.32023-03-07
The Total Upkeep plugin for WordPress is vulnerable to information disclosure in versions up to, and including 1.14.13. This is due to missing authorization on the heartbeat_received() function that triggers on WordPress heartbeat. This ma…
- CVE-2022-4935HIGHCVSS 8.8EG 8.82023-04-05
The WCFM Marketplace plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 3.4.11 due to missing capability checks on various AJAX actions. This makes it possible for authentic…
- CVE-2022-4937MEDIUMCVSS 6.3EG 8.82023-04-05
The WCFM Frontend Manager plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 6.6.0 due to missing capability checks on various AJAX actions. This makes it possible for authe…
- CVE-2022-4939CRITICALCVSS 9.8EG 9.82023-04-05
THe WCFM Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including 2.10.0, due to a missing capability check on the wp_ajax_nopriv_wcfm_ajax_controller AJAX action that controls membership setti…
- CVE-2022-4940HIGHCVSS 7.3EG 6.52023-04-05
The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on various AJAX actions. This makes it possible for unauthenti…
- CVE-2022-4943HIGHCVSS 7.5EG 7.52023-10-20
The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenti…
- CVE-2022-4948MEDIUMCVSS 4.3EG 4.32023-06-07
The FlyingPress plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 3.9.6. This makes it possible for authenticated attackers, with subscriber-l…
- CVE-2022-4950HIGHCVSS 8.8EG 8.82023-06-07
Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber.
- CVE-2022-4972HIGHCVSS 7.5EG 7.52024-10-16
The Download Monitor plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST-API routes related to reporting in versions up to, and including, 4.7.51. This makes it possible for unauthen…
- CVE-2022-4974MEDIUMCVSS 6.3EG 6.32024-10-16
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_op…
- CVE-2023-0019MEDIUMCVSS 6.5EG 6.52023-02-14
In SAP GRC (Process Control) - versions GRCFND_A V1200, GRCFND_A V8100, GRCPINW V1100_700, GRCPINW V1100_731, GRCPINW V1200_750, remote-enabled function module in the proprietary SAP solution enables an authenticated attacker with minimal …
- CVE-2023-0242HIGHCVSS 8.8EG 8.82023-01-18
Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally f…
- CVE-2023-0291HIGHCVSS 7.2EG 7.22023-06-09
The Quiz And Survey Master for WordPress is vulnerable to authorization bypass due to a missing capability check on the function associated with the qsm_remove_file_fd_question AJAX action in versions up to, and including, 8.0.8. This make…
- CVE-2023-0293MEDIUMCVSS 4.3EG 4.32023-01-13
The Mediamatic – Media Library Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 2.8.1. This makes it possible for authenticated att…
- CVE-2023-0335MEDIUMCVSS 6.5EG 6.52023-03-27
The WP Shamsi WordPress plugin through 4.3.3 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber delete attachment.
- CVE-2023-0336MEDIUMCVSS 6.5EG 6.52023-03-27
The OoohBoi Steroids for Elementor WordPress plugin before 2.1.5 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber to delete attachment.
- CVE-2023-0349HIGHCVSS 7.5EG 9.12023-03-13
The Akuvox E11 libvoice library provides unauthenticated access to the camera capture for image and video. This could allow an attacker to view and record image and video from the camera.
- CVE-2023-0402MEDIUMCVSS 5.4EG 5.42023-01-19
The Social Warfare plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several AJAX actions in versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with subsc…
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →