CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,505 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 38 of 171
- CVE-2023-21173MEDIUMCVSS 5.5EG 5.52023-06-28
In multiple methods of DataUsageList.java, there is a possible way to learn about admin user's network activities due to a missing permission check. This could lead to local information disclosure with no additional execution privileges ne…
- CVE-2023-21177MEDIUMCVSS 5.5EG 5.52023-06-28
In requestAppKeyboardShortcuts of WindowManagerService.java, there is a possible way to infer the app a user is interacting with due to a missing permission check. This could lead to local information disclosure with no additional executio…
- CVE-2023-21185HIGHCVSS 7.8EG 7.82023-06-28
In multiple functions of WifiNetworkFactory.java, there is a missing permission check. This could lead to local escalation of privilege from the guest user with no additional execution privileges needed. User interaction is not needed for …
- CVE-2023-21234MEDIUMCVSS 5.5EG 5.52023-08-14
In launchConfirmationActivity of ChooseLockSettingsHelper.java, there is a possible way to enable developer options without the lockscreen PIN due to a missing permission check. This could lead to local escalation of privilege with no addi…
- CVE-2023-21244MEDIUMCVSS 6.7EG 6.72023-10-06
In visitUris of Notification.java, there is a possible bypass of user profile boundaries due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not nee…
- CVE-2023-21247HIGHCVSS 7.8EG 7.82023-07-13
In getAvailabilityStatus of BluetoothScanningMainSwitchPreferenceController.java, there is a possible way to bypass a device policy restriction due to a missing permission check. This could lead to local escalation of privilege with no add…
- CVE-2023-21248HIGHCVSS 7.8EG 7.82023-07-13
In getAvailabilityStatus of WifiScanningMainSwitchPreferenceController.java, there is a possible way to bypass a device policy restriction due to a missing permission check. This could lead to local escalation of privilege with no addition…
- CVE-2023-21257HIGHCVSS 7.8EG 7.82023-07-13
In updateSettingsInternalLI of InstallPackageHelper.java, there is a possible way to sideload an app in the work profile due to a missing permission check. This could lead to local escalation of privilege with no additional execution privi…
- CVE-2023-21288MEDIUMCVSS 5.5EG 5.52023-08-14
In visitUris of Notification.java, there is a possible way to reveal images across users due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not need…
- CVE-2023-21291MEDIUMCVSS 5.5EG 5.52023-10-06
In visitUris of Notification.java, there is a possible way to reveal image contents from another user due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interactio…
- CVE-2023-21294MEDIUMCVSS 5.5EG 5.52023-10-30
In Slice, there is a possible disclosure of installed packages due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitati…
- CVE-2023-21313HIGHCVSS 7.8EG 7.82023-10-30
In Core, there is a possible way to forward calls without user knowledge due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for…
- CVE-2023-21321MEDIUMCVSS 5.5EG 5.52023-10-30
In Package Manager, there is a possible cross-user settings disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for ex…
- CVE-2023-21328HIGHCVSS 7.8EG 7.82023-10-30
In Package Installer, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges …
- CVE-2023-21329MEDIUMCVSS 5.5EG 5.52023-10-30
In Activity Manager, there is a possible way to determine whether an app is installed due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is no…
- CVE-2023-21340MEDIUMCVSS 5.5EG 5.52023-10-30
In Telecomm, there is a possible way to get the call state due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
- CVE-2023-21341HIGHCVSS 7.8EG 7.82023-10-30
In Permission Manager, there is a possible way to bypass required permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not neede…
- CVE-2023-21373HIGHCVSS 7.8EG 7.82023-10-30
In Telephony, there is a possible way for a guest user to change the preferred SIM due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not …
- CVE-2023-21378HIGHCVSS 7.8EG 7.82023-10-30
In Telecomm, there is a possible way to silence the ring for calls of secondary users due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is n…
- CVE-2023-21382MEDIUMCVSS 5.5EG 5.52023-10-30
In Content Resolver, there is a possible method to access metadata about existing content providers on the device due to a missing permission check. This could lead to local information disclosure with no additional execution privileges ne…
- CVE-2023-21388HIGHCVSS 7.8EG 7.82023-10-30
In Settings, there is a possible restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- CVE-2023-21389HIGHCVSS 7.8EG 7.82023-10-30
In Settings, there is a possible bypass of profile owner restrictions due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for ex…
- CVE-2023-21393HIGHCVSS 7.8EG 7.82023-10-30
In Settings, there is a possible way for the user to change SIM due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploita…
- CVE-2023-21450LOWCVSS 2.3EG 2.12023-02-09
Missing Authorization vulnerability in One Hand Operation + prior to version 6.1.21 allows multi-users to access owner's widget without authorization via gesture setting.
- CVE-2023-2174MEDIUMCVSS 4.3EG 4.32023-08-31
The BadgeOS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_badgeos_log_entries function in versions up to, and including, 3.7.1.6. This makes it possible for authenti…
- CVE-2023-2183MEDIUMCVSS 4.1EG 4.12023-06-06
Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a…
- CVE-2023-2189MEDIUMCVSS 4.3EG 4.32023-06-09
The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the toggle_widget function in versions up to, and including, 1.4.3. This m…
- CVE-2023-2193MEDIUMCVSS 6.5EG 6.52023-04-20
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token.
- CVE-2023-2233LOWCVSS 3.1EG 3.12023-09-29
An improper authorization issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.2.8, all versions starting from 16.3 before 16.3.5 and all versions starting from 16.4 before 16.4.1. It allows a proje…
- CVE-2023-22478HIGHCVSS 7.3EG 7.32023-01-14
KubePi is a modern Kubernetes panel. The API interfaces with unauthorized entities and may leak sensitive information. This issue has been patched in version 1.6.4. There are currently no known workarounds.
- CVE-2023-22488MEDIUMCVSS 6.8EG 6.82023-01-12
Flarum is a forum software for building communities. Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content. The notification-sending component does not che…
- CVE-2023-22489LOWCVSS 3.5EG 3.52023-01-13
Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the re…
- CVE-2023-2261MEDIUMCVSS 4.3EG 4.32023-06-09
The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_ajax_call function in versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, …
- CVE-2023-22674MEDIUMCVSS 5.4EG 5.42023-12-21
Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in Hal Gatewood Dashicons + Custom Post Types.This issue affects Dashicons + Custom Post Types: from n/a through 1.0.2.
- CVE-2023-22676LOWCVSS 3.1EG 3.12023-12-29
Missing Authorization vulnerability in Anders Thorborg.This issue affects Anders Thorborg: from n/a through 1.4.12.
- CVE-2023-2268HIGHCVSS 7.1EG 7.12023-07-15
Plane version 0.7.1 allows an unauthenticated attacker to view all stored server files of all users.
- CVE-2023-22697MEDIUMCVSS 5.3EG 5.32024-12-13
Missing Authorization vulnerability in Survey Maker team Survey Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Survey Maker: from n/a through 3.2.0.
- CVE-2023-22699MEDIUMCVSS 5.4EG 5.42024-03-25
Missing Authorization vulnerability in MainWP MainWP Wordfence Extension.This issue affects MainWP Wordfence Extension: from n/a through 4.0.7.
- CVE-2023-22701HIGHCVSS 7.5EG 7.52024-12-09
Missing Authorization vulnerability in Shopfiles Ltd Ebook Store allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ebook Store: from n/a through 5.775.
- CVE-2023-22708MEDIUMCVSS 4.3EG 4.32024-12-09
Missing Authorization vulnerability in Karim Salman Kraken.io Image Optimizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kraken.io Image Optimizer: from n/a through 2.6.7.
- CVE-2023-22728MEDIUMCVSS 4.3EG 4.32023-04-26
Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, the GridField print view incorrectly validates the permission of DataObjects potentially allowi…
- CVE-2023-22736HIGHCVSS 8.5EG 8.52023-01-26
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD use…
- CVE-2023-22737MEDIUMCVSS 6.5EG 6.52023-01-28
wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Con…
- CVE-2023-2275MEDIUMCVSS 4.3EG 4.32023-06-09
The WooCommerce Multivendor Marketplace – REST API plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the 'get_item', 'get_order_notes' and 'add_order_note' functio…
- CVE-2023-2280MEDIUMCVSS 6.5EG 6.52023-06-09
The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'ajax_public' function in versions up to, and including, 1.2.2. This makes it possible f…
- CVE-2023-22813LOWCVSS 3.3EG 3.32023-05-08
A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Anroid Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Ho…
- CVE-2023-22834LOWCVSS 2.7EG 2.72023-06-27
The Contour Service was not checking that users had permission to create an analysis for a given dataset. This could allow an attacker to clutter up Compass folders with extraneous analyses, that the attacker would otherwise not have permi…
- CVE-2023-22836LOWCVSS 3.5EG 3.52024-01-29
In cases where a multi-tenant stack user is operating Foundry’s Linter service, and the user changes a group name from the default value, the renamed value may be visible to the rest of the stack’s tenants.
- CVE-2023-2284MEDIUMCVSS 4.3EG 4.32023-06-09
The WP Activity Log Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_switch_db function in versions up to, and including, 4.5.0. This makes it possible for authen…
- CVE-2023-22858MEDIUMCVSS 5.3EG 5.32023-03-06
An Improper Access Control vulnerability in BlogEngine.NET 3.3.8.0, allows unauthenticated visitors to access the files of unpublished blogs.
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →