CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,528 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 81 of 171
- CVE-2024-40852MEDIUMCVSS 5.3EG 7.52024-09-17
This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 18 and iPadOS 18. An attacker may be able to see recent photos without authentication in Assistive Access.
- CVE-2024-4088MEDIUMCVSS 4.3EG 4.32024-06-05
The Gutenberg Blocks and Page Layouts – Attire Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disable_fe_assets function in all versions up to, and including, 1.9.2…
- CVE-2024-4102MEDIUMCVSS 5.4EG 5.42024-07-09
The Pricing Table plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, w…
- CVE-2024-41108HIGHCVSS 7.5EG 7.52024-07-31
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. The hostinfo page has missing/improper access control since only the host's mac address is required to obtain the configuration information. This data can …
- CVE-2024-4138MEDIUMCVSS 4.3EG 4.32024-05-14
Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can enable/disable the sharing rule of…
- CVE-2024-4139MEDIUMCVSS 4.3EG 4.32024-05-14
Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can delete rules of other users affect…
- CVE-2024-41624MEDIUMCVSS 6.3EG 6.32024-07-29
Incorrect access control in Himalaya Xiaoya nano smart speaker rom_version 1.6.96 allows a remote attacker to have an unspecified impact.
- CVE-2024-4163HIGHCVSS 8.0EG 8.02024-04-26
The Skylab IGX IIoT Gateway allowed users to connect to it via a limited shell terminal (IGX). However, it was discovered that the process was running under root privileges. This allowed the attacker to read, write, and modify any file in …
- CVE-2024-41728LOWCVSS 2.7EG 2.72024-09-10
Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker …
- CVE-2024-41729MEDIUMCVSS 4.3EG 4.32024-09-10
Due to missing authorization checks, SAP BEx Analyzer allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limite…
- CVE-2024-41730CRITICALCVSS 9.8EG 9.82024-08-13
In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in…
- CVE-2024-41734MEDIUMCVSS 4.3EG 4.32024-08-13
Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user related information. There is no impact on int…
- CVE-2024-41918MEDIUMCVSS 6.1EG 3.12024-08-29
'Rakuten Ichiba App' for Android 12.4.0 and earlier and 'Rakuten Ichiba App' for iOS 11.7.0 and earlier are vulnerable to improper authorization in handler for custom URL scheme. An arbitrary site may be displayed on the WebView of the pro…
- CVE-2024-4199MEDIUMCVSS 4.3EG 4.32024-05-15
The Bulk Posts Editing For WordPress plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on the plugin's AJAX actions in all versions up to, and including, 4.2.3. This makes it possi…
- CVE-2024-42035HIGHCVSS 8.4EG 8.42024-08-08
Permission control vulnerability in the App Multiplier module Impact:Successful exploitation of this vulnerability may affect functionality and confidentiality.
- CVE-2024-4205MEDIUMCVSS 4.3EG 4.32024-05-31
The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_template_content() function in all versions up to, and including, 4.10.31. This makes it possib…
- CVE-2024-4222HIGHCVSS 7.3EG 7.32024-05-16
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it poss…
- CVE-2024-4223CRITICALCVSS 9.8EG 9.82024-05-16
The Tutor LMS plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible…
- CVE-2024-4233MEDIUMCVSS 4.3EG 4.32024-05-08
Missing Authorization vulnerability in Tyche Softwares Print Invoice & Delivery Notes for WooCommerce, Tyche Softwares Arconix Shortcodes, Tyche Softwares Arconix FAQ.This issue affects Print Invoice & Delivery Notes for WooCommerce: from …
- CVE-2024-42371MEDIUMCVSS 5.4EG 5.42024-09-10
The RFC enabled function module allows a low privileged user to delete the workplace favourites of any user. This vulnerability could be utilized to identify usernames and access information about targeted user's workplaces and nodes. Ther…
- CVE-2024-42372MEDIUMCVSS 6.5EG 6.52024-11-12
Due to missing authorization check in SAP NetWeaver AS Java (System Landscape Directory) an unauthorized user can read and modify some restricted global SLD configurations causing low impact on confidentiality and integrity of the applicat…
- CVE-2024-42373MEDIUMCVSS 4.3EG 4.32024-08-13
SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users, leading to the potential escalation of privileges. On successful exploitation it could allow an attacker to delete non-sensitive…
- CVE-2024-42376MEDIUMCVSS 6.5EG 6.52024-08-13
SAP Shared Service Framework does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. On successful exploitation, an attacker can cause a high impact on confidentiality of the applica…
- CVE-2024-42377MEDIUMCVSS 4.3EG 4.32024-08-13
SAP shared service framework allows an authenticated non-administrative user to call a remote-enabled function, which will allow them to insert value entries into a non-sensitive table, causing low impact on integrity of the application
- CVE-2024-42380MEDIUMCVSS 4.3EG 4.32024-09-10
The RFC enabled function module allows a low privileged user to read any user's workplace favourites and user menu along with all the specific data of each node. Usernames can be enumerated by exploiting vulnerability. There is low impact …
- CVE-2024-42434MEDIUMCVSS 4.9EG 4.92024-08-14
Missing authorization in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow a privileged user to conduct an information disclosure via network access.
- CVE-2024-42453HIGHCVSS 8.1EG 7.42024-12-04
A vulnerability Veeam Backup & Replication allows low-privileged users to control and modify configurations on connected virtual infrastructure hosts. This includes the ability to power off virtual machines, delete files in storage, and ma…
- CVE-2024-42470MEDIUMCVSS 6.5EG 6.52024-08-12
openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Several endpoints in versions prior to 4.2.1 of the CometVisu add-on of openHAB don't require authentication. This makes…
- CVE-2024-4259CRITICALCVSS 9.8EG 9.82024-09-03
Missing Authorization vulnerability in SAMPAŞ Holding AKOS (AkosCepVatandasService), SAMPAŞ Holding AKOS (TahsilatService) allows Collect Data as Provided by Users. This issue affects AKOS (AkosCepVatandasService): before V2.0; AKOS (T…
- CVE-2024-4280MEDIUMCVSS 5.3EG 5.32024-05-14
The White Label CMS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_plugin function in all versions up to, and including, 2.7.3. This makes it possible for unauthentica…
- CVE-2024-42934MEDIUMCVSS 5.0EG 5.02024-10-09
OpenIPMI before 2.0.36 has an out-of-bounds array access (for authentication type) in the ipmi_sim simulator, resulting in denial of service or (with very low probability) authentication bypass or code execution.
- CVE-2024-43045MEDIUMCVSS 6.3EG 6.32024-08-07
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views".
- CVE-2024-43087HIGHCVSS 7.8EG 8.42024-11-13
In getInstalledAccessibilityPreferences of AccessibilitySettings.java, there is a possible way to hide an enabled accessibility service in the accessibility service settings due to a logic error in the code. This could lead to local escala…
- CVE-2024-43088HIGHCVSS 7.8EG 8.42024-11-13
In multiple functions in AppInfoBase.java, there is a possible way to manipulate app permission settings belonging to another user on the device due to a missing permission check. This could lead to local escalation of privilege across use…
- CVE-2024-43089HIGHCVSS 7.8EG 7.82024-11-13
In updateInternal of MediaProvider.java , there is a possible access of another app's files due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interactio…
- CVE-2024-43090MEDIUMCVSS 5.0EG 5.02024-11-13
In multiple locations, there is a possible cross-user image read due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is needed for exploitation.
- CVE-2024-43118MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hummingbird hummingbird-performance.This issue affects Hummingbird: from n/a through <= 3.9.1.
- CVE-2024-43119MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in Aruba.It Aruba HiSpeed Cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Aruba HiSpeed Cache: from n/a through 2.0.12.
- CVE-2024-43120MEDIUMCVSS 5.3EG 5.32024-11-01
Missing Authorization vulnerability in XSERVER Inc. TypeSquare Webfonts allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects TypeSquare Webfonts: from n/a through 2.0.7.
- CVE-2024-43122MEDIUMCVSS 6.5EG 6.52024-11-01
Missing Authorization vulnerability in Creative Motion Robin image optimizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Robin image optimizer: from n/a through 1.6.9.
- CVE-2024-43134MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in xootix Waitlist Woocommerce ( Back in stock notifier ) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Waitlist Woocommerce ( Back in stock notifier ): from …
- CVE-2024-43136MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart.This issue affects Sunshine Photo Cart: from n/a through <= 3.2.1.
- CVE-2024-43142MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in Themeum Tutor LMS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through 2.7.3.
- CVE-2024-43143MEDIUMCVSS 6.4EG 6.42024-11-01
Missing Authorization vulnerability in Roundup WP Registrations for the Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Registrations for the Events Calendar: from n/a through 2.12…
- CVE-2024-43146MEDIUMCVSS 6.3EG 6.32024-11-01
Missing Authorization vulnerability in Ahmed Kaludi, Mohammed Kaludi AMP for WP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AMP for WP: from n/a through 1.0.96.1.
- CVE-2024-43154MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in BracketSpace Advanced Cron Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Cron Manager – debug & control: from n/a through 2.5.9.
- CVE-2024-43157MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in nCrafts FormCraft allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FormCraft: from n/a through 1.2.10.
- CVE-2024-43158HIGHCVSS 7.5EG 7.52024-11-01
Missing Authorization vulnerability in masteriyo Masteriyo - LMS learning-management-system.This issue affects Masteriyo - LMS: from n/a through <= 1.11.4.
- CVE-2024-43159MEDIUMCVSS 5.3EG 5.32024-11-01
Missing Authorization vulnerability in masteriyo Masteriyo - LMS learning-management-system.This issue affects Masteriyo - LMS: from n/a through <= 1.11.6.
- CVE-2024-43162MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through 3.2.12.
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →