CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,529 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 83 of 171
- CVE-2024-43925MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in Envira Gallery Team Envira Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Envira Photo Gallery: from n/a through 1.8.14.
- CVE-2024-43928MEDIUMCVSS 5.4EG 5.42024-11-01
Missing Authorization vulnerability in eyecix JobSearch allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JobSearch: from n/a through 2.5.4.
- CVE-2024-43929MEDIUMCVSS 6.5EG 6.52024-11-01
Missing Authorization vulnerability in eyecix JobSearch allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JobSearch: from n/a through 2.5.4.
- CVE-2024-43932MEDIUMCVSS 6.5EG 6.52024-11-01
Missing Authorization vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite the-plus-addons-for-elementor-page-builder.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through <= 5.6.2.
- CVE-2024-43937MEDIUMCVSS 6.4EG 6.42024-11-01
Missing Authorization vulnerability in Themeum WP Crowdfunding allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Crowdfunding: from n/a through 2.1.10.
- CVE-2024-43939MEDIUMCVSS 6.5EG 6.52024-08-29
Missing Authorization vulnerability in VIICTORY MEDIA LLC Z Y N I T H allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Z Y N I T H: from n/a through 7.4.9.
- CVE-2024-43940MEDIUMCVSS 6.5EG 6.52024-08-29
Missing Authorization vulnerability in VIICTORY MEDIA LLC Z Y N I T H allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Z Y N I T H: from n/a through 7.4.9.
- CVE-2024-43956MEDIUMCVSS 6.5EG 6.52024-11-01
Missing Authorization vulnerability in Caseproof, LLC Memberpress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Memberpress: from n/a through 1.11.34.
- CVE-2024-43962MEDIUMCVSS 5.4EG 5.42024-11-01
Missing Authorization vulnerability in LWS LWS Affiliation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LWS Affiliation: from n/a through 2.3.4.
- CVE-2024-43968MEDIUMCVSS 4.3EG 4.32024-11-01
Broken Access Control vulnerability in Automattic Newspack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Newspack: from n/a through 3.8.6.
- CVE-2024-43973MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in Stiofan GetPaid invoicing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GetPaid: from n/a through <= 2.8.11.
- CVE-2024-43974MEDIUMCVSS 6.5EG 6.52024-11-01
Missing Authorization vulnerability in CozyThemes ReviveNews allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects ReviveNews: from n/a through 1.0.2.
- CVE-2024-43979MEDIUMCVSS 6.5EG 6.52024-11-01
Missing Authorization vulnerability in CozyThemes Blockbooster allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Blockbooster: from n/a through 1.0.10.
- CVE-2024-43980MEDIUMCVSS 6.5EG 6.52024-11-01
Missing Authorization vulnerability in CozyThemes Fota WP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fota WP: from n/a through 1.4.1.
- CVE-2024-43981MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in AyeCode – WP Business Directory Plugins GeoDirectory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GeoDirectory: from n/a through 2.3.70.
- CVE-2024-43982HIGHCVSS 8.8EG 8.82024-11-01
Missing Authorization vulnerability in Geek Code Lab Login As Users allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Login As Users: from n/a through 1.4.3.
- CVE-2024-43998MEDIUMCVSS 6.5EG 6.52024-11-01
Missing Authorization vulnerability in WebsiteinWP Blogpoet allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Blogpoet: from n/a through 1.0.3.
- CVE-2024-44006MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in Amir Helzer WooCommerce Multilingual & Multicurrency woocommerce-multilingual.This issue affects WooCommerce Multilingual & Multicurrency: from n/a through <= 5.3.6.
- CVE-2024-44019MEDIUMCVSS 5.3EG 5.32024-11-01
Missing Authorization vulnerability in Renzo Johnson Contact Form 7 Campaign Monitor Extension contact-form-7-campaign-monitor-extension.This issue affects Contact Form 7 Campaign Monitor Extension: from n/a through <= 0.4.67.
- CVE-2024-44020MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in prasadkirpekar WP Free SSL – Free SSL Certificate for WordPress and force HTTPS wp-free-ssl.This issue affects WP Free SSL – Free SSL Certificate for WordPress and force HTTPS: from n/a through <=…
- CVE-2024-44021MEDIUMCVSS 5.4EG 5.42024-11-01
Missing Authorization vulnerability in truepushplugin Truepush truepush-free-web-push-notifications.This issue affects Truepush: from n/a through <= 1.0.8.
- CVE-2024-44031MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in beardev JoomSport joomsport-sports-league-results-management.This issue affects JoomSport: from n/a through <= 5.6.3.
- CVE-2024-44038MEDIUMCVSS 5.3EG 5.32024-11-01
Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sunshine Photo Cart: from n/a through <= 3.2.9.
- CVE-2024-44052MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in HelloAsso HelloAsso helloasso.This issue affects HelloAsso: from n/a through <= 1.1.10.
- CVE-2024-44069HIGHCVSS 7.5EG 7.52024-08-19
Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dashboard. NOTE: the supplier reportedly does "not consider the bug a security issue" but the specific motivation for letti…
- CVE-2024-44082MEDIUMCVSS 4.3EG 4.32024-09-06
In OpenStack Ironic before 26.0.1 and ironic-python-agent before 9.13.1, there is a vulnerability in image processing, in which a crafted image could be used by an authenticated user to exploit undesired behaviors in qemu-img, including po…
- CVE-2024-4410MEDIUMCVSS 5.4EG 5.42024-07-27
The IgnitionDeck Crowdfunding Platform plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.9.8. This is due to missing capability checks on various functions called via AJAX actions in the ~/clas…
- CVE-2024-44112MEDIUMCVSS 4.3EG 4.32024-09-10
Due to missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function which will allow them to delete non-sensitive entries in…
- CVE-2024-44113MEDIUMCVSS 4.3EG 4.32024-09-10
Due to missing authorization checks, SAP Business Warehouse (BEx Analyzer) allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate informa…
- CVE-2024-44115MEDIUMCVSS 4.3EG 4.32024-09-10
The RFC enabled function module allows a low privileged user to add URLs to any user's workplace favourites. This vulnerability could be utilized to identify usernames and access information about targeted user's workplaces, and nodes. The…
- CVE-2024-44116MEDIUMCVSS 4.3EG 4.32024-09-10
The RFC enabled function module allows a low privileged user to add any workbook to any user's workplace favourites. This vulnerability could be utilized to identify usernames and access information about targeted user's workplaces. There …
- CVE-2024-44117MEDIUMCVSS 5.4EG 5.42024-09-10
The RFC enabled function module allows a low privileged user to perform various actions, such as modifying the URLs of any user's favourite nodes and workbook ID. There is low impact on integrity and availability of the application.
- CVE-2024-44156HIGHCVSS 7.1EG 7.12024-10-28
A path deletion vulnerability was addressed by preventing vulnerable code from running with privileges. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An app may be able to bypass Privacy preferences.
- CVE-2024-44208HIGHCVSS 7.5EG 7.52024-10-28
This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15. An app may be able to bypass certain Privacy preferences.
- CVE-2024-4422MEDIUMCVSS 6.4EG 6.42024-05-30
The Comparison Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slider title parameter in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it po…
- CVE-2024-44265LOWCVSS 2.4EG 2.42024-10-28
The issue was addressed by restricting options offered on a locked device. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An attacker with physical access can input Game Controller events to apps runn…
- CVE-2024-4427MEDIUMCVSS 4.3EG 4.32024-05-30
The Comparison Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.5. This makes it possible for authenticated a…
- CVE-2024-4428CRITICALCVSS 9.8EG 9.82024-08-29
Missing Authentication for Critical Function, Missing Authorization vulnerability in Menulux Information Technologies Managment Portal allows Collect Data as Provided by Users. This issue affects Managment Portal: through 21.05.2024.
- CVE-2024-44408HIGHCVSS 7.5EG 7.52024-09-06
D-Link DIR-823G v1.0.2B05_20181207 is vulnerable to Information Disclosure. The device allows unauthorized configuration file downloads, and the downloaded configuration files contain plaintext user passwords.
- CVE-2024-4444MEDIUMCVSS 5.3EG 5.32024-05-14
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 4.2.6.5. This is due to missing checks in the 'create_account' function in the checkout. This makes…
- CVE-2024-4445MEDIUMCVSS 6.5EG 6.52024-05-14
The WP Compress – Image Optimizer [All-In-One] plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the several functions in versions up to, and including, 6.20.01. This makes it po…
- CVE-2024-4450MEDIUMCVSS 6.3EG 6.32024-06-19
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.6…
- CVE-2024-4468MEDIUMCVSS 4.3EG 4.32024-06-08
The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admin_init in all versions up to, and including, 9.9. This makes…
- CVE-2024-45050HIGHCVSS 7.1EG 7.12024-09-04
Ringer server is the server code for the Ringer messaging app. Prior to version 1.3.1, there is an issue with the messages loading route where Ringer Server does not check to ensure that the user loading the conversation is actually a memb…
- CVE-2024-45058HIGHCVSS 8.1EG 8.12024-08-28
i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. Prior to the 2.9 branch, an attacker with only minimal viewing privileges in the settings section …
- CVE-2024-45168CRITICALCVSS 9.1EG 9.12024-08-22
An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Data is transferred over a raw socket without any authentication mechanism. Thus, communication endpoints are not verifiable.
- CVE-2024-4520HIGHCVSS 7.5EG 7.52024-06-04
An improper access control vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically in version 20240410. This vulnerability allows any user on the server to access the chat history of any other user without requirin…
- CVE-2024-45284LOWCVSS 2.4EG 2.42024-09-10
An authenticated attacker with high privilege can use functions of SLCM transactions to which access should be restricted. This may result in an escalation of privileges causing low impact on integrity of the application.
- CVE-2024-45285MEDIUMCVSS 5.4EG 5.42024-09-10
The RFC enabled function module allows a low privileged user to perform denial of service on any user and also change or delete favourite nodes. By sending a crafted packet in the function module targeting specific parameters, the specific…
- CVE-2024-45286MEDIUMCVSS 6.5EG 6.52024-09-10
Due to lack of proper authorization checks when calling user, a function module in obsolete Tobin interface in SAP Production and Revenue Accounting allows unauthorized access that could lead to disclosure of highly sensitive data. There i…
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →