CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,530 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 84 of 171
- CVE-2024-45307HIGHCVSS 8.8EG 8.82024-09-03
SudoBot, a Discord moderation bot, is vulnerable to privilege escalation and exploit of the `-config` command in versions prior to 9.26.7. Anyone is theoretically able to update any configuration of the bot and potentially gain control ove…
- CVE-2024-45393MEDIUMCVSS 6.4EG 6.42024-09-10
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account can access webhook delivery information for any webhook registered on the CVAT instance, includin…
- CVE-2024-45461MEDIUMCVSS 5.7EG 5.72024-10-16
The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, no…
- CVE-2024-45493CRITICALCVSS 9.8EG 9.82024-12-10
An issue was discovered in MSA FieldServer Gateway 5.0.0 through 6.5.2 (Fixed in 7.0.0). The FieldServer Gateway has internal users, whose access is supposed to be restricted to login locally on the device. However, an attacker can bypass …
- CVE-2024-45591MEDIUMCVSS 5.3EG 5.32024-09-10
XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the ver…
- CVE-2024-4566HIGHCVSS 7.1EG 7.12024-05-21
The ShopLentor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in all versions up to, and including, 2.8.8. This makes it possible for authenticated att…
- CVE-2024-45689MEDIUMCVSS 6.5EG 6.52024-11-20
A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.
- CVE-2024-45732HIGHCVSS 7.1EG 7.12024-10-14
In Splunk Enterprise versions below 9.3.1, and 9.2.0 versions below 9.2.3, and Splunk Cloud Platform versions below 9.2.2403.103, 9.1.2312.200, 9.1.2312.110 and 9.1.2308.208, a low-privileged user that does not hold the "admin" or "power" …
- CVE-2024-45760MEDIUMCVSS 4.3EG 4.32024-12-09
Dell OpenManage Server Administrator, versions 11.0.1.0 and prior, contains an improper access control vulnerability. A remote low privileged user could potentially exploit this vulnerability via the HTTP GET method leading to unauthorized…
- CVE-2024-46450HIGHCVSS 8.1EG 8.12025-01-16
Incorrect access control in Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 Firmware v15.03.06.50 allows attackers to bypass authentication via a crafted web request.
- CVE-2024-4660MEDIUMCVSS 6.5EG 6.52024-09-12
An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source…
- CVE-2024-4661MEDIUMCVSS 4.3EG 4.32024-06-08
The WP Reset plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_ajax function in all versions up to, and including, 2.02. This makes it possible for authenticated attackers…
- CVE-2024-47055MEDIUMCVSS 4.3EG 4.32025-05-28
SummaryThis advisory addresses a security vulnerability in Mautic related to the segment cloning functionality. This vulnerability allows any authenticated user to clone segments without proper authorization checks. Insecure Direct Object…
- CVE-2024-47268MEDIUMCVSS 4.9EG 4.92026-05-27
Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified …
- CVE-2024-47302MEDIUMCVSS 5.3EG 5.32024-11-01
Missing Authorization vulnerability in Shahjahan Jewel Fluent Support fluent-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fluent Support: from n/a through <= 1.8.0.
- CVE-2024-47308MEDIUMCVSS 6.5EG 6.52024-11-01
Missing Authorization vulnerability in WPDeveloper Templately templately.This issue affects Templately: from n/a through <= 3.1.2.
- CVE-2024-47311MEDIUMCVSS 5.3EG 5.32024-11-01
Missing Authorization vulnerability in Kraft Plugins Wheel of Life wheel-of-life allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wheel of Life: from n/a through <= 1.1.8.
- CVE-2024-47314HIGHCVSS 7.1EG 7.12024-11-01
Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sunshine Photo Cart: from n/a through <= 3.2.8.
- CVE-2024-47317MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded.This issue affects Ads by WPQuads: from n/a through <= 2.0.84.
- CVE-2024-47318MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in Magazine3 PWA for WP & AMP pwa-for-wp.This issue affects PWA for WP & AMP: from n/a through <= 1.7.72.
- CVE-2024-47321MEDIUMCVSS 6.5EG 6.52024-11-01
Missing Authorization vulnerability in Fahad Mahmood WP Datepicker wp-datepicker.This issue affects WP Datepicker: from n/a through <= 2.1.1.
- CVE-2024-47330MEDIUMCVSS 4.3EG 4.32024-09-26
Missing Authorization vulnerability in Supsystic Slider by Supsystic, Supsystic Social Share Buttons by Supsystic.This issue affects Slider by Supsystic: from n/a through 1.8.6; Social Share Buttons by Supsystic: from n/a through 2.2.9.
- CVE-2024-47337MEDIUMCVSS 4.3EG 4.32024-09-26
Missing Authorization vulnerability in Phillip Dane Joy Of Text Lite joy-of-text.This issue affects Joy Of Text Lite: from n/a through <= 2.3.1.
- CVE-2024-47358MEDIUMCVSS 5.3EG 5.32024-11-01
Missing Authorization vulnerability in Daniel Iser Popup Maker popup-maker.This issue affects Popup Maker: from n/a through <= 1.19.2.
- CVE-2024-47361MEDIUMCVSS 6.5EG 6.52024-11-01
Missing Authorization vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder.This issue affects Elementor Addon Elements: from n/a through <= 1.13.6.
- CVE-2024-47362MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials.This issue affects Strong Testimonials: from n/a through <= 3.1.16.
- CVE-2024-4744MEDIUMCVSS 5.3EG 5.32024-06-10
Missing Authorization vulnerability in Avirtum iPages Flipbook.This issue affects iPages Flipbook: from n/a through 1.5.1.
- CVE-2024-4745MEDIUMCVSS 4.3EG 4.32024-06-10
Missing Authorization vulnerability in RafflePress Giveaways and Contests by RafflePress.This issue affects Giveaways and Contests by RafflePress: from n/a through 1.12.4.
- CVE-2024-4746MEDIUMCVSS 4.3EG 4.32024-06-10
Missing Authorization vulnerability in netgsm Netgsm netgsm allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Netgsm: from n/a through <= 2.9.32.
- CVE-2024-47581MEDIUMCVSS 4.3EG 4.32024-12-10
SAP HCM Approve Timesheets Version 4 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.There is low impact on integrity of the application. Confidentiality and avai…
- CVE-2024-47585MEDIUMCVSS 4.3EG 4.32024-12-10
SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks, resulting in privilege escalation. While authoriza…
- CVE-2024-47587LOWCVSS 3.5EG 3.52024-11-12
Cash Operations does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges causing low impact to confidentiality to the application.
- CVE-2024-47768HIGHCVSS 8.1EG 8.12024-10-04
Lif Authentication Server is a server used by Lif to do various tasks regarding Lif accounts. This vulnerability has to do with the account recovery system where there does not appear to be a check to make sure the user has been sent the r…
- CVE-2024-47790HIGHCVSS 8.7EG 8.72024-10-04
** UNSUPPORTED WHEN ASSIGNED ** This vulnerability exists in D3D Security IP Camera D8801 due to usage of insecure Real-Time Streaming Protocol (RTSP) version for live video streaming. A remote attacker could exploit this vulnerability by…
- CVE-2024-4788MEDIUMCVSS 4.3EG 4.32024-06-06
The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_bhf_post function in all versions up to, and including, 1.3.5. This ma…
- CVE-2024-48039MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in Imran Tauqeer CubeWP cubewp-framework allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CubeWP: from n/a through <= 1.1.15.
- CVE-2024-48044MEDIUMCVSS 5.4EG 5.42024-11-01
Missing Authorization vulnerability in ShortPixel ShortPixel Image Optimizer shortpixel-image-optimiser allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShortPixel Image Optimizer: from n/a through…
- CVE-2024-48045MEDIUMCVSS 4.3EG 4.32024-11-01
Missing Authorization vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Happy Addons for Elementor: from n/a through <…
- CVE-2024-48073CRITICALCVSS 9.8EG 9.82024-11-08
sunniwell HT3300 before 1.0.0.B022.2 is vulnerable to Insecure Permissions. The /usr/local/bin/update program, which is responsible for updating the software in the HT3300 device, is given the execution mode of sudo NOPASSWD. This program …
- CVE-2024-48538CRITICALCVSS 9.8EG 9.82024-10-24
Incorrect access control in the firmware update and download processes of Neye3C v4.5.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file.
- CVE-2024-4858MEDIUMCVSS 5.3EG 5.32024-05-25
The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_testimonials_option_callback' function in versions up to, and including, 10.2.0. …
- CVE-2024-48645HIGHCVSS 7.5EG 7.52024-10-21
In Minecraft mod "Command Block IDE" up to and including version 0.4.9, a missing authorization (CWE-862) allows any user to modify "function" files used by the game when installed on a dedicated server.
- CVE-2024-4875MEDIUMCVSS 4.3EG 4.32024-05-21
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification of data|loss of data due to a missing capability check on the 'ajax_dismiss' function in versions up to, and including, 2.5.2. Th…
- CVE-2024-4888HIGHCVSS 8.1EG 8.12024-06-06
BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on the `/audio/transcriptions` endpoint. An attacker can exploit this vulnerability by sending a specially crafted request …
- CVE-2024-48898MEDIUMCVSS 4.3EG 4.32024-11-18
A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports that they do not have permission to delete from.
- CVE-2024-48902MEDIUMCVSS 5.4EG 5.42024-10-10
In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applications via API
- CVE-2024-48932MEDIUMCVSS 5.3EG 5.32024-10-24
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint `http://<Server-ip>/v1/users/name` allows unauthenticated users to access sensitive information, such …
- CVE-2024-4898CRITICALCVSS 9.8EG 9.82024-06-12
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it…
- CVE-2024-49273MEDIUMCVSS 4.3EG 4.32024-10-21
Missing Authorization vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities.This issue affects ProfileGrid : from n/a through <= 5.9.3.
- CVE-2024-49293MEDIUMCVSS 4.3EG 4.32024-10-21
Missing Authorization vulnerability in RexTheme WP VR wpvr allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP VR: from n/a through <= 8.5.4.
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →