CWE-863: Incorrect Authorization

2,671 active CVEs are classified under this weakness category, sourced from NVD, GHSA, and vendor advisories. The full definition is on MITRE: https://cwe.mitre.org/data/definitions/863.html

CVEs classified under CWE-863 (page 1 of 54). Each entry gives the severity, CVSS score, EG score where available, and date, followed by the advisory description.
- CVE-2009-3723 (HIGH, CVSS 7.5, EG 7.5, 2019-10-29): Asterisk allows calls on prohibited networks.
- CVE-2010-1435 (CRITICAL, CVSS 9.8, EG 9.8, 2021-06-21): Joomla! Core is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently retrieve password reset tokens from the database through an already existing SQL i…
- CVE-2010-2525 (HIGH, CVSS 7.8, EG 7.8, 2021-06-22): A flaw was discovered in the gfs2 file system's handling of ACLs (access control lists). An unprivileged local attacker could exploit this flaw to gain access to or execute any file stored in the gfs2 file system.
- CVE-2010-2548 (CRITICAL, CVSS 9.1, EG 9.1, 2019-10-31): IcedTea6 before 1.7.4 does not properly check property access, which allows unsigned apps to read and write arbitrary files.
- CVE-2010-3782 (HIGH, CVSS 8.8, EG 8.8, 2020-01-02): obs-server before 1.7.7 allows logins by 'unconfirmed' accounts due to a bug in the REST API implementation.
- CVE-2011-1070 (HIGH, CVSS 7.8, EG 7.8, 2019-11-14): v86d before 0.1.10 does not verify that received netlink messages were sent by the kernel. This could allow unprivileged users to manipulate the video mode, with potentially other consequences.
- CVE-2011-2726 (HIGH, CVSS 7.5, EG 7.5, 2019-11-15): An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file…
- CVE-2011-3617 (MEDIUM, CVSS 6.5, EG 6.5, 2019-11-26): Tahoe-LAFS v1.3.0 through v1.8.2 could allow unauthorized users to delete immutable files in some cases.
- CVE-2012-2238 (HIGH, CVSS 7.5, EG 7.5, 2019-11-21): trytond 2.4: ModelView.button fails to validate authorization.
- CVE-2012-3821 (MEDIUM, CVSS 4.3, EG 4.3, 2020-01-10): A security bypass vulnerability exists in the activate.asp page in Arial Software Campaign Enterprise 11.0.551, which could let a remote malicious user modify the SerialNumber field.
- CVE-2012-3822 (HIGH, CVSS 7.5, EG 7.5, 2020-01-10): Arial Campaign Enterprise before 11.0.551 has unauthorized access to the User-Edit.asp page, which allows remote attackers to enumerate users' credentials.
- CVE-2012-6094 (CRITICAL, CVSS 9.8, EG 9.8, 2019-12-20): CUPS (Common Unix Printing System) does not honor the 'Listen localhost:631' option correctly, which could provide unauthorized access to the system.
- CVE-2013-1350 (CRITICAL, CVSS 9.1, EG 9.1, 2020-01-30): Verax NMS prior to 2.1.0 has multiple security bypass vulnerabilities.
- CVE-2013-2198 (CRITICAL, CVSS 9.8, EG 9.8, 2020-01-30): The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal allows attackers to bypass intended restrictions via a crafted username.
- CVE-2013-2574 (HIGH, CVSS 7.5, EG 7.5, 2020-01-29): An access vulnerability exists in the FOSCAM IP Camera FI8620 due to insufficient access restrictions on the /tmpfs/ and /log/ directories, which could let a malicious user obtain sensitive information.
- CVE-2013-2673 (MEDIUM, CVSS 6.8, EG 6.8, 2020-02-03): Brother MFC-9970CDW 1.10 firmware L devices contain a security bypass vulnerability which allows physically proximate attackers to gain unauthorized access.
- CVE-2013-4228 (MEDIUM, CVSS 4.3, EG 4.3, 2020-02-18): The OG access fields (visibility fields) implementation in Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to private groups, which allows remote authenticated users to guess node IDs, subscri…
- CVE-2013-4410 (HIGH, CVSS 7.5, EG 7.5, 2019-12-02): Review Board has an access-control problem in its REST API.
- CVE-2013-4411 (MEDIUM, CVSS 4.3, EG 4.3, 2019-12-03): Review Board: URL processing gives unauthorized users access to review lists.
- CVE-2013-4862 (HIGH, CVSS 8.1, EG 8.1, 2020-01-28): MiCasaVerde VeraLite with firmware 1.5.408 does not properly restrict access, which allows remote authenticated users to (1) update the firmware via the squashfs parameter to upgrade_step2.sh or (2) obtain hashed passwords via the cgi-bin/…
- CVE-2013-4985 (HIGH, CVSS 7.5, EG 7.5, 2019-12-27): Multiple Vivotek IP cameras have a remote authentication bypass that could allow access to the video stream.
- CVE-2014-0169 (MEDIUM, CVSS 6.5, EG 6.5, 2020-01-02): In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications that are in the security domain. This could allow an authenticated user in one application to access protected resources in another appli…
- CVE-2014-7914 (HIGH, CVSS 8.1, EG 8.1, 2020-02-21): btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapp…
- CVE-2015-10033 (LOW, CVSS 3.5, EG 6.5, 2023-01-09): A vulnerability, which was classified as problematic, was found in jvvlee MerlinsBoard. This affects an unknown part of the component Grade Handler. The manipulation leads to improper authorization. The identifier of the patch is 134f5481e…
- CVE-2015-1780 (MEDIUM, CVSS 6.5, EG 6.5, 2019-11-22): oVirt users with MANIPULATE_STORAGE_DOMAIN permissions can attach a storage domain to any data center.
- CVE-2016-10996 (MEDIUM, CVSS 5.3, EG 5.3, 2019-09-20): The optinmonster plugin before 1.1.4.6 for WordPress has incorrect access control for shortcodes because of a nonce leak.
- CVE-2016-20001 (CRITICAL, CVSS 9.8, EG 9.8, 2021-01-01): The REST/JSON project 7.x-1.x for Drupal allows node access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
- CVE-2016-20002 (CRITICAL, CVSS 9.8, EG 9.8, 2021-01-01): The REST/JSON project 7.x-1.x for Drupal allows comment access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
- CVE-2016-20004 (CRITICAL, CVSS 9.8, EG 9.8, 2021-01-01): The REST/JSON project 7.x-1.x for Drupal allows field access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
- CVE-2016-20005 (CRITICAL, CVSS 9.8, EG 9.8, 2021-01-01): The REST/JSON project 7.x-1.x for Drupal allows user registration bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.
- CVE-2016-3131 (MEDIUM, CVSS 6.5, EG 6.5, 2019-11-26): Cloudera CDH before 5.6.1 allows authorization bypass via direct internal API calls.
- CVE-2016-4572 (HIGH, CVSS 8.8, EG 8.8, 2019-11-26): In Cloudera CDH before 5.7.1, Impala REVOKE ALL ON SERVER commands do not revoke all privileges.
- CVE-2016-6353 (MEDIUM, CVSS 6.5, EG 6.5, 2019-11-26): Cloudera Search in CDH before 5.7.0 allows unauthorized document access because Solr queries by document id can bypass Sentry document-level security via the RealTimeGetHandler.
- CVE-2016-6591 (HIGH, CVSS 7.1, EG 7.1, 2020-01-08): A security bypass vulnerability exists in Symantec Norton App Lock 1.0.3.186 and earlier if application pinning is enabled, which could let a local malicious user bypass security restrictions.
- CVE-2016-9575 (MEDIUM, CVSS 6.3, 2018-03-13): IPA versions 4.2.x, 4.3.x before 4.3.3 and 4.4.x before 4.4.3 did not properly check the user's permissions while modifying certificate profiles in IdM's certprofile-mod command. An authenticated, unprivileged attacker could use this flaw …
- CVE-2017-0920 (MEDIUM, CVSS 4.3, 2018-03-22): GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and…
- CVE-2017-0922 (HIGH, CVSS 7.5, EG 7.5, 2018-03-21): GitLab Enterprise Edition version 10.3 is vulnerable to an authorization bypass issue in the GitLab Projects::BoardsController component, resulting in information disclosure on any board object.
- CVE-2017-0926 (HIGH, CVSS 8.8, EG 8.8, 2018-03-21): GitLab Community Edition version 10.3 is vulnerable to an improper authorization issue in the OAuth sign-in component, resulting in unauthorized user login.
- CVE-2017-0927 (MEDIUM, CVSS 6.5, 2018-03-21): GitLab Community Edition version 10.3 is vulnerable to an improper authorization issue in the deployment keys component, resulting in unauthorized use of deployment keys by guest users.
- CVE-2017-12112 (HIGH, CVSS 8.1, 2018-01-19): An exploitable improper authorization vulnerability exists in the admin_addPeer API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in a…
- CVE-2017-12113 (HIGH, CVSS 8.1, 2018-01-19): An exploitable improper authorization vulnerability exists in the admin_nodeInfo API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in …
- CVE-2017-12114 (MEDIUM, CVSS 6.8, 2018-01-19): An exploitable improper authorization vulnerability exists in the admin_peers API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in aut…
- CVE-2017-12115 (HIGH, CVSS 8.1, 2018-01-19): An exploitable improper authorization vulnerability exists in the miner_setEtherbase API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting…
- CVE-2017-12116 (HIGH, CVSS 8.1, 2018-01-19): An exploitable improper authorization vulnerability exists in the miner_setGasPrice API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting …
- CVE-2017-12117 (HIGH, CVSS 8.1, 2018-01-19): An exploitable improper authorization vulnerability exists in the miner_start API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in aut…
- CVE-2017-12118 (HIGH, CVSS 8.1, 2018-01-19): An exploitable improper authorization vulnerability exists in the miner_stop API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). An attacker can send JSON to trigger this vulnerability.
- CVE-2017-12196 (MEDIUM, CVSS 4.8, 2018-04-18): Undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication: the server does not ensure that the value of URI in the Authorization header matches the URI in the HTTP request line. This a…
- CVE-2017-12197 (MEDIUM, CVSS 6.5, 2018-01-18): It was found that libpam4j up to and including 1.8 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive…
- CVE-2017-1233 (MEDIUM, CVSS 6.7, EG 6.7, 2018-01-31): IBM Remote Control v9 could allow a local user to use the component to replace files to which he does not have write access and which he can cause to be executed with Local System or root privileges. IBM X-Force ID: 123912.
- CVE-2017-15091 (HIGH, CVSS 7.1, 2018-01-23): An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the…
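The CVE-2016-4572 entry above (Impala REVOKE ALL ON SERVER not revoking all privileges) is a recurring CWE-863 shape: a revoke or deny that operates on one scope while the subject still holds effective grants on narrower objects beneath it. The following is an added example, not Impala's, Sentry's or Cloudera's code; it models a toy privilege store with an assumed server > database > table hierarchy and made-up role names, shows a REVOKE ALL that only deletes grants at the exact scope beside one that cascades, and includes the audit the entry suggests a practitioner should run: enumerate what the role can still do after the revoke instead of trusting the command.

```python
"""Scoped privilege store with a REVOKE that must cascade. Constructed
demo of the failure mode in CVE-2016-4572 (a server-wide REVOKE ALL that
leaves privileges behind). Not Impala's or Sentry's code: the scope model
(server > database > table), role names and grants are assumptions made
for this example.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Scope:
    server: str
    database: Optional[str] = None
    table: Optional[str] = None

    def covers(self, other: "Scope") -> bool:
        """True when self is at or above `other` in the hierarchy."""
        if self.server != other.server:
            return False
        if self.database is None:          # server scope covers everything below it
            return True
        if self.database != other.database:
            return False
        return self.table is None or self.table == other.table


@dataclass(frozen=True)
class Grant:
    role: str
    action: str      # e.g. "SELECT", "INSERT", or "ALL"
    scope: Scope


class PrivilegeStore:
    def __init__(self) -> None:
        self.grants: Set[Grant] = set()

    def grant(self, role: str, action: str, scope: Scope) -> None:
        self.grants.add(Grant(role, action, scope))

    def revoke_all_exact(self, role: str, scope: Scope) -> None:
        """Buggy REVOKE ALL: deletes only grants recorded at exactly this scope.
        Grants the role holds on narrower objects survive and stay effective."""
        self.grants = {g for g in self.grants
                       if not (g.role == role and g.scope == scope)}

    def revoke_all_cascading(self, role: str, scope: Scope) -> None:
        """Correct REVOKE ALL: deletes every grant at or below the revoked scope."""
        self.grants = {g for g in self.grants
                       if not (g.role == role and scope.covers(g.scope))}

    def allowed(self, role: str, action: str, scope: Scope) -> bool:
        """Effective-permission check: any covering grant for the action or ALL."""
        return any(g.role == role and g.action in (action, "ALL") and g.scope.covers(scope)
                   for g in self.grants)

    def residual(self, role: str, scope: Scope) -> Set[Grant]:
        """Audit helper: grants the role still holds at or below `scope`.
        After REVOKE ALL ON <scope> this set must be empty."""
        return {g for g in self.grants if g.role == role and scope.covers(g.scope)}


def build_store() -> PrivilegeStore:
    """Constructed grants: a role with server-wide ALL plus narrower grants."""
    s = PrivilegeStore()
    s.grant("analyst", "ALL", Scope("srv1"))
    s.grant("analyst", "SELECT", Scope("srv1", "sales"))
    s.grant("analyst", "INSERT", Scope("srv1", "sales", "orders"))
    return s


def revoke_demo() -> dict:
    """REVOKE ALL ON SERVER srv1 FROM analyst, the buggy way and the correct way."""
    orders = Scope("srv1", "sales", "orders")
    buggy, fixed = build_store(), build_store()
    buggy.revoke_all_exact("analyst", Scope("srv1"))
    fixed.revoke_all_cascading("analyst", Scope("srv1"))
    return {
        "buggy_still_selects": buggy.allowed("analyst", "SELECT", orders),   # True
        "buggy_residual": len(buggy.residual("analyst", Scope("srv1"))),     # 2
        "fixed_still_selects": fixed.allowed("analyst", "SELECT", orders),   # False
        "fixed_residual": len(fixed.residual("analyst", Scope("srv1"))),     # 0
    }


if __name__ == "__main__":
    print(revoke_demo())
```

The `residual()` audit is the part to carry over to a real deployment: after any broad revoke, list the subject's effective privileges from the authorization store (for example via SHOW GRANT in Impala) and treat a non-empty result as a failed revoke rather than a successful command.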
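The CVE-2017-12196 entry above names a precise missing check: in Digest authentication the client hashes the method and URI into the response, but if the server verifies that hash against the `uri=` parameter the client put in the header rather than against the request line it is actually serving, a header captured for one path is a valid proof for any other path in the realm for as long as the nonce lives. The following is an added example, not Undertow's code or configuration; it implements the RFC 2617 arithmetic (MD5, qop=auth) with a made-up realm, user, nonce and paths, and shows the replay succeeding without the URI comparison and failing with it.

```python
"""Digest authentication with the Authorization-header 'uri' bound to the
request line. Constructed demo modelled on the bug class in CVE-2017-12196.
The Digest arithmetic follows RFC 2617 (MD5, qop=auth); the realm, users,
nonce and paths are assumptions for this example, not Undertow's code.
"""
import hashlib
import hmac
import re

REALM = "demo"                     # assumed realm
USERS = {"alice": "s3cret"}        # constructed credential store
NONCE = "f1e2d3c4"                 # constructed server nonce (fresh per challenge in reality)


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest(header: str) -> dict:
    """Parse 'Digest k="v", k=v, ...' into a dict of parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,]*))', params)
    return {k: (quoted if quoted else bare.strip()) for k, quoted, bare in pairs}


def digest_response(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_header(username, password, method, uri, nonce=NONCE, nc="00000001", cnonce="0a1b2c"):
    """The Authorization header a legitimate client sends for `method uri`."""
    resp = digest_response(username, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def authenticate(header: str, method: str, request_uri: str, *, bind_uri: bool):
    """Return the authenticated username, or None.

    bind_uri=False reproduces the flaw: the response is verified against the
    uri claimed in the header, so a captured header proves possession of the
    password for any request-target while the nonce is accepted.
    bind_uri=True adds the missing check: header uri must equal the request line.
    """
    p = parse_digest(header)
    password = USERS.get(p.get("username", ""))
    if password is None or p.get("nonce") != NONCE:
        return None
    if bind_uri and p.get("uri") != request_uri:
        return None
    expected = digest_response(p["username"], password, method, p["uri"],
                               p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
    if not hmac.compare_digest(expected, p.get("response", "")):
        return None
    return p["username"]


def replay_demo() -> dict:
    """An on-path attacker captures alice's header for GET /public and
    replays it unchanged against GET /admin."""
    captured = client_header("alice", "s3cret", "GET", "/public")
    return {
        "vulnerable": authenticate(captured, "GET", "/admin", bind_uri=False),  # "alice"
        "fixed": authenticate(captured, "GET", "/admin", bind_uri=True),        # None
        "legit": authenticate(captured, "GET", "/public", bind_uri=True),       # "alice"
    }


if __name__ == "__main__":
    print(replay_demo())
```

The comparison has to be against the request-target as parsed by the server, not against a value the client supplies twice; nonce freshness and `nc` tracking limit the replay window but do not remove it, which is why the URI binding is a separate, required check.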