CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,791 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 10 of 76
- CVE-2020-18701CRITICALCVSS 9.8EG 9.82021-08-16
Incorrect Access Control in Lin-CMS-Flask v0.1.1 allows remote attackers to obtain sensitive information and/or gain privileges due to the application not invalidating a user's authentication token upon logout, which allows for replaying p…
- CVE-2020-1882MEDIUMCVSS 4.6EG 4.62020-02-18
Huawei mobile phones Ever-L29B versions earlier than 10.0.0.180(C185E6R3P3), earlier than 10.0.0.180(C432E6R1P7), earlier than 10.0.0.180(C636E5R2P3); HUAWEI Mate 20 RS versions earlier than 10.0.0.175(C786E70R3P8); HUAWEI Mate 20 X versio…
- CVE-2020-19005MEDIUMCVSS 5.7EG 5.72020-08-25
zrlog v2.1.0 has a vulnerability with the permission check. If admin account is logged in, other unauthorized users can download the database backup file directly.
- CVE-2020-19150HIGHCVSS 8.1EG 8.12021-09-15
Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information or cause a denial of service via the 'FileManager.delete()' function in the component 'modules/filemanager/FileManagerControll…
- CVE-2020-19154MEDIUMCVSS 6.5EG 6.52021-09-15
Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'FileManager.editFile()' function in the component 'modules/filemanager/FileManagerController.java'.
- CVE-2020-19301CRITICALCVSS 9.8EG 9.82021-08-03
A vulnerability in the vae_admin_rule database table of vaeThink v1.0.1 allows attackers to execute arbitrary code via a crafted payload in the condition parameter.
- CVE-2020-19551HIGHCVSS 8.8EG 8.82021-09-21
Blacklist bypass issue exists in WUZHI CMS up to and including 4.1.0 in common.func.php, which when uploaded can cause remote code executiong.
- CVE-2020-19765HIGHCVSS 7.5EG 7.52021-09-07
An issue in the noReentrance() modifier of the Ethereum-based contract Accounting 1.0 allows attackers to carry out a reentrancy attack.
- CVE-2020-19888MEDIUMCVSS 5.9EG 5.92020-08-24
DBHcms v1.2.0 has an unauthorized operation vulnerability because there's no access control at line 175 of dbhcms\page.php for empty cache operation. This vulnerability can be exploited to empty a table.
- CVE-2020-1998MEDIUMCVSS 5.4EG 5.42020-05-13
An improper authorization vulnerability in PAN-OS that mistakenly uses the permissions of local linux users instead of the intended SAML permissions of the account when the username is shared for the purposes of SSO authentication. This ca…
- CVE-2020-20466CRITICALCVSS 9.8EG 9.82021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to unauthorized access via user_edit_password.php, remote attackers can modify the password of any user.
- CVE-2020-20471HIGHCVSS 8.8EG 8.82021-06-21
White Shark System (WSS) 1.3.2 has an unauthorized access vulnerability in default_user_edit.php, remote attackers can exploit this vulnerability to escalate to admin privileges.
- CVE-2020-2097HIGHCVSS 8.8EG 8.82020-01-15
Jenkins Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation, allowing attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins.
- CVE-2020-2104MEDIUMCVSS 4.3EG 4.32020-01-29
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart.
- CVE-2020-21124CRITICALCVSS 9.8EG 9.82021-09-15
UReport 2.2.9 allows attackers to execute arbitrary code due to a lack of access control to the designer page.
- CVE-2020-2134HIGHCVSS 8.8EG 8.82020-03-09
Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted constructor calls and crafted constructor bodies.
- CVE-2020-2135HIGHCVSS 8.8EG 8.82020-03-09
Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that implement GroovyInterceptable.
- CVE-2020-2148MEDIUMCVSS 4.3EG 4.32020-03-09
A missing permission check in Jenkins Mac Plugin 1.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.
- CVE-2020-2188MEDIUMCVSS 4.3EG 4.32020-05-06
A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
- CVE-2020-21990HIGHCVSS 7.5EG 7.52021-04-29
Emmanuel MyDomoAtHome (MDAH) REST API REST API Domoticz ISS Gateway 0.2.40 is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this, via a specia…
- CVE-2020-2228HIGHCVSS 8.8EG 8.82020-07-15
Jenkins Gitlab Authentication Plugin 1.5 and earlier does not perform group authorization checks properly, resulting in a privilege escalation vulnerability.
- CVE-2020-2233MEDIUMCVSS 6.5EG 6.52020-08-12
A missing permission check in Jenkins Pipeline Maven Integration Plugin 3.8.2 and earlier allows users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
- CVE-2020-2258MEDIUMCVSS 4.3EG 4.32020-09-16
Jenkins Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view that HTTP endpoint.
- CVE-2020-22784HIGHCVSS 7.5EG 7.52021-04-28
In Etherpad UeberDB < 0.4.4, due to MySQL omitting trailing spaces on char / varchar columns during comparisons, retrieving database records using UeberDB's MySQL connector could allow bypassing access controls enforced on key names.
- CVE-2020-23362HIGHCVSS 7.1EG 7.12023-05-09
Insecure Permissons vulnerability found in Shop_CMS YerShop all versions allows a remote attacker to escalate privileges via the cover_id parameter.
- CVE-2020-23449HIGHCVSS 7.5EG 7.52021-01-26
newbee-mall all versions are affected by incorrect access control to remotely gain privileges through NewBeeMallIndexConfigServiceImpl.java. Unauthorized changes can be made to any user information through the userID.
- CVE-2020-24264CRITICALCVSS 9.8EG 9.82021-03-16
Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to sp…
- CVE-2020-24401MEDIUMCVSS 6.5EG 6.52020-11-09
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's ac…
- CVE-2020-24492MEDIUMCVSS 4.4EG 4.42021-02-17
Insufficient access control in the firmware for the Intel(R) 722 Ethernet Controllers before version 1.5 may allow a privileged user to potentially enable a denial of service via local access.
- CVE-2020-24493MEDIUMCVSS 4.4EG 4.42021-02-17
Insufficient access control in the firmware for the Intel(R) 700-series of Ethernet Controllers before version 8.0 may allow a privileged user to potentially enable denial of service via local access.
- CVE-2020-24494MEDIUMCVSS 4.4EG 4.42021-02-17
Insufficient access control in the firmware for the Intel(R) 722 Ethernet Controllers before version 1.4.3 may allow a privileged user to potentially enable denial of service via local access.
- CVE-2020-24495MEDIUMCVSS 4.4EG 4.42021-02-17
Insufficient access control in the firmware for the Intel(R) 700-series of Ethernet Controllers before version 7.3 may allow a privileged user to potentially enable denial of service via local access.
- CVE-2020-24497MEDIUMCVSS 4.4EG 4.42021-02-17
Insufficient Access Control in the firmware for Intel(R) E810 Ethernet Controllers before version 1.4.1.13 may allow a privileged user to potentially enable denial of service via local access.
- CVE-2020-24503MEDIUMCVSS 5.5EG 5.52021-02-17
Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2020-24595MEDIUMCVSS 5.3EG 5.32020-09-25
Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to retrieve sensitive information due to insufficient access control.
- CVE-2020-24618MEDIUMCVSS 6.5EG 6.52020-08-27
In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020.1.11011, 2019.1.65514, 2019.2.65515, and 2019.3.65516, an attacker can retrieve an issue description without appropriate access.
- CVE-2020-24674HIGHCVSS 8.8EG 8.82020-12-22
In S+ Operations and S+ Historian, not all client commands correctly check user permission as expected. Authenticated but Unauthorized remote users could execute a Denial-of-Service (DoS) attack, execute arbitrary code, or obtain more priv…
- CVE-2020-24716HIGHCVSS 7.8EG 7.82020-08-27
OpenZFS before 2.0.0-rc1, when used on FreeBSD, allows execute permissions for all directories.
- CVE-2020-24718HIGHCVSS 8.2EG 8.22020-09-25
bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on …
- CVE-2020-24771HIGHCVSS 7.5EG 7.52022-03-30
Incorrect access control in NexusPHP 1.5.beta5.20120707 allows unauthorized attackers to access published content.
- CVE-2020-24941HIGHCVSS 7.5EG 7.52020-09-04
An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.
- CVE-2020-24981MEDIUMCVSS 5.3EG 5.32020-09-04
An Incorrect Access Control vulnerability exists in /ucms/chk.php in UCMS 1.4.8. This results in information leak via an error message caused by directly accessing the website built by UCMS.
- CVE-2020-25025MEDIUMCVSS 4.3EG 4.32020-09-02
The l10nmgr (aka Localization Manager) extension before 7.4.0, 8.x before 8.7.0, and 9.x before 9.2.0 for TYPO3 allows Information Disclosure (translatable fields).
- CVE-2020-25049CRITICALCVSS 9.8EG 9.82020-08-31
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. StatusBarService has insufficient DEX access control. The Samsung ID is SVE-2020-17797 (August 2020).
- CVE-2020-25055CRITICALCVSS 9.8EG 9.82020-08-31
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. The persona service allows attackers (who control an unprivileged SecureFolder process) to bypass admin restrictions in KnoxContainer. The Samsung…
- CVE-2020-2506HIGHCVSS 7.3EG 9.8⚠ KEV2021-02-03
The vulnerability have been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges, or reading sensitive i…
- CVE-2020-2507CRITICALCVSS 9.8EG 9.82021-02-03
The vulnerability have been reported to affect earlier versions of QTS. If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. This issue affects: QNAP Systems Inc. Helpdesk versions prio…
- CVE-2020-25160MEDIUMCVSS 6.8EG 6.32022-04-14
Improper access controls in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enables attackers to extract and tamper with the devices network configuration.
- CVE-2020-25167MEDIUMCVSS 4.9EG 6.52022-04-18
OSIsoft PI Vision 2020 versions prior to 3.5.0 could disclose information to a user with insufficient privileges for an AF attribute.
- CVE-2020-25239HIGHCVSS 8.8EG 8.82021-03-15
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0). The webserver could allow unauthorized actions via special urls for unpriviledged users. The settings of the UMC authorization server could be chang…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →