CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,791 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 11 of 76
- CVE-2020-25240HIGHCVSS 8.8EG 8.82021-03-15
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0). Unpriviledged users can access services when guessing the url. An attacker could impact availability, integrity and gain information from logs and t…
- CVE-2020-25251CRITICALCVSS 9.1EG 9.12020-09-11
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client-side authentication is used for critical functions such as adding users or r…
- CVE-2020-25282CRITICALCVSS 9.8EG 9.82020-09-11
An issue was discovered on LG mobile devices with Android OS 10 software. The lguicc software (for the LG Universal Integrated Circuit Card) allows attackers to bypass intended access restrictions on property values. The LG ID is LVE-SMP-2…
- CVE-2020-25283CRITICALCVSS 9.8EG 9.82020-09-11
An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9.0, and 10 software. BT manager allows attackers to bypass intended access restrictions on a certain mode. The LG ID is LVE-SMP-200021 (September 2020).
- CVE-2020-25284MEDIUMCVSS 4.1EG 4.12020-09-13
The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap rbd block devices, aka CID-f44d…
- CVE-2020-25564HIGHCVSS 8.8EG 8.82021-08-11
In SapphireIMS 5.0, it is possible to create local administrator on any client with credentials of a non-privileged user by directly accessing RemoteMgmtTaskSave (Automation Tasks) feature.
- CVE-2020-25580MEDIUMCVSS 5.3EG 5.32021-03-26
In FreeBSD 12.2-STABLE before r369346, 11.4-STABLE before r369345, 12.2-RELEASE before p4 and 11.4-RELEASE before p8 a regression in the login.access(5) rule processor has the effect of causing rules to fail to match even when they should …
- CVE-2020-25610MEDIUMCVSS 5.3EG 5.32020-12-18
The AWV component of Mitel MiCollab before 9.2 could allow an attacker to gain access to a web conference due to insufficient access control for conference codes.
- CVE-2020-25612MEDIUMCVSS 4.9EG 4.92020-12-18
The NuPoint Messenger of Mitel MiCollab before 9.2 could allow an attacker with escalated privilege to access user files due to insufficient access control. Successful exploit could potentially allow an attacker to gain access to sensitive…
- CVE-2020-25655MEDIUMCVSS 5.7EG 5.72020-11-09
An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions. Views created for an admin user would be made available for a short time to users with only view permissi…
- CVE-2020-25699HIGHCVSS 7.5EG 7.52020-11-19
In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and ear…
- CVE-2020-25701MEDIUMCVSS 5.3EG 5.32020-11-19
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the…
- CVE-2020-25722HIGHCVSS 8.8EG 8.82022-02-18
Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored data. An attacker could use this flaw to cause total domain compromise.
- CVE-2020-25869HIGHCVSS 7.5EG 7.52020-09-27
An information leak was discovered in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. Handling of actor ID does not necessarily use the correct database or correct wiki.
- CVE-2020-26028MEDIUMCVSS 4.9EG 4.92020-12-28
An issue was discovered in Zammad before 3.4.1. Admin Users without a ticket.* permission can access Tickets.
- CVE-2020-26029MEDIUMCVSS 6.5EG 6.52020-12-28
An issue was discovered in Zammad before 3.4.1. There are wrong authorization checks for impersonation requests via X-On-Behalf-Of. The authorization checks are performed for the actual user and not the one given in the X-On-Behalf-Of head…
- CVE-2020-26102HIGHCVSS 7.5EG 7.52020-09-25
In cPanel before 88.0.3, an insecure auth policy API key is used by Dovecot on a templated VM (SEC-550).
- CVE-2020-26121HIGHCVSS 7.5EG 7.52020-09-27
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs b…
- CVE-2020-26200MEDIUMCVSS 6.8EG 6.82021-02-26
A component of Kaspersky custom boot loader allowed loading of untrusted UEFI modules due to insufficient check of their authenticity. This component is incorporated in Kaspersky Rescue Disk (KRD) and was trusted by the Authentication Agen…
- CVE-2020-26223HIGHCVSS 7.7EG 7.72020-11-13
Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 O…
- CVE-2020-26250MEDIUMCVSS 6.3EG 6.32020-12-01
OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated (in jupyterhub 1.2) configuration `Authenticator.whitelist`, which should be transparently mapped to `Authen…
- CVE-2020-26506MEDIUMCVSS 4.3EG 4.32020-11-05
An Authorization Bypass vulnerability in the Marmind web application with version 4.1.141.0 allows users with lower privileges to gain control to files uploaded by administrative users. The accessed files were not visible by the low privil…
- CVE-2020-26555MEDIUMCVSS 5.4EG 5.42021-05-24
Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN.
- CVE-2020-26557HIGHCVSS 7.5EG 7.52021-05-24
Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is s…
- CVE-2020-26559HIGHCVSS 8.8EG 8.82021-05-24
Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (participating in the provisioning protocol) to identify the AuthValue used given the Provisioner’s public key, and the confirmation numbe…
- CVE-2020-26560HIGHCVSS 8.1EG 8.12021-05-24
Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, reflecting the authentication evidence from a Provisioner, to complete authentication without possessing the AuthValue, and potentially acq…
- CVE-2020-26876HIGHCVSS 7.5EG 7.52020-10-07
The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs becaus…
- CVE-2020-27156CRITICALCVSS 9.8EG 9.82020-10-15
Veritas APTARE versions prior to 10.5 did not perform adequate authorization checks. This vulnerability could allow for remote code execution by an unauthenticated user.
- CVE-2020-27362HIGHCVSS 8.8EG 8.82021-07-01
An issue exists within the SSH console of Akkadian Provisioning Manager 4.50.02 which allows a low-level privileged user to escape the web configuration file editor and escalate privileges.
- CVE-2020-27609MEDIUMCVSS 5.3EG 5.32020-10-21
BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.
- CVE-2020-27873MEDIUMCVSS 6.5EG 6.52021-02-04
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R7450 1.2.0.62_1.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exist…
- CVE-2020-27901MEDIUMCVSS 6.3EG 6.32021-04-02
A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, macOS Big Sur 11.0.1. A sandboxed process may be able to circumvent sand…
- CVE-2020-28050CRITICALCVSS 9.1EG 9.12021-03-05
Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server.
- CVE-2020-28053MEDIUMCVSS 6.5EG 6.52020-11-23
HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.
- CVE-2020-28211HIGHCVSS 7.8EG 7.82020-11-19
A CWE-863: Incorrect Authorization vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause bypass of authentication when overwriting memory using a debugger.
- CVE-2020-28397MEDIUMCVSS 5.3EG 5.32021-08-10
A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions < V21.9), SIMATIC S7 PLCSIM Advanced (All versions > V2 <…
- CVE-2020-28401MEDIUMCVSS 6.5EG 6.52021-01-29
An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access WIP details about jobs he should not have access to.
- CVE-2020-28402MEDIUMCVSS 5.4EG 8.82021-01-29
An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access Launcher Configuration Panel.
- CVE-2020-28404MEDIUMCVSS 6.5EG 6.52021-01-29
An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access the Billing page without the appropriate privileges.
- CVE-2020-28405HIGHCVSS 8.8EG 8.82021-01-29
An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to change the privileges of any user of the application. This can be used to grant himself the administrative …
- CVE-2020-28406MEDIUMCVSS 6.5EG 6.52021-01-29
An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access details about jobs he should not have access to via the Audit Trail Feature.
- CVE-2020-28872CRITICALCVSS 9.8EG 9.82021-04-12
An authorization bypass vulnerability in Monitorr v1.7.6m in Monitorr/assets/config/_installation/_register.php allows an unauthorized person to create valid credentials.
- CVE-2020-29020CRITICALCVSS 9.1EG 9.12021-03-05
Improper Access Control vulnerability in web service of Secomea SiteManager allows remote attacker to access the web UI from the internet using the configured credentials. This issue affects: Secomea SiteManager All versions prior to 9.4.6…
- CVE-2020-29158MEDIUMCVSS 4.3EG 4.32020-12-28
An issue was discovered in Zammad before 3.5.1. An Agent with Customer permissions in a Group can bypass intended access control on internal Articles via the Ticket detail view.
- CVE-2020-29160HIGHCVSS 7.5EG 7.52020-12-28
An issue was discovered in Zammad before 3.5.1. A REST API call allows an attacker to change Ticket Article data in a way that defeats auditing.
- CVE-2020-29165CRITICALCVSS 9.8EG 9.82021-02-03
PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by incorrect access control, which can result in remotely gaining administrator privileges.
- CVE-2020-29189HIGHCVSS 8.1EG 8.12020-12-24
Incorrect Access Control vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated attackers to bypass read-only restriction and obtain full access to any folder within the NAS
- CVE-2020-29374LOWCVSS 3.6EG 3.62020-11-28
An issue was discovered in the Linux kernel before 5.7.3, related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operation…
- CVE-2020-29454MEDIUMCVSS 4.3EG 4.32020-12-02
Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access.
- CVE-2020-29538MEDIUMCVSS 4.9EG 4.92021-01-29
Archer before 6.9 P1 (6.9.0.1) contains an improper access control vulnerability in an API. A remote authenticated malicious administrative user can potentially exploit this vulnerability to gather information about the system, and may use…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →