CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,791 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 12 of 76
- CVE-2020-29605MEDIUMCVSS 4.3EG 4.32021-01-29
An issue was discovered in MantisBT before 2.24.4. Due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can get access to the Summary fields of private Issues via bug_arr[]= in a crafted bug_actiongr…
- CVE-2020-3140CRITICALCVSS 9.8EG 9.82020-07-16
A vulnerability in the web management interface of Cisco Prime License Manager (PLM) Software could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device. The vulnerability is due to insufficient valid…
- CVE-2020-3150MEDIUMCVSS 5.9EG 5.92020-07-16
A vulnerability in the web-based management interface of Cisco Small Business RV110W and RV215W Series Routers could allow an unauthenticated, remote attacker to download sensitive information from the device, which could include the devic…
- CVE-2020-3227CRITICALCVSS 9.8EG 9.82020-06-03
A vulnerability in the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute Cisco IOx API commands without proper authorization. The…
- CVE-2020-3229HIGHCVSS 8.8EG 8.82020-06-03
A vulnerability in Role Based Access Control (RBAC) functionality of Cisco IOS XE Web Management Software could allow a Read-Only authenticated, remote attacker to execute commands or configuration changes as an Admin user. The vulnerabili…
- CVE-2020-3231MEDIUMCVSS 4.7EG 4.72020-06-03
A vulnerability in the 802.1X feature of Cisco Catalyst 2960-L Series Switches and Cisco Catalyst CDB-8P Switches could allow an unauthenticated, adjacent attacker to forward broadcast traffic before being authenticated on the port. The vu…
- CVE-2020-3335MEDIUMCVSS 5.5EG 5.52020-06-03
A vulnerability in the key store of Cisco Application Services Engine Software could allow an authenticated, local attacker to read sensitive information of other users on an affected device. The vulnerability is due to insufficient author…
- CVE-2020-3360MEDIUMCVSS 5.3EG 5.32020-06-18
A vulnerability in the Web Access feature of Cisco IP Phones Series 7800 and Series 8800 could allow an unauthenticated, remote attacker to view sensitive information on an affected device. The vulnerability is due to improper access contr…
- CVE-2020-3364MEDIUMCVSS 5.3EG 5.32020-06-18
A vulnerability in the access control list (ACL) functionality of the standby route processor management interface of Cisco IOS XR Software could allow an unauthenticated, remote attacker to reach the configured IP addresses on the standby…
- CVE-2020-3374CRITICALCVSS 9.9EG 9.92020-07-31
A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization, enabling them to access sensitive information, modify the system configuration, o…
- CVE-2020-3386HIGHCVSS 8.8EG 8.82020-07-31
A vulnerability in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker with a low-privileged account to bypass authorization on the API of an affected device. The vulnerability is…
- CVE-2020-3404HIGHCVSS 7.8EG 7.82020-09-24
A vulnerability in the persistent Telnet/Secure Shell (SSH) CLI of Cisco IOS XE Software could allow an authenticated, local attacker to gain shell access on an affected device and execute commands on the underlying operating system (OS) w…
- CVE-2020-3412MEDIUMCVSS 4.3EG 4.32020-08-17
A vulnerability in the scheduled meeting template feature of Cisco Webex Meetings could allow an authenticated, remote attacker to create a scheduled meeting template that would belong to another user in their organization. The vulnerabili…
- CVE-2020-3413MEDIUMCVSS 4.3EG 4.32020-08-17
A vulnerability in the scheduled meeting template feature of Cisco Webex Meetings could allow an authenticated, remote attacker to delete a scheduled meeting template that belongs to another user in their organization. The vulnerability is…
- CVE-2020-3467HIGHCVSS 7.7EG 7.72020-10-08
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to modify parts of the configuration on an affected device. The vulnerability is due to improper en…
- CVE-2020-3472MEDIUMCVSS 5.0EG 5.02020-08-17
A vulnerability in the contacts feature of Cisco Webex Meetings could allow an authenticated, remote attacker with a legitimate user account to access sensitive information. The vulnerability is due to improper access restrictions on users…
- CVE-2020-3473HIGHCVSS 7.8EG 7.82020-09-04
A vulnerability in task group assignment for a specific CLI command in Cisco IOS XR Software could allow an authenticated, local CLI shell user to elevate privileges and gain full administrative control of the device. The vulnerability is …
- CVE-2020-3474MEDIUMCVSS 4.3EG 8.12020-09-24
Multiple vulnerabilities in the web management framework of Cisco IOS XE Software could allow an authenticated, remote attacker with read-only privileges to gain unauthorized read access to sensitive data or cause the web management softwa…
- CVE-2020-3477MEDIUMCVSS 5.5EG 5.52020-09-24
A vulnerability in the CLI parser of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, local attacker to access files from the flash: filesystem. The vulnerability is due to insufficient application of restrictions…
- CVE-2020-3522MEDIUMCVSS 6.3EG 6.32020-08-26
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to bypass authorization on an affected device and access sensitive information that is…
- CVE-2020-3530HIGHCVSS 8.4EG 8.42020-09-04
A vulnerability in task group assignment for a specific CLI command in Cisco IOS XR Software could allow an authenticated, local attacker to execute that command, even though administrative privileges should be required. The attacker must …
- CVE-2020-35501LOWCVSS 3.4EG 3.42022-03-30
A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem
- CVE-2020-35547CRITICALCVSS 9.1EG 9.12021-01-29
A library index page in NuPoint Messenger in Mitel MiCollab before 9.2 FP1 could allow an unauthenticated attacker to gain access (view and modify) to user data.
- CVE-2020-35682HIGHCVSS 8.8EG 8.82021-03-13
Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).
- CVE-2020-3578MEDIUMCVSS 5.3EG 6.52020-10-21
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access rule and acce…
- CVE-2020-3592MEDIUMCVSS 6.5EG 6.52020-11-06
A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization and modify the configuration of an affected system. The vulnerability is due to in…
- CVE-2020-35948CRITICALCVSS 9.9EG 9.92021-01-01
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote co…
- CVE-2020-35951CRITICALCVSS 9.9EG 9.92021-01-01
An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall w…
- CVE-2020-3600HIGHCVSS 7.8EG 7.82020-11-06
A vulnerability in Cisco SD-WAN Software could allow an authenticated, local attacker to elevate privileges to root on the underlying operating system. The vulnerability is due to insufficient security controls on the CLI. An attacker coul…
- CVE-2020-36173MEDIUMCVSS 5.3EG 5.32021-01-06
The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields.
- CVE-2020-36175MEDIUMCVSS 5.3EG 5.32021-01-06
The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field.
- CVE-2020-36176HIGHCVSS 7.5EG 7.52021-01-06
The iThemes Security (formerly Better WP Security) plugin before 7.7.0 for WordPress does not enforce a new-password requirement for an existing account until the second login occurs.
- CVE-2020-36238MEDIUMCVSS 5.3EG 5.32021-04-01
The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is…
- CVE-2020-36287MEDIUMCVSS 5.3EG 5.32021-04-09
The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget rela…
- CVE-2020-36289MEDIUMCVSS 5.3EG 9.02021-05-12
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are bef…
- CVE-2020-36610MEDIUMCVSS 4.3EG 8.02022-12-08
A vulnerability was found in annyshow DuxCMS 2.1. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has bee…
- CVE-2020-36622MEDIUMCVSS 4.3EG 6.52022-12-21
A vulnerability was found in sah-comp bienlein and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is …
- CVE-2020-36623MEDIUMCVSS 4.3EG 6.52022-12-21
A vulnerability was found in Pengu. It has been declared as problematic. Affected by this vulnerability is the function runApp of the file src/index.js. The manipulation leads to cross-site request forgery. The attack can be launched remot…
- CVE-2020-36625MEDIUMCVSS 4.3EG 8.82022-12-22
A vulnerability was found in destiny.gg chat. It has been rated as problematic. This issue affects the function websocket.Upgrader of the file main.go. The manipulation leads to cross-site request forgery. The attack may be initiated remot…
- CVE-2020-36710MEDIUMCVSS 5.3EG 5.32023-06-07
The WPS Hide Login plugin for WordPress is vulnerable to login page disclosure even when the settings of the plugin are set to hide the login page making it possible for unauthenticated attackers to brute force credentials on sites in vers…
- CVE-2020-36714HIGHCVSS 7.4EG 7.42023-10-20
The Brizy plugin for WordPress is vulnerable to authorization bypass due to a incorrect capability check on the is_administrator() function in versions up to, and including, 1.0.125. This makes it possible for authenticated attackers to ac…
- CVE-2020-36920HIGHCVSS 8.8EG 8.82026-01-06
iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, …
- CVE-2020-36948CRITICALCVSS 9.8EG 9.82026-01-27
VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unautho…
- CVE-2020-36969HIGHCVSS 8.8EG 8.82026-01-28
M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a …
- CVE-2020-3811HIGHCVSS 7.5EG 7.52020-05-26
qmail-verify as used in netqmail 1.06 is prone to a mail-address verification bypass vulnerability.
- CVE-2020-3844LOWCVSS 3.3EG 3.32020-02-27
This issue was addressed with improved checks. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1. Users removed from an iMessage conversation may still be able to alter state.
- CVE-2020-3852MEDIUMCVSS 5.3EG 5.32020-10-27
A logic issue was addressed with improved validation. This issue is fixed in Safari 13.0.5. A URL scheme may be incorrectly ignored when determining multimedia permission for a website.
- CVE-2020-3866MEDIUMCVSS 5.5EG 5.52020-02-27
This was addressed with additional checks by Gatekeeper on files mounted through a network share. This issue is fixed in macOS Catalina 10.15.3. Searching for and opening a file from an attacker controlled NFS mount may bypass Gatekeeper.
- CVE-2020-3873LOWCVSS 3.3EG 3.32020-02-27
This issue was addressed with improved setting propagation. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1. Turning off "Load remote content in messages” may not apply to all mail previews.
- CVE-2020-3923HIGHCVSS 8.1EG 8.12020-02-27
DVR firmware in TAT-76 and TAT-77 series of products, provided by TONNET, contain misconfigured authentication mechanism. Attackers can crack the default password and gain access to the system.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →