CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,791 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 13 of 76
- CVE-2020-3952CRITICALCVSS 9.8EG 9.8⚠ KEV2020-04-10
Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.
- CVE-2020-4014MEDIUMCVSS 4.3EG 4.32020-06-01
The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability.
- CVE-2020-4026MEDIUMCVSS 4.3EG 4.32020-06-03
The CustomAppsRestResource list resource in Atlassian Navigator Links before version 3.3.23, from version 4.0.0 before version 4.3.7, from version 5.0.0 before 5.0.1, and from version 5.1.0 before 5.1.1 allows remote attackers to enumerate…
- CVE-2020-4029MEDIUMCVSS 4.3EG 4.32020-07-01
The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper au…
- CVE-2020-4249MEDIUMCVSS 6.5EG 6.52020-05-28
IBM Security Identity Governance and Intelligence 5.2.6 could disclose highly sensitive information to other authenticated users on the sytem due to incorrect authorization. IBM X-Force ID: 175485.
- CVE-2020-4348MEDIUMCVSS 6.5EG 6.52020-05-27
IBM Spectrum Scale 4.2.0.0 through 4.2.3.21 and 5.0.0.0 through 5.0.4.4 could allow an authenticated GUI user to perform unauthorized actions due to missing function level access control. IBM X-Force ID: 178414
- CVE-2020-4446MEDIUMCVSS 4.3EG 4.32020-05-06
IBM Business Process Manager 8.0, 8.5, and 8.6 and IBM Business Automation Workflow 18.0 and 19.0 could allow a remote attacker to bypass security restrictions, caused by the failure to perform insufficient authorization checks. IBM X-Forc…
- CVE-2020-4482MEDIUMCVSS 6.5EG 6.52020-11-06
IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 could allow an authenticated user to bypass security. A user with access to a snapshot could apply unauthorized additional statuses via direct rest calls. IBM X-Force ID: 18…
- CVE-2020-4495HIGHCVSS 8.8EG 8.82021-06-02
IBM Jazz Foundation and IBM Engineering products could allow a remote attacker to bypass security restrictions, caused by improper access control. By sending a specially-crafted request to the REST API, an attacker could exploit this vulne…
- CVE-2020-4621HIGHCVSS 8.8EG 8.82020-09-22
IBM Data Risk Manager (iDNA) 2.0.6 could allow an authenticated user to escalate their privileges to administrator due to insufficient authorization checks. IBM X-Force ID: 184981.
- CVE-2020-4646MEDIUMCVSS 4.3EG 4.32021-05-19
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5, 6.0.0.0 through 6.0.3.3, and 6.1.0.0 through 6.1.0.2 could allow an authenticated user to view pages they shoiuld not have access to due to improper authorization contro…
- CVE-2020-4648MEDIUMCVSS 6.5EG 6.52020-08-19
A vulnerability exsists in IBM Planning Analytics 2.0 whereby avatars in Planning Analytics Workspace could be modified by other users without authorization to do so. IBM X-Force ID: 186019.
- CVE-2020-4654MEDIUMCVSS 6.5EG 6.52021-10-08
IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow an authenticated user to obtain sensitive information due to improper permission control. IBM X-Force ID: 186090.
- CVE-2020-4794MEDIUMCVSS 5.4EG 5.42020-12-21
IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.6 could allow an authenticated user to obtain sensitive information or cuase a denial of se…
- CVE-2020-4848MEDIUMCVSS 5.4EG 5.42021-03-30
IBM UrbanCode Deploy (UCD) 6.2.7.9, 7.0.5.4, and 7.1.1.1 could allow an authenticated user to initiate a plugin or compare process resources that they should not have access to. IBM X-Force ID: 190293.
- CVE-2020-4873MEDIUMCVSS 5.3EG 5.32021-01-19
IBM Planning Analytics 2.0 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy. IBM X-Force ID: 190836.
- CVE-2020-4877CRITICALCVSS 9.8EG 9.82022-01-21
IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could be vulnerable to unauthorized modifications by using public fields in public classes. IBM X-Force ID: 190843.
- CVE-2020-5194MEDIUMCVSS 5.4EG 5.42020-01-14
The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_downloa…
- CVE-2020-5197MEDIUMCVSS 4.3EG 4.32020-01-13
An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) 5.1 through 12.6.1. It has Incorrect Access Control.
- CVE-2020-5239HIGHCVSS 8.7EG 8.72020-02-13
In Mailu before version 1.7, an authenticated user can exploit a vulnerability in Mailu fetchmail script and gain full access to a Mailu instance. Mailu servers that have open registration or untrusted users are most impacted. The master a…
- CVE-2020-5240HIGHCVSS 7.6EG 7.62020-03-13
In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other users device they…
- CVE-2020-5242HIGHCVSS 7.7EG 7.72020-02-20
openHAB before 2.5.2 allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2…
- CVE-2020-5251HIGHCVSS 7.7EG 7.72020-03-04
In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query. Using the NoSQL, you can use a regex on sessionToken and find valid accounts this way.
- CVE-2020-5275HIGHCVSS 7.6EG 7.62020-03-30
In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preven…
- CVE-2020-5279MEDIUMCVSS 4.1EG 4.12020-04-20
In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there are improper access control since the the version 1.5.0.0 for legacy controllers. - admin-dev/index.php/configure/shop/customer-preferences/ - admin-dev/index.php/improve/internatio…
- CVE-2020-5287MEDIUMCVSS 4.1EG 4.12020-04-20
In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is improper access control on customers search. The problem is fixed in 1.7.6.5.
- CVE-2020-5288MEDIUMCVSS 4.1EG 4.12020-04-20
"In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there is improper access controls on product attributes page. The problem is fixed in 1.7.6.5.
- CVE-2020-5293MEDIUMCVSS 6.5EG 6.52020-04-20
In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there are improper access controls on product page with combinations, attachments and specific prices. The problem is fixed in 1.7.6.5.
- CVE-2020-5318HIGHCVSS 7.5EG 7.52020-02-06
Dell EMC Isilon OneFS versions 8.1.2, 8.1.0.4, 8.1.0.3, and 8.0.0.7 contain a vulnerability in some configurations. An attacker may exploit this vulnerability to gain access to restricted files. The non-RAN HTTP and WebDAV file-serving com…
- CVE-2020-5333MEDIUMCVSS 4.3EG 4.32020-05-04
RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an authorization bypass vulnerability in the REST API. A remote authenticated malicious Archer user could potentially exploit this vulnerability to view unauthorized information.
- CVE-2020-5343HIGHCVSS 7.3EG 7.32020-05-04
Dell Client platforms restored using a Dell OS recovery image downloaded before December 20, 2019, may contain an insecure inherited permissions vulnerability. A local authenticated malicious user with low privileges could exploit this vul…
- CVE-2020-5372HIGHCVSS 8.6EG 8.62020-07-06
Dell EMC PowerStore versions prior to 1.0.1.0.5.002 contain a vulnerability that exposes test interface ports to external network. A remote unauthenticated attacker could potentially cause Denial of Service via test interface ports which a…
- CVE-2020-5418MEDIUMCVSS 4.3EG 4.32020-09-03
Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0 allow authenticated users having only the "cloud_controller.read" scope, but no roles in any spaces, to list all droplets in all spaces (whereas they should see none).
- CVE-2020-5582MEDIUMCVSS 4.3EG 4.32020-06-30
Cybozu Garoon 4.0.0 to 5.0.1 allows remote authenticated attackers to bypass access restriction to alter the data for the file attached to Report via unspecified vectors.
- CVE-2020-5598HIGHCVSS 7.5EG 7.52020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper access control vulnerability, which may which may …
- CVE-2020-5855MEDIUMCVSS 4.3EG 4.32020-02-06
When the Windows Logon Integration feature is configured for all versions of BIG-IP Edge Client for Windows, unauthorized users who have physical access to an authorized user's machine can get shell access under unprivileged user.
- CVE-2020-5863HIGHCVSS 8.6EG 8.62020-03-27
In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. The user which is created is only able to upload a new license to the system but cann…
- CVE-2020-6214MEDIUMCVSS 4.7EG 4.72020-04-14
SAP S/4HANA (Financial Products Subledger), version 100, uses an incorrect authorization object in some reports. Although the affected reports are protected with other authorization objects, exploitation of the vulnerability would allow an…
- CVE-2020-6307MEDIUMCVSS 4.3EG 4.32020-01-14
Automated Note Search Tool (update provided in SAP Basis 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54) does not perform sufficient authorization checks leading to the reading of sensitive information.
- CVE-2020-6311MEDIUMCVSS 6.5EG 6.52020-09-09
Banking services from SAP 9.0 (Bank Analyzer), version - 500, and SAP S/4HANA for financial products subledger, version � 100, does not correctly perform necessary authorization checks for an authenticated user due to Improper Authorizat…
- CVE-2020-6320HIGHCVSS 8.1EG 8.12020-09-09
SAP Marketing (Servlet), version-130,140,150, allows an authenticated attacker to invoke certain functions that are restricted. Limited knowledge of payload is required for an attacker to exploit the vulnerability and perform tasks related…
- CVE-2020-6362MEDIUMCVSS 6.5EG 6.52020-10-20
SAP Banking Services version 500, use an incorrect authorization object in some of its reports. Although the affected reports are protected with otherauthorization objects, exploitation of the vulnerability could lead to privilege escalati…
- CVE-2020-6380HIGHCVSS 8.8EG 8.82020-02-11
Insufficient policy enforcement in extensions in Google Chrome prior to 79.0.3945.130 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted Chrome Extension.
- CVE-2020-6528MEDIUMCVSS 4.3EG 4.32020-07-22
Incorrect security UI in basic auth in Google Chrome on iOS prior to 84.0.4147.89 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
- CVE-2020-6641MEDIUMCVSS 4.3EG 4.32021-06-02
Two authorization bypass through user-controlled key vulnerabilities in the Fortinet FortiPresence 2.1.0 administration interface may allow an attacker to gain access to some user data via portal manager or portal users parameters.
- CVE-2020-6752LOWCVSS 3.8EG 3.82020-06-17
In OMERO before 5.6.1, group owners can access members' data in other groups.
- CVE-2020-7038HIGHCVSS 7.5EG 7.52021-04-28
A vulnerability was discovered in Management component of Avaya Equinox Conferencing that could potentially allow an unauthenticated, remote attacker to gain access to screen sharing and whiteboard sessions. The affected versions of Manage…
- CVE-2020-7251MEDIUMCVSS 5.0EG 5.02020-02-14
Improper access control vulnerability in Configuration Tool in McAfee Mcafee Endpoint Security (ENS) Prior to 10.6.1 February 2020 Update allows local users to disable security features via unauthorised use of the configuration tool from o…
- CVE-2020-7300MEDIUMCVSS 4.6EG 6.32020-08-12
Improper Authorization vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated remote attackers to change the configuration when logged in with view only privileges via carefully constructed HT…
- CVE-2020-7499MEDIUMCVSS 6.5EG 6.52020-06-16
A CWE-863: Incorrect Authorization vulnerability exists in U.motion Servers and Touch Panels (affected versions listed in the security notification) which could cause unauthorized access when a low privileged user makes unauthorized change…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →