CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,791 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 14 of 76
- CVE-2020-7583HIGHCVSS 7.8EG 7.82020-08-14
A vulnerability has been identified in Automation License Manager 5 (All versions), Automation License Manager 6 (All versions < V6.0.8). The application does not properly validate the users' privileges when executing some operations, whic…
- CVE-2020-7692HIGHCVSS 7.4EG 7.42020-07-09
PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initia…
- CVE-2020-7921MEDIUMCVSS 4.6EG 5.32020-05-06
Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This…
- CVE-2020-7955MEDIUMCVSS 5.3EG 5.32020-01-31
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.
- CVE-2020-8086CRITICALCVSS 9.8EG 9.82020-01-28
The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches th…
- CVE-2020-8119MEDIUMCVSS 4.3EG 4.32020-02-04
Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app.
- CVE-2020-8142MEDIUMCVSS 6.8EG 6.82020-04-03
A security restriction bypass vulnerability has been discovered in Revive Adserver version < 5.0.5 by HackerOne user hoangn144. Revive Adserver, like many other applications, requires the logged in user to type the current password in orde…
- CVE-2020-8151HIGHCVSS 7.5EG 7.52020-05-12
There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.
- CVE-2020-8212CRITICALCVSS 9.8EG 9.82020-08-17
Improper access control in Citrix XenMobile Server 10.12 before RP3, Citrix XenMobile Server 10.11 before RP6, Citrix XenMobile Server 10.10 RP6 and Citrix XenMobile Server before 10.9 RP5 allows access to privileged functionality.
- CVE-2020-8278MEDIUMCVSS 5.3EG 5.32020-11-19
Improper access control in Nextcloud Social app version 0.3.1 allowed to read posts of any user.
- CVE-2020-8334MEDIUMCVSS 6.1EG 6.12020-06-09
The BIOS tamper detection mechanism was not triggered in Lenovo ThinkPad T495s, X395, T495, A485, A285, A475, A275 which may allow for unauthorized access.
- CVE-2020-8463HIGHCVSS 7.5EG 7.52020-12-17
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to bypass a global authorization check for anonymous users by manipulating request paths.
- CVE-2020-8495HIGHCVSS 7.5EG 7.52020-01-30
In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H491delegate servlet allows an attacker with Timekeeper or Supervisor privileges to gain unauthorized administrative privileges within…
- CVE-2020-8576MEDIUMCVSS 5.4EG 5.42020-09-02
Clustered Data ONTAP versions prior to 9.3P19, 9.5P14, 9.6P9 and 9.7 are susceptible to a vulnerability which when successfully exploited could lead to addition or modification of data or disclosure of sensitive information.
- CVE-2020-8581MEDIUMCVSS 6.5EG 6.52021-01-19
Clustered Data ONTAP versions prior to 9.3P20 and 9.5 are susceptible to a vulnerability which could allow an authenticated but unauthorized attacker to overwrite arbitrary data when VMware vStorage support is enabled.
- CVE-2020-8806HIGHCVSS 7.5EG 7.52021-02-05
Electric Coin Company Zcashd before 2.1.1-1 allows attackers to trigger consensus failure and double spending. A valid chain could be incorrectly rejected because timestamp requirements on block headers were not properly enforced.
- CVE-2020-8919LOWCVSS 3.5EG 3.52020-12-10
An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other …
- CVE-2020-9004HIGHCVSS 8.8EG 8.82020-04-14
A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any read-only user to issue requests to the administration panel in order to change functionality. For example, a read-only user m…
- CVE-2020-9081LOWCVSS 3.5EG 3.52024-12-27
There is an improper authorization vulnerability in some Huawei smartphones. An attacker could perform a series of operation in specific mode to exploit this vulnerability. Successful exploit could allow the attacker to bypass app lock. (V…
- CVE-2020-9090HIGHCVSS 7.8EG 7.82020-10-12
FusionAccess version 6.5.1 has an improper authorization vulnerability. A command is authorized with incorrect privilege. Attackers with other privilege can execute the command to exploit this vulnerability. This may compromise normal serv…
- CVE-2020-9241HIGHCVSS 7.0EG 7.02020-08-17
Huawei 5G Mobile WiFi E6878-370 with versions of 10.0.3.1(H563SP1C00),10.0.3.1(H563SP21C233) have an improper authorization vulnerability. The device does not restrict certain data received from WAN port. Successful exploit could allow an …
- CVE-2020-9245MEDIUMCVSS 5.5EG 5.52020-08-10
HUAWEI P30 versions Versions earlier than 10.1.0.160(C00E160R2P11);HUAWEI P30 Pro versions Versions earlier than 10.1.0.160(C00E160R2P8) have a denial of service vulnerability. Certain system configuration can be modified because of improp…
- CVE-2020-9248MEDIUMCVSS 6.7EG 6.72020-07-31
Huawei FusionComput 8.0.0 have an improper authorization vulnerability. A module does not verify some input correctly and authorizes files with incorrect access. Attackers can exploit this vulnerability to launch privilege escalation attac…
- CVE-2020-9286MEDIUMCVSS 6.5EG 6.52020-04-07
An improper authorization vulnerability in FortiADC may allow a remote authenticated user with low privileges to perform certain actions such as rebooting the system.
- CVE-2020-9379MEDIUMCVSS 6.5EG 6.52020-02-25
The Software Development Kit of the MiContact Center Business with Site Based Security 8.0 through 9.0.1.0 before KB496276 allows an authenticated user to access sensitive information. A successful exploit could allow unauthorized access t…
- CVE-2020-9381HIGHCVSS 7.5EG 7.52020-02-24
controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954.
- CVE-2020-9399MEDIUMCVSS 5.5EG 5.52020-02-28
The Avast AV parsing engine allows virus-detection bypass via a crafted ZIP archive. This affects versions before 12 definitions 200114-0 of Antivirus Pro, Antivirus Pro Plus, and Antivirus for Linux.
- CVE-2020-9492HIGHCVSS 8.8EG 8.82021-01-26
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
- CVE-2020-9696MEDIUMCVSS 5.5EG 5.52020-08-19
Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have a security bypass vulnerability. Successful exploitation could lead to security feature bypass.
- CVE-2020-9712MEDIUMCVSS 5.5EG 5.52020-08-19
Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have a security bypass vulnerability. Successful exploitation could lead to security feature bypass.
- CVE-2020-9933LOWCVSS 3.3EG 3.32020-10-16
An authorization issue was addressed with improved state management. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8. A malicious application may be able to read sensitive location information.
- CVE-2021-0067MEDIUMCVSS 6.7EG 6.72021-06-09
Improper access control in system firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access.
- CVE-2021-0110MEDIUMCVSS 5.5EG 5.52021-11-17
Improper access control in some Intel(R) Thunderbolt(TM) Windows DCH Drivers before version 1.41.1054.0 may allow unauthenticated user to potentially enable denial of service via local access.
- CVE-2021-0124MEDIUMCVSS 6.6EG 6.62022-02-09
Improper access control in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access.
- CVE-2021-0129MEDIUMCVSS 5.7EG 5.72021-06-09
Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.
- CVE-2021-0151HIGHCVSS 7.8EG 7.82021-11-17
Improper access control in the installer for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products in Windows 10 may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2021-0164HIGHCVSS 7.8EG 7.82022-02-09
Improper access control in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable escalation of privilege via local access.
- CVE-2021-0167MEDIUMCVSS 6.7EG 6.72022-02-09
Improper access control in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable escalation of privilege via local access.
- CVE-2021-0171MEDIUMCVSS 5.5EG 5.52022-02-09
Improper access control in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2021-0196HIGHCVSS 7.8EG 7.82021-08-11
Improper access control in kernel mode driver for some Intel(R) NUC 9 Extreme Laptop Kits before version 2.2.0.20 may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2021-0198MEDIUMCVSS 4.4EG 4.42021-11-17
Improper access control in the firmware for the Intel(R) Ethernet Network Controller E810 before version 1.5.5.6 may allow a privileged user to potentially enable a denial of service via local access.
- CVE-2021-0260HIGHCVSS 7.3EG 7.32021-04-22
An improper authorization vulnerability in the Simple Network Management Protocol daemon (snmpd) service of Juniper Networks Junos OS leads an unauthenticated attacker being able to perform SNMP read actions, an Exposure of System Data to …
- CVE-2021-0317HIGHCVSS 7.8EG 7.82021-01-11
In createOrUpdate of Permission.java and related code, there is possible permission escalation due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is neede…
- CVE-2021-0319HIGHCVSS 7.3EG 7.32021-01-11
In checkCallerIsSystemOr of CompanionDeviceManagerService.java, there is a possible way to get a nearby Bluetooth device's MAC address without appropriate permissions due to a permissions bypass. This could lead to local escalation of priv…
- CVE-2021-0376HIGHCVSS 7.8EG 7.82021-03-10
In checkUriPermission and related functions of MediaProvider.java, there is a possible way to access external files due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges neede…
- CVE-2021-0382MEDIUMCVSS 5.5EG 5.52021-03-10
In checkSlicePermission of SliceManagerService.java, there is a possible resource exposure due to an incorrect permission check. This could lead to local information disclosure with no additional execution privileges needed. User interacti…
- CVE-2021-0415MEDIUMCVSS 5.5EG 5.52021-08-18
In memory management driver, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for e…
- CVE-2021-0472HIGHCVSS 7.8EG 7.82021-06-11
In shouldLockKeyguard of LockTaskController.java, there is a possible way to exit App Pinning without a PIN due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User …
- CVE-2021-0505HIGHCVSS 7.8EG 7.82021-06-21
In the Settings app, there is a possible way to disable an always-on VPN due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for…
- CVE-2021-0571HIGHCVSS 7.8EG 7.82021-06-22
In ActivityTaskManagerService.startActivity() and AppTaskImpl.startActivity() of ActivityTaskManagerService.java and AppTaskImpl.java, there is possible access to restricted activities due to a permissions bypass. This could lead to local …
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →