CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,791 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 15 of 76
- CVE-2021-0644MEDIUMCVSS 5.5EG 5.52021-10-06
In conditionallyRemoveIdentifiers of SubscriptionController.java, there is a possible way to retrieve a trackable identifier due to a missing permission check. This could lead to local information disclosure with User execution privileges …
- CVE-2021-0645HIGHCVSS 7.8EG 7.82021-08-17
In shouldBlockFromTree of ExternalStorageProvider.java, there is a possible permissions bypass. This could lead to local escalation of privilege, allowing an app to read private app directories in external storage, which should be restrict…
- CVE-2021-0649HIGHCVSS 7.8EG 7.82021-12-15
In stopVpnProfile of Vpn.java, there is a possible VPN profile reset due to a permissions bypass. This could lead to local escalation of privilege CONTROL_ALWAYS_ON_VPN with no additional execution privileges needed. User interaction is no…
- CVE-2021-0680MEDIUMCVSS 5.5EG 5.52021-10-06
In system properties, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploita…
- CVE-2021-0681MEDIUMCVSS 5.5EG 5.52021-10-06
In system properties, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploita…
- CVE-2021-0682MEDIUMCVSS 5.5EG 5.52021-10-06
In sendAccessibilityEvent of NotificationManagerService.java, there is a possible disclosure of notification data due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. Use…
- CVE-2021-0686MEDIUMCVSS 5.5EG 5.52021-10-06
In getDefaultSmsPackage of RoleManagerService.java, there is a possible way to get information about the default sms app of a different device user due to a missing permission check. This could lead to local information disclosure with no …
- CVE-2021-0694HIGHCVSS 7.8EG 7.82022-04-12
In setServiceForegroundInnerLocked of ActiveServices.java, there is a possible way for a background application to regain foreground permissions due to insufficient background restrictions. This could lead to local escalation of privilege …
- CVE-2021-1034LOWCVSS 3.3EG 3.32021-12-15
In getLine1NumberForDisplay of PhoneInterfaceManager.java, there is apossible way to determine whether an app is installed, without querypermissions due to a missing permission check. This could lead to localinformation disclosure with no …
- CVE-2021-1054MEDIUMCVSS 5.5EG 5.52021-01-08
NVIDIA GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the software does not perform or incorrectly performs an authorization check when an a…
- CVE-2021-1055MEDIUMCVSS 5.3EG 5.32021-01-08
NVIDIA GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which improper access control may lead to denial of service and information disclosure.
- CVE-2021-1076MEDIUMCVSS 6.6EG 7.82021-04-21
NVIDIA GPU Display Driver for Windows and Linux, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys or nvidia.ko) where improper access control may lead to denial of service, information disclosure, or data corru…
- CVE-2021-1086HIGHCVSS 7.1EG 7.12021-04-29
NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager (vGPU plugin) where it allows guests to control unauthorized resources, which may lead to integrity and confidentiality loss or information disclosure. This affects vGP…
- CVE-2021-1107HIGHCVSS 7.8EG 7.82021-08-11
NVIDIA Linux kernel distributions contain a vulnerability in nvmap NVMAP_IOC_WRITE* paths, where improper access controls may lead to code execution, complete denial of service, and seriously compromised integrity of all system components.
- CVE-2021-1113MEDIUMCVSS 4.7EG 4.72021-08-11
NVIDIA camera firmware contains a difficult to exploit vulnerability where a highly privileged attacker can cause unauthorized modification to camera resources, which may result in complete denial of service and partial loss of data integr…
- CVE-2021-1143MEDIUMCVSS 4.3EG 4.32021-01-13
A vulnerability in Cisco Connected Mobile Experiences (CMX) API authorizations could allow an authenticated, remote attacker to enumerate what users exist on the system. The vulnerability is due to a lack of authorization checks for certai…
- CVE-2021-1144HIGHCVSS 8.8EG 8.82021-01-13
A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system. The vulnerability is due to incorrect handl…
- CVE-2021-1269MEDIUMCVSS 6.3EG 6.32021-01-20
Multiple vulnerabilities in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization. For more information ab…
- CVE-2021-1270MEDIUMCVSS 6.3EG 6.32021-01-20
Multiple vulnerabilities in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization. For more information ab…
- CVE-2021-1305HIGHCVSS 8.8EG 4.32021-01-20
Multiple vulnerabilities in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization and modify the configuration of an affected system, gain access to sensit…
- CVE-2021-1539HIGHCVSS 8.1EG 8.12021-06-04
Multiple vulnerabilities in the authorization process of Cisco ASR 5000 Series Software (StarOS) could allow an authenticated, remote attacker to bypass authorization and execute a subset of CLI commands on an affected device. For more inf…
- CVE-2021-1540HIGHCVSS 8.1EG 8.12021-06-04
Multiple vulnerabilities in the authorization process of Cisco ASR 5000 Series Software (StarOS) could allow an authenticated, remote attacker to bypass authorization and execute a subset of CLI commands on an affected device. For more inf…
- CVE-2021-1577CRITICALCVSS 9.1EG 9.12021-08-25
A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an unauthenticated, remote attacker to read or write arbi…
- CVE-2021-1583MEDIUMCVSS 4.4EG 4.42021-08-25
A vulnerability in the fabric infrastructure file system access control of Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an authenticated, local attacker to read arbitrary files on an …
- CVE-2021-1638HIGHCVSS 7.7EG 5.52021-01-12
Microsoft is aware of the "Impersonation in the Passkey Entry Protocol" vulnerability. For more information regarding the vulnerability, please see this statement from the Bluetooth SIG. To address the vulnerability, Microsof…
- CVE-2021-1669HIGHCVSS 8.8EG 8.82021-01-12
Windows Remote Desktop Security Feature Bypass Vulnerability
- CVE-2021-1854MEDIUMCVSS 4.3EG 4.32021-09-08
A call termination issue with was addressed with improved logic. This issue is fixed in iOS 14.5 and iPadOS 14.5. A legacy cellular network can automatically answer an incoming call when an ongoing call ends or drops. .
- CVE-2021-1903MEDIUMCVSS 5.3EG 5.32021-11-12
Possible denial of service scenario can occur due to lack of length check on Channel Switch Announcement IE in beacon or probe response frame in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics …
- CVE-2021-1932HIGHCVSS 8.4EG 8.42021-10-20
Improper access control in trusted application environment can cause unauthorized access to CDSP or ADSP VM memory with either privilege in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon I…
- CVE-2021-20119HIGHCVSS 7.1EG 7.12021-11-09
The password change utility for the Arris SurfBoard SB8200 can have safety measures bypassed that allow any logged-in user to change the administrator password.
- CVE-2021-20136CRITICALCVSS 9.8EG 9.82021-11-01
ManageEngine Log360 Builds < 5235 are affected by an improper access control vulnerability allowing database configuration overwrite. An unauthenticated remote attacker can send a specially crafted message to Log360 to change its backend d…
- CVE-2021-20149CRITICALCVSS 9.8EG 9.82021-12-30
Trendnet AC2600 TEW-827DRU version 2.08B01 does not have sufficient access controls for the WAN interface. The default iptables ruleset for governing access to services on the device only apply to IPv4. All services running on the devices …
- CVE-2021-20179HIGHCVSS 8.1EG 8.12021-03-15
A flaw was found in pki-core. An attacker who has successfully compromised a key could use this flaw to renew the corresponding certificate over and over again, as long as it is not explicitly revoked. The highest threat from this vulnerab…
- CVE-2021-20188HIGHCVSS 7.0EG 7.02021-02-11
A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the…
- CVE-2021-20229MEDIUMCVSS 4.3EG 4.32021-02-23
A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidenti…
- CVE-2021-20281MEDIUMCVSS 5.3EG 5.32021-03-15
It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
- CVE-2021-20282MEDIUMCVSS 5.3EG 5.32021-03-15
When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
- CVE-2021-20283MEDIUMCVSS 4.3EG 4.32021-03-15
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
- CVE-2021-20290MEDIUMCVSS 6.1EG 6.12022-03-25
An improper authorization handling flaw was found in Foreman. The OpenSCAP plugin for the smart-proxy allows foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker …
- CVE-2021-20306MEDIUMCVSS 4.3EG 4.32021-06-01
A flaw was found in the BPMN editor in version jBPM 7.51.0.Final. Any authenticated user from any project can see the name of Ruleflow Groups from other projects, despite the user not having access to those projects. The highest threat fro…
- CVE-2021-20429MEDIUMCVSS 5.3EG 5.32021-05-14
IBM QRadar User Behavior Analytics 1.0.0 through 4.1.0 could disclose sensitive information due an overly permissive cross-domain policy. IBM X-Force ID: 196334.
- CVE-2021-20461MEDIUMCVSS 6.5EG 6.52021-06-30
IBM Cognos Analytics 10.0 and 11.1 is susceptible to a weakness in the implementation of the System Appearance configuration setting. An attacker could potentially bypass business logic to modify the appearance and behavior of the applicat…
- CVE-2021-20538CRITICALCVSS 9.1EG 9.12021-05-10
IBM Cloud Pak for Security (CP4S) 1.5.0.0 and 1.5.0.1 could allow a user to obtain sensitive information or perform actions they should not have access to due to incorrect authorization mechanisms. IBM X-Force ID: 198919.
- CVE-2021-20539MEDIUMCVSS 5.3EG 5.32021-08-02
IBM Cloud Pak for Security (CP4S) 1.5.0.0, 1.5.1.0, 1.6.0.0, 1.6.1.0, 1.7.0.0, and 1.7.1.0 could disclose sensitive information to an unauthorized user through HTTP GET requests. This information could be used in further attacks against th…
- CVE-2021-20540MEDIUMCVSS 5.3EG 5.32021-08-02
IBM Cloud Pak for Security (CP4S) 1.5.0.0, 1.5.1.0, 1.6.0.0, 1.6.1.0, 1.7.0.0, and 1.7.1.0 could disclose sensitive information to an unauthorized user through HTTP GET requests. This information could be used in further attacks against th…
- CVE-2021-20541MEDIUMCVSS 5.3EG 5.32021-08-02
IBM Cloud Pak for Security (CP4S) 1.5.0.0, 1.5.1.0, 1.6.0.0, 1.6.1.0, 1.7.0.0, and 1.7.1.0 could disclose sensitive information to an unauthorized user through HTTP GET requests. This information could be used in further attacks against th…
- CVE-2021-20582MEDIUMCVSS 5.3EG 5.32021-09-14
IBM Security Secret Server up to 11.0 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force …
- CVE-2021-20599CRITICALCVSS 9.1EG 7.52021-10-14
Cleartext Transmission of Sensitive InformationCleartext transmission of sensitive information vulnerability in MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU firmware versions "26" and prior and MELSEC iQ-R series SIL2 Process CPU R08/1…
- CVE-2021-20624MEDIUMCVSS 6.5EG 6.52021-03-18
Improper access control vulnerability in Scheduler of Cybozu Office 10.0.0 to 10.8.4 allows an authenticated attacker to bypass access restriction and alter the data of Scheduler via unspecified vectors.
- CVE-2021-20625MEDIUMCVSS 4.3EG 4.32021-03-18
Improper access control vulnerability in Bulletin Board of Cybozu Office 10.0.0 to 10.8.4 allows an authenticated attacker to bypass access restriction and alter the data of Bulletin Board via unspecified vectors.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →