CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,791 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 17 of 76
- CVE-2021-22176MEDIUMCVSS 4.3EG 4.32021-03-24
An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests
- CVE-2021-22180MEDIUMCVSS 4.3EG 4.32021-03-26
An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages.
- CVE-2021-22186MEDIUMCVSS 4.9EG 4.92021-03-24
An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners
- CVE-2021-22209HIGHCVSS 7.5EG 7.52021-05-06
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.
- CVE-2021-22211LOWCVSS 3.1EG 3.12021-05-06
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling.
- CVE-2021-22236MEDIUMCVSS 5.5EG 5.52021-08-25
Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1.
- CVE-2021-22239MEDIUMCVSS 5.0EG 5.02021-09-09
An unauthorized user was able to insert metadata when creating new issue on GitLab CE/EE 14.0 and later.
- CVE-2021-22240MEDIUMCVSS 4.2EG 4.22021-08-05
Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign on despite user cap being enabled
- CVE-2021-22243MEDIUMCVSS 5.0EG 5.02021-08-25
Under specialized conditions, GitLab CE/EE versions starting 7.10 may allow existing GitLab users to use an invite URL meant for another email address to gain access into a group.
- CVE-2021-22244LOWCVSS 3.1EG 6.52021-08-25
Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data
- CVE-2021-22247MEDIUMCVSS 4.3EG 4.32021-08-25
Improper authorization in GitLab CE/EE affecting all versions since 13.0 allows guests in private projects to view CI/CD analytics
- CVE-2021-22248MEDIUMCVSS 5.3EG 5.32021-08-23
Improper authorization on the pipelines page in GitLab CE/EE affecting all versions since 13.12 allowed unauthorized users to view some pipeline information for public projects that have access to pipelines restricted to members only
- CVE-2021-22250MEDIUMCVSS 5.4EG 5.42021-08-25
Improper authorization in GitLab CE/EE affecting all versions since 13.3 allowed users to view and delete impersonation tokens that administrators created for their account
- CVE-2021-22251MEDIUMCVSS 4.3EG 4.32021-08-23
Improper validation of invited users' email address in GitLab EE affecting all versions since 12.2 allowed projects to add members with email address domain that should be blocked by group settings
- CVE-2021-22253MEDIUMCVSS 4.9EG 4.92021-08-23
Improper authorization in GitLab EE affecting all versions since 13.4 allowed a user who previously had the necessary access to trigger deployments to protected environments under specific conditions after the access has been removed
- CVE-2021-22256MEDIUMCVSS 5.4EG 5.42021-08-25
Improper authorization in GitLab CE/EE affecting all versions since 12.6 allowed guest users to create issues for Sentry errors and track their status
- CVE-2021-22262MEDIUMCVSS 5.4EG 4.32021-10-05
Missing access control in all GitLab versions starting from 13.12 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 with Jira Cloud integration enabled allows Jira users without…
- CVE-2021-22334HIGHCVSS 7.4EG 7.42021-06-03
There is an Improper Access Control vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause app redirections.
- CVE-2021-22361HIGHCVSS 7.8EG 7.82021-06-22
There is an improper authorization vulnerability in eCNS280 V100R005C00, V100R005C10 and eSE620X vESS V100R001C10SPC200, V100R001C20SPC200. A file access is not authorized correctly. Attacker with low access may launch privilege escalation…
- CVE-2021-22385HIGHCVSS 7.8EG 7.82021-08-10
A component of the Huawei smartphone has a External Control of System or Configuration Setting vulnerability. Local attackers may exploit this vulnerability to cause Kernel Code Execution.
- CVE-2021-22389CRITICALCVSS 9.8EG 9.82021-08-02
There is a Permission Control Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause certain codes to be executed.
- CVE-2021-22398MEDIUMCVSS 4.6EG 4.62021-08-02
There is a logic error vulnerability in several smartphones. The software does not properly restrict certain operation when the Digital Balance function is on. Successful exploit could allow the attacker to bypass the Digital Balance limit…
- CVE-2021-22468LOWCVSS 3.3EG 3.32021-10-28
A component of the HarmonyOS has a Exposure of Sensitive Information to an Unauthorized Actor vulnerability. Local attackers may exploit this vulnerability to cause kernel address leakage.
- CVE-2021-22515MEDIUMCVSS 4.8EG 4.82021-07-12
Multi-Factor Authentication (MFA) functionality can be bypassed, allowing the use of single factor authentication in NetIQ Advanced Authentication versions prior to 6.3 SP4 Patch 1.
- CVE-2021-22521MEDIUMCVSS 6.7EG 6.72021-07-30
A privileged escalation vulnerability has been identified in Micro Focus ZENworks Configuration Management, affecting version 2020 Update 1 and all prior versions. The vulnerability could be exploited to gain unauthorized system privileges.
- CVE-2021-22535MEDIUMCVSS 4.9EG 4.92021-09-28
Unauthorized information security disclosure vulnerability on Micro Focus Directory and Resource Administrator (DRA) product, affecting all DRA versions prior to 10.1 Patch 1. The vulnerability could lead to unauthorized information disclo…
- CVE-2021-22861MEDIUMCVSS 6.5EG 6.52021-03-03
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to gain write access to unauthorized repositories via specifically crafted pull requests and REST API requ…
- CVE-2021-22862MEDIUMCVSS 6.5EG 6.52021-03-03
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This vulnerabil…
- CVE-2021-22863HIGHCVSS 8.1EG 8.12021-03-03
An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authori…
- CVE-2021-22865MEDIUMCVSS 6.5EG 6.52021-04-02
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App's web authentication flow to read private repository metadata via the REST API without having been g…
- CVE-2021-22966HIGHCVSS 8.8EG 8.82021-11-19
Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specia…
- CVE-2021-23015HIGHCVSS 7.2EG 7.22021-05-10
On BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x, when running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode res…
- CVE-2021-23136MEDIUMCVSS 6.5EG 6.52021-06-11
Improper Authorization vulnerability in Gallagher Command Centre Server allows macro overrides to be performed by an unprivileged Command Centre Operator. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3);…
- CVE-2021-23140CRITICALCVSS 9.9EG 8.82021-06-11
Improper Authorization vulnerability in Gallagher Command Centre Server allows command line macros to be modified by an unauthorised Command Centre Operator. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR…
- CVE-2021-23152HIGHCVSS 7.8EG 7.82022-02-09
Improper access control in the Intel(R) Advisor software before version 2021.2 may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2021-23175HIGHCVSS 8.2EG 8.22021-12-23
NVIDIA GeForce Experience contains a vulnerability in user authorization, where GameStream does not correctly apply individual user access controls for users on the same device, which, with user intervention, may lead to escalation of priv…
- CVE-2021-23188LOWCVSS 3.3EG 3.32022-08-18
Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2021-23203HIGHCVSS 7.5EG 7.52023-04-25
Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests.
- CVE-2021-23803CRITICALCVSS 9.8EG 9.82021-12-17
This affects the package latte/latte before 2.10.6. There is a way to bypass allowFunctions that will affect the security of the application. When the template is set to allow/disallow the use of certain functions, adding control character…
- CVE-2021-24006MEDIUMCVSS 6.3EG 8.82021-09-06
An improper access control vulnerability in FortiManager versions 6.4.0 to 6.4.3 may allow an authenticated attacker with a restricted user profile to access the SD-WAN Orchestrator panel via directly visiting its URL.
- CVE-2021-24146HIGHCVSS 7.5EG 7.52021-03-18
Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format …
- CVE-2021-24207MEDIUMCVSS 4.3EG 4.32021-04-05
By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages.
- CVE-2021-24244MEDIUMCVSS 6.5EG 6.52021-05-06
An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.8 did not have capability checks, allowing low privilege users, such as subscribers, to update the license options (key, email).
- CVE-2021-24278HIGHCVSS 7.5EG 7.52021-05-14
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.
- CVE-2021-24279MEDIUMCVSS 6.5EG 6.52021-05-14
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository.
- CVE-2021-24281MEDIUMCVSS 4.3EG 4.32021-05-14
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site.
- CVE-2021-24282MEDIUMCVSS 6.3EG 6.32021-05-14
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_…
- CVE-2021-24379MEDIUMCVSS 5.3EG 5.32021-06-21
The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited…
- CVE-2021-24405MEDIUMCVSS 6.5EG 6.52021-07-06
The Easy Cookies Policy WordPress plugin through 1.6.2 is lacking any capability and CSRF check when saving its settings, allowing any authenticated users (such as subscriber) to change them. If users can't register, this can be done throu…
- CVE-2021-24652MEDIUMCVSS 6.5EG 6.52021-09-27
The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10 performs incorrect checks before allowing any logged in user to perform some ajax based requests, allowing any user to modify, delete or add ultp_options values.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →