CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,793 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 18 of 76
- CVE-2021-24717HIGHCVSS 8.8EG 8.82021-11-01
The AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks which allows users with Subscriber roles to enumerate automations, disclose title of private posts or user emails, call functions, or perform privilege escala…
- CVE-2021-24733MEDIUMCVSS 4.3EG 4.32022-01-24
The WP Post Page Clone WordPress plugin before 1.2 allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally.
- CVE-2021-24742MEDIUMCVSS 6.5EG 6.52021-11-01
The Logo Slider and Showcase WordPress plugin before 1.3.37 allows Editor users to update the plugin's settings via the rtWLSSettings AJAX action because it uses a nonce for authorisation instead of a capability check.
- CVE-2021-24757MEDIUMCVSS 5.3EG 5.32021-11-01
The Stylish Price List WordPress plugin before 6.9.0 does not perform capability checks in its spl_upload_ser_img AJAX action (available to both unauthenticated and authenticated users), which could allow unauthenticated users to upload im…
- CVE-2021-24770MEDIUMCVSS 6.5EG 6.52021-11-01
The Stylish Price List WordPress plugin before 6.9.1 does not perform capability checks in its spl_upload_ser_img AJAX action (available to authenticated users), which could allow any authenticated users, such as subscriber, to upload arbi…
- CVE-2021-24783MEDIUMCVSS 6.5EG 6.52021-11-08
The Post Expirator WordPress plugin before 2.6.0 does not have proper capability checks in place, which could allow users with a role as low as Contributor to schedule deletion of arbitrary posts.
- CVE-2021-24788MEDIUMCVSS 6.5EG 6.52021-11-08
The Batch Cat WordPress plugin through 0.3 defines 3 custom AJAX actions, which both require authentication but are available for all roles. As a result, any authenticated user (including simple subscribers) can add/set/delete arbitrary ca…
- CVE-2021-24819MEDIUMCVSS 4.3EG 4.32021-12-13
The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be al…
- CVE-2021-24824MEDIUMCVSS 4.3EG 4.32022-03-07
The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, …
- CVE-2021-24836MEDIUMCVSS 4.3EG 4.32021-12-13
The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allows any logged-in users, such as subscribers to update them
- CVE-2021-24842MEDIUMCVSS 5.4EG 5.42021-11-29
The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks which allows users with Contributor roles to 1) list private post titles of other users and 2) change the posted date of other users' posts.
- CVE-2021-24851MEDIUMCVSS 4.3EG 4.32021-11-17
The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protect…
- CVE-2021-24872MEDIUMCVSS 6.5EG 6.52021-12-13
The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Eg. contributors can access admin posts metadata.
- CVE-2021-24905HIGHCVSS 8.0EG 8.02022-03-21
The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to dele…
- CVE-2021-24906HIGHCVSS 7.5EG 7.52022-01-24
The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin (and therefore the protection offered) via a crafted requ…
- CVE-2021-24917HIGHCVSS 7.5EG 7.52021-12-06
The WPS Hide Login WordPress plugin before 1.9.1 has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.
- CVE-2021-24947MEDIUMCVSS 6.5EG 6.52022-02-07
The RVM WordPress plugin before 6.4.2 does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, …
- CVE-2021-24993MEDIUMCVSS 6.5EG 6.52022-02-07
The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as subscriber to call them and add arbitrary products, or change …
- CVE-2021-25097MEDIUMCVSS 6.5EG 6.52022-02-01
The LabTools WordPress plugin through 1.0 does not have proper authorisation and CSRF check in place when deleting publications, allowing any authenticated users, such as subscriber to delete arbitrary publication
- CVE-2021-25228MEDIUMCVSS 5.3EG 5.32021-02-04
An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain information about hotfix history.
- CVE-2021-25229MEDIUMCVSS 5.3EG 5.32021-02-04
An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about the database server.
- CVE-2021-25244MEDIUMCVSS 5.3EG 5.32021-02-04
An improper access control vulnerability in Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain various pieces of configuration informaiton.
- CVE-2021-25245MEDIUMCVSS 5.3EG 5.32021-02-04
An improper access control vulnerability in Worry-Free Business Security 10.0 SP1 could allow an unauthenticated user to obtain various pieces of settings informaiton.
- CVE-2021-25246MEDIUMCVSS 6.5EG 6.52021-02-04
An improper access control information disclosure vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG SP1, and Worry-Free Business Security could allow an unauthenticated user to create a bogus agent on an affected …
- CVE-2021-25336LOWCVSS 2.8EG 3.32021-03-04
Improper access control in NotificationManagerService in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows untrusted applications to acquire notification access via sending a crafted malicious intent.
- CVE-2021-25337MEDIUMCVSS 4.4EG 9.0⚠ KEV2021-03-04
Improper access control in clipboard service in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows untrusted applications to read or write certain local files.
- CVE-2021-25338MEDIUMCVSS 4.4EG 5.22021-03-04
Improper memory access control in RKP in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows an attacker, given a compromised kernel, to write certain part of RKP EL2 memory region.
- CVE-2021-25340MEDIUMCVSS 5.1EG 2.42021-03-04
Improper access control vulnerability in Samsung keyboard version prior to SMR Feb-2021 Release 1 allows physically proximate attackers to change in arbitrary settings during Initialization State.
- CVE-2021-25349MEDIUMCVSS 5.5EG 7.82021-03-25
Using unsafe PendingIntent in Slow Motion Editor prior to version 3.5.18.5 allows local attackers unauthorized action without permission via hijacking the PendingIntent.
- CVE-2021-25351LOWCVSS 3.2EG 2.42021-03-25
Improper Access Control in EmailValidationView in Samsung Account prior to version 10.7.0.7 and 12.1.1.3 allows physically proximate attackers to log out user account on device without user password.
- CVE-2021-25352MEDIUMCVSS 5.5EG 7.82021-03-25
Using PendingIntent with implicit intent in Bixby Voice prior to version 3.0.52.14 allows attackers to execute privileged action by hijacking and modifying the intent.
- CVE-2021-25356HIGHCVSS 7.1EG 8.82021-04-09
An improper caller check vulnerability in Managed Provisioning prior to SMR APR-2021 Release 1 allows unprivileged application to install arbitrary application, grant device admin permission and then delete several installed application.
- CVE-2021-25366LOWCVSS 3.2EG 2.92021-03-25
Improper access control in Samsung Internet prior to version 13.2.1.70 allows physically proximate attackers to bypass the secret mode's authentication.
- CVE-2021-25369MEDIUMCVSS 6.2EG 9.0⚠ KEV2021-03-26
An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace.
- CVE-2021-25373MEDIUMCVSS 5.5EG 7.82021-04-09
Using unsafe PendingIntent in Customization Service prior to version 2.2.02.1 in Android O(8.x), 2.4.03.0 in Android P(9.0), 2.7.02.1 in Android Q(10.0) and 2.9.01.1 in Android R(11.0) allows local attackers to perform unauthorized action …
- CVE-2021-25374HIGHCVSS 8.6EG 7.52021-04-09
An improper authorization vulnerability in Samsung Members "samsungrewards" scheme for deeplink in versions 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above allows remote attackers to access a user data relate…
- CVE-2021-25382MEDIUMCVSS 6.1EG 5.52021-04-23
An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release 1 allows unauthorized access to contents in Secure Folder via debugging command.
- CVE-2021-25397MEDIUMCVSS 6.8EG 5.52021-06-11
An improper access control vulnerability in TelephonyUI prior to SMR MAY-2021 Release 1 allows local attackers to write arbitrary files of telephony process via untrusted applications.
- CVE-2021-25399HIGHCVSS 7.1EG 7.12021-06-11
Improper configuration in Smart Manager prior to version 11.0.05.0 allows attacker to access the file with system privilege.
- CVE-2021-25400HIGHCVSS 7.8EG 7.82021-06-11
Intent redirection vulnerability in Samsung Internet prior to version 14.0.1.20 allows attacker to execute privileged action.
- CVE-2021-25401HIGHCVSS 7.8EG 7.82021-06-11
Intent redirection vulnerability in Samsung Health prior to version 6.16 allows attacker to execute privileged action.
- CVE-2021-25403LOWCVSS 3.3EG 3.32021-06-11
Intent redirection vulnerability in Samsung Account prior to version 10.8.0.4 in Android P(9.0) and below, and 12.2.0.9 in Android Q(10.0) and above allows attacker to access contacts and file provider using SettingWebView component.
- CVE-2021-25405MEDIUMCVSS 5.5EG 5.52021-06-11
An improper access control vulnerability in ScreenOffActivity in Samsung Notes prior to version 4.2.04.27 allows untrusted applications to access local files.
- CVE-2021-25406MEDIUMCVSS 6.5EG 6.52021-06-11
Information exposure vulnerability in Gear S Plugin prior to version 2.2.05.20122441 allows unstrusted applications to access connected BT device information.
- CVE-2021-25409LOWCVSS 2.4EG 2.42021-06-11
Improper access in Notification setting prior to SMR JUN-2021 Release 1 allows physically proximate attackers to set arbitrary notification via physically configuring device.
- CVE-2021-25410HIGHCVSS 7.1EG 7.12021-06-11
Improper access control of a component in CallBGProvider prior to SMR JUN-2021 Release 1 allows local attackers to access arbitrary files with an escalated privilege.
- CVE-2021-25412HIGHCVSS 7.8EG 7.82021-06-11
An improper access control vulnerability in genericssoservice prior to SMR JUN-2021 Release 1 allows local attackers to execute protected activity with system privilege via untrusted applications.
- CVE-2021-25417HIGHCVSS 7.5EG 7.52021-06-11
Improper authorization in SDP SDK prior to SMR JUN-2021 Release 1 allows access to internal storage.
- CVE-2021-25418HIGHCVSS 7.8EG 7.82021-06-11
Improper component protection vulnerability in Samsung Internet prior to version 14.0.1.62 allows untrusted applications to execute arbitrary activity in specific condition.
- CVE-2021-25431MEDIUMCVSS 5.5EG 5.52021-07-08
Improper access control vulnerability in Cameralyzer prior to versions 3.2.1041 in 3.2.x, 3.3.1040 in 3.3.x, and 3.4.4210 in 3.4.x allows untrusted applications to access some functions of Cameralyzer.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →