CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,793 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 19 of 76
- CVE-2021-25433MEDIUMCVSS 5.5EG 5.52021-07-08
Improper authorization vulnerability in Tizen factory reset policy prior to Firmware update JUL-2021 Release allows untrusted applications to perform factory reset using dbus signal.
- CVE-2021-25437CRITICALCVSS 9.8EG 9.82021-07-08
Improper access control vulnerability in Tizen FOTA service prior to Firmware update JUL-2021 Release allows attackers to arbitrary code execution by replacing FOTA update file.
- CVE-2021-25438HIGHCVSS 7.8EG 7.82021-07-08
Improper access control vulnerability in Samsung Members prior to versions 2.4.85.11 in Android O(8.1) and below, and 3.9.10.11 in Android P(9.0) and above allows untrusted applications to cause local file inclusion in webview.
- CVE-2021-25439LOWCVSS 3.3EG 3.32021-07-08
Improper access control vulnerability in Samsung Members prior to versions 2.4.85.11 in Android O(8.1) and below, and 3.9.10.11 in Android P(9.0) and above allows untrusted applications to cause arbitrary webpage loading in webview.
- CVE-2021-25440HIGHCVSS 7.8EG 7.82021-07-08
Improper access control vulnerability in FactoryCameraFB prior to version 3.4.74 allows untrusted applications to access arbitrary files with an escalated privilege.
- CVE-2021-25470HIGHCVSS 7.9EG 7.92021-10-06
An improper caller check logic of SMC call in TEEGRIS secure OS prior to SMR Oct-2021 Release 1 can be used to compromise TEE.
- CVE-2021-25472MEDIUMCVSS 4.0EG 3.32021-10-06
An improper access control vulnerability in BluetoothSettingsProvider prior to SMR Oct-2021 Release 1 allows untrusted application to overwrite some Bluetooth information.
- CVE-2021-25476MEDIUMCVSS 4.1EG 4.42021-10-06
An information disclosure vulnerability in Widevine TA log prior to SMR Oct-2021 Release 1 allows attackers to bypass the ASLR protection mechanism in TEE.
- CVE-2021-25501MEDIUMCVSS 5.7EG 3.32021-11-05
An improper access control vulnerability in SCloudBnRReceiver in SecTelephonyProvider prior to SMR Nov-2021 Release 1 allows untrusted application to call some protected providers.
- CVE-2021-25506MEDIUMCVSS 4.0EG 4.02021-11-05
Non-existent provider in Samsung Health prior to 6.19.1.0001 allows attacker to access it via malicious content provider or lead to denial of service.
- CVE-2021-25507MEDIUMCVSS 5.7EG 5.72021-11-05
Improper authorization vulnerability in Samsung Flow mobile application prior to 4.8.03.5 allows Samsung Flow PC application connected with user device to access part of notification data in Secure Folder without authorization.
- CVE-2021-25648CRITICALCVSS 9.8EG 9.82021-02-16
Mobile application "Testes de Codigo" 11.4 and prior allows an attacker to gain access to the administrative interface and premium features by tampering the boolean value of parameters "isAdmin" and "isPremium" located on device storage.
- CVE-2021-25652MEDIUMCVSS 4.9EG 5.52021-06-24
An information disclosure vulnerability was discovered in the directory and file management of Avaya Aura Appliance Virtualization Platform Utilities (AVPU). This vulnerability may potentially allow any local user to access system function…
- CVE-2021-25774MEDIUMCVSS 4.3EG 4.32021-02-03
In JetBrains TeamCity before 2020.2.1, a user could get access to the GitHub access token of another user.
- CVE-2021-25777MEDIUMCVSS 5.3EG 5.32021-02-03
In JetBrains TeamCity before 2020.2.1, permissions during token removal were checked improperly.
- CVE-2021-25920MEDIUMCVSS 6.5EG 6.52021-03-22
In OpenEMR, versions v2.7.2-rc1 to 6.0.0 are vulnerable to Improper Access Control when creating a new user, which leads to a malicious user able to read and send sensitive messages on behalf of the victim user.
- CVE-2021-25954MEDIUMCVSS 4.3EG 4.32021-08-09
In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, t…
- CVE-2021-26025HIGHCVSS 7.8EG 7.82021-01-26
PlugIns\IDE_ACDStd.apl in ACDSee Professional 2021 14.0 1721 has a User Mode Write Access Violation starting at IDE_ACDStd!zlibVersion+0x0000000000004e5e via a crafted BMP image.
- CVE-2021-26026HIGHCVSS 7.8EG 7.82021-01-26
PlugIns\IDE_ACDStd.apl in ACDSee Professional 2021 14.0 1721 has a User Mode Write Access Violation starting at IDE_ACDStd!JPEGTransW+0x000000000000c7f4 via a crafted BMP image.
- CVE-2021-26027MEDIUMCVSS 5.3EG 5.32021-03-04
An issue was discovered in Joomla! 3.0.0 through 3.9.24. Incorrect ACL checks could allow unauthorized change of the category for an article.
- CVE-2021-26040CRITICALCVSS 9.1EG 9.12021-08-24
An issue was discovered in Joomla! 4.0.0. The media manager does not correctly check the user's permissions before executing a file deletion command.
- CVE-2021-26107MEDIUMCVSS 6.3EG 4.32021-11-02
An improper access control vulnerability [CWE-284] in FortiManager versions 6.4.4 and 6.4.5 may allow an authenticated attacker with a restricted user profile to modify the VPN tunnel status of other VDOMs using VPN Manager.
- CVE-2021-26258HIGHCVSS 7.8EG 7.82022-05-12
Improper access control for the Intel(R) Killer(TM) Control Center software before version 2.4.3337.0 may allow an authorized user to potentially enable escalation of privilege via local access.
- CVE-2021-26273HIGHCVSS 7.8EG 7.82021-07-07
The Agent in NinjaRMM 5.0.909 has Incorrect Access Control.
- CVE-2021-26360HIGHCVSS 7.8EG 7.82022-11-09
An attacker with local access to the system can make unauthorized modifications of the security configuration of the SOC registers. This could allow potential corruption of AMD secure processor’s encrypted memory contents which may lead …
- CVE-2021-26376MEDIUMCVSS 5.5EG 5.52022-05-11
Insufficient checks in System Management Unit (SMU) FeatureConfig may result in reenabling features potentially resulting in denial of resources and/or denial of service.
- CVE-2021-26387LOWCVSS 3.9EG 3.92024-08-13
Insufficient access controls in ASP kernel may allow a privileged attacker with access to AMD signing keys and the BIOS menu or UEFI shell to map DRAM regions in protected areas, potentially leading to a loss of platform integrity.
- CVE-2021-26418MEDIUMCVSS 4.6EG 7.12021-05-11
Microsoft SharePoint Server Spoofing Vulnerability
- CVE-2021-26563HIGHCVSS 8.2EG 6.72021-02-26
Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
- CVE-2021-26718MEDIUMCVSS 5.5EG 5.52021-04-01
KIS for macOS in some use cases was vulnerable to AV bypass that potentially allowed an attacker to disable anti-virus protection.
- CVE-2021-26753CRITICALCVSS 9.9EG 9.92021-02-12
NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to obtain access to the operating system where NeDi is instal…
- CVE-2021-26845HIGHCVSS 7.5EG 7.52021-06-14
Information Exposure vulnerability in Hitachi ABB Power Grids eSOMS allows unauthorized user to gain access to report data if the URL used to access the report is discovered. This issue affects: Hitachi ABB Power Grids eSOMS 6.0 versions p…
- CVE-2021-26964HIGHCVSS 7.1EG 7.12021-03-05
A remote authentication restriction bypass vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the AirWave web-based management interface could allow an authenticated remote a…
- CVE-2021-27086HIGHCVSS 7.8EG 7.82021-04-13
Windows Services and Controller App Elevation of Privilege Vulnerability
- CVE-2021-27099MEDIUMCVSS 6.8EG 6.82021-03-05
In SPIRE before versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1, the "aws_iid" Node Attestor improperly normalizes the path provided through the agent ID templating feature, which may allow the issuance of an arbitrary SPIFFE ID within th…
- CVE-2021-27177CRITICALCVSS 9.8EG 9.82021-02-10
An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to bypass authentication by sending the decoded value of the GgpoZWxwCmxpc3QKd2hvCg== string to the telnet server.
- CVE-2021-27195MEDIUMCVSS 5.9EG 5.92021-03-25
Improper Authorization vulnerability in Netop Vision Pro up to and including to 9.7.1 allows an attacker to replay network traffic.
- CVE-2021-27225MEDIUMCVSS 5.4EG 5.42021-03-01
In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access.
- CVE-2021-27306HIGHCVSS 7.5EG 7.52021-03-18
An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT.
- CVE-2021-27474CRITICALCVSS 10.0EG 7.52022-03-23
Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier does not properly restrict all functions relating to IIS remoting services. This vulnerability may allow a remote, unauthenticated attacker to modify sensitive data in FactoryT…
- CVE-2021-27509HIGHCVSS 7.5EG 7.52021-02-19
In Visualware MyConnection Server before 11.0b build 5382, each published report is not associated with its own access code.
- CVE-2021-27613HIGHCVSS 7.8EG 7.82021-05-11
Under certain conditions, SAP Business One Chef cookbook, version - 9.2, 9.3, 10.0, used to install SAP Business One, allows an attacker to exploit an insecure temporary folder for incoming & outgoing payroll data and to access information…
- CVE-2021-27616HIGHCVSS 7.8EG 7.82021-05-11
Under certain conditions, SAP Business One Hana Chef Cookbook, versions - 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to install SAP Business One for SAP HANA, allows an attacker to exploit an insecure temporary backup path and to access informat…
- CVE-2021-27661HIGHCVSS 8.8EG 8.82021-07-01
Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller’s file system, allowing them to access or modify …
- CVE-2021-27663HIGHCVSS 8.2EG 9.82021-08-30
A vulnerability in versions 10.1 through 10.5 of Johnson Controls CEM Systems AC2000 allows a remote attacker to access to the system without adequate authorization. This issue affects: Johnson Controls CEM Systems AC2000 10.1; 10.2; 10.3;…
- CVE-2021-27772HIGHCVSS 7.1EG 6.52022-05-12
Users are able to read group conversations without actively taking part in them. Next to one to one conversations, users are able to start group conversations with multiple users. It was found possible to obtain the contents of these group…
- CVE-2021-27793MEDIUMCVSS 5.3EG 5.32021-08-12
ntermittent authorization failure in aaa tacacs+ with Brocade Fabric OS versions before Brocade Fabric OS v9.0.1b and after 9.0.0, also in Brocade Fabric OS before Brocade Fabric OS v8.2.3a and after v8.2.0 could cause a user with a valid …
- CVE-2021-27941MEDIUMCVSS 4.6EG 4.62021-05-06
Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi …
- CVE-2021-28146MEDIUMCVSS 6.5EG 6.52021-03-22
The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups t…
- CVE-2021-28373HIGHCVSS 7.5EG 7.52021-03-13
The auth_internal plugin in Tiny Tiny RSS (aka tt-rss) before 2021-03-12 allows an attacker to log in via the OTP code without a valid password. NOTE: this issue only affected the git master branch for a short time. However, all end users …
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →