CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,793 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 20 of 76
- CVE-2021-28500CRITICALCVSS 9.1EG 7.82022-01-14
An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration.
- CVE-2021-28501CRITICALCVSS 9.1EG 7.82022-01-14
An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration.
- CVE-2021-28504HIGHCVSS 7.5EG 7.52022-04-01
On Arista Strata family products which have “TCAM profile” feature enabled when Port IPv4 access-list has a rule which matches on “vxlan” as protocol then that rule and subsequent rules ( rules declared after it in ACL ) do not mat…
- CVE-2021-28505HIGHCVSS 7.5EG 7.52022-04-14
On affected Arista EOS platforms, if a VXLAN match rule exists in an IPv4 access-list that is applied to the ingress of an L2 or an L3 port/SVI, the VXLAN rule and subsequent ACL rules in that access list will ignore the specified IP proto…
- CVE-2021-28506CRITICALCVSS 9.1EG 9.12022-01-14
An issue has recently been discovered in Arista EOS where certain gNOI APIs incorrectly skip authorization and authentication which could potentially allow a factory reset of the device.
- CVE-2021-28507MEDIUMCVSS 5.5EG 7.12022-01-14
An issue has recently been discovered in Arista EOS where, under certain conditions, the service ACL configured for OpenConfig gNOI and OpenConfig RESTCONF might be bypassed, which results in the denied requests being forwarded to the agen…
- CVE-2021-28544MEDIUMCVSS 4.3EG 4.32022-04-12
Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected l…
- CVE-2021-28567MEDIUMCVSS 6.5EG 6.52021-09-08
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify …
- CVE-2021-28661MEDIUMCVSS 4.3EG 4.32021-10-07
Default SilverStripe GraphQL Server (aka silverstripe/graphql) 3.x through 3.4.1 permission checker not inherited by query subclass.
- CVE-2021-28674MEDIUMCVSS 5.4EG 5.42021-07-30
The node management page in SolarWinds Orion Platform before 2020.2.5 HF1 allows an attacker to create or delete a node (outside of the attacker's perimeter) via an account with write permissions. This occurs because node IDs are predictab…
- CVE-2021-28681MEDIUMCVSS 5.3EG 5.32021-03-18
Pion WebRTC before 3.0.15 didn't properly tear down the DTLS Connection when certificate verification failed. The PeerConnectionState was set to failed, but a user could ignore that and continue to use the PeerConnection. )A WebRTC impleme…
- CVE-2021-28696MEDIUMCVSS 6.8EG 6.82021-08-27
IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which shoul…
- CVE-2021-28791HIGHCVSS 7.8EG 7.82021-03-18
The unofficial SwiftFormat extension before 1.3.7 for Visual Studio Code allows remote attackers to execute arbitrary code by constructing a malicious workspace with a crafted swiftformat.path configuration value that triggers execution up…
- CVE-2021-28793CRITICALCVSS 9.8EG 9.82021-04-20
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
- CVE-2021-28799CRITICALCVSS 10.0EG 10.0⚠ KEV2021-05-13
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 ve…
- CVE-2021-28819HIGHCVSS 8.8EG 8.82021-03-23
The Windows Installation component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with …
- CVE-2021-28821HIGHCVSS 8.8EG 8.82021-03-23
The Windows Installation component of TIBCO Software Inc.'s TIBCO Enterprise Message Service, TIBCO Enterprise Message Service - Community Edition, and TIBCO Enterprise Message Service - Developer Edition contains a vulnerability that theo…
- CVE-2021-28823HIGHCVSS 8.8EG 8.82021-03-23
The Windows Installation component of TIBCO Software Inc.'s TIBCO eFTL - Community Edition, TIBCO eFTL - Developer Edition, and TIBCO eFTL - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker wi…
- CVE-2021-28824HIGHCVSS 8.8EG 8.82021-03-23
The Windows Installation component of TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition, TIBCO ActiveSpaces - Developer Edition, and TIBCO ActiveSpaces - Enterprise Edition contains a vulnerability that theoretically allows a lo…
- CVE-2021-28825HIGHCVSS 8.8EG 8.82021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Enterprise Edition contains a vulnerabili…
- CVE-2021-28826HIGHCVSS 8.8EG 8.82021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition contains a vulnera…
- CVE-2021-28911CRITICALCVSS 9.8EG 9.82021-09-09
BAB TECHNOLOGIE GmbH eibPort V3 prior version 3.9.1 allow unauthenticated attackers access to /tmp path which contains some sensitive data (e.g. device serial number). Having those info, a possible loginId can be self-calculated in a brute…
- CVE-2021-28936HIGHCVSS 7.5EG 7.52021-03-29
The Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) Web management administrator password can be changed by sending a specially crafted HTTP GET request. The administrator username has to be known (default:admin) whereas no previous au…
- CVE-2021-29141MEDIUMCVSS 6.5EG 6.52021-04-29
A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this secur…
- CVE-2021-29144MEDIUMCVSS 6.5EG 6.52021-04-29
A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this secur…
- CVE-2021-29158MEDIUMCVSS 4.9EG 4.92021-04-23
Sonatype Nexus Repository Manager 3 Pro up to and including 3.30.0 has Incorrect Access Control.
- CVE-2021-29394MEDIUMCVSS 6.5EG 6.52022-02-04
Account Hijacking in /northstar/Admin/changePassword.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote authenticated users to change the password of any targeted user accounts via lack of proper authorization in…
- CVE-2021-29424HIGHCVSS 7.5EG 7.52021-04-06
The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP address…
- CVE-2021-29437HIGHCVSS 8.0EG 8.02021-04-13
ScratchOAuth2 is an Oauth implementation for Scratch. Any ScratchOAuth2-related data normally accessible and modifiable by a user can be read and modified by a third party. 1. Scratch user visits 3rd party site. 2. 3rd party site asks user…
- CVE-2021-29439HIGHCVSS 7.2EG 7.22021-04-13
The Grav admin plugin prior to version 1.10.11 does not correctly verify caller's privileges. As a consequence, users with the permission `admin.login` can install third-party plugins and their dependencies. By installing the right plugin,…
- CVE-2021-29452HIGHCVSS 8.1EG 8.12021-04-16
a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were …
- CVE-2021-29628HIGHCVSS 7.5EG 7.52021-05-28
In FreeBSD 13.0-STABLE before n245764-876ffe28796c, 12.2-STABLE before r369857, 13.0-RELEASE before p1, and 12.2-RELEASE before p7, a system call triggering a fault could cause SMAP protections to be disabled for the duration of the system…
- CVE-2021-29642MEDIUMCVSS 5.3EG 5.32021-03-30
GistPad before 0.2.7 allows a crafted workspace folder to change the URL for the Gist API, which leads to leakage of GitHub access tokens.
- CVE-2021-29658HIGHCVSS 8.8EG 8.82021-03-31
The unofficial vscode-rufo extension before 0.0.4 for Visual Studio Code allows attackers to execute arbitrary binaries if the user opens a crafted workspace folder.
- CVE-2021-29659MEDIUMCVSS 6.5EG 6.52021-05-20
ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Second…
- CVE-2021-29662HIGHCVSS 7.5EG 7.52021-03-31
The Data::Validate::IP module through 0.29 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP ad…
- CVE-2021-29671LOWCVSS 3.3EG 3.32021-04-09
IBM Spectrum Scale 5.1.0.1 could allow a local attacker to bypass the filesystem audit logging mechanism when file audit logging is enabled. IBM X-Force ID: 199478.
- CVE-2021-29678HIGHCVSS 8.7EG 8.72021-12-09
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a user with DBADM authority to access other databases and read or modify files. IBM X-Force ID: 199914.
- CVE-2021-29751MEDIUMCVSS 4.3EG 4.32021-06-28
IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.5 and 8.6 could allow an authenticated user to obtain sensitive information about another user under nondefault configurations. IBM X-Force ID: 201779.
- CVE-2021-29760MEDIUMCVSS 4.3EG 4.32021-10-06
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 could allow an authenticated user to download unauthorized files through the dashboard user interface. IBM X-Force ID: 202213.
- CVE-2021-29883MEDIUMCVSS 4.3EG 4.32021-10-21
IBM Standards Processing Engine (IBM Transformation Extender Advanced 9.0 and 10.0) does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a…
- CVE-2021-29943CRITICALCVSS 9.1EG 9.12021-04-13
When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorre…
- CVE-2021-29959MEDIUMCVSS 4.3EG 4.32021-06-24
When a user has already allowed a website to access microphone and camera, disabling camera sharing would not fully prevent the website from re-enabling it without an additional prompt. This was only possible if the website kept recording …
- CVE-2021-29961MEDIUMCVSS 4.3EG 4.32021-06-24
When styling and rendering an oversized `<select>` element, Firefox did not apply correct clipping which allowed an attacker to paint over the user interface. This vulnerability affects Firefox < 89.
- CVE-2021-3006HIGHCVSS 7.5EG 7.52021-01-03
The breed function in the smart contract implementation for Farm in Seal Finance (Seal), an Ethereum token, lacks access control and thus allows price manipulation, as exploited in the wild in December 2020 and January 2021.
- CVE-2021-30120CRITICALCVSS 9.9EG 7.52021-07-09
Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication in enforce client-side instead of server-side and can be bypassed using a local proxy. Thus rendering 2FA useless. Detailed desc…
- CVE-2021-30127HIGHCVSS 7.3EG 7.32021-04-03
TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the admin web server accessible over the Internet on TCP port 8181, which is arguably inconsistent with the "It is only available on the local network" documentation. NOTE: man…
- CVE-2021-30144MEDIUMCVSS 4.3EG 4.32021-04-06
The Dashboard plugin through 1.0.2 for GLPI allows remote low-privileged users to bypass access control on viewing information about the last ten events, the connected users, and the users in the tech category. For example, plugins/dashboa…
- CVE-2021-30192CRITICALCVSS 9.8EG 9.82021-05-25
CODESYS V2 Web-Server before 1.1.9.20 has an Improperly Implemented Security Check.
- CVE-2021-30205MEDIUMCVSS 5.3EG 5.32023-06-27
Incorrect access control in the component /index.php?mod=system&op=orgtree of dzzoffice 2.02.1_SC_UTF8 allows unauthenticated attackers to browse departments and usernames.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →