CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,793 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 21 of 76
- CVE-2021-30344HIGHCVSS 7.5EG 7.52022-06-14
Improper authorization of a replayed LTE security mode command can lead to a denial of service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdrag…
- CVE-2021-3044CRITICALCVSS 9.8EG 9.82021-06-22
An improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API. This issue impacts: C…
- CVE-2021-3049LOWCVSS 2.6EG 4.32021-09-08
An improper authorization vulnerability in the Palo Alto Networks Cortex XSOAR server enables an authenticated network-based attacker with investigation read permissions to download files from incident investigations of which they are awar…
- CVE-2021-30503CRITICALCVSS 9.8EG 9.82021-04-13
The unofficial GLSL Linting extension before 1.4.0 for Visual Studio Code allows remote code execution via a crafted glslangValidatorPath in the workspace configuration.
- CVE-2021-30531MEDIUMCVSS 6.5EG 6.52021-06-07
Insufficient policy enforcement in Content Security Policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.
- CVE-2021-30532MEDIUMCVSS 4.3EG 4.32021-06-07
Insufficient policy enforcement in Content Security Policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.
- CVE-2021-30533MEDIUMCVSS 6.5EG 9.0⚠ KEV2021-06-07
Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a crafted iframe.
- CVE-2021-30534MEDIUMCVSS 6.5EG 6.52021-06-07
Insufficient policy enforcement in iFrameSandbox in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
- CVE-2021-30537MEDIUMCVSS 4.3EG 4.32021-06-07
Insufficient policy enforcement in cookies in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass cookie policy via a crafted HTML page.
- CVE-2021-30538MEDIUMCVSS 4.3EG 4.32021-06-07
Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.
- CVE-2021-30539MEDIUMCVSS 5.4EG 5.42021-06-07
Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.
- CVE-2021-30571CRITICALCVSS 9.6EG 9.62021-08-03
Insufficient policy enforcement in DevTools in Google Chrome prior to 92.0.4515.107 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted HTML page.
- CVE-2021-30577HIGHCVSS 7.8EG 7.82021-08-03
Insufficient policy enforcement in Installer in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to perform local privilege escalation via a crafted file.
- CVE-2021-30580MEDIUMCVSS 6.5EG 6.52021-08-03
Insufficient policy enforcement in Android intents in Google Chrome prior to 92.0.4515.107 allowed an attacker who convinced a user to install a malicious application to obtain potentially sensitive information via a crafted HTML page.
- CVE-2021-30583MEDIUMCVSS 6.5EG 6.52021-08-03
Insufficient policy enforcement in image handling in iOS in Google Chrome on iOS prior to 92.0.4515.107 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- CVE-2021-3062HIGHCVSS 8.1EG 8.82021-11-10
An improper access control vulnerability in PAN-OS software enables an attacker with authenticated access to GlobalProtect portals and gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon AWS. …
- CVE-2021-30638HIGHCVSS 7.5EG 7.52021-04-27
Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue a…
- CVE-2021-30713HIGHCVSS 7.8EG 9.0⚠ KEV2021-09-08
A permissions issue was addressed with improved validation. This issue is fixed in macOS Big Sur 11.4. A malicious application may be able to bypass Privacy preferences. Apple is aware of a report that this issue may have been actively exp…
- CVE-2021-30751MEDIUMCVSS 5.5EG 5.52021-09-08
This issue was addressed with improved data protection. This issue is fixed in macOS Big Sur 11.4. A malicious application may be able to bypass certain Privacy preferences.
- CVE-2021-30783MEDIUMCVSS 6.5EG 6.52021-09-08
An access issue was addressed with improved access restrictions. This issue is fixed in macOS Big Sur 11.5, Security Update 2021-004 Catalina, Security Update 2021-005 Mojave. A sandboxed process may be able to circumvent sandbox restricti…
- CVE-2021-30856CRITICALCVSS 9.1EG 9.12021-08-24
This issue was addressed by adding a new Remote Login option for opting into Full Disk Access for Secure Shell sessions. This issue is fixed in macOS Big Sur 11.3. A malicious unsandboxed app on a system with Remote Login enabled may bypas…
- CVE-2021-30925CRITICALCVSS 9.1EG 9.12021-08-24
The issue was addressed with improved permissions logic. This issue is fixed in watchOS 8, macOS Big Sur 11.6, iOS 15 and iPadOS 15. A malicious application may be able to bypass Privacy preferences.
- CVE-2021-30972MEDIUMCVSS 5.5EG 5.52021-08-24
This issue was addressed with improved checks. This issue is fixed in Security Update 2022-001 Catalina, macOS Big Sur 11.6.3. A malicious application may be able to bypass certain Privacy preferences.
- CVE-2021-30975HIGHCVSS 8.6EG 8.62021-08-24
This issue was addressed by disabling execution of JavaScript when viewing a scripting dictionary. This issue is fixed in macOS Monterey 12.1, Security Update 2021-008 Catalina, macOS Big Sur 11.6.2. A malicious OSAX scripting addition may…
- CVE-2021-30987MEDIUMCVSS 5.5EG 5.52021-08-24
An access issue was addressed with improved access restrictions. This issue is fixed in macOS Monterey 12.1. A device may be passively tracked via BSSIDs.
- CVE-2021-31158MEDIUMCVSS 6.5EG 6.52021-05-19
In the Query Engine in Couchbase Server 6.5.x and 6.6.x through 6.6.1, Common Table Expression queries were not correctly checking the user's permissions, allowing read-access to resources beyond what those users were explicitly allowed to…
- CVE-2021-31165HIGHCVSS 7.8EG 7.82021-05-11
Windows Container Manager Service Elevation of Privilege Vulnerability
- CVE-2021-3153MEDIUMCVSS 6.5EG 6.52021-03-26
HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled. Fixed in v202103-1.
- CVE-2021-31548MEDIUMCVSS 6.5EG 6.52021-04-22
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. A MediaWiki user who is partially blocked or was unsuccessfully blocked could bypass AbuseFilter and have their edits completed.
- CVE-2021-31552MEDIUMCVSS 5.4EG 5.42021-04-22
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while bloc…
- CVE-2021-31554MEDIUMCVSS 5.4EG 5.42021-04-22
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It improperly handled account blocks for certain automatically created MediaWiki user accounts, thus allowing nefarious users to remain unblocked.
- CVE-2021-31577CRITICALCVSS 9.8EG 9.82023-02-06
In Boa, there is a possible escalation of privilege due to a missing permission check. This could lead to remote escalation of privilege from a proximal attacker with no additional execution privileges needed. User interaction is not neede…
- CVE-2021-31590HIGHCVSS 8.8EG 8.82021-07-19
PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken that is used for authentication and authorization, a user can keep his admin privileges even…
- CVE-2021-31601HIGHCVSS 7.1EG 6.52021-11-08
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. They implement a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An…
- CVE-2021-31602MEDIUMCVSS 5.3EG 9.02021-11-08
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which i…
- CVE-2021-31727HIGHCVSS 7.8EG 7.82021-05-17
Incorrect access control in zam64.sys, zam32.sys in MalwareFox AntiMalware 2.74.0.150 where IOCTL's 0x80002014, 0x80002018 expose unrestricted disk read/write capabilities respectively. A non-privileged process can open a handle to \.\Zema…
- CVE-2021-31728HIGHCVSS 7.8EG 7.82021-05-17
Incorrect access control in zam64.sys, zam32.sys in MalwareFox AntiMalware 2.74.0.150 allows a non-privileged process to open a handle to \.\ZemanaAntiMalware, register itself with the driver by sending IOCTL 0x80002010, allocate executabl…
- CVE-2021-31793HIGHCVSS 7.5EG 7.52021-05-06
An issue exists on NightOwl WDB-20-V2 WDB-20-V2_20190314 devices that allows an unauthenticated user to gain access to snapshots and video streams from the doorbell. The binary app offers a web server on port 80 that allows an unauthentica…
- CVE-2021-31829MEDIUMCVSS 5.5EG 5.52021-05-06
kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack ar…
- CVE-2021-31864MEDIUMCVSS 5.3EG 5.32021-04-28
Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler.
- CVE-2021-31865MEDIUMCVSS 5.3EG 5.32021-04-28
Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments.
- CVE-2021-31876MEDIUMCVSS 6.5EG 6.52021-05-13
Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Li…
- CVE-2021-31926MEDIUMCVSS 6.5EG 6.52021-04-30
AMP Application Deployment Service in CubeCoders AMP 2.1.x before 2.1.1.2 allows a remote, authenticated user to open ports in the local system firewall by crafting an HTTP(S) request directly to the applicable API endpoint (despite not ha…
- CVE-2021-32002MEDIUMCVSS 4.3EG 3.32021-08-05
Improper Access Control vulnerability in web service of Secomea SiteManager allows local attacker without credentials to gather network information and configuration of the SiteManager. This issue affects: Secomea SiteManager All versions …
- CVE-2021-32062MEDIUMCVSS 5.3EG 5.32021-05-06
MapServer before 7.0.8, 7.1.x and 7.2.x before 7.2.3, 7.3.x and 7.4.x before 7.4.5, and 7.5.x and 7.6.x before 7.6.3 does not properly enforce the MS_MAP_NO_PATH and MS_MAP_PATTERN restrictions that are intended to control the locations fr…
- CVE-2021-32076MEDIUMCVSS 5.3EG 5.32021-08-26
Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the 'Web Help Desk Getting Started Wizard', especially the admin account creation page, from a non-privileged IP address…
- CVE-2021-32163CRITICALCVSS 9.8EG 9.82023-02-17
Authentication vulnerability in MOSN v.0.23.0 allows attacker to escalate privileges via case-sensitive JWT authorization.
- CVE-2021-32460HIGHCVSS 7.8EG 7.82021-06-03
The Trend Micro Maximum Security 2021 (v17) consumer product is vulnerable to an improper access control vulnerability in the installer which could allow a local attacker to escalate privileges on a target machine. Please note than an atta…
- CVE-2021-32587MEDIUMCVSS 4.3EG 4.32021-08-06
An improper access control vulnerability in FortiManager and FortiAnalyzer GUI interface 7.0.0, 6.4.5 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker with restricted user profile…
- CVE-2021-32619CRITICALCVSS 9.8EG 9.82021-05-28
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file s…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →