CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,793 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 22 of 76
- CVE-2021-32620HIGHCVSS 8.8EG 8.82021-05-28
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 11.10.13, 12.6.7, and 12.10.2, a user disabled on a wiki using email verification for registration canouldre-acti…
- CVE-2021-32701HIGHCVSS 7.5EG 7.52021-06-22
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope `foo` using an access token gran…
- CVE-2021-32716MEDIUMCVSS 4.4EG 4.42021-06-24
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version 6.4.1.…
- CVE-2021-32777HIGHCVSS 8.6EG 8.62021-08-24
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge m…
- CVE-2021-32779HIGHCVSS 8.6EG 8.62021-08-24
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy incorrectly handled a URI '#fragment' element as part of the path element. Envoy is configured with…
- CVE-2021-32829CRITICALCVSS 9.6EG 9.92021-08-17
ZStack is open source IaaS(infrastructure as a service) software aiming to automate datacenters, managing resources of compute, storage, and networking all by APIs. Affected versions of ZStack REST API are vulnerable to post-authentication…
- CVE-2021-32960HIGHCVSS 8.5EG 8.82022-04-01
Rockwell Automation FactoryTalk Services Platform v6.11 and earlier, if FactoryTalk Security is enabled and deployed contains a vulnerability that may allow a remote, authenticated attacker to bypass FactoryTalk Security policies based on …
- CVE-2021-32986CRITICALCVSS 9.8EG 9.82022-04-04
After Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 is unlocked by an authorized user, the unlocked state does not timeout. If the programming software is interrupted, the PLC remains unlocked. All subseq…
- CVE-2021-33058HIGHCVSS 7.8EG 7.82021-11-17
Improper access control in the installer Intel(R)Administrative Tools for Intel(R) Network Adaptersfor Windowsbefore version 1.4.0.21 may allow an unauthenticated user to potentially enable escalation of privilege via local access.
- CVE-2021-33118HIGHCVSS 7.8EG 7.82021-11-17
Improper access control in the software installer for the Intel(R) Serial IO driver for Intel(R) NUC 11 Gen before version 30.100.2104.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2021-33119MEDIUMCVSS 5.5EG 5.52022-02-09
Improper access control in the Intel(R) RealSense(TM) DCM before version 20210625 may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2021-3332MEDIUMCVSS 5.3EG 5.32021-03-01
WPS Hide Login 1.6.1 allows remote attackers to bypass a protection mechanism via post_password.
- CVE-2021-33335HIGHCVSS 7.2EG 7.22021-08-03
Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company admin…
- CVE-2021-33346CRITICALCVSS 9.8EG 9.82021-06-24
There is an arbitrary password modification vulnerability in a D-LINK DSL-2888A router product. An attacker can use this vulnerability to modify the password of the admin user without authorization.
- CVE-2021-3337HIGHCVSS 7.5EG 7.52021-01-28
The Hide-Thread-Content plugin through 2021-01-27 for MyBB allows remote attackers to bypass intended content-reading restrictions by clicking on reply or quote in the postbit.
- CVE-2021-33504MEDIUMCVSS 4.9EG 4.92022-06-02
Couchbase Server before 7.1.0 has Incorrect Access Control.
- CVE-2021-33577MEDIUMCVSS 5.3EG 5.32021-06-18
An issue was discovered in Cleo LexiCom 5.5.0.0. The requirement for the sender of an AS2 message to identify themselves (via encryption and signing of the message) can be bypassed by changing the Content-Type of the message to text/plain.
- CVE-2021-33663MEDIUMCVSS 5.3EG 5.32021-06-09
SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthor…
- CVE-2021-33686MEDIUMCVSS 5.3EG 5.32021-09-14
Under certain conditions, SAP Business One version - 10.0, allows an unauthorized attacker to get access to some encrypted sensitive information, but does not have control over kind or degree.
- CVE-2021-33718MEDIUMCVSS 5.3EG 5.32021-07-13
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.22), Mendix Applications using Mendix 8 (All versions < V8.18.7), Mendix Applications using Mendix 9 (All versions < V9.3.0). Write access chec…
- CVE-2021-33786HIGHCVSS 8.1EG 8.82021-07-14
Windows LSA Security Feature Bypass Vulnerability
- CVE-2021-33881MEDIUMCVSS 4.2EG 4.22021-06-06
On NXP MIFARE Ultralight and NTAG cards, an attacker can interrupt a write operation (aka conduct a "tear off" attack) over RFID to bypass a Monotonic Counter protection mechanism. The impact depends on how the anti tear-off feature is use…
- CVE-2021-33895HIGHCVSS 8.1EG 8.12021-06-25
ETINET BACKBOX E4.09 and H4.09 mismanages password access control. When a user uses the User ID of the process running BBSV to login to the Backbox UI application, the system procedure (USER_AUTHENTICATE_) used for verifying the Password r…
- CVE-2021-33981MEDIUMCVSS 4.3EG 4.32021-09-08
An insecure, direct object vulnerability in hunting/fishing license retrieval function of the "Fish | Hunt FL" iOS app versions 3.8.0 and earlier allows a remote authenticated attacker to retrieve other people's personal information and im…
- CVE-2021-34110HIGHCVSS 7.8EG 7.82021-07-08
WinWaste.NET version 1.0.6183.16475 has incorrect permissions, allowing a local unprivileged user to replace the executable with a malicious file that will be executed with "LocalSystem" privileges.
- CVE-2021-34203HIGHCVSS 8.1EG 8.12021-06-16
D-Link DIR-2640-US 1.01B04 is vulnerable to Incorrect Access Control. Router ac2600 (dir-2640-us), when setting PPPoE, will start quagga process in the way of whole network monitoring, and this function uses the original default password a…
- CVE-2021-34272HIGHCVSS 7.5EG 7.52021-08-03
A security flaw in the 'owned' function of a smart contract implementation for RobotCoin (RBTC), a tradeable Ethereum ERC20 token, allows attackers to hijack victim accounts and arbitrarily increase the digital supply of assets.
- CVE-2021-34273HIGHCVSS 7.5EG 7.52021-08-03
A security flaw in the 'owned' function of a smart contract implementation for BTC2X (B2X), a tradeable Ethereum ERC20 token, allows attackers to hijack victim accounts and arbitrarily increase the digital supply of assets.
- CVE-2021-34396LOWCVSS 3.0EG 2.32021-06-22
Bootloader contains a vulnerability in access permission settings where unauthorized software may be able to overwrite NVIDIA MB2 code, which would result in limited denial of service.
- CVE-2021-34434MEDIUMCVSS 5.3EG 5.32021-08-30
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are …
- CVE-2021-34466MEDIUMCVSS 5.7EG 6.12021-07-16
Windows Hello Security Feature Bypass Vulnerability
- CVE-2021-34469HIGHCVSS 8.2EG 8.12021-07-14
Microsoft Office Security Feature Bypass Vulnerability
- CVE-2021-34548HIGHCVSS 7.5EG 7.52021-06-29
An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-003. An attacker can forge RELAY_END or RELAY_RESOLVED to bypass the intended access control for ending a stream.
- CVE-2021-3456HIGHCVSS 7.1EG 7.12022-03-30
An improper authorization handling flaw was found in Foreman. The Salt plugin for the smart-proxy allows foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to a…
- CVE-2021-3457MEDIUMCVSS 6.1EG 6.12021-05-12
An improper authorization handling flaw was found in Foreman. The Shellhooks plugin for the smart-proxy allows Foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacke…
- CVE-2021-34626MEDIUMCVSS 4.3EG 4.32021-07-07
A vulnerability in the deleteCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to delete custom extensions added by administrators. This issue affects versions 2.2.3 and prior.
- CVE-2021-34627MEDIUMCVSS 4.3EG 4.32021-07-07
A vulnerability in the getSelectedMimeTypesByRole function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to view custom extensions added by administrators. This issue affects versions 2.2.3 and prior.
- CVE-2021-34647MEDIUMCVSS 6.5EG 6.52021-09-22
The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticat…
- CVE-2021-34648MEDIUMCVSS 6.4EG 4.32021-09-22
The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers…
- CVE-2021-3469MEDIUMCVSS 5.4EG 5.42021-06-03
Foreman versions before 2.3.4 and before 2.4.0 is affected by an improper authorization handling flaw. An authenticated attacker can impersonate the foreman-proxy if product enable the Puppet Certificate authority (CA) to sign certificate …
- CVE-2021-3493HIGHCVSS 8.8EG 9.0⚠ KEV2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along…
- CVE-2021-3499MEDIUMCVSS 5.6EG 5.62021-06-02
A vulnerability was found in OVN Kubernetes in versions up to and including 0.3.0 where the Egress Firewall does not reliably apply firewall rules when there is multiple DNS rules. It could lead to potentially lose of confidentiality, inte…
- CVE-2021-3511MEDIUMCVSS 4.3EG 4.32021-04-28
Disclosure of sensitive information to an unauthorized user vulnerability in Buffalo broadband routers (BHR-4GRV firmware Ver.1.99 and prior, DWR-HP-G300NH firmware Ver.1.83 and prior, HW-450HP-ZWE firmware Ver.1.99 and prior, WHR-300HP fi…
- CVE-2021-35112HIGHCVSS 8.4EG 7.82022-06-14
A user with user level permission can access graphics protected region due to improper access control in register configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial…
- CVE-2021-3512HIGHCVSS 8.8EG 8.82021-04-28
Improper access control vulnerability in Buffalo broadband routers (BHR-4GRV firmware Ver.1.99 and prior, DWR-HP-G300NH firmware Ver.1.83 and prior, HW-450HP-ZWE firmware Ver.1.99 and prior, WHR-300HP firmware Ver.1.99 and prior, WHR-300 f…
- CVE-2021-35197HIGHCVSS 7.5EG 7.52021-07-02
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki…
- CVE-2021-35202MEDIUMCVSS 4.3EG 4.32021-09-30
NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Authorization Bypass (to access an endpoint) in FDSQueryService.
- CVE-2021-35248MEDIUMCVSS 6.8EG 4.32021-12-20
It has been reported that any Orion user, e.g. guest accounts can query the Orion.UserSettings entity and enumerate users and their basic settings.
- CVE-2021-35249MEDIUMCVSS 4.3EG 4.32022-05-17
This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. Please note the admin is unable to modify the data (read only …
- CVE-2021-35336CRITICALCVSS 9.8EG 9.82021-07-01
Tieline IP Audio Gateway 2.6.4.8 and below is affected by Incorrect Access Control. A vulnerability in the Tieline Web Administrative Interface could allow an unauthenticated user to access a sensitive part of the system with a high privil…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →