CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,793 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 23 of 76
- CVE-2021-35368CRITICALCVSS 9.8EG 9.82021-11-05
OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.
- CVE-2021-35465LOWCVSS 3.4EG 3.42021-08-23
Certain Arm products before 2021-08-23 do not properly consider the effect of exceptions on a VLLDM instruction. A Non-secure handler may have read or write access to part of a Secure context. This affects Arm Cortex-M33 r0p0 through r1p0,…
- CVE-2021-35526MEDIUMCVSS 6.3EG 7.82021-09-08
Backup file without encryption vulnerability is found in Hitachi ABB Power Grids System Data Manager – SDM600 allows attacker to gain access to sensitive information. This issue affects: Hitachi ABB Power Grids System Data Manager – SD…
- CVE-2021-35534HIGHCVSS 7.2EG 7.22021-11-18
Insufficient security control vulnerability in internal database access mechanism of Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600 allows attacker who successfully exploited this vulnerability, of which the product do…
- CVE-2021-35550MEDIUMCVSS 5.9EG 5.92021-10-20
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Dif…
- CVE-2021-35551MEDIUMCVSS 5.5EG 5.52021-10-20
Vulnerability in the RDBMS Security component of Oracle Database Server. Supported versions that are affected are 12.2.0.1, 19c and 21c. Easily exploitable vulnerability allows high privileged attacker having DBA privilege with network acc…
- CVE-2021-35552MEDIUMCVSS 5.3EG 5.32021-10-20
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Diagnostics). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticat…
- CVE-2021-35553MEDIUMCVSS 5.4EG 6.52021-10-20
Vulnerability in the PeopleSoft Enterprise CS Student Records product of Oracle PeopleSoft (component: Class Search). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with netwo…
- CVE-2021-35559MEDIUMCVSS 5.3EG 5.32021-10-20
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0…
- CVE-2021-3560HIGHCVSS 7.8EG 9.0⚠ KEV2022-02-16
It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, creat…
- CVE-2021-3563HIGHCVSS 7.4EG 9.12022-08-26
A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerabili…
- CVE-2021-3577HIGHCVSS 8.8EG 8.82021-11-12
An unauthenticated remote code execution vulnerability was reported in some Motorola-branded Binatone Hubble Cameras that could allow an attacker on the same network unauthorized access to the device.
- CVE-2021-35943CRITICALCVSS 9.8EG 9.82021-09-29
Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using an empty password, per RFC4513.
- CVE-2021-35949MEDIUMCVSS 5.3EG 5.32021-09-07
The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share.
- CVE-2021-36039MEDIUMCVSS 6.5EG 6.52021-09-01
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. An attacker can abuse this vulnerability to disclose sens…
- CVE-2021-36091LOWCVSS 3.5EG 4.32021-07-26
Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
- CVE-2021-36132HIGHCVSS 8.8EG 8.82021-07-02
An issue was discovered in the FileImporter extension in MediaWiki through 1.36. For certain relaxed configurations of the $wgFileImporterRequiredRight variable, it might not validate all appropriate user rights, thus allowing a user with …
- CVE-2021-36167MEDIUMCVSS 4.3EG 5.32021-12-09
An improper authorization vulnerabiltiy [CWE-285] in FortiClient Windows versions 7.0.0 and 6.4.6 and below and 6.2.8 and below may allow an unauthenticated attacker to bypass the webfilter control via modifying the session-id paramater.
- CVE-2021-36169MEDIUMCVSS 4.2EG 6.02021-12-13
A Hidden Functionality in Fortinet FortiOS 7.x before 7.0.1, FortiOS 6.4.x before 6.4.7 allows attacker to Execute unauthorized code or commands via specific hex read/write operations.
- CVE-2021-36177MEDIUMCVSS 4.2EG 4.32022-02-02
An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6.3.2 and below, 6.2.x, 6.1.x, 6.0.x may allow an attacker on the same vlan as the HA management interface to make an unauthenticated direct connection to …
- CVE-2021-36183HIGHCVSS 7.4EG 7.82021-11-02
An improper authorization vulnerability [CWE-285] in FortiClient for Windows versions 7.0.1 and below and 6.4.2 and below may allow a local unprivileged attacker to escalate their privileges to SYSTEM via the named pipe responsible for For…
- CVE-2021-36225HIGHCVSS 8.8EG 8.82023-02-06
Western Digital My Cloud devices before OS5 allow REST API access by low-privileged accounts, as demonstrated by API commands for firmware uploads and installation.
- CVE-2021-36230HIGHCVSS 8.8EG 8.82021-07-20
HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the run token, allowing privilege escalation to organization owner. Fixed in v202107-1.
- CVE-2021-36232HIGHCVSS 8.8EG 8.82021-08-31
Improper Authorization in multiple functions in MIK.starlight 7.9.5.24363 allows an authenticated attacker to escalate privileges.
- CVE-2021-36305MEDIUMCVSS 6.5EG 6.52021-11-12
Dell PowerScale OneFS contains an Unsynchronized Access to Shared Data in a Multithreaded Context in SMB CA handling. An authenticated user of SMB on a cluster with CA could potentially exploit this vulnerability, leading to a denial of se…
- CVE-2021-36311MEDIUMCVSS 6.0EG 7.82021-11-23
Dell EMC Networker versions prior to 19.5 contain an Improper Authorization vulnerability. Any local malicious user with networker user privileges may exploit this vulnerability to upload malicious file to unauthorized locations and execut…
- CVE-2021-36383MEDIUMCVSS 4.3EG 4.32021-07-12
Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data is which the attacker changes the permission field from none to admin. The atta…
- CVE-2021-3658MEDIUMCVSS 6.5EG 6.52022-03-02
bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could…
- CVE-2021-36749MEDIUMCVSS 6.5EG 9.02021-09-24
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with…
- CVE-2021-36758MEDIUMCVSS 5.4EG 5.42021-07-16
1Password Connect server before 1.2 is missing validation checks, permitting users to create Secrets Automation access tokens that can be used to perform privilege escalation. Malicious users authorized to create Secrets Automation access …
- CVE-2021-36778HIGHCVSS 7.3EG 7.32022-05-02
A Incorrect Authorization vulnerability in SUSE Rancher allows administrators of third-party repositories to gather credentials that are sent to their servers. This issue affects: SUSE Rancher Rancher versions prior to 2.5.12; Rancher vers…
- CVE-2021-36909HIGHCVSS 8.8EG 8.12021-11-18
Authenticated Database Reset vulnerability in WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows any authenticated user to wipe the entire database regardless of their authorization. It leads to a complete website reset and ta…
- CVE-2021-37038HIGHCVSS 7.5EG 7.52021-12-07
There is an Improper access control vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality.
- CVE-2021-3705CRITICALCVSS 9.8EG 9.82021-11-01
Potential security vulnerabilities have been discovered on a certain HP LaserJet Pro printer that may allow an unauthorized user to reconfigure, reset the device.
- CVE-2021-37101MEDIUMCVSS 6.8EG 6.82021-09-09
There is an improper authorization vulnerability in AIS-BW50-00 9.0.6.2(H100SP10C00) and 9.0.6.2(H100SP15C00). Due to improper authorization mangement, an attakcer can exploit this vulnerability by physical accessing the device and implant…
- CVE-2021-37109HIGHCVSS 7.8EG 7.82022-02-09
There is a security protection bypass vulnerability with the modem.Successful exploitation of this vulnerability may cause memory protection failure.
- CVE-2021-37115MEDIUMCVSS 5.5EG 5.52022-02-09
There is an unauthorized rewriting vulnerability with the memory access management module on ACPU.Successful exploitation of this vulnerability may affect service confidentiality.
- CVE-2021-37234MEDIUMCVSS 6.5EG 6.52023-02-03
Incorrect Access Control vulnerability in Modern Honey Network commit 0abf0db9cd893c6d5c727d036e1f817c02de4c7b allows remote attackers to view sensitive information via crafted PUT request to Web API.
- CVE-2021-37292HIGHCVSS 7.2EG 7.22022-04-11
An Access Control vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 due to an undocumented backdoor account. A malicious user can log in using the backdor account with admin highest privileges and obtain…
- CVE-2021-37409HIGHCVSS 7.8EG 7.82022-08-18
Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable escalation of privilege via local access.
- CVE-2021-37421CRITICALCVSS 9.8EG 9.82021-08-30
Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass.
- CVE-2021-37517HIGHCVSS 7.5EG 7.52022-03-31
An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0,in the forgot-password function becuase the application allows email addresses as usernames, which can cause a Denial of Service.
- CVE-2021-37598MEDIUMCVSS 5.3EG 5.32021-08-19
WP Cerber before 8.9.3 allows bypass of /wp-json access control via a trailing ? character.
- CVE-2021-37604HIGHCVSS 7.5EG 7.52021-08-05
In version 6.5 of Microchip MiWi software and all previous versions including legacy products, there is a possibility of frame counters being validated/updated prior to the message authentication. With this vulnerability in place, an attac…
- CVE-2021-37605HIGHCVSS 7.5EG 7.52021-08-05
In version 6.5 Microchip MiWi software and all previous versions including legacy products, the stack is validating only two out of four Message Integrity Check (MIC) bytes.
- CVE-2021-3763MEDIUMCVSS 4.3EG 4.32022-08-23
A flaw was found in the Red Hat AMQ Broker management console in version 7.8 where an existing user is able to access some limited information even when the role the user is assigned to should not be allow access to the management console.…
- CVE-2021-37705CRITICALCVSS 10.0EG 10.02021-08-13
OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API call…
- CVE-2021-37791MEDIUMCVSS 4.9EG 4.92022-06-30
MyAdmin v1.0 is affected by an incorrect access control vulnerability in viewing personal center in /api/user/userData?userCode=admin.
- CVE-2021-37841HIGHCVSS 7.8EG 7.82021-08-12
Docker Desktop before 3.6.0 suffers from incorrect access control. If a low-privileged account is able to access the server running the Windows containers, it can lead to a full container compromise in both process isolation and Hyper-V is…
- CVE-2021-37852HIGHCVSS 7.8EG 7.82022-02-09
ESET products for Windows allows untrusted process to impersonate the client of a pipe, which can be leveraged by attacker to escalate privileges in the context of NT AUTHORITY\SYSTEM.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →