CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,793 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 25 of 76
- CVE-2021-39876MEDIUMCVSS 4.3EG 4.32022-03-28
In all versions of GitLab CE/EE since version 11.3, the endpoint for auto-completing Assignee discloses the members of private groups.
- CVE-2021-39883MEDIUMCVSS 4.3EG 4.32021-10-04
Improper authorization checks in all versions of GitLab EE starting from 13.11 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows subgroup members to see epics from all pa…
- CVE-2021-39891MEDIUMCVSS 5.9EG 4.92021-10-05
In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure.
- CVE-2021-39902MEDIUMCVSS 4.3EG 4.32021-11-04
Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident.
- CVE-2021-39903MEDIUMCVSS 6.5EG 6.52021-11-04
In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as…
- CVE-2021-39904MEDIUMCVSS 4.3EG 4.32021-11-05
An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows a Merge R…
- CVE-2021-39911MEDIUMCVSS 4.3EG 4.32021-11-05
An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes private email address of Issue and M…
- CVE-2021-39918LOWCVSS 3.1EG 3.12021-12-13
Incorrect Authorization in GitLab EE affecting all versions starting from 11.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows a user to add comments to a vulnerability wh…
- CVE-2021-39930MEDIUMCVSS 4.3EG 4.32021-12-13
Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates
- CVE-2021-39934MEDIUMCVSS 4.3EG 4.32021-12-13
Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.…
- CVE-2021-39936LOWCVSS 3.5EG 3.52021-12-13
Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker in possession of a deploy tok…
- CVE-2021-39943MEDIUMCVSS 4.3EG 4.32022-02-09
An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed a use…
- CVE-2021-39945LOWCVSS 2.7EG 2.72021-12-13
Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an author of a Merge Request to ap…
- CVE-2021-39986MEDIUMCVSS 5.5EG 5.52022-02-09
There is an unauthorized rewriting vulnerability with the memory access management module on ACPU.Successful exploitation of this vulnerability may affect service confidentiality.
- CVE-2021-39991MEDIUMCVSS 5.5EG 5.52022-02-09
There is an unauthorized rewriting vulnerability with the memory access management module on ACPU.Successful exploitation of this vulnerability may affect service confidentiality.
- CVE-2021-39994CRITICALCVSS 9.8EG 9.82022-02-09
There is an arbitrary address access vulnerability with the product line test code.Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability.
- CVE-2021-40016MEDIUMCVSS 6.5EG 6.52022-07-12
Improper permission control vulnerability in the Bluetooth module.Successful exploitation of this vulnerability will affect confidentiality.
- CVE-2021-40044HIGHCVSS 8.8EG 8.82022-02-09
There is a permission verification vulnerability in the Bluetooth module.Successful exploitation of this vulnerability may cause unauthorized operations.
- CVE-2021-40104HIGHCVSS 7.5EG 7.52021-09-27
An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass.
- CVE-2021-4026MEDIUMCVSS 4.3EG 4.32021-11-30
bookstack is vulnerable to Improper Access Control
- CVE-2021-40456MEDIUMCVSS 5.3EG 7.52021-10-13
Windows AD FS Security Feature Bypass Vulnerability
- CVE-2021-40504MEDIUMCVSS 4.9EG 4.92021-11-10
A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display o…
- CVE-2021-40639HIGHCVSS 7.5EG 7.52021-09-15
Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js.
- CVE-2021-40654MEDIUMCVSS 6.5EG 6.52021-09-24
An information disclosure issue exist in D-LINK-DIR-615 B2 2.01mt. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page
- CVE-2021-40655HIGHCVSS 7.5EG 9.0⚠ KEV2021-09-24
An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version : 2.01MT. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page
- CVE-2021-40692MEDIUMCVSS 4.3EG 4.32022-09-29
Insufficient capability checks made it possible for teachers to download users outside of their courses.
- CVE-2021-40875HIGHCVSS 7.5EG 7.52021-09-22
Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of appli…
- CVE-2021-40884HIGHCVSS 8.1EG 8.12021-10-11
Projectsend version r1295 is affected by sensitive information disclosure. Because of not checking authorization in ids parameter in files-edit.php and id parameter in process.php function, a user with uploader role can download and edit a…
- CVE-2021-40990MEDIUMCVSS 6.5EG 6.52021-10-15
A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Pol…
- CVE-2021-40991HIGHCVSS 7.2EG 7.22021-10-15
A remote disclosure of sensitive information vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Pol…
- CVE-2021-41013MEDIUMCVSS 5.3EG 5.32021-12-08
An improper access control vulnerability [CWE-284] in FortiWeb versions 6.4.1 and below and 6.3.15 and below in the Report Browse section of Log & Report may allow an unauthorized and unauthenticated user to access the Log reports via thei…
- CVE-2021-41020HIGHCVSS 8.8EG 8.82022-05-04
An improper access control vulnerability [CWE-284] in FortiIsolator versions 2.3.2 and below may allow an authenticated, non privileged attacker to regenerate the CA certificate via the regeneration URL.
- CVE-2021-41082HIGHCVSS 7.5EG 7.52021-09-20
Discourse is a platform for community discussion. In affected versions any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control…
- CVE-2021-41093HIGHCVSS 7.4EG 7.42021-10-04
Wire is an open source secure messenger. In affected versions if the an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86 which uses a new endpoint…
- CVE-2021-41189HIGHCVSS 7.2EG 7.22021-10-29
DSpace is an open source turnkey repository application. In version 7.0, any community or collection administrator can escalate their permission up to become system administrator. This vulnerability only exists in 7.0 and does not impact 6…
- CVE-2021-41230MEDIUMCVSS 5.3EG 5.32021-11-05
Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using `allowed_idp_claims` as part of policy. If using `allow…
- CVE-2021-41233MEDIUMCVSS 6.5EG 6.52022-03-10
Nextcloud text is a collaborative document editing using Markdown built for the nextcloud server. Due to an issue with the Nextcloud Text application, which is by default shipped with Nextcloud Server, an attacker is able to access the fol…
- CVE-2021-41241MEDIUMCVSS 4.3EG 4.32022-03-08
Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolde…
- CVE-2021-41244CRITICALCVSS 9.1EG 9.12021-11-15
Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to acces…
- CVE-2021-41325MEDIUMCVSS 6.5EG 6.52021-09-30
Broken access control for user creation in Pydio Cells 2.2.9 allows remote anonymous users to create standard users via the profile parameter. (In addition, such users can be granted several admin permissions via the Roles parameter.)
- CVE-2021-4133HIGHCVSS 8.8EG 8.82022-01-25
A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.
- CVE-2021-41528MEDIUMCVSS 5.3EG 5.32025-02-07
An error when handling authorization related to the import / export interfaces on the RISC Platform prior to the saas-2021-12-29 release can potentially be exploited to access the import / export functionality with low privileges.
- CVE-2021-41554HIGHCVSS 8.8EG 8.82021-10-05
ARCHIBUS Web Central 21.3.3.815 (a version from 2014) does not properly validate requests for access to data and functionality in these affected endpoints: /archibus/schema/ab-edit-users.axvw, /archibus/schema/ab-data-dictionary-table.axvw…
- CVE-2021-41564MEDIUMCVSS 5.3EG 6.52021-10-08
Tad Honor viewing book list function is vulnerable to authorization bypass, thus remote attackers can use special parameters to delete articles arbitrarily without logging in.
- CVE-2021-41568MEDIUMCVSS 5.3EG 6.52021-10-08
Tad Web is vulnerable to authorization bypass, thus remote attackers can exploit the vulnerability to use the original function of viewing bulletin boards and uploading files in the system.
- CVE-2021-41571MEDIUMCVSS 6.5EG 6.52022-02-01
In Apache Pulsar it is possible to access data from BookKeeper that does not belong to the topics accessible by the authenticated user. The Admin API get-message-by-id requires the user to input a topic and a ledger id. The ledger id is a …
- CVE-2021-41591CRITICALCVSS 9.4EG 9.42021-10-04
ACINQ Eclair before 0.6.3 allows loss of funds because of dust HTLC exposure.
- CVE-2021-41592CRITICALCVSS 9.4EG 9.42021-10-04
Blockstream c-lightning through 0.10.1 allows loss of funds because of dust HTLC exposure.
- CVE-2021-41593HIGHCVSS 8.6EG 8.62021-10-04
Lightning Labs lnd before 0.13.3-beta allows loss of funds because of dust HTLC exposure.
- CVE-2021-41608HIGHCVSS 7.5EG 7.52022-01-28
A file disclosure vulnerability in the UploadedImageDisplay.aspx endpoint of SelectSurvey.NET before 5.052.000 allows a remote, unauthenticated attacker to retrieve survey user submitted data by modifying the value of the ID parameter in s…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →