CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,793 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 26 of 76
- CVE-2021-41795MEDIUMCVSS 6.5EG 6.52021-09-29
The Safari app extension bundled with 1Password for Mac 7.7.0 through 7.8.x before 7.8.7 is vulnerable to authorization bypass. By targeting a vulnerable component of this extension, a malicious web page could read a subset of 1Password va…
- CVE-2021-41801HIGHCVSS 8.8EG 8.82021-10-11
The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even if it may be run at a later time (due to the job queue backlog)
- CVE-2021-41805HIGHCVSS 8.8EG 8.82021-12-12
HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalat…
- CVE-2021-41850HIGHCVSS 7.8EG 7.82022-03-11
An issue was discovered in Luna Simo PPR1.180610.011/202001031830. A pre-installed app with a package name of com.skyroam.silverhelper writes three IMEI values to system properties at system startup. The system property values can be obtai…
- CVE-2021-41873CRITICALCVSS 10.0EG 10.02021-10-26
Penguin Aurora TV Box 41502 is a high-end network HD set-top box produced by Tencent Video and Skyworth Digital. An unauthorized access vulnerability exists in the Penguin Aurora Box. An attacker can use the vulnerability to gain unauthori…
- CVE-2021-4194MEDIUMCVSS 6.5EG 6.52022-01-06
bookstack is vulnerable to Improper Access Control
- CVE-2021-41975HIGHCVSS 7.5EG 9.12021-10-08
TadTools special page is vulnerable to authorization bypass, thus remote attackers can use the specific parameter to delete arbitrary files in the system without logging in.
- CVE-2021-41976MEDIUMCVSS 5.3EG 5.32021-10-08
Tad Uploader edit book list function is vulnerable to authorization bypass, thus remote attackers can use the function to amend the folder names in the book list without logging in.
- CVE-2021-42000MEDIUMCVSS 5.3EG 6.52022-02-10
When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing users password.
- CVE-2021-42002CRITICALCVSS 9.8EG 9.82021-11-11
Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a filter bypass that leads to file-upload remote code execution.
- CVE-2021-42025MEDIUMCVSS 6.5EG 6.52021-11-09
A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly…
- CVE-2021-42026MEDIUMCVSS 4.3EG 4.32021-11-09
A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly…
- CVE-2021-42124HIGHCVSS 8.8EG 8.82021-12-07
An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform a session takeover.
- CVE-2021-42126HIGHCVSS 8.8EG 8.82021-12-07
An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.
- CVE-2021-42135HIGHCVSS 8.1EG 8.12021-10-11
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user …
- CVE-2021-42137MEDIUMCVSS 5.3EG 5.32021-10-11
An issue was discovered in Zammad before 5.0.1. In some cases, there is improper enforcement of the privilege requirement for viewing a list of tickets that shows title, state, etc.
- CVE-2021-42192HIGHCVSS 8.8EG 8.82022-05-04
Konga v0.14.9 is affected by an incorrect access control vulnerability where a specially crafted request can lead to privilege escalation.
- CVE-2021-42288MEDIUMCVSS 5.7EG 6.12021-11-10
Windows Hello Security Feature Bypass Vulnerability
- CVE-2021-42292HIGHCVSS 7.8EG 9.0⚠ KEV2021-11-10
Microsoft Excel Security Feature Bypass Vulnerability
- CVE-2021-42299MEDIUMCVSS 5.6EG 5.62021-10-20
Microsoft Surface Pro 3 Security Feature Bypass Vulnerability
- CVE-2021-42671HIGHCVSS 7.5EG 7.52021-11-05
An incorrect access control vulnerability exists in Sourcecodester Engineers Online Portal in PHP in nia_munoz_monitoring_system/admin/uploads. An attacker can leverage this vulnerability in order to bypass access controls and access all t…
- CVE-2021-4268MEDIUMCVSS 4.3EG 8.82022-12-21
A vulnerability, which was classified as problematic, was found in phpRedisAdmin up to 1.17.3. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to…
- CVE-2021-42725HIGHCVSS 7.8EG 7.82021-11-16
Adobe Bridge version 11.1.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious M4A file, potentially resulting in arbitrary code execution in the context of the current user. User interac…
- CVE-2021-4275MEDIUMCVSS 4.3EG 8.82022-12-21
A vulnerability, which was classified as problematic, was found in katlings pyambic-pentameter. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The name o…
- CVE-2021-42758HIGHCVSS 8.8EG 8.82021-12-08
An improper access control vulnerability [CWE-284] in FortiWLC 8.6.1 and below may allow an authenticated and remote attacker with low privileges to execute any command as an admin user with full access rights via bypassing the GUI restric…
- CVE-2021-42837CRITICALCVSS 9.8EG 9.82021-11-05
An issue was discovered in Talend Data Catalog before 7.3-20210930. After setting up SAML/OAuth, authentication is not correctly enforced on the native login page. Any valid user from the SAML/OAuth provider can be used as the username wit…
- CVE-2021-42855HIGHCVSS 7.8EG 7.82022-03-10
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent (DSA) uses the ".debug_command.config" file to store a json string that contains a list of IDs and pre-configured commands. The config file is subsequently used by…
- CVE-2021-42954HIGHCVSS 7.8EG 7.82021-11-17
Zoho Remote Access Plus Server Windows Desktop Binary fixed from 10.1.2121.1 is affected by incorrect access control. The installation directory is vulnerable to weak file permissions by allowing full control for Windows Everyone user grou…
- CVE-2021-42955HIGHCVSS 7.3EG 7.82021-11-17
Zoho Remote Access Plus Server Windows Desktop binary fixed in version 10.1.2132 is affected by an unauthorized password reset vulnerability. Because of the designed password reset mechanism, any non-admin Windows user can reset the passwo…
- CVE-2021-43051HIGHCVSS 7.1EG 6.82021-12-14
The Spotfire Server component of TIBCO Software Inc.'s TIBCO Spotfire Server, TIBCO Spotfire Server, and TIBCO Spotfire Server contains a difficult to exploit vulnerability that allows malicious custom API clients with network access to ex…
- CVE-2021-43145HIGHCVSS 8.1EG 8.12022-02-04
With certain LDAP configurations, Zammad 5.0.1 was found to be vulnerable to unauthorized access with existing user accounts.
- CVE-2021-43337MEDIUMCVSS 6.5EG 6.52021-11-17
SchedMD Slurm 21.08.* before 21.08.4 has Incorrect Access Control. On sites using the new AccountingStoreFlags=job_script and/or job_env options, the access control rules in SlurmDBD may permit users to request job scripts and environment …
- CVE-2021-4334HIGHCVSS 8.8EG 8.82023-10-20
The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible…
- CVE-2021-43411HIGHCVSS 7.5EG 7.52021-11-07
An issue was discovered in GNU Hurd before 0.9 20210404-9. When trying to exec a setuid executable, there's a window of time when the process already has the new privileges, but still refers to the old task and is accessible through the ol…
- CVE-2021-43414HIGHCVSS 7.0EG 7.02021-11-07
An issue was discovered in GNU Hurd before 0.9 20210404-9. The use of an authentication protocol in the proc server is vulnerable to man-in-the-middle attacks, which can be exploited for local privilege escalation to get full root access.
- CVE-2021-4352MEDIUMCVSS 5.3EG 5.32023-06-07
The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the save_locsettings function in versions up to, and including, 1.8.1. This makes it possible for unauthenticated at…
- CVE-2021-43553LOWCVSS 3.1EG 3.12021-11-17
PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property.
- CVE-2021-43560MEDIUMCVSS 5.3EG 5.32021-11-22
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.
- CVE-2021-43703CRITICALCVSS 9.8EG 9.82021-12-09
An Incorrect Access Control vulnerability exists in zzcms less than or equal to 2019 via admin.php. After disabling JavaScript, you can directly access the administrator console.
- CVE-2021-43771HIGHCVSS 7.8EG 7.82021-11-30
Trend Micro Antivirus for Mac 2021 v11 (Consumer) is vulnerable to an improper access control privilege escalation vulnerability that could allow an attacker to establish a connection that could lead to full local privilege escalation with…
- CVE-2021-43781MEDIUMCVSS 6.4EG 6.42021-12-06
Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is publi…
- CVE-2021-43858HIGHCVSS 8.8EG 8.82021-12-27
MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The p…
- CVE-2021-43948MEDIUMCVSS 4.3EG 4.32022-02-15
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Improper Authorization vulnerability in the "Move objects" feature. The affected…
- CVE-2021-43974MEDIUMCVSS 5.3EG 5.32022-01-11
An issue was discovered in SysAid ITIL 20.4.74 b10. The /enduserreg endpoint is used to register end users anonymously, but does not respect the server-side setting that determines if anonymous users are allowed to register new accounts. C…
- CVE-2021-44204HIGHCVSS 7.8EG 7.82022-02-04
Local privilege escalation via named pipe due to improper access control checks. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035, Acronis Agent (Windows) before build 27147, Acronis Cyber Protect …
- CVE-2021-44465MEDIUMCVSS 4.3EG 5.32023-04-25
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, v…
- CVE-2021-44586HIGHCVSS 7.5EG 7.52022-01-10
An issue was discovered in dst-admin v1.3.0. The product has an unauthorized arbitrary file download vulnerability that can expose sensitive information.
- CVE-2021-44595HIGHCVSS 8.8EG 8.82022-04-29
Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to the ElevationService.exe and execute arbitrary code without any validation with SYSTEM privi…
- CVE-2021-44836MEDIUMCVSS 4.3EG 4.32022-01-18
An issue was discovered in Delta RM 1.2. The /risque/risque/workflow/reset endpoint is lacking access controls, and it is possible for an unprivileged user to reopen a risk with a POST request, using the risqueID parameter to identify the …
- CVE-2021-44877HIGHCVSS 7.5EG 7.52021-12-21
Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to Incorrect Access Control. The Systeam application is an ERP system that uses a mixed architecture based on SaaS tenant and user management, and on-premise database and web applicat…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →