CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,793 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 27 of 76
- CVE-2021-45074MEDIUMCVSS 4.3EG 5.42022-03-02
JFrog Artifactory before 7.29.3 and 6.23.38, is vulnerable to Broken Access Control, a low-privileged user is able to delete other known users OAuth token, which will force a reauthentication on an active session or in the next UI session.
- CVE-2021-45089MEDIUMCVSS 5.2EG 5.22021-12-21
Stormshield Endpoint Security 2.x before 2.1.2 has Incorrect Access Control.
- CVE-2021-45091MEDIUMCVSS 4.3EG 4.32021-12-21
Stormshield Endpoint Security from 2.1.0 to 2.1.1 has Incorrect Access Control.
- CVE-2021-45102HIGHCVSS 8.8EG 8.82021-12-16
An issue was discovered in HTCondor 9.0.x before 9.0.4 and 9.1.x before 9.1.2. When authenticating to an HTCondor daemon using a SciToken, a user may be granted authorizations beyond what the token should allow.
- CVE-2021-45310MEDIUMCVSS 5.3EG 5.32022-02-14
Sangoma Technologies Corporation Switchvox Version 102409 is affected by an information disclosure vulnerability due to an improper access restriction. Users information such as first name, last name, acount id, server uuid, email address,…
- CVE-2021-45339HIGHCVSS 7.8EG 7.82021-12-27
Privilege escalation vulnerability in Avast Antivirus prior to 20.4 allows a local user to gain elevated privileges by "hollowing" trusted process which could lead to the bypassing of Avast self-defense.
- CVE-2021-45379HIGHCVSS 8.8EG 8.82021-12-30
Glewlwyd 2.0.0, fixed in 2.6.1 is affected by an incorrect access control vulnerability. One user can attempt to log in as another user without its password.
- CVE-2021-45457HIGHCVSS 7.5EG 7.52022-01-06
In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0…
- CVE-2021-45466CRITICALCVSS 9.8EG 9.82022-12-26
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder.
- CVE-2021-45730MEDIUMCVSS 6.0EG 4.92022-05-19
JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts while Repository Layouts configuration should only be available for Platform Administrat…
- CVE-2021-46371HIGHCVSS 7.5EG 7.52022-02-14
antd-admin 5.5.0 is affected by an incorrect access control vulnerability. Unauthorized access to some interfaces in the foreground leads to leakage of sensitive information.
- CVE-2021-46418HIGHCVSS 7.5EG 7.52022-04-07
An unauthorized file creation vulnerability in Telesquare TLR-2855KS6 via PUT method can allow creation of CGI scripts.
- CVE-2021-46419CRITICALCVSS 9.1EG 9.12022-04-07
An unauthorized file deletion vulnerability in Telesquare TLR-2855KS6 via DELETE method can allow deletion of system files and scripts.
- CVE-2021-46561HIGHCVSS 7.2EG 7.22022-01-26
controller/org.controller/org.controller.js in the CVE Services API 1.1.1 before 5c50baf3bda28133a3bc90b854765a64fb538304 allows an organizational administrator to transfer a user account to an arbitrary new organization, and thereby achie…
- CVE-2021-46785MEDIUMCVSS 5.3EG 5.32022-05-13
The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.
- CVE-2021-46890CRITICALCVSS 9.8EG 9.82023-07-05
Vulnerability of incomplete read and write permission verification in the GPU module. Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability.
- CVE-2021-46891CRITICALCVSS 9.8EG 9.82023-07-05
Vulnerability of incomplete read and write permission verification in the GPU module. Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability.
- CVE-2022-0027MEDIUMCVSS 4.3EG 4.32022-05-11
An improper authorization vulnerability in Palo Alto Network Cortex XSOAR software enables authenticated users in non-Read-Only groups to generate an email report that contains summary information about all incidents in the Cortex XSOAR in…
- CVE-2022-0117MEDIUMCVSS 6.5EG 6.52022-02-12
Policy bypass in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- CVE-2022-0143CRITICALCVSS 9.3EG 9.82022-09-19
When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects: all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remo…
- CVE-2022-0164MEDIUMCVSS 4.3EG 4.32022-02-21
The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary e…
- CVE-2022-0172MEDIUMCVSS 5.3EG 6.52022-01-18
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.3. Under certain conditions it was possible to bypass the IP restriction for public projects through GraphQL allowing unauthorised users to read titles of…
- CVE-2022-0273MEDIUMCVSS 6.5EG 6.52022-01-30
Improper Access Control in Pypi calibreweb prior to 0.6.16.
- CVE-2022-0305MEDIUMCVSS 6.5EG 6.52022-02-12
Inappropriate implementation in Service Worker API in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.
- CVE-2022-0309MEDIUMCVSS 6.5EG 6.52022-02-12
Inappropriate implementation in Autofill in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
- CVE-2022-0333LOWCVSS 3.8EG 3.82022-01-25
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been rest…
- CVE-2022-0334MEDIUMCVSS 4.3EG 4.32022-01-25
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the …
- CVE-2022-0373MEDIUMCVSS 4.3EG 4.32022-04-01
Improper access control in GitLab CE/EE versions 12.4 to 14.5.4, 14.5 to 14.6.4, and 12.6 to 14.7.1 allows project non-members to retrieve the service desk email address
- CVE-2022-0390MEDIUMCVSS 4.3EG 4.32022-04-01
Improper access control in Gitlab CE/EE versions 12.7 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1 allowed for project non-members to retrieve issue details when it was linked to an item from the vulnerability dashboard.
- CVE-2022-0404MEDIUMCVSS 6.5EG 6.52022-04-04
The Material Design for Contact Form 7 WordPress plugin through 2.6.4 does not check authorization or that the option mentioned in the notice param belongs to the plugin when processing requests to the cf7md_dismiss_notice action, allowing…
- CVE-2022-0406MEDIUMCVSS 4.3EG 4.32022-04-03
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
- CVE-2022-0442MEDIUMCVSS 4.3EG 4.32022-03-07
The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another users avatar.
- CVE-2022-0451MEDIUMCVSS 6.5EG 6.52022-02-18
Dart SDK contains the HTTPClient in dart:io library whcih includes authorization headers when handling cross origin redirects. These headers may be explicitly set and contain sensitive information. By default, HttpClient handles redirectio…
- CVE-2022-0482CRITICALCVSS 9.1EG 9.12022-03-09
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3.
- CVE-2022-0574MEDIUMCVSS 6.5EG 6.52022-05-16
Improper Access Control in GitHub repository publify/publify prior to 9.2.8.
- CVE-2022-0577MEDIUMCVSS 6.5EG 6.52022-03-02
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.
- CVE-2022-0580HIGHCVSS 7.1EG 7.12022-02-14
Incorrect Authorization in Packagist librenms/librenms prior to 22.2.0.
- CVE-2022-0594MEDIUMCVSS 5.3EG 5.32022-07-25
The Professional Social Sharing Buttons, Icons & Related Posts WordPress plugin before 9.7.6 does not have proper authorisation check in one of the AJAX action, available to unauthenticated (in v < 9.7.5) and author+ (in v9.7.5) users, all…
- CVE-2022-0633MEDIUMCVSS 6.5EG 6.52022-02-17
The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as…
- CVE-2022-0670CRITICALCVSS 9.1EG 9.12022-07-25
A flaw was found in Openstack manilla owning a Ceph File system "share", which enables the owner to read/write any manilla share or entire file system. The vulnerability is due to a bug in the "volumes" plugin in Ceph Manager. This allows …
- CVE-2022-0720MEDIUMCVSS 5.4EG 5.42022-03-28
The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information about the bookings, such as the full name a…
- CVE-2022-0726MEDIUMCVSS 5.4EG 5.42022-02-23
Missing Authorization in GitHub repository chocobozzz/peertube prior to 4.1.0.
- CVE-2022-0727MEDIUMCVSS 5.4EG 5.42022-02-23
Improper Access Control in GitHub repository chocobozzz/peertube prior to 4.1.0.
- CVE-2022-0732HIGHCVSS 7.5EG 7.52022-02-24
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability.
- CVE-2022-0735CRITICALCVSS 10.0EG 9.82022-03-28
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal run…
- CVE-2022-0740LOWCVSS 3.1EG 4.32022-04-04
Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before …
- CVE-2022-0756MEDIUMCVSS 6.5EG 6.52022-03-07
Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.
- CVE-2022-0762MEDIUMCVSS 5.5EG 5.52022-02-26
Incorrect Authorization in GitHub repository microweber/microweber prior to 1.3.
- CVE-2022-0775MEDIUMCVSS 4.3EG 4.32024-01-16
The WooCommerce WordPress plugin before 6.2.1 does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment
- CVE-2022-0821MEDIUMCVSS 6.5EG 6.52022-03-11
Improper Authorization in GitHub repository orchardcms/orchardcore prior to 1.3.0.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →