CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,794 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 28 of 76
- CVE-2022-0824HIGHCVSS 8.8EG 9.02022-03-02
Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.
- CVE-2022-0825MEDIUMCVSS 5.4EG 5.42022-04-04
The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive information about the bookings, such as the full…
- CVE-2022-0829HIGHCVSS 8.1EG 8.12022-03-02
Improper Authorization in GitHub repository webmin/webmin prior to 1.990.
- CVE-2022-0837MEDIUMCVSS 5.4EG 5.42022-04-04
The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive information about the admin, such as the …
- CVE-2022-0860CRITICALCVSS 9.1EG 9.12022-03-11
Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.
- CVE-2022-0866MEDIUMCVSS 5.3EG 5.32022-05-10
This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an…
- CVE-2022-0920HIGHCVSS 7.5EG 7.52022-04-11
The Salon booking system Free and Pro WordPress plugins before 7.6.3 do not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customer's data
- CVE-2022-0981HIGHCVSS 8.8EG 8.82022-03-23
A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operations on the database with a different set …
- CVE-2022-0984MEDIUMCVSS 4.3EG 4.32022-04-29
Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.
- CVE-2022-0985MEDIUMCVSS 4.3EG 4.32022-04-29
Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.
- CVE-2022-1105MEDIUMCVSS 4.3EG 4.32022-04-04
An improper access control vulnerability in GitLab CE/EE affecting all versions from 13.11 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an unauthorized user to access pipeline analytics even when public pipelines …
- CVE-2022-1124MEDIUMCVSS 4.3EG 4.32022-05-11
An improper authorization issue has been discovered in GitLab CE/EE affecting all versions prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0, allowing Guest project members to access trace log of jobs when it is enabled
- CVE-2022-1132MEDIUMCVSS 6.1EG 6.12022-07-23
Inappropriate implementation in Virtual Keyboard in Google Chrome on Chrome OS prior to 100.0.4896.60 allowed a local attacker to bypass navigation restrictions via physical access to the device.
- CVE-2022-1177MEDIUMCVSS 4.3EG 4.32022-03-30
Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0.
- CVE-2022-1193MEDIUMCVSS 4.3EG 4.32022-04-11
Improper access control in GitLab CE/EE versions 10.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows a malicious actor to obtain details of the latest commit in a private project via Merge Requests under certain cir…
- CVE-2022-1223MEDIUMCVSS 6.5EG 6.52022-04-04
Incorrect Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.
- CVE-2022-1224MEDIUMCVSS 6.5EG 6.52022-04-04
Improper Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.
- CVE-2022-1309CRITICALCVSS 9.6EG 9.62022-07-25
Insufficient policy enforcement in developer tools in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
- CVE-2022-1365MEDIUMCVSS 6.5EG 6.52022-04-15
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.
- CVE-2022-1401MEDIUMCVSS 6.9EG 7.52022-08-17
Improper Access Control vulnerability in the /Exago/WrImageResource.adx route as used in Device42 Asset Management Appliance allows an unauthenticated attacker to read sensitive server files with root permissions. This issue affects: Devic…
- CVE-2022-1417MEDIUMCVSS 4.3EG 4.32022-05-10
Improper access control in GitLab CE/EE affecting all versions starting from 8.12 before 14.8.6, all versions starting from 14.9 before 14.9.4, and all versions starting from 14.10 before 14.10.1 allows non-project members to access conten…
- CVE-2022-1423HIGHCVSS 7.1EG 8.82022-05-19
Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows a malicious actor wi…
- CVE-2022-1460MEDIUMCVSS 6.1EG 4.92022-05-11
An issue has been discovered in GitLab affecting all versions starting from 9.2 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not performing correct authorizations…
- CVE-2022-1466MEDIUMCVSS 6.5EG 6.52022-04-26
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.
- CVE-2022-1482MEDIUMCVSS 6.5EG 6.52022-07-26
Inappropriate implementation in WebGL in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CVE-2022-1499MEDIUMCVSS 6.3EG 6.32022-07-26
Inappropriate implementation in WebAuthentication in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to bypass same origin policy via a crafted HTML page.
- CVE-2022-1502MEDIUMCVSS 4.3EG 4.32022-05-04
Permissions were not properly verified in the API on projects using version control in Git. This allowed projects to be modified by users with only ProjectView permissions.
- CVE-2022-1545MEDIUMCVSS 4.3EG 4.32022-05-11
It was possible to disclose details of confidential notes created via the API in Gitlab CE/EE affecting all versions from 13.2 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1 if an unauthorised project member was tagged i…
- CVE-2022-1553MEDIUMCVSS 4.9EG 4.92022-05-16
Leaking password protected articles content due to improper access control in GitHub repository publify/publify prior to 9.2.8. Attackers can leverage this vulnerability to view the contents of any password-protected article present on the…
- CVE-2022-1589HIGHCVSS 7.5EG 7.52022-05-30
The Change wp-admin login WordPress plugin before 1.1.0 does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attacked could…
- CVE-2022-1631HIGHCVSS 8.8EG 8.82022-05-09
Users Account Pre-Takeover or Users Account Takeover. in GitHub repository microweber/microweber prior to 1.2.15. Victim Account Take Over. Since, there is no email confirmation, an attacker can easily create an account in the application …
- CVE-2022-1706MEDIUMCVSS 6.5EG 6.52022-05-17
A vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. The hi…
- CVE-2022-1746HIGHCVSS 7.6EG 7.62022-06-24
The authentication mechanism used by poll workers to administer voting using the tested version of Dominion Voting Systems ImageCast X can expose cryptographic secrets used to protect election information. An attacker could leverage this v…
- CVE-2022-1753MEDIUMCVSS 5.4EG 4.32022-05-17
A vulnerability, which was classified as critical, was found in WoWonder. Affected is the file /requests.php which is responsible to handle group messages. The manipulation of the argument group_id allows posting messages in other groups. …
- CVE-2022-1801HIGHCVSS 7.5EG 7.52022-06-20
The Very Simple Contact Form WordPress plugin before 11.6 exposes the solution to the captcha in the rendered contact form, both as hidden input fields and as plain text in the page, making it very easy for bots to bypass the captcha check…
- CVE-2022-1874HIGHCVSS 8.8EG 8.82022-07-27
Insufficient policy enforcement in Safe Browsing in Google Chrome on Mac prior to 102.0.5005.61 allowed a remote attacker to bypass downloads protection policy via a crafted HTML page.
- CVE-2022-1935MEDIUMCVSS 6.5EG 6.52022-06-06
Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Projec…
- CVE-2022-1936MEDIUMCVSS 6.5EG 6.52022-06-06
Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Projec…
- CVE-2022-1944MEDIUMCVSS 5.4EG 7.12022-06-06
When the feature is configured, improper authorization in the Interactive Web Terminal in GitLab CE/EE affecting all versions from 11.3 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows users with the Developer role …
- CVE-2022-1949HIGHCVSS 7.5EG 7.52022-06-02
An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any …
- CVE-2022-1981LOWCVSS 2.7EG 2.72022-07-01
An issue has been discovered in GitLab EE affecting all versions starting from 12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. In GitLab, if a group enables the setting to restrict access to users belonging to specif…
- CVE-2022-1983MEDIUMCVSS 6.5EG 4.32022-07-01
Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allowed an attacker already in possession of a valid Deploy Key or a Deploy Token to misuse it from any…
- CVE-2022-20002HIGHCVSS 7.8EG 7.82022-03-30
In incfs, there is a possible way of mounting on arbitrary paths due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.P…
- CVE-2022-2019HIGHCVSS 7.3EG 7.52022-06-09
A vulnerability classified as critical was found in SourceCodester Prison Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /classes/Users.php?f=save of the component New User Creation. The manip…
- CVE-2022-20217MEDIUMCVSS 6.5EG 6.52022-07-13
There is a unauthorized broadcast in the SprdContactsProvider. A third-party app could use this issue to delete Fdn contact.Product: AndroidVersions: Android SoCAndroid ID: A-232441378
- CVE-2022-20321LOWCVSS 3.3EG 3.32022-08-12
In Settings, there is a possible way for an application without permissions to read content of WiFi QR codes due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.…
- CVE-2022-20323MEDIUMCVSS 5.5EG 5.52022-08-12
In PackageManager, there is a possible package installation disclosure due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitatio…
- CVE-2022-20326MEDIUMCVSS 5.5EG 5.52022-08-12
In Telephony, there is a possible disclosure of SIM identifiers due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Produ…
- CVE-2022-20558LOWCVSS 3.3EG 3.32022-12-16
In registerReceivers of DeviceCapabilityListener.java, there is a possible way to change preferred TTY mode due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User …
- CVE-2022-20572MEDIUMCVSS 6.7EG 6.72022-12-16
In verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not …
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →