CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,794 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 30 of 76
- CVE-2022-23139HIGHCVSS 8.8EG 8.82022-05-12
ZTE's ZXMP M721 product has a permission and access control vulnerability. Since the folder permission viewed by sftp is 666, which is inconsistent with the actual permission. It’s easy for?users to?ignore the modification?of?the file pe…
- CVE-2022-23182HIGHCVSS 8.8EG 8.82022-08-18
Improper access control in the Intel(R) Data Center Manager software before version 4.1 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
- CVE-2022-23255MEDIUMCVSS 5.9EG 5.92022-02-09
Microsoft OneDrive for Android Security Feature Bypass Vulnerability
- CVE-2022-2326MEDIUMCVSS 6.4EG 8.12022-08-05
An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible to gain access to a private project through…
- CVE-2022-23433MEDIUMCVSS 4.3EG 5.32022-02-11
Improper access control vulnerability in Reminder prior to versions 12.3.01.3000 in Android S(12), 12.2.05.6000 in Android R(11) and 11.6.08.6000 in Andoid Q(10) allows attackers to register reminders or execute exporeted activities remote…
- CVE-2022-23442MEDIUMCVSS 4.3EG 4.32022-08-03
An improper access control vulnerability [CWE-284] in FortiOS versions 6.2.0 through 6.2.11, 6.4.0 through 6.4.8 and 7.0.0 through 7.0.5 may allow an authenticated attacker with a restricted user profile to gather the checksum information …
- CVE-2022-23443HIGHCVSS 7.5EG 7.52022-05-04
An improper access control in Fortinet FortiSOAR before 7.2.0 allows unauthenticated attackers to access gateway API data via crafted HTTP GET requests.
- CVE-2022-23451HIGHCVSS 8.1EG 8.12022-09-06
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an atta…
- CVE-2022-23452MEDIUMCVSS 4.9EG 4.92022-09-01
An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of ser…
- CVE-2022-23473MEDIUMCVSS 4.3EG 4.32022-12-13
Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.148, Authorizations are not properly verified when accessing MediaWiki standalone resources. Users with read only…
- CVE-2022-23488MEDIUMCVSS 6.5EG 6.52022-12-17
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows …
- CVE-2022-23490MEDIUMCVSS 4.3EG 4.32022-12-16
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.0 expose sensitive information to Unauthorized Actors. This issue affects meetings with polls, where the attacker is a meeting participant. Subscribing to the c…
- CVE-2022-2354HIGHCVSS 7.2EG 7.22022-08-15
The WP-DBManager WordPress plugin before 2.80.8 does not prevent administrators from running arbitrary commands on the server in multisite installations, where only super-administrators should.
- CVE-2022-23551MEDIUMCVSS 5.3EG 5.32022-12-21
aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this …
- CVE-2022-23553HIGHCVSS 7.5EG 7.52022-12-28
Alpine is a scaffolding library in Java. Alpine prior to version 1.10.4 allows URL access filter bypass. This issue has been fixed in version 1.10.4. There are no known workarounds.
- CVE-2022-23615MEDIUMCVSS 5.4EG 5.42022-02-09
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can save a document with the right of the current user which allow accessing API requi…
- CVE-2022-23627MEDIUMCVSS 5.0EG 5.02022-02-08
ArchiSteamFarm (ASF) is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Due to a bug in ASF code, introduced in version V5.2.2.2, the program didn't adequately verify effective access of t…
- CVE-2022-23700MEDIUMCVSS 5.5EG 5.52022-04-04
A local unauthorized read access to files vulnerability was discovered in HPE OneView version(s): Prior to 6.6. HPE has provided a software update to resolve this vulnerability in HPE OneView.
- CVE-2022-23705HIGHCVSS 7.5EG 7.52022-05-09
A security vulnerability has been identified in HPE Nimble Storage Hybrid Flash Arrays, HPE Nimble Storage All Flash Arrays, and HPE Nimble Storage Secondary Flash Arrays which could potentially allow the upload, but not execution, of unau…
- CVE-2022-23730CRITICALCVSS 9.8EG 9.82022-03-11
The public API error causes for the attacker to be able to bypass API access control.
- CVE-2022-23739CRITICALCVSS 9.8EG 9.82023-01-17
An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This vulnerability allowed an app installed on an organization to gain acc…
- CVE-2022-23741HIGHCVSS 7.2EG 7.22022-12-14
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a …
- CVE-2022-23773HIGHCVSS 7.5EG 7.52022-02-11
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
- CVE-2022-23775CRITICALCVSS 9.8EG 9.82022-05-25
TrueStack Direct Connect 1.4.7 has Incorrect Access Control.
- CVE-2022-23822MEDIUMCVSS 6.8EG 6.82022-04-27
In this physical attack, an attacker may potentially exploit the Zynq-7000 SoC First Stage Boot Loader (FSBL) by bypassing authentication and loading a malicious image onto the device. This in turn may further allow the attacker to perform…
- CVE-2022-23994LOWCVSS 3.3EG 3.32022-02-11
An Improper access control vulnerability in StBedtimeModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to change bedtime mode without a proper permission.
- CVE-2022-23998MEDIUMCVSS 6.2EG 6.22022-02-11
Improper access control vulnerability in Camera prior to versions 11.1.02.16 in Android R(11), 10.5.03.77 in Android Q(10) and 9.0.6.68 in Android P(9) allows untrusted applications to take a picture in screenlock status.
- CVE-2022-24002MEDIUMCVSS 4.0EG 5.32022-02-11
Improper Authorization vulnerability in Link Sharing prior to version 12.4.00.3 allows attackers to open protected activity via PreconditionActivity.
- CVE-2022-2408MEDIUMCVSS 4.3EG 4.32022-07-14
The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels.
- CVE-2022-24110MEDIUMCVSS 6.5EG 6.52022-02-14
Kiteworks MFT 7.5 may allow an unauthorized user to reset other users' passwords. This is fixed in version 7.6 and later.
- CVE-2022-24128HIGHCVSS 8.0EG 8.02022-03-13
Timescale TimescaleDB 1.x and 2.x before 2.5.2 may allow privilege escalation during extension installation. The installation process uses commands such as CREATE x IF NOT EXIST that allow an unprivileged user to precreate objects. These o…
- CVE-2022-24189MEDIUMCVSS 6.5EG 6.52022-11-28
The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vu…
- CVE-2022-24306CRITICALCVSS 9.8EG 9.82022-03-02
Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled.
- CVE-2022-24307CRITICALCVSS 9.8EG 9.82022-02-03
Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)
- CVE-2022-24466MEDIUMCVSS 4.1EG 4.12022-05-10
Windows Hyper-V Security Feature Bypass Vulnerability
- CVE-2022-2456MEDIUMCVSS 4.9EG 2.72022-08-05
An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for malicious group or project maintainers …
- CVE-2022-24584MEDIUMCVSS 6.5EG 6.52022-05-11
Incorrect access control in Yubico OTP functionality of the YubiKey hardware tokens along with the Yubico OTP validation server. The Yubico OTP supposedly creates hardware bound second factor credentials. When a user reprograms the OTP fun…
- CVE-2022-2459LOWCVSS 2.7EG 2.72022-08-05
An issue has been discovered in GitLab EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for email invited members to join a project ev…
- CVE-2022-24609CRITICALCVSS 9.8EG 9.82022-03-10
Luocms v2.0 is affected by an incorrect access control vulnerability. Through /admin/templates/template_manage.php, an attacker can write an arbitrary shell file.
- CVE-2022-24714MEDIUMCVSS 5.3EG 5.32022-03-08
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly …
- CVE-2022-24721HIGHCVSS 8.1EG 8.12022-03-15
CometD is a scalable comet implementation for web messaging. In any version prior to 5.0.11, 6.0.6, and 7.0.6, internal usage of Oort and Seti channels is improperly authorized, so any remote user could subscribe and publish to those chann…
- CVE-2022-24730HIGHCVSS 7.7EG 7.72022-03-23
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug, compounded by an improper access control bug,…
- CVE-2022-24748MEDIUMCVSS 6.8EG 6.82022-03-09
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result …
- CVE-2022-24755HIGHCVSS 8.1EG 8.12022-03-15
Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director >= 18.2 >= 18.2 but prior to 21.1.0, 20.0.6, and 19.2.12 is built and configured for PAM authentication, it will skip au…
- CVE-2022-24778HIGHCVSS 7.5EG 7.52022-03-25
The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuth…
- CVE-2022-24783CRITICALCVSS 10.0EG 10.02022-03-25
Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permis…
- CVE-2022-24841MEDIUMCVSS 6.5EG 6.52022-04-18
fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted…
- CVE-2022-24865MEDIUMCVSS 6.5EG 6.52022-04-20
HumHub is an Open Source Enterprise Social Network. In affected versions users who are forced to change their password by an administrator may retrieve other users' data. This issue has been resolved by commit `eb83de20`. It is recommended…
- CVE-2022-24923MEDIUMCVSS 4.0EG 3.32022-02-11
Improper access control vulnerability in Samsung SearchWidget prior to versions 2.3.00.6 in China models allows untrusted applications to load arbitrary URL and local files in webview.
- CVE-2022-24924LOWCVSS 2.2EG 5.32022-02-11
An improper access control in LiveWallpaperService prior to versions 3.0.9.0 allows to create a specific named system directory without a proper permission.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →