CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,794 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 31 of 76
- CVE-2022-24930MEDIUMCVSS 4.4EG 3.32022-03-10
An Improper access control vulnerability in StRetailModeReceiver in Wear OS 3.0 prior to Firmware update MAR-2022 Release allows untrusted applications to reset default app settings without a proper permission
- CVE-2022-24931HIGHCVSS 7.9EG 7.82022-03-10
Improper access control vulnerability in dynamic receiver in ApkInstaller prior to SMR MAR-2022 Release allows unauthorized attackers to execute arbitrary activity without a proper permission
- CVE-2022-24935HIGHCVSS 7.5EG 7.52022-04-28
Lexmark products through 2022-02-10 have Incorrect Access Control.
- CVE-2022-2501MEDIUMCVSS 5.9EG 7.52022-08-05
An improper access control issue in GitLab EE affecting all versions from 12.0 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an attacker to bypass IP allow-listing and download artifacts. This attack only bypasses …
- CVE-2022-25091MEDIUMCVSS 5.3EG 5.32023-04-27
Infopop Ultimate Bulletin Board up to v5.47a was discovered to allow all messages posted inside private forums to be disclosed by unauthenticated users via the quote reply feature.
- CVE-2022-2512MEDIUMCVSS 6.5EG 6.52022-08-05
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. Membership changes are not reflected in TOD…
- CVE-2022-25214HIGHCVSS 7.4EG 7.42022-03-10
Improper access control on the LocalClientList.asp interface allows an unauthenticated remote attacker to obtain sensitive information concerning devices on the local area network, including IP and MAC addresses. Improper access control on…
- CVE-2022-25215MEDIUMCVSS 5.3EG 5.32022-03-10
Improper access control on the LocalMACConfig.asp interface allows an unauthenticated remote attacker to add (or remove) client MAC addresses to (or from) a list of banned hosts. Clients with those MAC addresses are then prevented from acc…
- CVE-2022-25237CRITICALCVSS 9.8EG 9.82022-06-02
Bonita Web 2021.2 is affected by a authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, …
- CVE-2022-25270MEDIUMCVSS 6.5EG 6.52022-02-17
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected…
- CVE-2022-25274MEDIUMCVSS 5.4EG 5.42023-04-26
Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of cont…
- CVE-2022-25318MEDIUMCVSS 4.3EG 4.32022-02-18
An issue was discovered in Cerebrate through 1.4. An incorrect sharing group ACL allowed an unprivileged user to edit and modify sharing groups.
- CVE-2022-25335HIGHCVSS 7.5EG 7.52022-02-18
RigoBlock Dragos through 2022-02-17 lacks the onlyOwner modifier for setMultipleAllowances. This enables token manipulation, as exploited in the wild in February 2022. NOTE: although 2022-02-17 is the vendor's vulnerability announcement da…
- CVE-2022-25342HIGHCVSS 8.1EG 8.12022-04-20
An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application is affected by Broken Access Control. It does not properly validate requests for access to data and functionality under the /mngset/authset pa…
- CVE-2022-25364HIGHCVSS 8.1EG 8.12022-03-17
In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it w…
- CVE-2022-2539MEDIUMCVSS 5.3EG 5.32022-08-05
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.6 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1, allowed a project member to filter issues by contact and organization.
- CVE-2022-25402CRITICALCVSS 9.1EG 9.12022-02-24
An incorrect access control issue in HMS v1.0 allows unauthenticated attackers to read and modify all PHP files.
- CVE-2022-25584HIGHCVSS 7.5EG 7.52022-04-05
Seyeon Tech Co., Ltd FlexWATCH FW3170-PS-E Network Video System 4.23-3000_GY allows attackers to access sensitive information.
- CVE-2022-25649MEDIUMCVSS 5.0EG 8.82022-08-05
Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress.
- CVE-2022-25685HIGHCVSS 7.5EG 7.52022-12-13
Denial of service in Modem module due to improper authorization while error handling in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables
- CVE-2022-25899CRITICALCVSS 9.8EG 9.82022-08-18
Authentication bypass for the Open AMT Cloud Toolkit software maintained by Intel(R) before versions 2.0.2 and 2.2.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
- CVE-2022-2597MEDIUMCVSS 5.4EG 8.82022-09-05
The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.19.0 does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS …
- CVE-2022-26017HIGHCVSS 8.0EG 8.02022-08-18
Improper access control in the Intel(R) DSA software for before version 22.2.14 may allow an authenticated user to potentially enable escalation of privilege via adjacent access.
- CVE-2022-26143CRITICALCVSS 9.8EG 9.8⚠ KEV2022-03-10
The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive …
- CVE-2022-26279CRITICALCVSS 9.8EG 9.82022-03-24
EyouCMS v1.5.5 was discovered to have no access control in the component /data/sqldata.
- CVE-2022-26479CRITICALCVSS 9.8EG 9.82022-07-17
An issue was discovered in Poly EagleEye Director II before 2.2.2.1. Existence of a certain file (which can be created via an rsync backdoor) causes all API calls to execute as admin without authentication.
- CVE-2022-26501CRITICALCVSS 9.8EG 9.8⚠ KEV2022-03-17
Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).
- CVE-2022-26563HIGHCVSS 8.8EG 8.82023-07-18
An issue was discovered in Tildeslash Monit before 5.31.0, allows remote attackers to gain escilated privlidges due to improper PAM-authorization.
- CVE-2022-26572HIGHCVSS 7.5EG 7.52022-04-04
Xerox ColorQube 8580 was discovered to contain an access control issue which allows attackers to print, view the status, and obtain sensitive information.
- CVE-2022-2661CRITICALCVSS 9.9EG 8.82022-08-16
Sequi PortBloque S has an improper authorization vulnerability, which may allow a low-privileged user to perform administrative functions using specifically crafted requests.
- CVE-2022-26629CRITICALCVSS 9.1EG 9.12022-03-24
An Access Control vulnerability exists in SoroushPlus+ Messenger 1.0.30 in the Lock Screen Security Feature function due to insufficient permissions and privileges, which allows a malicious attacker bypass the lock screen function.
- CVE-2022-26668HIGHCVSS 7.3EG 7.32022-06-20
ASUS Control Center API has a broken access control vulnerability. An unauthenticated remote attacker can call privileged API functions to perform partial system operations or cause partial disrupt of service.
- CVE-2022-26676CRITICALCVSS 9.8EG 9.82022-04-07
aEnrich a+HRD has inadequate privilege restrictions, an unauthenticated remote attacker can use the API function to upload and execute malicious scripts to control the system or disrupt service.
- CVE-2022-26767MEDIUMCVSS 5.5EG 5.52022-05-26
The issue was addressed with additional permissions checks. This issue is fixed in macOS Monterey 12.4, macOS Big Sur 11.6.6. A malicious application may be able to bypass Privacy preferences.
- CVE-2022-26834HIGHCVSS 7.5EG 7.52022-06-13
Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to obtain the information stored in the product because the product is set to accept HTTP connections from the WAN side by de…
- CVE-2022-26857CRITICALCVSS 9.0EG 8.82022-05-26
Dell OpenManage Enterprise Versions 3.8.3 and prior contain an improper authorization vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to bypass blocked functionalities and…
- CVE-2022-26913HIGHCVSS 7.4EG 7.42022-05-10
Windows Authentication Information Disclosure Vulnerability
- CVE-2022-26949MEDIUMCVSS 5.3EG 6.52022-03-30
Archer 6.x through 6.9 SP2 P1 (6.9.2.1) contains an improper access control vulnerability on attachments. A remote authenticated malicious user could potentially exploit this vulnerability to gain access to files that should only be allowe…
- CVE-2022-27055HIGHCVSS 7.5EG 7.52022-04-19
ecjia-daojia 1.38.1-20210202629 is vulnerable to information leakage via content/apps/installer/classes/Helper.php. When the web program is installed, a new environment file is created, and the database information is recorded, including t…
- CVE-2022-27128CRITICALCVSS 9.8EG 9.82022-04-10
An incorrect access control issue at /admin/run_ajax.php in zbzcms v1.0 allows attackers to arbitrarily add administrator accounts.
- CVE-2022-27134HIGHCVSS 7.5EG 7.52022-05-13
EOSIO batdappboomx v327c04cf has an Access-control vulnerability in the `transfer` function of the smart contract which allows remote attackers to win the cryptocurrency without paying ticket fee via the `std::string memo` parameter.
- CVE-2022-27484MEDIUMCVSS 5.4EG 4.32022-08-03
A unverified password change in Fortinet FortiADC version 6.2.0 through 6.2.3, 6.1.x, 6.0.x, 5.x.x allows an authenticated attacker to bypass the Old Password check in the password change form via a crafted HTTP request.
- CVE-2022-27511HIGHCVSS 8.1EG 8.12022-06-16
Corruption of the system by a remote, unauthenticated user. The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator cr…
- CVE-2022-27551MEDIUMCVSS 5.3EG 6.52022-08-03
HCL Launch could allow an authenticated user to obtain sensitive information in some instances due to improper security checking.
- CVE-2022-27575LOWCVSS 3.3EG 3.32022-04-11
Information exposure vulnerability in One UI Home prior to SMR April-2022 Release 1 allows to access currently launched foreground app information without permission.
- CVE-2022-27583CRITICALCVSS 9.1EG 9.12022-10-31
A remote unprivileged attacker can interact with the configuration interface of a Flexi-Compact FLX3-CPUC1 or FLX3-CPUC2 running an affected firmware version to potentially impact the availability of the FlexiCompact.
- CVE-2022-27608MEDIUMCVSS 6.0EG 6.02022-04-04
Forcepoint One Endpoint prior to version 22.01 installed on Microsoft Windows is vulnerable to registry key tampering by users with Administrator privileges. This could result in a user disabling anti-tampering mechanisms which would then …
- CVE-2022-27609MEDIUMCVSS 6.0EG 6.02022-04-04
Forcepoint One Endpoint prior to version 22.01 installed on Microsoft Windows does not provide sufficient anti-tampering protection of services by users with Administrator privileges. This could result in a user disabling Forcepoint One En…
- CVE-2022-27642HIGHCVSS 8.8EG 8.82023-03-29
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists wi…
- CVE-2022-27645HIGHCVSS 8.8EG 8.82023-03-29
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700v3 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within readycloud_co…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →