CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,794 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 32 of 76
- CVE-2022-27661MEDIUMCVSS 4.3EG 4.32022-07-04
Operation restriction bypass vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Workflow.
- CVE-2022-27668CRITICALCVSS 9.8EG 9.82022-06-14
Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP Platform - versions KERNEL 7.49, 7.77,…
- CVE-2022-2778CRITICALCVSS 9.8EG 9.82022-09-30
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
- CVE-2022-27836HIGHCVSS 8.4EG 7.82022-04-11
Improper access control and path traversal vulnerability in Storage Manager and Storage Manager Service prior to SMR Apr-2022 Release 1 allow local attackers to access arbitrary system files without a proper permission. The patch adds prop…
- CVE-2022-27838HIGHCVSS 7.7EG 7.82022-04-11
Improper access control vulnerability in FactoryCamera prior to version 2.1.96 allows attacker to access the file with system privilege.
- CVE-2022-28067HIGHCVSS 8.6EG 8.62022-05-04
An incorrect access control issue in Sandboxie Classic v5.55.13 allows attackers to cause a Denial of Service (DoS) in the Sandbox via a crafted executable.
- CVE-2022-28321CRITICALCVSS 9.8EG 9.82022-09-19
The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via …
- CVE-2022-28542MEDIUMCVSS 6.8EG 5.52022-04-11
Improper sanitization of incoming intent in Galaxy Store prior to version 4.5.40.5 allows local attackers to access privileged content providers as Galaxy Store permission.
- CVE-2022-28601MEDIUMCVSS 6.5EG 6.52022-05-10
A Two-Factor Authentication (2FA) bypass vulnerability in "Simple 2FA Plugin for Moodle" by LMS Doctor allows remote attackers to overwrite the phone number used for confirmation via the profile.php file. Therefore, allowing them to bypass…
- CVE-2022-2861MEDIUMCVSS 6.5EG 6.52022-09-26
Inappropriate implementation in Extensions API in Google Chrome prior to 104.0.5112.101 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts into WebUI via a crafted HTML page.
- CVE-2022-28704HIGHCVSS 7.2EG 7.22022-06-13
Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to log in with the root privilege and perform an arbitrary operation if the product is in its default settings in which is se…
- CVE-2022-28718MEDIUMCVSS 4.3EG 4.32022-07-04
Operation restriction bypass vulnerability in Bulletin of Cybozu Garoon 4.0.0 to 5.5.1 allow a remote authenticated attacker to alter the data of Bulletin.
- CVE-2022-28749MEDIUMCVSS 6.5EG 4.32022-06-15
Zooms On-Premise Meeting Connector MMR before version 4.8.113.20220526 fails to properly check the permissions of a Zoom meeting attendee. As a result, a threat actor in the Zooms waiting room can join the meeting without the consent of th…
- CVE-2022-28753HIGHCVSS 7.1EG 5.42022-08-11
Zoom On-Premise Meeting Connector MMR before version 4.8.129.20220714 contains an improper access control vulnerability. As a result, a malicious actor can join a meeting which they are authorized to join without appearing to the other par…
- CVE-2022-28754HIGHCVSS 7.1EG 5.42022-08-11
Zoom On-Premise Meeting Connector MMR before version 4.8.129.20220714 contains an improper access control vulnerability. As a result, a malicious actor can join a meeting which they are authorized to join without appearing to the other par…
- CVE-2022-28774MEDIUMCVSS 5.5EG 5.52022-05-11
Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted.
- CVE-2022-28775MEDIUMCVSS 5.1EG 3.32022-04-11
Improper access control vulnerability in Samsung Flow prior to version 4.8.06.5 allows attacker to write the file without Samsung Flow permission.
- CVE-2022-28776MEDIUMCVSS 5.9EG 7.82022-04-11
Improper access control vulnerability in Galaxy Store prior to version 4.5.36.4 allows attacker to install applications from Galaxy Store without user interactions.
- CVE-2022-28777MEDIUMCVSS 4.3EG 3.32022-04-11
Improper access control vulnerability in Samsung Members prior to version 13.6.08.5 allows local attacker to execute call function without CALL_PHONE permission.
- CVE-2022-28778MEDIUMCVSS 4.4EG 3.32022-04-11
Improper access control vulnerability in Samsung Security Supporter prior to version 1.2.40.0 allows attacker to set the arbitrary folder as Secret Folder without Samsung Security Supporter permission
- CVE-2022-28782MEDIUMCVSS 4.6EG 4.62022-05-03
Improper access control vulnerability in Contents To Window prior to SMR May-2022 Release 1 allows physical attacker to install package before completion of Setup wizard. The patch blocks entry point of the vulnerability.
- CVE-2022-28866HIGHCVSS 8.8EG 8.82022-10-12
Multiple Improper Access Control was discovered in Nokia AirFrame BMC Web GUI < R18 Firmware v4.13.00. It does not properly validate requests for access to (or editing of) data and functionality in all endpoints under /#settings/* and /api…
- CVE-2022-28940HIGHCVSS 7.5EG 7.52022-05-04
In H3C MagicR100 <=V100R005, the / Ajax / ajaxget interface can be accessed without authorization. It sends a large amount of data through ajaxmsg to carry out DOS attack.
- CVE-2022-29047MEDIUMCVSS 5.3EG 5.32022-04-12
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change t…
- CVE-2022-29081CRITICALCVSS 9.8EG 9.82022-04-28
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDash…
- CVE-2022-29114MEDIUMCVSS 5.5EG 5.52022-05-10
Windows Print Spooler Information Disclosure Vulnerability
- CVE-2022-29176CRITICALCVSS 9.9EG 9.92022-05-05
Rubygems is a package registry used to supply software for the Ruby language ecosystem. Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to d…
- CVE-2022-29218HIGHCVSS 7.7EG 7.72022-05-13
RubyGems is a package registry used to supply software for the Ruby language ecosystem. An ordering mistake in the code that accepts gem uploads allowed some gems (with platforms ending in numbers, like `arm64-darwin-21`) to be temporarily…
- CVE-2022-29270MEDIUMCVSS 4.3EG 4.32022-06-29
In Nagios XI through 5.8.5, it is possible for a user without password verification to change his e-mail address.
- CVE-2022-29271MEDIUMCVSS 6.5EG 6.52022-06-29
In Nagios XI through 5.8.5, a read-only Nagios user (due to an incorrect permission check) is able to schedule downtime for any host/services. This allows an attacker to permanently disable all monitoring checks.
- CVE-2022-29423LOWCVSS 3.8EG 9.82022-05-06
Pro Features Lock Bypass vulnerability in Countdown & Clock plugin <= 2.3.2 at WordPress.
- CVE-2022-29484HIGHCVSS 8.1EG 8.12022-07-04
Operation restriction bypass vulnerability in Space of Cybozu Garoon 4.0.0 to 5.9.0 allows a remote authenticated attacker to delete the data of Space.
- CVE-2022-29490HIGHCVSS 8.5EG 8.82022-09-12
Improper Authorization vulnerability exists in the Workplace X WebUI of the Hitachi Energy MicroSCADA X SYS600 allows an authenticated user to execute any MicroSCADA internal scripts irrespective of the authenticated user's role. This issu…
- CVE-2022-29538MEDIUMCVSS 5.3EG 5.32022-05-12
RESI Gemini-Net Web 4.2 is affected by Improper Access Control in authorization logic. An unauthenticated user is able to access some critical resources.
- CVE-2022-29564HIGHCVSS 7.5EG 7.52022-06-07
Jamf Private Access before 2022-05-16 has Incorrect Access Control, in which an unauthorized user can reach a system in the internal infrastructure, aka WND-44801.
- CVE-2022-29619MEDIUMCVSS 6.5EG 6.52022-07-12
Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.x - versions 420,430 allows user Administrator to view, edit or modify rights of objects it doesn't own and which would otherwise be restricted.
- CVE-2022-29633CRITICALCVSS 9.8EG 9.82022-05-26
An access control issue in Linglong v1.0 allows attackers to access the background of the application via a crafted cookie.
- CVE-2022-29854MEDIUMCVSS 6.8EG 6.82022-05-13
A vulnerability in Mitel 6900 Series IP (MiNet) phones excluding 6970, versions 1.8 (1.8.0.12) and earlier, could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for…
- CVE-2022-29855MEDIUMCVSS 6.8EG 6.82022-05-11
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.36…
- CVE-2022-29871MEDIUMCVSS 6.7EG 6.72023-08-11
Improper access control in the Intel(R) CSME software installer before version 2239.3.7.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2022-2989HIGHCVSS 7.1EG 7.12022-09-13
An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementar…
- CVE-2022-2990HIGHCVSS 7.1EG 7.12022-09-13
An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementa…
- CVE-2022-29906CRITICALCVSS 9.8EG 9.82022-04-29
The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user.
- CVE-2022-29935HIGHCVSS 7.5EG 7.52022-04-29
USU Oracle Optimization before 5.17.5 allows attackers to discover the quantum credentials via an agent-installer download. NOTE: this is not an Oracle Corporation product.
- CVE-2022-30016HIGHCVSS 8.8EG 8.82022-05-23
Rescue Dispatch Management System 1.0 is vulnerable to Incorrect Access Control via http://localhost/rdms/admin/?page=system_info.
- CVE-2022-30164HIGHCVSS 7.8EG 8.42022-06-15
Kerberos AppContainer Security Feature Bypass Vulnerability
- CVE-2022-30203HIGHCVSS 7.4EG 7.42022-07-12
Windows Boot Manager Security Feature Bypass Vulnerability
- CVE-2022-3024MEDIUMCVSS 5.4EG 5.42022-09-26
The Simple Bitcoin Faucets WordPress plugin through 1.7.0 does not have any authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscribers to call it and add/delete/edit Bonds. Furthermore, due to the lack …
- CVE-2022-30290HIGHCVSS 7.5EG 7.52022-07-05
In OpenCTI through 5.2.4, a broken access control vulnerability has been identified in the profile endpoint. An attacker can abuse the identified vulnerability in order to arbitrarily change their registered e-mail address as well as their…
- CVE-2022-30308CRITICALCVSS 9.8EG 9.82022-06-13
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privil…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →