CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,794 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 33 of 76
- CVE-2022-30309CRITICALCVSS 9.8EG 9.82022-06-13
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-off" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privi…
- CVE-2022-30310CRITICALCVSS 9.8EG 9.82022-06-13
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-acknerr-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges d…
- CVE-2022-30311CRITICALCVSS 9.8EG 9.82022-06-13
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-refresh-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges d…
- CVE-2022-3032MEDIUMCVSS 6.5EG 6.52022-12-22
When receiving an HTML email that contained an <code>iframe</code> element, which used a <code>srcdoc</code> attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were n…
- CVE-2022-30356MEDIUMCVSS 4.7EG 8.82024-10-25
OvalEdge 5.2.8.0 and earlier is affected by a Privilege Escalation vulnerability via a POST request to /user/assignuserrole via the userid and role parameters . Authentication is required with OE_ADMIN role privilege.
- CVE-2022-30358HIGHCVSS 8.8EG 8.82024-10-25
OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /user/updatePassword via the userId and newPsw parameters. Authentication is required.
- CVE-2022-3044MEDIUMCVSS 6.5EG 6.52022-09-26
Inappropriate implementation in Site Isolation in Google Chrome prior to 105.0.5195.52 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.
- CVE-2022-3045HIGHCVSS 8.8EG 8.82022-09-26
Insufficient validation of untrusted input in V8 in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CVE-2022-3047MEDIUMCVSS 6.5EG 6.52022-09-26
Insufficient policy enforcement in Extensions API in Google Chrome prior to 105.0.5195.52 allowed an attacker who convinced a user to install a malicious extension to bypass downloads policy via a crafted HTML page.
- CVE-2022-3048MEDIUMCVSS 6.8EG 6.82022-09-26
Inappropriate implementation in Chrome OS lockscreen in Google Chrome on Chrome OS prior to 105.0.5195.52 allowed a local attacker to bypass lockscreen navigation restrictions via physical access to the device.
- CVE-2022-3056MEDIUMCVSS 6.5EG 6.52022-09-26
Insufficient policy enforcement in Content Security Policy in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to bypass content security policy via a crafted HTML page.
- CVE-2022-3057MEDIUMCVSS 6.5EG 6.52022-09-26
Inappropriate implementation in iframe Sandbox in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- CVE-2022-30584CRITICALCVSS 9.6EG 8.82022-05-26
Archer Platform 6.3 before 6.11 (6.11.0.0) contains an Improper Access Control Vulnerability within SSO ADFS functionality that could potentially be exploited by malicious users to compromise the affected system. 6.10 P3 (6.10.0.3) and 6.9…
- CVE-2022-30585MEDIUMCVSS 6.5EG 6.52022-05-26
The REST API in Archer Platform 6.x before 6.11 (6.11.0.0) contains an Authorization Bypass Vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to view sensitive information. 6.10 P3 (6.10.0.3)…
- CVE-2022-30586HIGHCVSS 7.2EG 7.22022-06-06
Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to code execution.
- CVE-2022-30587HIGHCVSS 7.5EG 7.52022-06-06
Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to information disclosure.
- CVE-2022-30594HIGHCVSS 7.8EG 7.82022-05-12
The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.
- CVE-2022-30717MEDIUMCVSS 4.0EG 7.52022-06-07
Improper caller check in AR Emoji prior to SMR Jun-2022 Release 1 allows untrusted applications to use some camera functions via deeplink.
- CVE-2022-30730MEDIUMCVSS 4.6EG 4.62022-06-07
Improper authorization in Samsung Pass prior to 1.0.00.33 allows physical attackers to acess account list without authentication.
- CVE-2022-30745MEDIUMCVSS 4.0EG 5.52022-06-07
Improper access control vulnerability in Quick Share prior to version 13.1.2.4 allows attacker to access internal files in Quick Share.
- CVE-2022-30757MEDIUMCVSS 4.0EG 3.32022-07-12
Improper authorization in isemtelephony prior to SMR Jul-2022 Release 1 allows attacker to obtain CID without ACCESS_FINE_LOCATION permission.
- CVE-2022-31039MEDIUMCVSS 4.3EG 4.32022-06-27
Greenlight is a simple front-end interface for your BigBlueButton server. In affected versions an attacker can view any room's settings even though they are not authorized to do so. Only the room owner and administrator should be able to v…
- CVE-2022-31087HIGHCVSS 7.8EG 7.82022-06-27
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the tmp directory, which is accessible by /lam/tmp/, allows interpretation of .php (…
- CVE-2022-31107HIGHCVSS 7.1EG 7.12022-07-15
Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth Id…
- CVE-2022-31139MEDIUMCVSS 5.9EG 5.92022-07-11
UnsafeAccessor (UA) is a bridge to access jdk.internal.misc.Unsafe & sun.misc.Unsafe. Normally, if UA is loaded as a named module, the internal data of UA is protected by JVM and others can only access UA via UA's standard API. The main ap…
- CVE-2022-31153MEDIUMCVSS 6.5EG 6.52022-07-15
OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue a…
- CVE-2022-31154MEDIUMCVSS 6.4EG 6.42022-08-01
Sourcegraph is an opensource code search and navigation engine. It is possible for an authenticated Sourcegraph user to edit the Code Monitors owned by any other Sourcegraph user. This includes being able to edit both the trigger and the a…
- CVE-2022-31155MEDIUMCVSS 4.3EG 4.32022-08-01
Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users’ saved searches due to a bug in the authorization check. The vulnerability does n…
- CVE-2022-31168MEDIUMCVSS 5.4EG 5.42022-07-22
Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. Th…
- CVE-2022-31178MEDIUMCVSS 4.3EG 4.32022-08-01
eLabFTW is an electronic lab notebook manager for research teams. A vulnerability was discovered which allows a logged in user to read a template without being authorized to do so. This vulnerability has been patched in 4.3.4. Users are ad…
- CVE-2022-31190MEDIUMCVSS 5.3EG 5.32022-08-01
DSpace open source software is a repository application which provides durable access to digital resources. dspace-xmlui is a UI component for DSpace. In affected versions metadata on a withdrawn Item is exposed via the XMLUI "mets.xml" ob…
- CVE-2022-31252MEDIUMCVSS 4.4EG 4.42022-10-06
A Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not consider group writable path components, allowing local attackers with acces…
- CVE-2022-31589MEDIUMCVSS 6.5EG 6.52022-06-14
Due to improper authorization check, business users who are using Israeli File from SHAAM program (/ATL/VQ23 transaction), are granted more than needed authorization to perform certain transaction, which may lead to users getting access to…
- CVE-2022-31595HIGHCVSS 8.8EG 8.82022-06-14
SAP Financial Consolidation - version 1010,�does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
- CVE-2022-31609HIGHCVSS 7.8EG 7.82022-08-05
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it allows the guest VM to allocate resources for which the guest is not authorized. This vulnerability may lead to loss of data integrity and con…
- CVE-2022-31644HIGHCVSS 7.8EG 7.82023-06-14
Potential vulnerabilities have been identified in the system BIOS of certain HP PC products, which might allow arbitrary code execution, escalation of privilege, denial of service, and information disclosure.
- CVE-2022-31646HIGHCVSS 7.8EG 7.82023-06-14
Potential vulnerabilities have been identified in the system BIOS of certain HP PC products, which might allow arbitrary code execution, escalation of privilege, denial of service, and information disclosure.
- CVE-2022-31667MEDIUMCVSS 6.4EG 6.42024-11-14
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. By sending a request that attempts to update a robot account, and specifying a …
- CVE-2022-31668HIGHCVSS 7.4EG 7.42024-11-14
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the a…
- CVE-2022-31669MEDIUMCVSS 6.4EG 6.42024-11-14
Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn’t have ac…
- CVE-2022-31670HIGHCVSS 7.7EG 7.72024-11-14
Harbor fails to validate the user permissions when updating tag retention policies. By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access …
- CVE-2022-31671HIGHCVSS 7.4EG 7.42024-11-14
Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. By sending a request that attempts to read/update P2P preheat execution logs and specifying different job IDs, m…
- CVE-2022-31675HIGHCVSS 7.5EG 7.52022-08-10
VMware vRealize Operations contains an authentication bypass vulnerability. An unauthenticated malicious actor with network access may be able to create a user with administrative privileges.
- CVE-2022-31744MEDIUMCVSS 6.5EG 6.52022-12-22
An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird <…
- CVE-2022-31746MEDIUMCVSS 6.5EG 6.52022-12-22
Internal URLs are protected by a secret UUID key, which could have been leaked to web page through the Referrer header. This vulnerability affects Firefox for iOS < 102.
- CVE-2022-31876MEDIUMCVSS 5.3EG 5.32022-06-17
netgear wnap320 router WNAP320_V2.0.3_firmware is vulnerable to Incorrect Access Control via /recreate.php, which can leak all users cookies.
- CVE-2022-3188MEDIUMCVSS 5.3EG 5.32022-12-21
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where unauthenticated users could open PHP index pages without authentication and download the history file from the device; the history file includes the late…
- CVE-2022-32255MEDIUMCVSS 5.3EG 5.32022-06-14
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application consists of a web service that lacks proper access control for some of the endpoints. This could lead to unauthorized acces…
- CVE-2022-32259MEDIUMCVSS 6.5EG 6.52022-06-14
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The system images for installation or update of the affected application contain unit test scripts with sensitive information. An attacker could gai…
- CVE-2022-32290MEDIUMCVSS 4.3EG 4.32022-07-06
The client in Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2 has Incorrect Access Control. It listens on a random, unprivileged TCP port and exposes an HTTP proxy to facilitate API calls from additional client components running on the devic…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →