CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,794 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 34 of 76
- CVE-2022-32294CRITICALCVSS 9.8EG 9.82022-07-11
Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port). NOTE: a third party reports that this c…
- CVE-2022-32295CRITICALCVSS 9.8EG 9.82022-07-01
On Ampere Altra and AltraMax devices before SRP 1.09, the Altra reference design of UEFI accesses allows insecure access to SPI-NOR by the OS/hypervisor component.
- CVE-2022-32310CRITICALCVSS 9.8EG 9.82022-07-05
An access control issue in Ingredient Stock Management System v1.0 allows attackers to take over user accounts via a crafted POST request to /isms/classes/Users.php.
- CVE-2022-3248MEDIUMCVSS 4.4EG 4.42023-10-05
A flaw was found in OpenShift API, as admission checks do not enforce "custom-host" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied.
- CVE-2022-32532CRITICALCVSS 9.8EG 9.82022-06-29
Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
- CVE-2022-32854MEDIUMCVSS 5.5EG 5.52022-09-20
This issue was addressed with improved checks. This issue is fixed in iOS 15.7 and iPadOS 15.7, iOS 16, macOS Big Sur 11.7. An app may be able to bypass Privacy preferences.
- CVE-2022-32945MEDIUMCVSS 4.3EG 4.32022-12-15
An access issue was addressed with additional sandbox restrictions on third-party apps. This issue is fixed in macOS Ventura 13. An app may be able to record audio with paired AirPods.
- CVE-2022-33174CRITICALCVSS 9.8EG 7.52022-06-13
Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 allows remote authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interf…
- CVE-2022-33198CRITICALCVSS 9.8EG 5.32022-07-21
Unauthenticated WordPress Options Change vulnerability in Biplob Adhikari's Accordions plugin <= 2.0.2 at WordPress.
- CVE-2022-3330MEDIUMCVSS 4.3EG 4.32022-10-17
It was possible for a guest user to read a todo targeting an inaccessible note in Gitlab CE/EE affecting all versions from 15.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1.
- CVE-2022-33323HIGHCVSS 7.5EG 7.52023-02-02
Active Debug Code vulnerability in robot controller of Mitsubishi Electric Corporation industrial robot MELFA SD/SQ Series and MELFA F-Series allows a remote unauthenticated attacker to gain unauthorized access by authentication bypass thr…
- CVE-2022-33632MEDIUMCVSS 4.7EG 4.72022-07-12
Microsoft Office Security Feature Bypass Vulnerability
- CVE-2022-33702MEDIUMCVSS 6.2EG 5.52022-07-12
Improper authorization vulnerability in Knoxguard prior to SMR Jul-2022 Release 1 allows local attacker to disable keyguard and bypass Knoxguard lock by factory reset.
- CVE-2022-33705LOWCVSS 3.3EG 3.32022-07-12
Information exposure in Calendar prior to version 12.3.05.10000 allows attacker to access calendar schedule without READ_CALENDAR permission.
- CVE-2022-33718MEDIUMCVSS 6.2EG 3.32022-08-05
An improper access control vulnerability in Wi-Fi Service prior to SMR AUG-2022 Release 1 allows untrusted applications to manipulate the list of apps that can use mobile data.
- CVE-2022-33913HIGHCVSS 7.5EG 7.52022-06-20
In Mahara 21.04 before 21.04.6, 21.10 before 21.10.4, and 22.04.2, files can sometimes be downloaded through thumb.php with no permission check.
- CVE-2022-34046HIGHCVSS 7.5EG 7.52022-07-20
An access control issue in Wavlink WN533A8 M33A8.V5030.190716 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/sysinit.shtml?r=52300 and searching for [logincheck(user);].
- CVE-2022-3413MEDIUMCVSS 4.3EG 4.32022-11-10
Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project's Audit Events and Developers or M…
- CVE-2022-34180HIGHCVSS 7.5EG 7.52022-06-23
Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtai…
- CVE-2022-34255HIGHCVSS 8.8EG 8.82022-08-16
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker with a low privilege account cou…
- CVE-2022-34307MEDIUMCVSS 4.3EG 4.32022-08-01
IBM CICS TX 11.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cook…
- CVE-2022-34397MEDIUMCVSS 6.9EG 5.72023-02-13
Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solution Enabler vApp version 10.0.0.5 and below contains an authorization bypass vulnerability, allowing users to perform actions in which they are not authorized.
- CVE-2022-34434MEDIUMCVSS 6.7EG 6.72022-10-11
Cloud Mobility for Dell Storage versions 1.3.0 and earlier contains an Improper Access Control vulnerability within the Postgres database. A threat actor with root level access to either the vApp or containerized versions of Cloud Mobility…
- CVE-2022-34487CRITICALCVSS 9.8EG 5.32022-07-21
Unauthenticated Arbitrary Option Update vulnerability in biplob018's Shortcode Addons plugin <= 3.0.2 at WordPress.
- CVE-2022-34570HIGHCVSS 7.5EG 7.52022-07-25
WAVLINK WN579 X3 M79X3.V5030.191012/M79X3.V5030.191012 contains an information leak which allows attackers to obtain the key information via accessing the messages.txt page.
- CVE-2022-34571HIGHCVSS 8.0EG 8.02022-07-25
An access control issue in Wavlink WiFi-Repeater RPTA2-77W.M4300.01.GD.2017Sep19 allows attackers to obtain the system key information and execute arbitrary commands via accessing the page syslog.shtml.
- CVE-2022-34782MEDIUMCVSS 4.3EG 4.32022-06-30
An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.
- CVE-2022-34785MEDIUMCVSS 4.3EG 4.32022-06-30
Jenkins build-metrics Plugin 1.3 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about jobs otherwise inaccessible to them.
- CVE-2022-34814MEDIUMCVSS 4.3EG 4.32022-06-30
Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view an administrative configuration page listing pending reque…
- CVE-2022-34827CRITICALCVSS 9.9EG 9.92022-11-18
Carel Boss Mini 1.5.0 has Improper Access Control.
- CVE-2022-34908HIGHCVSS 8.2EG 7.52023-02-27
An issue was discovered in the A4N (Aremis 4 Nomad) application 1.5.0 for Android. It possesses an authentication mechanism; however, some features do not require any token or cookie in a request. Therefore, an attacker may send a simple H…
- CVE-2022-35203HIGHCVSS 7.2EG 7.22022-08-23
An access control issue in TrendNet TV-IP572PI v1.0 allows unauthenticated attackers to access sensitive system information.
- CVE-2022-35487HIGHCVSS 7.5EG 7.52022-08-08
Zammad 5.2.0 suffers from Incorrect Access Control. Zammad did not correctly perform authorization on certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access to attachments, such as emails or attach…
- CVE-2022-35489MEDIUMCVSS 6.5EG 6.52022-08-08
In Zammad 5.2.0, customers who have secondary organizations assigned were able to see all organizations of the system rather than only those to which they are assigned.
- CVE-2022-35582HIGHCVSS 8.8EG 8.82022-09-13
Penta Security Systems Inc WAPPLES 4.0.*, 5.0.0.*, 5.0.12.* are vulnerable to Incorrect Access Control. The operating system that WAPPLES runs on has a built-in non-privileged user penta with a predefined password. The password for this us…
- CVE-2022-35692MEDIUMCVSS 5.3EG 5.32022-08-19
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnera…
- CVE-2022-35716MEDIUMCVSS 6.5EG 6.52022-08-01
IBM UrbanCode Deploy (UCD) 6.2.0.0 through 6.2.7.16, 7.0.0.0 through 7.0.5.11, 7.1.0.0 through 7.1.2.7, and 7.2.0.0 through 7.2.3.0 could allow an authenticated user to obtain sensitive information in some instances due to improper securit…
- CVE-2022-3582MEDIUMCVSS 4.3EG 3.52022-10-18
A vulnerability has been found in SourceCodester Simple Cold Storage Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument change password leads to…
- CVE-2022-3585MEDIUMCVSS 4.3EG 4.32022-10-18
A vulnerability classified as problematic has been found in SourceCodester Simple Cold Storage Management System 1.0. Affected is an unknown function of the file /csms/?page=contact_us of the component Contact Us. The manipulation leads to…
- CVE-2022-35890CRITICALCVSS 9.8EG 9.82022-07-15
An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack ses…
- CVE-2022-35921LOWCVSS 3.5EG 3.52022-08-01
fof/byobu is a private discussions extension for Flarum forum. Affected versions were found to not respect private discussion disablement by users. Users of Byobu should update the extension to version 1.1.7, where this has been patched. U…
- CVE-2022-35924CRITICALCVSS 9.1EG 9.12022-08-02
NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request …
- CVE-2022-36009MEDIUMCVSS 5.0EG 5.02022-08-19
gomatrixserverlib is a Go library for matrix protocol federation. Dendrite is a Matrix homeserver written in Go, an alternative to Synapse. The power level parsing within gomatrixserverlib was failing to parse the `"events_default"` key of…
- CVE-2022-36051HIGHCVSS 8.7EG 8.72022-08-31
ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, whi…
- CVE-2022-36074MEDIUMCVSS 6.4EG 6.42022-09-15
Nextcloud server is an open source personal cloud product. Affected versions of this package are vulnerable to Information Exposure which fails to strip the Authorization header on HTTP downgrade. This can lead to account access exposure a…
- CVE-2022-36103HIGHCVSS 7.2EG 7.22022-09-13
Talos Linux is a Linux distribution built for Kubernetes deployments. Talos worker nodes use a join token to get accepted into the Talos cluster. Due to improper validation of the request while signing a worker node CSR (certificate signin…
- CVE-2022-36109MEDIUMCVSS 5.3EG 5.32022-09-09
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulat…
- CVE-2022-36115HIGHCVSS 7.1EG 7.12022-08-25
An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circ…
- CVE-2022-36116MEDIUMCVSS 5.3EG 5.32022-08-25
An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circ…
- CVE-2022-36117LOWCVSS 3.1EG 3.12022-08-25
An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circ…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →