CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,794 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 35 of 76
- CVE-2022-36118MEDIUMCVSS 5.3EG 5.32022-08-25
An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circ…
- CVE-2022-36120HIGHCVSS 8.1EG 8.12022-08-26
An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circ…
- CVE-2022-36121MEDIUMCVSS 5.3EG 5.32022-08-26
An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circ…
- CVE-2022-36126HIGHCVSS 7.2EG 7.22022-07-16
An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. The ScriptInvoke function allows remote attackers to execute arbitrary code by supplying a Python script.
- CVE-2022-36129CRITICALCVSS 9.1EG 9.12022-07-26
HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing …
- CVE-2022-36263HIGHCVSS 7.3EG 7.32022-08-19
StreamLabs Desktop Application 1.9.0 is vulnerable to Incorrect Access Control via obs64.exe. An attacker can execute arbitrary code via a crafted .exe file.
- CVE-2022-36387HIGHCVSS 7.6EG 9.82022-09-06
Broken Access Control vulnerability in Alessio Caiazza's About Me plugin <= 1.0.12 at WordPress.
- CVE-2022-36562HIGHCVSS 8.8EG 8.82022-08-30
Incorrect access control in the install directory (C:\Ruby31-x64) of Rubyinstaller2 v3.1.2 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.
- CVE-2022-36563HIGHCVSS 8.8EG 8.82022-08-30
Incorrect access control in the install directory (C:\RailsInstaller) of Rubyinstaller2 v3.1.2 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.
- CVE-2022-36564HIGHCVSS 8.8EG 8.82022-08-30
Incorrect access control in the install directory (C:\Strawberry) of StrawberryPerl v5.32.1.1 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.
- CVE-2022-36565HIGHCVSS 8.8EG 8.82022-08-30
Incorrect access control in the install directory (C:\Wamp64) of Wamp v3.2.6 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.
- CVE-2022-36634HIGHCVSS 8.8EG 8.82022-10-07
An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.
- CVE-2022-36755CRITICALCVSS 9.8EG 9.82022-08-28
D-Link DIR845L A1 contains a authentication vulnerability via an AUTHORIZED_GROUP=1 value, as demonstrated by a request for getcfg.php.
- CVE-2022-36785HIGHCVSS 7.5EG 7.52022-11-17
D-Link – G integrated Access Device4 Information Disclosure & Authorization Bypass. *Information Disclosure – file contains a URL with private IP at line 15 "login.asp" A. The window.location.href = http://192.168.1.1/setupWizard.asp…
- CVE-2022-36800MEDIUMCVSS 4.3EG 4.32022-08-03
Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers without the "Browse Users" permission to view groups via an Information Disclosure vulnerability in the browsegroups.action endpoint. The …
- CVE-2022-36848MEDIUMCVSS 5.1EG 5.52022-09-09
Improper Authorization vulnerability in setDualDARPolicyCmd prior to SMR Sep-2022 Release 1 allows local attackers to cause local permanent denial of service.
- CVE-2022-36852LOWCVSS 1.9EG 3.32022-09-09
Improper Authorization vulnerability in Video Editor prior to SMR Sep-2022 Release 1 allows local attacker to access internal application data.
- CVE-2022-36857LOWCVSS 1.9EG 2.42022-09-09
Improper Authorization vulnerability in Photo Editor prior to SMR Sep-2022 Release 1 allows physical attackers to read internal application data.
- CVE-2022-36876LOWCVSS 1.8EG 2.42022-09-09
Improper authorization in UPI payment in Samsung Pass prior to version 4.0.04.10 allows physical attackers to access account list without authentication.
- CVE-2022-37002CRITICALCVSS 9.8EG 9.82022-08-10
The SystemUI module has a privilege escalation vulnerability. Successful exploitation of this vulnerability can cause malicious applications to pop up windows or run in the background.
- CVE-2022-37017HIGHCVSS 7.5EG 7.52022-12-01
Symantec Endpoint Protection (Windows) agent, prior to 14.3 RU6/14.3 RU5 Patch 1, may be susceptible to a Security Control Bypass vulnerability, which is a type of issue that can potentially allow a threat actor to circumvent existing secu…
- CVE-2022-37172HIGHCVSS 7.8EG 7.82022-08-30
Incorrect access control in the install directory (C:\msys64) of Msys2 v20220603 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.
- CVE-2022-37176CRITICALCVSS 9.8EG 9.82022-08-30
Tenda AC6(AC1200) v5.0 Firmware v02.03.01.114 and below contains a vulnerability which allows attackers to remove the Wi-Fi password and force the device into open security mode via a crafted packet sent to goform/setWizard.
- CVE-2022-37326HIGHCVSS 7.8EG 7.82023-04-27
Docker Desktop for Windows before 4.6.0 allows attackers to delete (or create) any file through the dockerBackendV2 windowscontainers/start API by controlling the pidfile field inside the DaemonJSON field in the WindowsContainerStartReques…
- CVE-2022-3740MEDIUMCVSS 6.5EG 4.92023-01-26
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. A group owner may be able to bypass External Authorization check, if it is enabled, to …
- CVE-2022-37767CRITICALCVSS 9.8EG 9.82022-09-12
Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok. NOTE: the vendor disputes this because input to the Pebble templating engine is intended to include arbitrary J…
- CVE-2022-3780HIGHCVSS 7.5EG 7.52022-11-01
Database connections on deleted users could stay active on MySQL data sources in Remote Desktop Manager 2022.3.7 and below which allow deleted users to access unauthorized data. This issue affects : Remote Desktop Manager 2022.3.7 and p…
- CVE-2022-3819LOWCVSS 3.5EG 4.32022-11-10
An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a malicious users to set emojis on internal notes they don't have access to.
- CVE-2022-38375CRITICALCVSS 9.1EG 9.82023-02-16
An improper authorization vulnerability [CWE-285] in Fortinet FortiNAC version 9.4.0 through 9.4.1 and before 9.2.6 allows an unauthenticated user to perform some administrative operations over the FortiNAC instance via crafted HTTP POST…
- CVE-2022-38388MEDIUMCVSS 5.5EG 5.52022-10-11
IBM Navigator Mobile Android 3.4.1.1 and 3.4.1.2 app could allow a local user to obtain sensitive information due to improper access control. IBM X-Force ID: 233968.
- CVE-2022-38475MEDIUMCVSS 6.5EG 6.52022-12-22
An attacker could have written a value to the first element in a zero-length JavaScript array. Although the array was zero-length, the value was not written to an invalid memory address. This vulnerability affects Firefox < 104.
- CVE-2022-38768CRITICALCVSS 9.8EG 9.82022-09-13
The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to bypass authorization.
- CVE-2022-38769HIGHCVSS 7.5EG 7.52022-09-13
The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch cleartext passwords upon a successful login request.
- CVE-2022-3879MEDIUMCVSS 6.5EG 6.52022-12-12
The Car Dealer (Dealership) and Vehicle sales WordPress Plugin WordPress plugin before 3.05 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and acti…
- CVE-2022-3880MEDIUMCVSS 6.5EG 6.52022-12-12
The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan WordPress plugin before 4.20 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber…
- CVE-2022-3881MEDIUMCVSS 5.7EG 5.72022-12-12
The WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log WordPress plugin before 3.43 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticate…
- CVE-2022-3882MEDIUMCVSS 6.5EG 6.52022-12-12
The Memory Usage, Memory Limit, PHP and Server Memory Health Check and Fix Plugin WordPress plugin before 2.46 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it a…
- CVE-2022-3883MEDIUMCVSS 6.5EG 6.52022-12-12
The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 7.24 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it …
- CVE-2022-39029MEDIUMCVSS 6.5EG 6.52022-09-28
Smart eVision has inadequate authorization for the database query function. A remote attacker with general user privilege, who is not explicitly authorized to access the information, can access sensitive information.
- CVE-2022-39030HIGHCVSS 7.5EG 7.52022-09-28
smart eVision has inadequate authorization for system information query function. An unauthenticated remote attacker, who is not explicitly authorized to access the information, can access sensitive information.
- CVE-2022-39031MEDIUMCVSS 5.3EG 5.32022-09-28
Smart eVision has insufficient authorization for task acquisition function. An unauthorized remote attacker can exploit this vulnerability to acquire the Session IDs of other general users only.
- CVE-2022-3911HIGHCVSS 8.8EG 8.82023-01-02
The iubenda WordPress plugin before 3.3.3 does does not have authorisation and CSRF in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated users…
- CVE-2022-39196MEDIUMCVSS 6.5EG 6.52022-09-05
Blackboard Learn 1.10.1 allows remote authenticated users to read unintended files by entering student credentials and then directly visiting a certain webapps/bbcms/execute/ URL. Note: The vendor disputes this stating this cannot be repro…
- CVE-2022-39214CRITICALCVSS 9.6EG 9.62023-03-14
Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in ve…
- CVE-2022-39275MEDIUMCVSS 5.3EG 5.32022-10-06
Saleor is a headless, GraphQL commerce platform. In affected versions some GraphQL mutations were not properly checking the ID type input which allowed to access database objects that the authenticated user may not be allowed to access. Th…
- CVE-2022-39302MEDIUMCVSS 5.5EG 5.52022-10-14
Ree6 is a moderation bot. This vulnerability would allow other server owners to create configurations such as "Better-Audit-Logging" which contain a channel from another server as a target. This would mean you could send log messages to an…
- CVE-2022-39322CRITICALCVSS 9.1EG 9.12022-10-25
@keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their `multiselect` fields to use the field-level access control - if co…
- CVE-2022-39337HIGHCVSS 7.5EG 7.52023-12-22
Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability. System authentication can b…
- CVE-2022-39352MEDIUMCVSS 4.8EG 4.82022-11-08
OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple…
- CVE-2022-39385MEDIUMCVSS 6.5EG 6.52022-11-14
Discourse is the an open source discussion platform. In some rare cases users redeeming an invitation can be added as a participant to several private message topics that they should not be added to. They are not notified of this, it happe…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →