CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,794 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 36 of 76
- CVE-2022-39388HIGHCVSS 7.6EG 7.62022-11-10
Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod cont…
- CVE-2022-3978MEDIUMCVSS 4.3EG 4.32022-11-13
A vulnerability, which was classified as problematic, was found in NodeBB up to 2.5.7. This affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack re…
- CVE-2022-39862MEDIUMCVSS 5.3EG 9.82022-10-07
Improper authorization in Dynamic Lockscreen prior to SMR Sep-2022 Release 1 in Android R(11) and 3.3.03.66 in Android S(12) allows unauthorized use of javascript interface api.
- CVE-2022-39873MEDIUMCVSS 4.3EG 4.62022-10-07
Improper authorization vulnerability in Samsung Internet prior to version 18.0.4.14 allows physical attackers to add bookmarks in secret mode without user authentication.
- CVE-2022-39902MEDIUMCVSS 6.5EG 7.52022-12-08
Improper authorization in Exynos baseband prior to SMR DEC-2022 Release 1 allows remote attacker to get sensitive information including IMEI via emergency call.
- CVE-2022-39903MEDIUMCVSS 4.0EG 3.32022-12-08
Improper access control vulnerability in RCS call prior to SMR Dec-2022 Release 1 allows local attackers to access RCS incoming call number.
- CVE-2022-39913MEDIUMCVSS 6.8EG 3.32022-12-08
Exposure of Sensitive Information to an Unauthorized Actor in Persona Manager prior to Android T(13) allows local attacker to access user profiles information.
- CVE-2022-39914MEDIUMCVSS 4.0EG 3.32022-12-08
Exposure of Sensitive Information from an Unauthorized Actor vulnerability in Samsung DisplayManagerService prior to Android T(13) allows local attacker to access connected DLNA device information.
- CVE-2022-39955HIGHCVSS 7.3EG 9.82022-09-20
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially b…
- CVE-2022-39956HIGHCVSS 7.3EG 9.82022-09-20
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding m…
- CVE-2022-39958HIGHCVSS 7.5EG 7.52022-09-20
The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted re…
- CVE-2022-40036MEDIUMCVSS 6.5EG 6.52023-01-26
An issue was discovered in Rawchen blog-ssm v1.0 allows an attacker to obtain sensitive user information by bypassing permission checks via the /adminGetUserList component.
- CVE-2022-4013MEDIUMCVSS 4.3EG 8.82022-11-16
A vulnerability classified as problematic was found in Hospital Management Center. Affected by this vulnerability is an unknown functionality of the file appointment.php. The manipulation leads to cross-site request forgery. The attack can…
- CVE-2022-4014MEDIUMCVSS 4.3EG 4.32022-11-16
A vulnerability, which was classified as problematic, has been found in FeehiCMS. Affected by this issue is some unknown functionality of the component Post My Comment Tab. The manipulation leads to cross-site request forgery. The attack m…
- CVE-2022-40529HIGHCVSS 7.1EG 7.12023-06-06
Memory corruption due to improper access control in kernel while processing a mapping request from root process.
- CVE-2022-40681HIGHCVSS 7.1EG 7.12023-11-14
A incorrect authorization in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to cause denial of service via sending a crafted request to a specific named pipe.
- CVE-2022-40682HIGHCVSS 7.8EG 7.82023-04-11
A incorrect authorization in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to execute unauthorized code or commands via sending a crafted request to a specific named pipe.
- CVE-2022-40773HIGHCVSS 8.8EG 8.82022-11-12
Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.
- CVE-2022-40816MEDIUMCVSS 6.5EG 6.52022-09-27
Zammad 5.2.1 is vulnerable to Incorrect Access Control. Zammad's asset handling mechanism has logic to ensure that customer users are not able to see personal information of other users. This logic was not effective when used through a web…
- CVE-2022-40843MEDIUMCVSS 4.9EG 4.92022-11-15
The Tenda AC1200 V-W15Ev2 V15.11.0.10(1576) router is vulnerable to improper authorization / improper session management that allows the router login page to be bypassed. This leads to authenticated attackers having the ability to read the…
- CVE-2022-4090MEDIUMCVSS 4.3EG 8.82022-11-24
A vulnerability was found in rickxy Stock Management System and classified as problematic. This issue affects some unknown processing of the file us_transac.php?action=add. The manipulation leads to cross-site request forgery. The attack m…
- CVE-2022-41091MEDIUMCVSS 5.4EG 9.0⚠ KEV2022-11-09
Windows Mark of the Web Security Feature Bypass Vulnerability
- CVE-2022-41155MEDIUMCVSS 5.3EG 9.82022-11-19
Block BYPASS vulnerability in iQ Block Country plugin <= 1.2.18 on WordPress.
- CVE-2022-41230MEDIUMCVSS 4.3EG 4.32022-09-21
Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish b…
- CVE-2022-41274MEDIUMCVSS 6.5EG 6.52022-12-13
SAP Disclosure Management - version 10.1, allows an authenticated attacker to exploit certain misconfigured application endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can…
- CVE-2022-41326CRITICALCVSS 9.8EG 9.82022-11-22
The web conferencing component of Mitel MiCollab through 9.6.0.13 could allow an unauthenticated attacker to upload arbitrary scripts due to improper authorization controls. A successful exploit could allow remote code execution within the…
- CVE-2022-41574HIGHCVSS 7.5EG 7.52022-10-07
An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administrator contact addres…
- CVE-2022-41610MEDIUMCVSS 5.0EG 5.02023-05-10
Improper authorization in Intel(R) EMA Configuration Tool before version 1.0.4 and Intel(R) MC before version 2.4 software may allow an authenticated user to potentially enable denial of service via local access.
- CVE-2022-4167MEDIUMCVSS 5.3EG 7.52023-01-12
Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to rev…
- CVE-2022-41797MEDIUMCVSS 6.5EG 6.52022-10-24
Improper authorization in handler for custom URL scheme vulnerability in Lemon8 App for Android versions prior to 3.3.5 and Lemon8 App for iOS versions prior to 3.3.5 allows a remote attacker to lead a user to access an arbitrary website v…
- CVE-2022-41918MEDIUMCVSS 6.3EG 6.32022-11-15
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are…
- CVE-2022-41923CRITICALCVSS 9.1EG 9.12022-11-23
Grails Spring Security Core plugin is vulnerable to privilege escalation. The vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint (i.e. the donor…
- CVE-2022-41944LOWCVSS 3.5EG 3.52022-11-28
Discourse is an open-source discussion platform. In stable versions prior to 2.8.12 and beta or tests-passed versions prior to 2.9.0.beta.13, under certain conditions, a user can see notifications for topics they no longer have access to. …
- CVE-2022-41962LOWCVSS 2.7EG 2.72022-12-16
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6, and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji s…
- CVE-2022-41970LOWCVSS 2.6EG 2.62022-12-01
Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be d…
- CVE-2022-42344HIGHCVSS 8.8EG 8.82022-10-20
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Incorrect Authorization vulnerability. An authenticated attacker can exploit this vulnerability to achieve information exposu…
- CVE-2022-42351MEDIUMCVSS 4.3EG 4.32022-12-16
Adobe Experience Manager version 6.5.14 (and earlier) is affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to disclose low level…
- CVE-2022-42724MEDIUMCVSS 4.3EG 4.32022-10-10
app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have).
- CVE-2022-42788MEDIUMCVSS 5.5EG 5.52022-11-01
A permissions issue existed. This issue was addressed with improved permission validation. This issue is fixed in macOS Ventura 13. A malicious application may be able to read sensitive location information.
- CVE-2022-42849HIGHCVSS 7.8EG 7.82022-12-15
An access issue existed with privileged API calls. This issue was addressed with additional restrictions. This issue is fixed in iOS 16.2 and iPadOS 16.2, tvOS 16.2, watchOS 9.2. A user may be able to elevate privileges.
- CVE-2022-42903LOWCVSS 3.3EG 3.32022-11-17
Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.
- CVE-2022-42975HIGHCVSS 7.5EG 7.52022-10-17
socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.
- CVE-2022-42978HIGHCVSS 7.5EG 7.52022-11-15
In the Netic User Export add-on before 1.3.5 for Atlassian Confluence, authorization is mishandled. An unauthenticated attacker could access files on the remote system.
- CVE-2022-4315MEDIUMCVSS 5.0EG 6.52023-03-08
An issue has been discovered in GitLab DAST analyzer affecting all versions starting from 2.0 before 3.0.55, which sends custom request headers with every request on the authentication page.
- CVE-2022-43400CRITICALCVSS 9.8EG 9.82022-10-21
A vulnerability has been identified in Siveillance Video Mobile Server V2022 R2 (All versions < V22.2a (80)). The mobile server component of affected applications improperly handles the log in for Active Directory accounts that are part of…
- CVE-2022-43438HIGHCVSS 8.8EG 8.82023-01-03
The Administrator function of EasyTest has an Incorrect Authorization vulnerability. A remote attacker authenticated as a general user can exploit this vulnerability to bypass the intended access restrictions, to make API functions calls, …
- CVE-2022-43465MEDIUMCVSS 5.0EG 5.02023-05-10
Improper authorization in the Intel(R) SCS software all versions may allow an authenticated user to potentially enable denial of service via local access.
- CVE-2022-4349MEDIUMCVSS 4.3EG 6.82022-12-08
A vulnerability classified as problematic has been found in CTF-hacker pwn. This affects an unknown part of the file delete.html. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exp…
- CVE-2022-43515MEDIUMCVSS 5.3EG 9.82022-12-05
Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained a…
- CVE-2022-43770MEDIUMCVSS 5.4EG 8.12023-04-11
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →