CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,795 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 37 of 76
- CVE-2022-43872MEDIUMCVSS 5.3EG 5.32022-12-20
IBM Financial Transaction Manager 3.2.4 authorization checks are done incorrectly for some HTTP requests which allows getting unauthorized technical information (e.g. event log entries) about the FTM SWIFT system. IBM X-Force ID: 239708.
- CVE-2022-43940HIGHCVSS 8.8EG 8.82023-04-03
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly perform an authorization check in the data source management service.
- CVE-2022-4397MEDIUMCVSS 4.3EG 6.52022-12-10
A vulnerability was found in morontt zend-blog-number-2. It has been classified as problematic. Affected is an unknown function of the file application/forms/Comment.php of the component Comment Handler. The manipulation leads to cross-sit…
- CVE-2022-44039CRITICALCVSS 9.8EG 9.82022-12-05
Franklin Fueling System FFS Colibri 1.9.22.8925 is affected by: File system overwrite. The impact is: File system rewrite (remote). ¶¶ An attacker can overwrite system files like [system.conf] and [passwd], this occurs because the insecu…
- CVE-2022-44565MEDIUMCVSS 5.3EG 5.32022-12-23
An improper access validation vulnerability exists in airMAX AC <8.7.11, airFiber 60/LR <2.6.2, airFiber 60 XG/HD <v1.0.0 and airFiber GBE <1.4.1 that allows a malicious actor to retrieve status and usage data from the UISP device.
- CVE-2022-44698MEDIUMCVSS 5.4EG 9.0⚠ KEV2022-12-13
Windows SmartScreen Security Feature Bypass Vulnerability
- CVE-2022-44699MEDIUMCVSS 5.5EG 5.52022-12-13
Azure Network Watcher Agent Security Feature Bypass Vulnerability
- CVE-2022-45128MEDIUMCVSS 5.0EG 5.02023-05-10
Improper authorization in the Intel(R) EMA software before version 1.9.0.0 may allow an authenticated user to potentially enable denial of service via local access.
- CVE-2022-45168MEDIUMCVSS 6.5EG 6.52024-06-10
An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/createbackupcodes endpoint, because the application…
- CVE-2022-45172CRITICALCVSS 9.8EG 9.82023-01-31
An issue was discovered in LIVEBOX Collaboration vDesk before v018. Broken Access Control can occur under the /api/v1/registration/validateEmail endpoint, the /api/v1/vdeskintegration/user/adduser endpoint, and the /api/v1/registration/cha…
- CVE-2022-45190MEDIUMCVSS 5.3EG 5.32023-02-08
An issue was discovered on Microchip RN4870 1.43 devices. An attacker within BLE radio range can bypass passkey entry in the legacy pairing of the device.
- CVE-2022-45353MEDIUMCVSS 4.3EG 8.12023-01-14
Broken Access Control in Betheme theme <= 26.6.1 on WordPress.
- CVE-2022-45383MEDIUMCVSS 6.5EG 6.52022-11-15
An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users w…
- CVE-2022-45435MEDIUMCVSS 6.8EG 6.52023-01-31
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior v…
- CVE-2022-45544HIGHCVSS 8.8EG 8.82023-02-07
Insecure Permission vulnerability in Schlix Web Inc SCHLIX CMS 2.2.7-2 allows attacker to upload arbitrary files and execute arbitrary code via the tristao parameter. NOTE: this is disputed by the vendor because an admin is intentionally a…
- CVE-2022-45636HIGHCVSS 8.1EG 8.12023-03-21
An issue discovered in MEGAFEIS, BOFEI DBD+ Application for IOS & Android v1.4.4 allows attacker to unlock model(s) without authorization via arbitrary API requests.
- CVE-2022-45760HIGHCVSS 8.8EG 8.82022-12-12
SENS v1.0 is vulnerable to Incorrect Access Control vulnerability.
- CVE-2022-45778CRITICALCVSS 9.8EG 9.82022-12-27
https://www.hillstonenet.com.cn/ Hillstone Firewall SG-6000 <= 5.0.4.0 is vulnerable to Incorrect Access Control. There is a permission bypass vulnerability in the Hillstone WEB application firewall. An attacker can enter the background of…
- CVE-2022-45874MEDIUMCVSS 5.5EG 5.52022-12-28
Huawei Aslan Children's Watch has an improper authorization vulnerability. Successful exploit could allow the attacker to access certain file.
- CVE-2022-45891CRITICALCVSS 9.1EG 9.12022-12-25
Planet eStream before 6.72.10.07 allows attackers to call restricted functions, and perform unauthenticated uploads (Upload2.ashx) or access content uploaded by other users (View.aspx after Ajax.asmx/SaveGrantAccessList).
- CVE-2022-45956MEDIUMCVSS 5.3EG 5.32022-12-12
Boa Web Server versions 0.94.13 through 0.94.14 fail to validate the correct security constraint on the HEAD HTTP method allowing everyone to bypass the Basic Authorization mechanism.
- CVE-2022-46076HIGHCVSS 7.5EG 7.52022-12-20
D-Link DIR-869 DIR869Ax_FW102B15 is vulnerable to Authentication Bypass via phpcgi.
- CVE-2022-46080CRITICALCVSS 9.8EG 9.82023-07-06
Nexxt Nebula 1200-AC 15.03.06.60 allows authentication bypass and command execution by using the HTTPD service to enable TELNET.
- CVE-2022-4613MEDIUMCVSS 5.0EG 6.52022-12-19
A vulnerability was found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome and classified as critical. This issue affects some unknown processing of the component Browser Extension Provisioning. The manipulation le…
- CVE-2022-46160MEDIUMCVSS 4.3EG 4.32022-12-13
Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.104, project level authorizations are not properly verified when accessing the project "homepage"/dashboards. Use…
- CVE-2022-46167HIGHCVSS 8.8EG 8.82022-12-02
Capsule is a multi-tenancy and policy-based framework for Kubernetes. Prior to version 0.1.3, a ServiceAccount deployed in a Tenant Namespace, when granted with `PATCH` capabilities on its own Namespace, is able to edit it and remove the O…
- CVE-2022-46169CRITICALCVSS 9.8EG 9.8⚠ KEV2022-12-05
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbit…
- CVE-2022-46258MEDIUMCVSS 6.5EG 6.52023-01-09
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents …
- CVE-2022-46307HIGHCVSS 8.8EG 8.82023-06-02
SGUDA U-Lock central lock control service’s lock management function has incorrect authorization. A remote attacker with general privilege can exploit this vulnerability to call privileged APIs to acquire information, manipulate or disru…
- CVE-2022-46308HIGHCVSS 8.8EG 8.82023-06-02
SGUDA U-Lock central lock control service’s user management function has incorrect authorization. A remote attacker with general user privilege can exploit this vulnerability to call privileged APIs to access, modify and delete user info…
- CVE-2022-46399HIGHCVSS 7.5EG 7.52022-12-19
The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) is unresponsive with ConReqTimeoutZero.
- CVE-2022-46400MEDIUMCVSS 5.4EG 5.42022-12-19
The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) allows attackers to bypass passkey entry in legacy pairing.
- CVE-2022-46704MEDIUMCVSS 5.5EG 5.52023-02-27
A logic issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.1, macOS Big Sur 11.7.2, macOS Monterey 12.6.2. An app may be able to modify protected parts of the file system.
- CVE-2022-46792HIGHCVSS 8.8EG 8.82022-12-08
Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)
- CVE-2022-47002CRITICALCVSS 9.8EG 9.82023-02-01
A vulnerability in the Remember Me function of Masa CMS v7.2, 7.3, and 7.4-beta allows attackers to bypass authentication via a crafted web request.
- CVE-2022-47003CRITICALCVSS 9.8EG 9.82023-02-01
A vulnerability in the Remember Me function of Mura CMS before v10.0.580 allows attackers to bypass authentication via a crafted web request.
- CVE-2022-47553HIGHCVSS 8.6EG 8.62023-09-19
Incorrect authorisation in ekorCCP and ekorRCI, which could allow a remote attacker to obtain resources with sensitive information for the organisation, without being authenticated within the web server.
- CVE-2022-47648HIGHCVSS 7.6EG 8.82023-02-08
An Improper Access Control vulnerability allows an attacker to access the control panel of the B420 without requiring any sort of authorization or authentication due to the IP based authorization. If an authorized user has accessed a publi…
- CVE-2022-47714CRITICALCVSS 9.8EG 9.82023-02-01
Last Yard 22.09.8-1 does not enforce HSTS headers
- CVE-2022-47874MEDIUMCVSS 6.5EG 6.52023-05-02
Improper Access Control in /tc/rpc in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to view details of database connections via class 'com.jedox.etl.mngr.Connections' and method 'getGlobalConnection'.
- CVE-2022-48066CRITICALCVSS 9.8EG 9.82023-01-27
An issue in the component global.so of Totolink A830R V4.1.2cu.5182 allows attackers to bypass authentication via a crafted cookie.
- CVE-2022-48283CRITICALCVSS 9.8EG 9.82023-02-27
A piece of Huawei whole-home intelligence software has an Incorrect Privilege Assignment vulnerability. Successful exploitation of this vulnerability could allow attackers to access restricted functions.
- CVE-2022-48284CRITICALCVSS 9.8EG 9.82023-02-27
A piece of Huawei whole-home intelligence software has an Incorrect Privilege Assignment vulnerability. Successful exploitation of this vulnerability could allow attackers to access restricted functions.
- CVE-2022-48286HIGHCVSS 7.5EG 7.52023-02-09
The multi-screen collaboration module has a privilege escalation vulnerability. Successful exploitation of this vulnerability may affect data confidentiality.
- CVE-2022-48302HIGHCVSS 7.5EG 7.52023-02-09
The AMS module has a vulnerability of lacking permission verification in APIs.Successful exploitation of this vulnerability may affect data confidentiality.
- CVE-2022-48488MEDIUMCVSS 5.3EG 5.32023-06-19
Vulnerability of bypassing the default desktop security controls.Successful exploitation of this vulnerability may cause unauthorized modifications to the desktop.
- CVE-2022-48495MEDIUMCVSS 5.3EG 5.32023-06-19
Vulnerability of unauthorized access to foreground app information.Successful exploitation of this vulnerability may cause foreground app information to be obtained.
- CVE-2022-48508HIGHCVSS 7.5EG 7.52023-07-06
Inappropriate authorization vulnerability in the system apps. Successful exploitation of this vulnerability may affect service integrity.
- CVE-2022-48538MEDIUMCVSS 5.3EG 5.32023-08-22
In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password.
- CVE-2023-0091LOWCVSS 3.8EG 3.82023-01-13
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →