CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,796 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 38 of 76
- CVE-2023-0120LOWCVSS 3.5EG 3.52023-09-01
An issue has been discovered in GitLab affecting all versions starting from 10.0 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was poss…
- CVE-2023-0133MEDIUMCVSS 6.5EG 6.52023-01-10
Inappropriate implementation in in Permission prompts in Google Chrome on Android prior to 109.0.5414.74 allowed a remote attacker to bypass main origin permission delegation via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2023-0298MEDIUMCVSS 6.5EG 6.52023-01-14
Incorrect Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0.
- CVE-2023-0319MEDIUMCVSS 5.8EG 5.32023-04-05
An issue has been discovered in GitLab affecting all versions starting from 13.6 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1, allowing to read environment names supposed to …
- CVE-2023-0328MEDIUMCVSS 4.3EG 4.32023-03-06
The WPCode WordPress plugin before 2.0.7 does not have adequate privilege checks in place for several AJAX actions, only checking the nonce. This may lead to allowing any authenticated user who can edit posts to call the endpoints related …
- CVE-2023-0814MEDIUMCVSS 6.5EG 6.52023-02-14
The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to sensitive information disclosure via the [user_meta] shortcode in versions up to, and including 3.9.0. This is due to insufficient restric…
- CVE-2023-0940HIGHCVSS 8.8EG 8.82023-03-20
The ProfileGrid WordPress plugin before 5.3.1 provides an AJAX endpoint for resetting a user password but does not implement proper authorization. This allows a user with low privileges, such as subscriber, to change the password of any ac…
- CVE-2023-0952MEDIUMCVSS 6.5EG 6.52023-03-01
Improper access controls on entries in Devolutions Server 2022.3.12 and earlier could allow an authenticated user to access sensitive data without proper authorization.
- CVE-2023-0971CRITICALCVSS 9.6EG 9.62023-06-21
A logic error in SiLabs Z/IP Gateway SDK 7.18.02 and earlier allows authentication to be bypassed, remote administration of Z-Wave controllers, and S0/S2 encryption keys to be recovered.
- CVE-2023-1071LOWCVSS 3.1EG 4.32023-04-05
An issue has been discovered in GitLab affecting all versions from 15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. Due to improper permissions checks it was possible for a…
- CVE-2023-1136CRITICALCVSS 9.8EG 7.52023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an unauthenticated attacker could generate a valid token, which would lead to authentication bypass.
- CVE-2023-1144HIGHCVSS 8.8EG 8.82023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalati…
- CVE-2023-1158MEDIUMCVSS 4.3EG 4.32023-05-24
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list.
- CVE-2023-1164HIGHCVSS 8.4EG 7.82023-03-03
A vulnerability was found in KylinSoft kylin-activation on KylinOS and classified as critical. Affected by this issue is some unknown functionality of the component File Import. The manipulation leads to improper authorization. The attack …
- CVE-2023-1202MEDIUMCVSS 6.5EG 6.52023-04-02
Permission bypass when importing or synchronizing entries in User vault in Devolutions Remote Desktop Manager 2023.1.9 and prior versions allows users with restricted rights to bypass entry permission via id collision.
- CVE-2023-1417MEDIUMCVSS 4.3EG 4.32023-04-05
An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to victim's epic in an unre…
- CVE-2023-1603MEDIUMCVSS 6.5EG 6.52023-04-02
Permission bypass when importing or synchronizing entries in User vault in Devolutions Server 2022.3.13 and prior versions allows users with restricted rights to bypass entry permission via id collision.
- CVE-2023-1779MEDIUMCVSS 4.3EG 4.32023-06-06
Exposure of Sensitive Information to an unauthorized actor vulnerability in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual in versions <=2.13.3 allow an authorized remote attacker with low privileges…
- CVE-2023-1832MEDIUMCVSS 6.8EG 6.82023-10-04
An improper access control flaw was found in Candlepin. An attacker can create data scoped under another customer/tenant, which can result in loss of confidentiality and availability for the affected customer/tenant.
- CVE-2023-1979MEDIUMCVSS 4.9EG 4.92023-05-08
The Web Stories for WordPress plugin supports the WordPress built-in functionality of protecting content with a password. The content is then only accessible to website visitors after entering the password. In WordPress, users with the "Au…
- CVE-2023-20018HIGHCVSS 8.6EG 6.52023-01-20
A vulnerability in the web-based management interface of Cisco IP Phone 7800 and 8800 Series Phones could allow an unauthenticated, remote attacker to bypass authentication on an affected device. This vulnerability is due to insufficien…
- CVE-2023-2002MEDIUMCVSS 6.8EG 6.82023-05-26
A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the …
- CVE-2023-20048CRITICALCVSS 9.9EG 9.92023-11-01
A vulnerability in the web services interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute certain unauthorized configuration commands on a Firepower Threat Defense (FTD) devi…
- CVE-2023-20190MEDIUMCVSS 5.8EG 5.82023-09-13
A vulnerability in the classic access control list (ACL) compression feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass the protection that is offered by a configured ACL on an affected device. Th…
- CVE-2023-20191MEDIUMCVSS 5.8EG 5.82023-09-13
A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to in…
- CVE-2023-2020MEDIUMCVSS 4.3EG 4.32023-04-18
Insufficient permission checks in the REST API in Tribe29 Checkmk <= 2.1.0p27 and <= 2.2.0b4 (beta) allow unauthorized users to schedule downtimes for any host.
- CVE-2023-20269MEDIUMCVSS 5.0EG 9.0⚠ KEV2023-09-06
A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an at…
- CVE-2023-20800MEDIUMCVSS 6.5EG 6.52023-08-07
In imgsys, there is a possible system crash due to a mssing ptr check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS07420968; Issue ID:…
- CVE-2023-20871HIGHCVSS 7.8EG 7.82023-04-25
VMware Fusion contains a local privilege escalation vulnerability. A malicious actor with read/write access to the host operating system can elevate privileges to gain root access to the host operating system.
- CVE-2023-20877HIGHCVSS 8.8EG 8.82023-05-12
VMware Aria Operations contains a privilege escalation vulnerability. An authenticated malicious user with ReadOnly privileges can perform code execution leading to privilege escalation.
- CVE-2023-20880MEDIUMCVSS 6.7EG 6.72023-05-12
VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.
- CVE-2023-20950HIGHCVSS 7.8EG 7.82023-04-19
In AlarmManagerActivity of AlarmManagerActivity.java, there is a possible way to bypass background activity launch restrictions via a pendingIntent. This could lead to local escalation of privilege with no additional execution privileges n…
- CVE-2023-20971HIGHCVSS 7.8EG 7.82023-03-24
In removePermission of PermissionManagerServiceImpl.java, there is a possible way to obtain dangerous permissions without user consent due to a logic error in the code. This could lead to local escalation of privilege with no additional ex…
- CVE-2023-20975HIGHCVSS 7.8EG 7.82023-03-24
In getAvailabilityStatus of EnableContentCapturePreferenceController.java, there is a possible way to bypass DISALLOW_CONTENT_CAPTURE due to a permissions bypass. This could lead to local escalation of privilege with no additional executio…
- CVE-2023-21034HIGHCVSS 7.8EG 7.82023-03-24
In multiple functions of SensorService.cpp, there is a possible access of accurate sensor data due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not nee…
- CVE-2023-21035HIGHCVSS 7.8EG 7.82023-03-24
In multiple functions of BackupHelper.java, there is a possible way for an app to get permissions previously granted to another app with the same package name due to a permissions bypass. This could lead to local escalation of privilege wi…
- CVE-2023-21116MEDIUMCVSS 6.7EG 6.72023-05-15
In verifyReplacingVersionCode of InstallPackageHelper.java, there is a possible way to downgrade system apps below system image version due to a logic error in the code. This could lead to local escalation of privilege with System executio…
- CVE-2023-21117HIGHCVSS 7.8EG 7.82023-05-15
In registerReceiverWithFeature of ActivityManagerService.java, there is a possible way for isolated processes to register a broadcast receiver due to a permissions bypass. This could lead to local escalation of privilege with no additional…
- CVE-2023-21225HIGHCVSS 7.8EG 7.82023-06-28
there is a possible way to bypass the protected confirmation screen due to Failure to lock display power. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for explo…
- CVE-2023-21245HIGHCVSS 7.8EG 7.82023-07-13
In showNextSecurityScreenOrFinish of KeyguardSecurityContainerController.java, there is a possible way to access the lock screen during device setup due to a logic error in the code. This could lead to local escalation of privilege with no…
- CVE-2023-21254HIGHCVSS 7.8EG 7.82023-07-13
In getCurrentState of OneTimePermissionUserManager.java, there is a possible way to hold one-time permissions after the app is being killed due to a logic error in the code. This could lead to local escalation of privilege with no addition…
- CVE-2023-21256HIGHCVSS 7.8EG 7.82023-07-13
In SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities via Settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User i…
- CVE-2023-21270HIGHCVSS 7.8EG 7.82024-11-19
In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way for an app to keep permissions that should be revoked due to incorrect permission flags cleared during an update. This could lead to local escalation o…
- CVE-2023-21311MEDIUMCVSS 5.5EG 5.52023-10-30
In Settings, there is a possible way to control private DNS settings from a secondary user due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not…
- CVE-2023-21390HIGHCVSS 7.8EG 7.82023-10-30
In Sim, there is a possible way to evade mobile preference restrictions due to a permission bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploit…
- CVE-2023-21422MEDIUMCVSS 5.7EG 5.52023-02-09
Improper authorization vulnerability in semAddPublicDnsAddr in WifiSevice prior to SMR Jan-2023 Release 1 allows attackers to set custom DNS server without permission via binding WifiService.
- CVE-2023-21423MEDIUMCVSS 5.1EG 5.52023-02-09
Improper authorization vulnerability in ChnFileShareKit prior to SMR Jan-2023 Release 1 allows attacker to control BLE advertising without permission using unprotected action.
- CVE-2023-21424MEDIUMCVSS 5.1EG 3.32023-02-09
Improper Handling of Insufficient Permissions or Privileges vulnerability in SemChameleonHelper prior to SMR Jan-2023 Release 1 allows attacker to modify network related values, network code, carrier id and operator brand.
- CVE-2023-21560MEDIUMCVSS 6.6EG 6.62023-01-10
Windows Boot Manager Security Feature Bypass Vulnerability
- CVE-2023-21670HIGHCVSS 7.8EG 7.82023-06-06
Memory Corruption in GPU Subsystem due to arbitrary command execution from GPU in privileged mode.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →