CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,796 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 39 of 76
- CVE-2023-21715HIGHCVSS 7.3EG 9.0⚠ KEV2023-02-14
Microsoft Publisher Security Feature Bypass Vulnerability
- CVE-2023-21719MEDIUMCVSS 6.5EG 6.52023-01-24
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
- CVE-2023-22067MEDIUMCVSS 5.3EG 5.32023-10-17
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: CORBA). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf; Oracle GraalVM Enterprise Edition: 20.3.11 an…
- CVE-2023-22248HIGHCVSS 7.5EG 7.52023-06-15
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnera…
- CVE-2023-22251MEDIUMCVSS 4.3EG 4.32023-03-27
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. A low-privileged authenticated attacker could leverage this vulnerability to achieve minor information disc…
- CVE-2023-22480HIGHCVSS 7.3EG 7.32023-01-14
KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak…
- CVE-2023-22482CRITICALCVSS 9.0EG 9.02023-01-26
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accep…
- CVE-2023-22500HIGHCVSS 7.5EG 7.52023-01-26
GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6 are vulnerable to Incorrect Authorization. This vulnerability allow unauthorized access to inventory files. Thus, if anonymous access to FA…
- CVE-2023-22518CRITICALCVSS 9.8EG 9.8⚠ KEV2023-10-31
All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrat…
- CVE-2023-2257HIGHCVSS 7.8EG 7.82023-04-24
Authentication Bypass in Hub Business integration in Devolutions Workspace Desktop 2023.1.1.3 and earlier on Windows and macOS allows an attacker with access to the user interface to unlock a Hub Business space without being prompted to e…
- CVE-2023-22593MEDIUMCVSS 4.0EG 4.02023-06-27
IBM Robotic Process Automation for Cloud Pak 21.0.1 through 21.0.7.3 and 23.0.0 through 23.0.3 is vulnerable to security misconfiguration of the Redis container which may provide elevated privileges. IBM X-Force ID: 244074.
- CVE-2023-22610CRITICALCVSS 9.1EG 7.52023-01-31
A CWE-863: Incorrect Authorization vulnerability exists that could cause Denial of Service against the Geo SCADA server when specific messages are sent to the server over the database server TCP port.
- CVE-2023-22620HIGHCVSS 7.5EG 7.52023-04-12
An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authenticat…
- CVE-2023-22833HIGHCVSS 7.6EG 7.62023-06-06
Palantir Foundry deployments running Lime2 versions between 2.519.0 and 2.532.0 were vulnerable a bug that allowed authenticated users within a Foundry organization to bypass discretionary or mandatory access controls under certain circums…
- CVE-2023-22891HIGHCVSS 8.1EG 8.12023-03-08
There exists a privilege escalation vulnerability in SmartBear Zephyr Enterprise through 7.15.0 that could be exploited by authorized users to reset passwords for other accounts.
- CVE-2023-22945MEDIUMCVSS 4.3EG 4.32023-01-11
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties.
- CVE-2023-23064CRITICALCVSS 9.8EG 9.82023-02-17
TOTOLINK A720R V4.1.5cu.532_ B20210610 is vulnerable to Incorrect Access Control.
- CVE-2023-23192HIGHCVSS 7.2EG 7.22023-03-23
IS Decisions UserLock MFA 11.01 is vulnerable to authentication bypass using scheduled task.
- CVE-2023-23299HIGHCVSS 7.5EG 7.52023-05-23
The permission system implemented and enforced by the GarminOS TVM component in CIQ API version 1.0.0 through 4.1.7 can be bypassed entirely. A malicious application with specially crafted code and data sections could access restricted CIQ…
- CVE-2023-23304CRITICALCVSS 9.1EG 9.12023-05-23
The GarminOS TVM component in CIQ API version 2.1.0 through 4.1.7 allows applications with a specially crafted head section to use the `Toybox.SensorHistory` module without permission. A malicious application could call any functions from …
- CVE-2023-23445HIGHCVSS 7.5EG 7.52023-05-15
Improper Access Control in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to gain unauthorized access to data fields by using a therefore unpr…
- CVE-2023-23446HIGHCVSS 7.5EG 7.52023-05-15
Improper Access Control in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to download files by using a therefore unpriviledged account via the…
- CVE-2023-23476LOWCVSS 3.1EG 3.12023-08-02
IBM Robotic Process Automation 21.0.0 through 21.0.7.latest is vulnerable to unauthorized access to data due to insufficient authorization validation on some API routes. IBM X-Force ID: 245425.
- CVE-2023-23506MEDIUMCVSS 5.5EG 5.52023-02-27
A permissions issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.2. An app may be able to access user-sensitive data.
- CVE-2023-23510MEDIUMCVSS 5.5EG 5.52023-02-27
A permissions issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.2. An app may be able to access a user’s Safari history.
- CVE-2023-23538MEDIUMCVSS 5.5EG 5.52023-05-08
A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4. An app may be able to modify protected parts of the file system.
- CVE-2023-23594CRITICALCVSS 9.8EG 9.82023-03-31
An authentication bypass vulnerability in the web client interface for the CL4NX printer before firmware version 1.13.3-u724_r2 provides remote unauthenticated attackers with access to execute commands intended only for valid/authenticated…
- CVE-2023-23604MEDIUMCVSS 6.5EG 6.52023-06-02
A duplicate `SystemPrincipal` object could be created when parsing a non-system html document via `DOMParser::ParseFromSafeString`. This could have lead to bypassing web security checks. This vulnerability affects Firefox < 109.
- CVE-2023-23696HIGHCVSS 7.0EG 7.82023-02-07
Dell Command Intel vPro Out of Band, versions prior to 4.3.1, contain an Improper Authorization vulnerability. A locally authenticated malicious users could potentially exploit this vulnerability in order to write arbitrary files to the s…
- CVE-2023-23751MEDIUMCVSS 4.3EG 4.32023-02-01
An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.
- CVE-2023-23918HIGHCVSS 7.5EG 7.52023-02-23
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non author…
- CVE-2023-23924CRITICALCVSS 10.0EG 10.02023-02-01
Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrappe…
- CVE-2023-23947CRITICALCVSS 9.1EG 9.12023-02-16
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who ha…
- CVE-2023-24029HIGHCVSS 7.2EG 7.22023-02-03
In Progress WS_FTP Server before 8.8, it is possible for a host administrator to elevate their privileges via the administrative interface due to insufficient authorization controls applied on user modification workflows.
- CVE-2023-24047MEDIUMCVSS 6.8EG 6.82023-12-04
An Insecure Credential Management issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges via use of weak hashing algorithm.
- CVE-2023-24051CRITICALCVSS 9.8EG 9.82023-12-04
A client side rate limit issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges via brute force style attacks.
- CVE-2023-24052CRITICALCVSS 9.8EG 9.82023-12-04
An issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain control of the device via the change password functionality as it does not prompt for the current password.
- CVE-2023-24471MEDIUMCVSS 6.5EG 6.52023-08-09
An access control vulnerability was found, due to the restrictions that are applied on actual assertions not being enforced in their debug functionality. An authenticated user with reduced visibility can obtain unauthorized information vi…
- CVE-2023-24485HIGHCVSS 7.8EG 7.82023-02-16
Vulnerabilities have been identified that, collectively, allow a standard Windows user to perform operations as SYSTEM on the computer running Citrix Workspace app.
- CVE-2023-24505MEDIUMCVSS 5.3EG 5.32023-05-08
Milesight NCR/camera version 71.8.0.6-r5 discloses sensitive information through an unspecified request.
- CVE-2023-24512HIGHCVSS 8.8EG 8.82023-04-25
On affected platforms running Arista EOS, an authorized attacker with permissions to perform gNMI requests could craft a request allowing it to update arbitrary configurations in the switch. This situation occurs only when the Streaming Te…
- CVE-2023-24546HIGHCVSS 8.1EG 8.12023-06-13
On affected versions of the CloudVision Portal improper access controls on the connection from devices to CloudVision could enable a malicious actor with network access to CloudVision to get broader access to telemetry and configuration da…
- CVE-2023-24600MEDIUMCVSS 4.3EG 4.32023-05-29
OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book.
- CVE-2023-24829HIGHCVSS 8.8EG 8.82023-01-31
Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console…
- CVE-2023-24880MEDIUMCVSS 4.4EG 9.0⚠ KEV2023-03-14
Windows SmartScreen Security Feature Bypass Vulnerability
- CVE-2023-24932MEDIUMCVSS 6.7EG 6.72023-05-09
Secure Boot Security Feature Bypass Vulnerability
- CVE-2023-24999MEDIUMCVSS 4.4EG 4.42023-03-11
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fi…
- CVE-2023-25017HIGHCVSS 8.1EG 8.12023-03-27
RIFARTEK IOT Wall has a vulnerability of incorrect authorization. An authenticated remote attacker with general user privilege is allowed to perform specific privileged function to access and modify all sensitive data.
- CVE-2023-25043MEDIUMCVSS 4.3EG 5.02024-04-17
Incorrect Authorization vulnerability in Supsystic Data Tables Generator.This issue affects Data Tables Generator: from n/a through 1.10.25.
- CVE-2023-2515MEDIUMCVSS 4.7EG 4.72023-05-12
Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →