CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,796 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 40 of 76
- CVE-2023-25173MEDIUMCVSS 5.3EG 5.32023-02-16
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and ma…
- CVE-2023-25185LOWCVSS 3.8EG 3.82023-06-16
An issue was discovered on NOKIA Airscale ASIKA Single RAN devices before 21B. A mobile network solution internal fault was found in Nokia Single RAN software releases. Certain software processes in the BTS internal software design have un…
- CVE-2023-25189LOWCVSS 3.3EG 3.32024-09-25
BTS is affected by information disclosure vulnerability where mobile network operator personnel connected over BTS Web Element Manager, regardless of the access privileges, having a possibility to read BTS service operation details perform…
- CVE-2023-2534HIGHCVSS 7.6EG 7.62023-05-08
Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with re…
- CVE-2023-25415MEDIUMCVSS 5.3EG 5.32023-04-11
Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. The device allows unauthenticated access to Event Notification configuration.
- CVE-2023-25547HIGHCVSS 8.8EG 8.82023-04-18
A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2…
- CVE-2023-25548HIGHCVSS 8.8EG 8.82023-04-18
A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device credentials on specific DCE endpoints not being properly secured when a hacker is using a low privileged user. Affected products: StruxureWare Da…
- CVE-2023-25559HIGHCVSS 8.2EG 8.22023-02-11
DataHub is an open-source metadata platform. When not using authentication for the metadata service, which is the default configuration, the Metadata service (GMS) will use the X-DataHub-Actor HTTP header to infer the user the frontend is …
- CVE-2023-25575HIGHCVSS 7.7EG 7.72023-02-28
API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\Metadata\ApiProperty` attribute can be disclosed to unauthorized users. The …
- CVE-2023-25594MEDIUMCVSS 6.3EG 8.82023-03-22
A vulnerability in the web-based management interface of ClearPass Policy Manager allows an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. Successful exploitation of…
- CVE-2023-25647MEDIUMCVSS 4.7EG 4.72023-08-17
There is a permission and access control vulnerability in some ZTE mobile phones. Due to improper access control, applications in mobile phone could monitor the touch event.
- CVE-2023-25729HIGHCVSS 8.8EG 8.82023-06-02
Permission prompts for opening external schemes were only shown for <code>ContentPrincipals</code> resulting in extensions being able to open them without user interaction via <code>ExpandedPrincipals</code>. This could lead to further mal…
- CVE-2023-25749MEDIUMCVSS 4.3EG 4.32023-06-02
Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities. Firefox will now confirm with users that they want to launch an external application before doing so…
- CVE-2023-2576MEDIUMCVSS 4.3EG 4.32023-07-13
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. This allowed a developer to remove the CO…
- CVE-2023-25923LOWCVSS 2.7EG 7.52023-03-21
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow an attacker to upload files that could be used in a denial of service attack due to incorrect authorization. IBM X-Force ID: 247629.
- CVE-2023-25924MEDIUMCVSS 5.4EG 8.82023-03-22
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow an authenticated user to perform actions that they should not have access to due to improper authorization. IBM X-Force ID: 247630.
- CVE-2023-25946HIGHCVSS 8.8EG 8.82023-05-23
Authentication bypass vulnerability in Qrio Lock (Q-SL2) firmware version 2.0.9 and earlier allows a network-adjacent attacker to analyze the product's communication data and conduct an arbitrary operation under certain conditions.
- CVE-2023-26056MEDIUMCVSS 5.4EG 5.42023-03-02
XWiki Platform is a generic wiki platform. Starting in version 3.0-milestone-1, it's possible to execute a script with the right of another user, provided the target user does not have programming right. The problem has been patched in XWi…
- CVE-2023-26097HIGHCVSS 8.4EG 8.42023-04-24
An issue was discovered in Telindus Apsal 3.14.2022.235 b. Unauthorized actions that could modify the application behaviour may not be blocked.
- CVE-2023-26244HIGHCVSS 7.8EG 7.82023-04-27
An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The AppDMClient binary file, which is used during the firmware installation process, can be modified by an attacker to bypass th…
- CVE-2023-26245HIGHCVSS 7.8EG 7.82023-04-27
An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The AppUpgrade binary file, which is used during the firmware installation process, can be modified by an attacker to bypass the…
- CVE-2023-26246HIGHCVSS 7.8EG 7.82023-04-27
An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The AppUpgrade binary file, which is used during the firmware installation process, can be modified by an attacker to bypass the…
- CVE-2023-26258CRITICALCVSS 9.8EG 9.82023-07-03
Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obt…
- CVE-2023-2640HIGHCVSS 7.8EG 9.02023-07-26
On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set …
- CVE-2023-26484HIGHCVSS 8.2EG 8.22023-03-15
KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account c…
- CVE-2023-26818MEDIUMCVSS 5.5EG 5.52023-05-19
Telegram 9.3.1 and 9.4.0 allows attackers to access restricted files, microphone ,or video recording via the DYLD_INSERT_LIBRARIES flag.
- CVE-2023-26829CRITICALCVSS 9.8EG 9.82023-03-31
An authentication bypass vulnerability in the Password Reset component of Gladinet CentreStack before 13.5.9808 allows remote attackers to set a new password for any valid user account, without needing the previous known password, resultin…
- CVE-2023-27107HIGHCVSS 8.8EG 8.82023-04-26
Incorrect access control in the runReport function of MyQ Solution Print Server before 8.2 Patch 32 and Central Server before 8.2 Patch 22 allows users who do not have appropriate access rights to generate internal reports using a direct U…
- CVE-2023-27384MEDIUMCVSS 4.3EG 4.32023-05-23
Operation restriction bypass vulnerability in MultiReport of Cybozu Garoon 5.15.0 allows a remote authenticated attacker to alter the data of MultiReport.
- CVE-2023-27388CRITICALCVSS 9.8EG 9.82023-05-23
Improper authentication vulnerability in T&D Corporation and ESPEC MIC CORP. data logger products allows a remote unauthenticated attacker to login to the product as a registered user. Affected products and versions are as follows: T&D Cor…
- CVE-2023-27485MEDIUMCVSS 4.3EG 4.32023-03-07
thmmniii/fbs-core is an open source feedback system for students. In versions prior to 1.5.3 when querying `subresults`, it is possible to query `subresults` from other users due to insufficient authorisation. This is only possible for log…
- CVE-2023-27486HIGHCVSS 8.1EG 8.12023-03-08
xCAT is a toolkit for deployment and administration of computer clusters. In versions prior to 2.16.5 if zones are configured as a mechanism to secure clusters in XCAT, it is possible for a local root user from one node to obtain credentia…
- CVE-2023-27523MEDIUMCVSS 5.0EG 5.02023-09-06
Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to.
- CVE-2023-27525LOWCVSS 3.1EG 4.32023-04-17
An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache Superset up to and including 2.0.1
- CVE-2023-27526MEDIUMCVSS 4.3EG 4.32023-09-06
A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0.
- CVE-2023-27578CRITICALCVSS 9.1EG 9.12023-03-20
Galaxy is an open-source platform for data analysis. All supported versions of Galaxy are affected prior to 22.01, 22.05, and 23.0 are affected by an insufficient permission check. Unsupported versions are likely affected as far back as th…
- CVE-2023-2759HIGHCVSS 8.8EG 8.82023-07-17
A hidden API exists in TapHome's core platform before version 2023.2 that allows an authenticated, low privileged user to change passwords of other users without any prior knowledge. The attacker may gain full access to the device by using…
- CVE-2023-27594MEDIUMCVSS 4.2EG 4.22023-03-17
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, ide…
- CVE-2023-27716CRITICALCVSS 9.8EG 9.82023-06-12
An issue was discovered in freakchicken kafkaUI-lite 1.2.11 allows attackers on the same network to gain escalated privileges for the nodes running on it.
- CVE-2023-2782MEDIUMCVSS 5.5EG 5.52023-05-18
Sensitive information disclosure due to improper authorization. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.3.1-38.
- CVE-2023-27899HIGHCVSS 7.0EG 7.02023-03-10
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers wi…
- CVE-2023-27903MEDIUMCVSS 4.4EG 4.42023-03-10
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attac…
- CVE-2023-27920MEDIUMCVSS 4.3EG 4.32023-05-23
Improper access control vulnerability in the system date/time setting page of SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10 and SV-CPT-MC310F versions prior to Ver.8.10 allows a remote authenticated attacker to alter system dat…
- CVE-2023-27951MEDIUMCVSS 5.5EG 5.52023-05-08
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, macOS Big Sur 11.7.5. An archive may be able to bypass Gatekeeper.
- CVE-2023-27954MEDIUMCVSS 6.5EG 6.52023-05-08
The issue was addressed by removing origin information. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, iOS 15.7.4 and iPadOS 15.7.4, tvOS 16.4, watchOS 9.4. A website may be able to track sensitive user i…
- CVE-2023-28175HIGHCVSS 7.1EG 7.12023-06-15
Improper Authorization in SSH server in Bosch VMS 11.0, 11.1.0, and 11.1.1 allows a remote authenticated user to access resources within the trusted internal network via a port forwarding request.
- CVE-2023-28249MEDIUMCVSS 6.2EG 6.22023-04-11
Windows Boot Manager Security Feature Bypass Vulnerability
- CVE-2023-28270MEDIUMCVSS 6.8EG 6.82023-04-11
Windows Lock Screen Security Feature Bypass Vulnerability
- CVE-2023-28325MEDIUMCVSS 6.5EG 6.52023-05-11
An improper authorization vulnerability exists in Rocket.Chat <6.0 that could allow a hacker to manipulate the rid parameter and change the updateMessage method that only checks whether the user is allowed to edit message in the target roo…
- CVE-2023-28352HIGHCVSS 7.4EG 7.42023-05-31
An issue was discovered in Faronics Insight 10.0.19045 on Windows. By abusing the Insight UDP broadcast discovery system, an attacker-controlled artificial Student Console can connect to and attack a Teacher Console even after Enhanced Sec…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →