CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,797 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 41 of 76
- CVE-2023-28357MEDIUMCVSS 4.3EG 4.32023-05-11
A vulnerability has been identified in Rocket.Chat, where the ACL checks in the Slash Command /mute occur after checking whether a user is a member of a given channel, leaking private channel members to unauthorized users. This allows auth…
- CVE-2023-28468MEDIUMCVSS 6.5EG 6.52023-08-03
An issue was discovered in FvbServicesRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The FvbServicesRuntimeDxe SMM module exposes an SMI handler that allows an attacker to interact with the SPI flash at run-time from the OS.
- CVE-2023-28611CRITICALCVSS 9.8EG 9.82023-03-23
Incorrect authorization in OMICRON StationGuard 1.10 through 2.20 and StationScout 1.30 through 2.20 allows an attacker to bypass intended access restrictions.
- CVE-2023-28634HIGHCVSS 8.8EG 8.82023-04-05
GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it…
- CVE-2023-28635MEDIUMCVSS 5.4EG 5.42023-10-11
vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this …
- CVE-2023-28698CRITICALCVSS 9.8EG 9.82023-06-02
Wade Graphic Design FANTSY has a vulnerability of insufficient authorization check. An unauthenticated remote user can exploit this vulnerability by modifying URL parameters to gain administrator privileges to perform arbitrary system oper…
- CVE-2023-28714HIGHCVSS 8.2EG 8.22023-08-11
Improper access control in firmware for some Intel(R) PROSet/Wireless WiFi software for Windows before version 22.220 HF (Hot Fix) may allow a privileged user to potentially enable escalation of privilege via local access.
- CVE-2023-2877HIGHCVSS 8.8EG 8.82023-06-27
The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate a…
- CVE-2023-29240MEDIUMCVSS 5.4EG 5.42023-05-03
An authenticated attacker granted a Viewer or Auditor role on a BIG-IQ can upload arbitrary files using an undisclosed iControl REST endpoint. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- CVE-2023-29288MEDIUMCVSS 4.3EG 4.32023-06-15
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage th…
- CVE-2023-29295MEDIUMCVSS 4.3EG 4.32023-06-15
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverag…
- CVE-2023-29296MEDIUMCVSS 4.3EG 4.32023-06-15
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverag…
- CVE-2023-29381CRITICALCVSS 9.8EG 9.82023-07-06
An issue in Zimbra Collaboration (ZCS) v.8.8.15 and v.9.0 allows a remote attacker to escalate privileges and obtain sensitive information via the password and 2FA parameters.
- CVE-2023-29484MEDIUMCVSS 6.5EG 6.52023-10-16
In Terminalfour before 8.3.16, misconfigured LDAP users are able to login with an invalid password.
- CVE-2023-29656MEDIUMCVSS 6.1EG 6.12023-07-06
An improper authorization vulnerability in Darktrace mobile app (Android) prior to version 6.0.15 allows disabled and low-privilege users to control "antigena" actions(block/unblock traffic) from the mobile application. This vulnerability …
- CVE-2023-29708HIGHCVSS 7.5EG 7.52023-06-22
An issue was discovered in /cgi-bin/adm.cgi in WavLink WavRouter version RPT70HA1.x, allows attackers to force a factory reset via crafted payload.
- CVE-2023-29752HIGHCVSS 7.8EG 7.82023-06-09
An issue found in Facemoji Emoji Keyboard v.2.9.1.2 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the component.
- CVE-2023-29758MEDIUMCVSS 5.5EG 5.52023-06-09
An issue found in Blue Light Filter v.1.5.5 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.
- CVE-2023-29759MEDIUMCVSS 5.5EG 5.52023-06-09
An issue found in FlightAware v.5.8.0 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the database files.
- CVE-2023-29761MEDIUMCVSS 5.5EG 5.52023-06-09
An issue found in Sleep v.20230303 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.
- CVE-2023-29766HIGHCVSS 7.8EG 7.82023-06-09
An issue found in CrossX v.1.15.3 for Android allows a local attacker to cause an escalation of Privileges via the database files.
- CVE-2023-29818MEDIUMCVSS 5.5EG 5.52023-05-12
An issue found in Webroot SecureAnywhere Endpoint Protection CE 23.1 v.9.0.33.39 and before allows a local attacker to bypass protections via the default allowlist feature being stored as non-admin.
- CVE-2023-29819MEDIUMCVSS 5.5EG 5.52023-05-12
An issue found in Webroot SecureAnywhere Endpoint Protection CE 23.1 v.9.0.33.39 and before allows a local attacker to bypass protections via a crafted payload.
- CVE-2023-29927MEDIUMCVSS 4.3EG 4.32023-05-16
Versions of Sage 300 through 2022 implement role-based access controls that are only enforced client-side. Low-privileged Sage users, particularly those on a workstation setup in the "Windows Peer-to-Peer Network" or "Client Server Network…
- CVE-2023-30024MEDIUMCVSS 6.6EG 6.62023-04-28
The MagicJack device, a VoIP solution for internet phone calls, contains a hidden NAND flash memory partition allowing unauthorized read/write access. Attackers can exploit this by replacing the original software with a malicious version, …
- CVE-2023-3027HIGHCVSS 7.8EG 7.82023-06-05
The grc-policy-propagator allows security escalation within the cluster. The propagator allows policies which contain some dynamically obtained values (instead of the policy apply a static manifest on a managed cluster) of taking advantage…
- CVE-2023-3033MEDIUMCVSS 6.8EG 6.82023-06-02
Incorrect Authorization vulnerability in Mobatime web application allows Privilege Escalation, Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mobatime web application: through 06.7.22.
- CVE-2023-30428HIGHCVSS 8.2EG 8.22023-07-12
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role. This issue affect…
- CVE-2023-30429CRITICALCVSS 9.6EG 9.62023-07-12
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Pr…
- CVE-2023-30467HIGHCVSS 7.5EG 7.52023-04-28
This vulnerability exists in Milesight 4K/H.265 Series NVR models (MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC), due to improper authorization at the Milesight NVR web-based management interface. A remote attack…
- CVE-2023-30544LOWCVSS 3.9EG 3.92023-04-24
Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the `My profile` admin page. This page allowed them to change the email address registered with…
- CVE-2023-3066HIGHCVSS 8.1EG 8.12023-06-05
Incorrect Authorization vulnerability in Mobatime mobile application AMXGT100 allows a low-privileged user to impersonate anyone else, including administratorsThis issue affects Mobatime mobile application AMXGT100: through 1.3.20.
- CVE-2023-30705MEDIUMCVSS 6.8EG 6.82023-08-10
Improper sanitization of incoming intent in Galaxy Store prior to version 4.5.56.6?allows local attackers to access privileged content providers as Galaxy Store permission.
- CVE-2023-30771CRITICALCVSS 9.8EG 9.82023-04-17
Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component on 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database…
- CVE-2023-30840MEDIUMCVSS 5.8EG 5.82023-05-08
Fluid is an open source Kubernetes-native distributed dataset orchestrator and accelerator for data-intensive applications. Starting in version 0.7.0 and prior to version 0.8.6, if a malicious user gains control of a Kubernetes node runnin…
- CVE-2023-30955MEDIUMCVSS 4.3EG 4.32023-06-29
A security defect was identified in Foundry workspace-server that enabled a user to bypass an authorization check and view settings related to 'Developer Mode'. This enabled users with insufficient privilege the ability to view and interac…
- CVE-2023-30995HIGHCVSS 7.5EG 7.52023-09-08
IBM Aspera Faspex 4.0 through 4.4.2 and 5.0 through 5.0.5 could allow a malicious actor to bypass IP whitelist restrictions using a specially crafted HTTP request. IBM X-Force ID: 254268.
- CVE-2023-31138HIGHCVSS 7.1EG 7.12023-05-09
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object model traversal in the payload of a PATCH…
- CVE-2023-3114MEDIUMCVSS 5.0EG 5.02023-06-22
Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. This authorization flaw could potentially allow a workspace to access resour…
- CVE-2023-31141MEDIUMCVSS 4.8EG 4.82023-05-08
OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, fi…
- CVE-2023-31226HIGHCVSS 7.5EG 7.52023-05-26
The SDK for the MediaPlaybackController module has improper permission verification. Successful exploitation of this vulnerability may affect confidentiality.
- CVE-2023-31250MEDIUMCVSS 6.5EG 6.52023-04-26
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following…
- CVE-2023-31403CRITICALCVSS 9.6EG 9.62023-11-14
SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for SMB shared folder. As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in th…
- CVE-2023-31435HIGHCVSS 8.1EG 8.12023-05-02
Multiple components (such as Onlinetemplate-Verwaltung, Liste aller Teilbereiche, Umfragen anzeigen, and questionnaire previews) in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 allow authenticated attackers to read and write …
- CVE-2023-31597MEDIUMCVSS 6.5EG 6.52023-05-18
An issue in Zammad v5.4.0 allows attackers to bypass e-mail verification using an arbitrary address and manipulate the data of the generated user. Attackers are also able to gain unauthorized access to existing tickets.
- CVE-2023-31704CRITICALCVSS 9.8EG 9.82023-07-13
Sourcecodester Online Computer and Laptop Store 1.0 is vulnerable to Incorrect Access Control, which allows remote attackers to elevate privileges to the administrator's role.
- CVE-2023-31726HIGHCVSS 7.5EG 7.52023-05-23
AList 3.15.1 is vulnerable to Incorrect Access Control, which can be exploited by attackers to obtain sensitive information.
- CVE-2023-31997CRITICALCVSS 9.0EG 9.02023-07-01
UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi Network that allows users on a local network to access MongoDB. Applicable Cloud Keys that are both (1) running UniFi OS 3.1 and (2) hosting the UniFi Network application…
- CVE-2023-32060MEDIUMCVSS 6.5EG 6.52023-05-09
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.35 branch and prior to versions 2.36.13, 2.37.8, 2.38.2, and 2.39.0, when the Category Option Combination Sharing settin…
- CVE-2023-32061MEDIUMCVSS 5.4EG 5.42023-06-13
Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, the lack of restrictions on the iFrame tag makes it easy for an attacker to e…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →