CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,797 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 42 of 76
- CVE-2023-32069CRITICALCVSS 9.9EG 9.92023-05-09
XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-2 and prior to versions 14.10.4 and 15.0-rc-1, it's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document. This ha…
- CVE-2023-32219MEDIUMCVSS 6.5EG 6.52023-06-12
A Mazda model (2015-2016) can be unlocked via an unspecified method.
- CVE-2023-32220HIGHCVSS 8.2EG 8.22023-06-12
Milesight NCR/camera version 71.8.0.6-r5 allows authentication bypass through an unspecified method.
- CVE-2023-32261MEDIUMCVSS 4.2EG 4.22023-07-19
A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. See the foll…
- CVE-2023-32353HIGHCVSS 7.8EG 7.82023-06-23
A logic issue was addressed with improved checks. This issue is fixed in iTunes 12.12.9 for Windows. An app may be able to elevate privileges.
- CVE-2023-32482MEDIUMCVSS 4.9EG 4.92023-07-20
Wyse Management Suite versions prior to 4.0 contain an improper authorization vulnerability. An authenticated malicious user with privileged access can push policies to unauthorized tenant group.
- CVE-2023-3253MEDIUMCVSS 4.3EG 4.32023-08-29
An improper authorization vulnerability exists where an authenticated, low privileged remote attacker could view a list of all the users available in the application.
- CVE-2023-32629HIGHCVSS 7.8EG 7.82023-07-26
Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels
- CVE-2023-32672MEDIUMCVSS 4.3EG 4.32023-09-06
An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. The vulnerability can…
- CVE-2023-32683LOWCVSS 3.5EG 3.52023-06-06
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network…
- CVE-2023-32748CRITICALCVSS 9.8EG 9.82023-08-14
The Linux DVS server component of Mitel MiVoice Connect through 19.3 SP2 (22.24.1500.0) could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control.
- CVE-2023-32749HIGHCVSS 8.8EG 8.82023-06-08
Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By ass…
- CVE-2023-32783HIGHCVSS 7.5EG 7.52023-08-07
The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1 allows an attacker to bypass audit detection by creating or renaming user accounts with a "$" symbol suffix. NOTE: the vendor states "We do not consider this as a securit…
- CVE-2023-32967MEDIUMCVSS 5.0EG 5.02024-02-02
An incorrect authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to bypass intended access restrictions via a network. QTS 5.x, QuT…
- CVE-2023-33071HIGHCVSS 8.4EG 8.42023-12-05
Memory corruption in Automotive OS whenever untrusted apps try to access HAb for graphics functionalities.
- CVE-2023-33190CRITICALCVSS 9.9EG 9.92023-06-29
Sealos is an open source cloud operating system distribution based on the Kubernetes kernel. In versions of Sealos prior to 4.2.1-rc4 an improper configuration of role based access control (RBAC) permissions resulted in an attacker being a…
- CVE-2023-33237HIGHCVSS 8.8EG 8.82023-08-17
TN-5900 Series firmware version v3.3 and prior is vulnerable to improper-authentication vulnerability. This vulnerability arises from inadequate authentication measures implemented in the web API handler, allowing low-privileged APIs to ex…
- CVE-2023-33254MEDIUMCVSS 6.5EG 6.52023-05-21
There is an LDAP bind credentials exposure on KACE Systems Deployment and Remote Site appliances 9.0.146. The captured credentials may provide a higher privilege level on the Active Directory domain. To exploit this, an authenticated attac…
- CVE-2023-33468CRITICALCVSS 9.1EG 9.12023-08-09
KramerAV VIA Connect (2) and VIA Go (2) devices with a version prior to 4.0.1.1326 exhibit a vulnerability that enables remote manipulation of the device. This vulnerability involves extracting the connection confirmation code remotely, by…
- CVE-2023-33651HIGHCVSS 7.5EG 7.52023-06-06
An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules.
- CVE-2023-33779HIGHCVSS 8.8EG 8.82023-05-26
A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows users to execute arbitrary commands on another user's account via a crafted POST request to the component /jobinfo/.
- CVE-2023-3379MEDIUMCVSS 5.3EG 5.32023-11-20
Wago web-based management of multiple products has a vulnerability which allows an local authenticated attacker to change the passwords of other non-admin users and thus to escalate non-root privileges.
- CVE-2023-34035HIGHCVSS 7.3EG 7.32023-07-18
Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, one of them be…
- CVE-2023-34051CRITICALCVSS 9.8EG 9.82023-10-20
VMware Aria Operations for Logs contains an authentication bypass vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.
- CVE-2023-34106MEDIUMCVSS 6.5EG 6.52023-07-05
GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user. This allows access to the list of a…
- CVE-2023-34107MEDIUMCVSS 6.5EG 6.52023-07-05
GLPI is a free asset and IT management software package. Versions of the software starting with 9.2.0 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user, allows access to the view all Know…
- CVE-2023-34146HIGHCVSS 7.8EG 7.82023-06-26
An exposed dangerous function vulnerability in the Trend Micro Apex One and Apex One as a Service security agent could allow a local attacker to escalate privileges and write an arbitrary value to specific Trend Micro agent subkeys on affe…
- CVE-2023-34147HIGHCVSS 7.8EG 7.82023-06-26
An exposed dangerous function vulnerability in the Trend Micro Apex One and Apex One as a Service security agent could allow a local attacker to escalate privileges and write an arbitrary value to specific Trend Micro agent subkeys on affe…
- CVE-2023-34148HIGHCVSS 7.8EG 7.82023-06-26
An exposed dangerous function vulnerability in the Trend Micro Apex One and Apex One as a Service security agent could allow a local attacker to escalate privileges and write an arbitrary value to specific Trend Micro agent subkeys on affe…
- CVE-2023-34161HIGHCVSS 7.5EG 7.52023-06-19
nappropriate authorization vulnerability in the SettingsProvider module.Successful exploitation of this vulnerability may cause features to perform abnormally.
- CVE-2023-34197MEDIUMCVSS 5.4EG 5.42023-07-07
Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders …
- CVE-2023-34218CRITICALCVSS 9.1EG 9.12023-05-31
In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible
- CVE-2023-34219MEDIUMCVSS 4.3EG 4.32023-05-31
In JetBrains TeamCity before 2023.05 improper permission checks allowed users without appropriate permissions to edit Build Configuration settings via REST API
- CVE-2023-3443LOWCVSS 3.1EG 3.12023-12-01
An issue has been discovered in GitLab affecting all versions starting from 12.1 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a Guest user to add an emoji …
- CVE-2023-3444MEDIUMCVSS 5.7EG 5.72023-07-13
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to merge arbitra…
- CVE-2023-3459HIGHCVSS 7.2EG 7.22023-07-18
The Export and Import Users and Customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hf_update_customer' function called via an AJAX action in versions up to, and inclu…
- CVE-2023-34724MEDIUMCVSS 6.8EG 6.82023-08-28
An issue was discovered in TECHView LA5570 Wireless Gateway 1.0.19_T53, allows physical attackers to gain escalated privileges via the UART interface.
- CVE-2023-3484HIGHCVSS 8.0EG 8.02023-07-21
An issue has been discovered in GitLab EE affecting all versions starting from 12.8 before 15.11.11, all versions starting from 16.0 before 16.0.7, all versions starting from 16.1 before 16.1.2. An attacker could change the name or path of…
- CVE-2023-3485LOWCVSS 3.0EG 3.02023-06-30
Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namespace other than the one specified in the request. Creation of this task token must be done…
- CVE-2023-34923HIGHCVSS 8.1EG 8.12023-06-22
XML Signature Wrapping (XSW) in SAML-based Single Sign-on feature in TOPdesk v12.10.12 allows bad actors with credentials to authenticate with the Identity Provider (IP) to impersonate any TOPdesk user via SAML Response manipulation.
- CVE-2023-34958MEDIUMCVSS 4.3EG 4.32023-06-08
Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a student subscribed to a given course to download documents belonging to another student if they know the document's ID.
- CVE-2023-34965MEDIUMCVSS 5.3EG 5.32023-06-13
SSPanel-Uim 2023.3 does not restrict access to the /link/ interface which can lead to a leak of user information.
- CVE-2023-3509LOWCVSS 3.7EG 3.72024-02-21
An issue has been discovered in GitLab affecting all versions before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for group members with sub-maintainer role to change…
- CVE-2023-3511LOWCVSS 2.0EG 2.02023-12-15
An issue has been discovered in GitLab EE affecting all versions starting from 8.17 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible for auditor users to fork and …
- CVE-2023-35165MEDIUMCVSS 6.6EG 6.62023-06-23
AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages `aws-cdk-lib` 2.0.0 until 2.80.0 and `@aws-cdk/aws-eks…
- CVE-2023-35166CRITICALCVSS 9.9EG 9.92023-06-20
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension. This has been patched…
- CVE-2023-35653MEDIUMCVSS 4.4EG 4.42023-10-11
In TBD of TBD, there is a possible way to access location information due to a permissions bypass. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.
- CVE-2023-3582MEDIUMCVSS 4.3EG 4.32023-07-17
Mattermost fails to verify channel membership when linking a board to a channel allowing a low-privileged authenticated user to link a Board to a private channel they don't have access to,
- CVE-2023-35836MEDIUMCVSS 6.5EG 6.52024-01-23
An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02. An attacker within RF range can obtain a cleartext copy of the network configuration of the device, including the Wi-Fi PSK, during device setup and reconfiguration. Upon suc…
- CVE-2023-3584LOWCVSS 3.1EG 3.12023-07-17
Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request, allowing an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with sa…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →