CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,797 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 43 of 76
- CVE-2023-3586MEDIUMCVSS 4.2EG 4.22023-07-17
Mattermost fails to disable public Boards after the "Enable Publicly-Shared Boards" configuration option is disabled, resulting in previously-shared public Boards to remain accessible.
- CVE-2023-35866MEDIUMCVSS 5.5EG 5.52023-06-19
In KeePassXC through 2.7.5, a local attacker can make changes to the Database security settings, including master password and second-factor authentication, within an authenticated KeePassXC Database session, without the need to authentica…
- CVE-2023-3590LOWCVSS 3.1EG 3.12023-07-17
Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.
- CVE-2023-35908MEDIUMCVSS 6.5EG 6.52023-07-12
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected
- CVE-2023-35939HIGHCVSS 8.1EG 8.12023-07-05
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a on a file accessible by an authenticated user (or not for certain actions), allows a threat acto…
- CVE-2023-35983MEDIUMCVSS 5.5EG 5.52023-07-27
This issue was addressed with improved data protection. This issue is fixed in macOS Monterey 12.6.8, macOS Ventura 13.5, macOS Big Sur 11.7.9. An app may be able to modify protected parts of the file system.
- CVE-2023-35990LOWCVSS 3.3EG 3.32023-09-27
The issue was addressed with improved checks. This issue is fixed in iOS 17 and iPadOS 17, watchOS 10, iOS 16.7 and iPadOS 16.7, macOS Sonoma 14. An app may be able to identify what other apps a user has installed.
- CVE-2023-36089CRITICALCVSS 9.8EG 9.82023-07-31
Authentication Bypass vulnerability in D-Link DIR-645 firmware version 1.03 allows remote attackers to gain escalated privileges via function phpcgi_main in cgibin. NOTE: This vulnerability only affects products that are no longer supporte…
- CVE-2023-36090CRITICALCVSS 9.8EG 9.82023-07-31
Authentication Bypass vulnerability in D-Link DIR-885L FW102b01 allows remote attackers to gain escalated privileges via phpcgi. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
- CVE-2023-36091CRITICALCVSS 9.8EG 9.82023-07-31
Authentication Bypass vulnerability in D-Link DIR-895 FW102b07 allows remote attackers to gain escalated privileges via via function phpcgi_main in cgibin. NOTE: This vulnerability only affects products that are no longer supported by the …
- CVE-2023-36092CRITICALCVSS 9.8EG 9.82023-07-31
Authentication Bypass vulnerability in D-Link DIR-859 FW105b03 allows remote attackers to gain escalated privileges via via phpcgi_main. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
- CVE-2023-3613LOWCVSS 3.5EG 3.52023-07-17
Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added or invited to channels by default.
- CVE-2023-36339HIGHCVSS 7.5EG 7.52023-07-21
An access control issue in WebBoss.io CMS v3.7.0.1 allows attackers to access the Website Backup Tool via a crafted GET request.
- CVE-2023-36387MEDIUMCVSS 5.4EG 5.42023-09-06
An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.
- CVE-2023-36556HIGHCVSS 8.8EG 8.82023-10-10
An incorrect authorization vulnerability [CWE-863] in FortiMail webmail version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.5 and below 6.4.7 allows an authenticated attacker to login on other users accounts from the same web domain via…
- CVE-2023-36646HIGHCVSS 8.8EG 8.82023-12-12
Incorrect user role checking in multiple REST API endpoints in ProLion CryptoSpike 3.0.15P2 allows a remote attacker with low privileges to execute privileged functions and achieve privilege escalation via REST API endpoint invocation.
- CVE-2023-36826HIGHCVSS 7.7EG 7.72023-07-25
Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known b…
- CVE-2023-36829MEDIUMCVSS 6.8EG 6.82023-07-06
Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the `access-control-allow-credentials: true` HTTP header if the `Origin` request he…
- CVE-2023-36994CRITICALCVSS 9.8EG 9.82023-07-07
In TravianZ 8.3.4 and 8.3.3, Incorrect Access Control in the installation script allows an attacker to overwrite the server configuration and inject PHP code.
- CVE-2023-37300MEDIUMCVSS 5.3EG 5.32023-06-30
An issue was discovered in the CheckUserLog API in the CheckUser extension for MediaWiki through 1.39.3. There is incorrect access control for visibility of hidden users.
- CVE-2023-37367MEDIUMCVSS 5.3EG 5.32023-09-08
An issue was discovered in Samsung Exynos Mobile Processor, Automotive Processor, and Modem (Exynos 9820, Exynos 980, Exynos 850, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos Modem 5123, Exynos Modem…
- CVE-2023-37491HIGHCVSS 7.5EG 7.52023-08-08
The ACL (Access Control List) of SAP Message Server - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, RNL64UC 7.22, RNL64UC 7.22EXT, RNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22EXT, can be bypassed in certain conditions, whi…
- CVE-2023-37492MEDIUMCVSS 4.9EG 4.92023-08-08
SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BAS…
- CVE-2023-37579HIGHCVSS 8.2EG 8.22023-07-12
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. Any authenticated user can retrieve a source's configuration or a sink's conf…
- CVE-2023-37881MEDIUMCVSS 4.9EG 8.82023-09-12
Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: <= 7.2.0.
- CVE-2023-38035CRITICALCVSS 9.8EG 9.8⚠ KEV2023-08-21
A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache …
- CVE-2023-38058MEDIUMCVSS 4.1EG 4.12023-07-24
An improper privilege check in the OTRS ticket move action in the agent interface allows any as agent authenticated attacker to to perform a move of an ticket without the needed permission. This issue affects OTRS: from 8.0.X before 8.0…
- CVE-2023-3814MEDIUMCVSS 4.9EG 4.92023-09-04
The Advanced File Manager WordPress plugin before 5.1.1 does not adequately authorize its usage on multisite installations, allowing site admin users to list and read arbitrary files and folders on the server.
- CVE-2023-38209MEDIUMCVSS 6.5EG 6.52023-08-09
Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Incorrect Authorization vulnerability that could lead to a Security feature bypass. A low-privileged attacker could levera…
- CVE-2023-38218HIGHCVSS 8.8EG 8.82023-10-13
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Incorrect Authorization . An authenticated attacker can exploit this to achieve information exp…
- CVE-2023-38368MEDIUMCVSS 5.5EG 6.22024-06-27
IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could disclose sensitive information to a local user to do improper permission controls. IBM X-Force ID: 261195.
- CVE-2023-38389CRITICALCVSS 9.8EG 9.82024-06-21
Incorrect Authorization vulnerability in Artbees JupiterX Core allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JupiterX Core: from n/a through 3.3.8.
- CVE-2023-38486HIGHCVSS 7.7EG 7.72023-09-06
A vulnerability in the secure boot implementation on affected Aruba 9200 and 9000 Series Controllers and Gateways allows an attacker to bypass security controls which would normally prohibit unsigned kernel images from executing. An att…
- CVE-2023-38488HIGHCVSS 7.1EG 7.12023-07-27
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow ex…
- CVE-2023-38493HIGHCVSS 7.5EG 7.52023-07-25
Armeria is a microservice framework Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with the path that may contain matrix variables. Prior to version…
- CVE-2023-38503MEDIUMCVSS 5.7EG 5.72023-07-25
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using Grap…
- CVE-2023-38958MEDIUMCVSS 5.3EG 5.32023-08-03
An access control issue in ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to arbitrarily close and open the doors managed by the platform remotely via sending a crafted web request.
- CVE-2023-3899HIGHCVSS 7.8EG 7.82023-08-23
A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization. The D-Bus interface com.redhat.RHSM1 exposes a significant number of methods to all users that could change the state…
- CVE-2023-39154MEDIUMCVSS 6.5EG 6.52023-07-26
Incorrect permission checks in Jenkins Qualys Web App Scanning Connector Plugin 2.0.10 and earlier allow attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtai…
- CVE-2023-3920MEDIUMCVSS 4.3EG 4.32023-09-29
An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that a maintainer to create a for…
- CVE-2023-39363MEDIUMCVSS 5.9EG 5.92023-08-07
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In versions 0.2.15, 0.2.16 and 0.3.0, named re-entrancy locks are allocated incorrectly. Each function using a named re-entrancy lock gets a unique lock re…
- CVE-2023-39384HIGHCVSS 7.5EG 7.52023-08-13
Vulnerability of incomplete permission verification in the input method module. Successful exploitation of this vulnerability may cause features to perform abnormally.
- CVE-2023-3957MEDIUMCVSS 4.3EG 4.32023-07-27
The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient restriction on the 'apg_profile_update' function in versions up to, and including, 1.9. This makes it possible for a…
- CVE-2023-3964MEDIUMCVSS 4.3EG 4.32023-12-01
An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer pack…
- CVE-2023-3979LOWCVSS 3.1EG 3.12023-09-29
An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that upstream members to collabor…
- CVE-2023-39965MEDIUMCVSS 6.5EG 6.52023-08-10
1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, authenticated attackers can download arbitrary files through the API interface. This code has unauthorized access. Attackers can freely dow…
- CVE-2023-40117HIGHCVSS 7.8EG 7.82023-10-27
In resetSettingsLocked of SettingsProvider.java, there is a possible lockscreen bypass due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not ne…
- CVE-2023-40132HIGHCVSS 7.8EG 7.82025-01-21
In setActualDefaultRingtoneUri of RingtoneManager.java, there is a possible way to bypass content providers read permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execution p…
- CVE-2023-40168HIGHCVSS 7.4EG 7.42023-08-17
TurboWarp is a desktop application that compiles scratch projects to JavaScript. TurboWarp Desktop versions prior to version 1.8.0 allowed a malicious project or custom extension to read arbitrary files from disk and upload them to a remot…
- CVE-2023-4019HIGHCVSS 8.8EG 8.82023-09-04
The Media from FTP WordPress plugin before 11.17 does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →