CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,807 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 45 of 77
- CVE-2023-47320HIGHCVSS 8.1EG 8.12023-12-13
Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges is able to execute the administrator-only function of putting the application in "Maintenance Mode" due to broken access control. This makes t…
- CVE-2023-47716MEDIUMCVSS 6.3EG 6.32024-03-01
IBM CP4BA - Filenet Content Manager Component 5.5.8.0, 5.5.10.0, and 5.5.11.0 could allow a user to gain the privileges of another user under unusual circumstances. IBM X-Force ID: 271656.
- CVE-2023-47827HIGHCVSS 7.5EG 6.52023-11-30
Incorrect Authorization vulnerability in NicheAddons Events Addon for Elementor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Events Addon for Elementor: from n/a through 2.1.3.
- CVE-2023-4812HIGHCVSS 7.6EG 7.62024-01-12
An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypa…
- CVE-2023-4814HIGHCVSS 7.1EG 7.12023-09-14
A Privilege escalation vulnerability exists in Trellix Windows DLP endpoint for windows which can be abused to delete any file/folder for which the user does not have permission to.
- CVE-2023-48218MEDIUMCVSS 5.3EG 5.32023-11-20
The Strapi Protected Populate Plugin protects `get` endpoints from revealing too much information. Prior to version 1.3.4, users were able to bypass the field level security. Users who tried to populate something that they didn't have acce…
- CVE-2023-48227MEDIUMCVSS 4.3EG 4.32023-12-12
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some s…
- CVE-2023-48309MEDIUMCVSS 5.3EG 5.32023-11-20
NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting ho…
- CVE-2023-4853HIGHCVSS 8.1EG 8.12023-09-20
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass th…
- CVE-2023-48712HIGHCVSS 8.8EG 7.12023-11-24
Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. In affected versions there is a privilege escalation vulnerability through a non-admin user's account. Limited users can impersonate another user's account if only sin…
- CVE-2023-48859HIGHCVSS 8.8EG 8.82023-12-06
TOTOLINK A3002RU version 2.0.0-B20190902.1958 has a post-authentication RCE due to incorrect access control, allows attackers to bypass front-end security restrictions and execute arbitrary code.
- CVE-2023-49239HIGHCVSS 7.5EG 7.52023-12-06
Unauthorized access vulnerability in the card management module. Successful exploitation of this vulnerability may affect service confidentiality.
- CVE-2023-49240HIGHCVSS 7.5EG 7.52023-12-06
Unauthorized access vulnerability in the launcher module. Successful exploitation of this vulnerability may affect service confidentiality.
- CVE-2023-49246HIGHCVSS 7.5EG 7.52023-12-06
Unauthorized access vulnerability in the card management module. Successful exploitation of this vulnerability may affect service confidentiality.
- CVE-2023-49273MEDIUMCVSS 5.4EG 5.42023-12-12
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10…
- CVE-2023-49734MEDIUMCVSS 6.5EG 7.72023-12-19
An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write permissions to these charts.This issue affe…
- CVE-2023-49783MEDIUMCVSS 4.3EG 4.32024-01-23
Silverstripe Admin provides a basic management interface for the Silverstripe Framework. In versions on the 1.x branch prior to 1.13.19 and on the 2.x branch prior to 2.1.8, users who don't have edit or delete permissions for records expos…
- CVE-2023-49947HIGHCVSS 7.5EG 7.52023-12-03
Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication.
- CVE-2023-49949HIGHCVSS 8.1EG 8.12023-12-26
Passwork before 6.2.0 allows remote authenticated users to bypass 2FA by sending all one million of the possible 6-digit codes.
- CVE-2023-4997HIGHCVSS 8.8EG 8.82023-10-04
Improper authorisation of regular users in ProIntegra Uptime DC software (versions below 2.0.0.33940) allows them to change passwords of all other users including administrators leading to a privilege escalation.
- CVE-2023-49982HIGHCVSS 8.8EG 8.82024-03-21
Broken access control in the component /admin/management/users of School Fees Management System v1.0 allows attackers to escalate privileges and perform Administrative actions, including adding and deleting user accounts.
- CVE-2023-5009CRITICALCVSS 9.8EG 9.62023-09-19
An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled secu…
- CVE-2023-50363HIGHCVSS 7.4EG 7.42024-04-26
An incorrect authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to bypass intended access restrictions via a network. We have alr…
- CVE-2023-50457MEDIUMCVSS 4.3EG 4.32023-12-10
An issue was discovered in Zammad before 6.2.0. When listing tickets linked to a knowledge base answer, or knowledge base answers of a ticket, a user could see entries for which they lack permissions.
- CVE-2023-50705MEDIUMCVSS 5.3EG 5.32023-12-20
An attacker could create malicious requests to obtain sensitive information about the web server.
- CVE-2023-50726MEDIUMCVSS 6.4EG 6.42024-03-13
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature shoul…
- CVE-2023-50732MEDIUMCVSS 6.3EG 8.32023-12-21
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and …
- CVE-2023-50777MEDIUMCVSS 4.3EG 4.32023-12-13
Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
- CVE-2023-50811MEDIUMCVSS 6.5EG 6.52024-03-19
An issue discovered in SELESTA Visual Access Manager 4.38.6 allows attackers to modify the “computer” POST parameter related to the ID of a specific reception by POST HTTP request interception. Iterating that parameter, it has been pos…
- CVE-2023-50886MEDIUMCVSS 4.3EG 4.32024-03-15
Cross-Site Request Forgery (CSRF), Incorrect Authorization vulnerability in wpWax Legal Pages.This issue affects Legal Pages: from n/a through 1.3.7.
- CVE-2023-50946MEDIUMCVSS 6.5EG 6.52025-01-26
IBM Common Licensing 9.0 could allow an authenticated user to modify a configuration file that they should not have access to due to a broken authorization mechanism.
- CVE-2023-5106HIGHCVSS 7.5EG 8.22023-10-02
An issue has been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through…
- CVE-2023-51379MEDIUMCVSS 4.9EG 4.92023-12-21
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content a…
- CVE-2023-51380MEDIUMCVSS 4.3EG 2.72023-12-21
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be read with an improperly scoped token. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and…
- CVE-2023-51405HIGHCVSS 8.2EG 5.32024-04-24
Improper Authentication vulnerability in Repute Infosystems BookingPress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects BookingPress: from n/a through 1.0.74.
- CVE-2023-5159LOWCVSS 2.7EG 3.82023-09-29
Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.
- CVE-2023-51649MEDIUMCVSS 4.3EG 3.52023-12-22
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `ext…
- CVE-2023-51761HIGHCVSS 8.3EG 8.32024-02-09
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could bypass authentication and acquire admin capabilities.
- CVE-2023-5193LOWCVSS 2.7EG 4.92023-09-29
Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.
- CVE-2023-5194MEDIUMCVSS 4.3EG 2.72023-09-29
Mattermost fails to properly validate permissions when demoting and deactivating a user allowing for a system/user manager to demote / deactivate another manager
- CVE-2023-5195MEDIUMCVSS 5.4EG 6.52023-09-29
Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they are not part of
- CVE-2023-5198MEDIUMCVSS 4.3EG 4.32023-09-29
An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to prote…
- CVE-2023-52077CRITICALCVSS 9.8EG 8.92023-12-27
Nexkey is a lightweight fork of Misskey v12 optimized for small to medium size servers. Prior to 12.23Q4.5, Nexkey allows external apps using tokens issued by administrators and moderators to call admin APIs. This allows malicious third-p…
- CVE-2023-52111HIGHCVSS 7.5EG 7.52024-01-16
Authorization vulnerability in the BootLoader module. Successful exploitation of this vulnerability may affect service integrity.
- CVE-2023-52361HIGHCVSS 7.5EG 7.52024-02-18
The VerifiedBoot module has a vulnerability that may cause authentication errors.Successful exploitation of this vulnerability may affect integrity.
- CVE-2023-52374HIGHCVSS 7.5EG 7.52024-02-18
Permission control vulnerability in the package management module.Successful exploitation of this vulnerability may affect service confidentiality.
- CVE-2023-52538CRITICALCVSS 9.1EG 9.12024-04-08
Vulnerability of package name verification being bypassed in the HwIms module. Impact: Successful exploitation of this vulnerability will affect availability.
- CVE-2023-52943MEDIUMCVSS 4.3EG 4.32024-12-04
Incorrect authorization vulnerability in Alert.Setting webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to to perform limited actions on the alerting function via unspeci…
- CVE-2023-52944MEDIUMCVSS 4.3EG 4.32024-12-04
Incorrect authorization vulnerability in ActionRule webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to perform limited actions on the set action rules function via unspe…
- CVE-2023-5352MEDIUMCVSS 4.3EG 4.32023-11-06
The Awesome Support WordPress plugin before 6.1.5 does not correctly authorize the wpas_edit_reply function, allowing users to edit posts for which they do not have permission.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →