CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,807 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 48 of 77
- CVE-2024-21280HIGHCVSS 8.1EG 8.12024-10-15
Vulnerability in the Oracle Service Contracts product of Oracle E-Business Suite (component: Authoring). Supported versions that are affected are 12.2.5-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network…
- CVE-2024-21282HIGHCVSS 8.1EG 8.12024-10-15
Vulnerability in the Oracle Financials product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with networ…
- CVE-2024-21283HIGHCVSS 8.1EG 8.12024-10-15
Vulnerability in the PeopleSoft Enterprise HCM Global Payroll Core product of Oracle PeopleSoft (component: Global Payroll for Core). Supported versions that are affected are 9.2.48-9.2.50. Easily exploitable vulnerability allows low priv…
- CVE-2024-21284HIGHCVSS 7.1EG 7.12024-10-15
Vulnerability in the Oracle Banking Liquidity Management product of Oracle Financial Services Applications (component: Reports). The supported version that is affected is 14.5.0.12.0. Difficult to exploit vulnerability allows low privile…
- CVE-2024-21285HIGHCVSS 7.1EG 7.12024-10-15
Vulnerability in the Oracle Banking Liquidity Management product of Oracle Financial Services Applications (component: Reports). The supported version that is affected is 14.5.0.12.0. Difficult to exploit vulnerability allows low privile…
- CVE-2024-21287HIGHCVSS 7.5EG 9.0⚠ KEV2024-11-18
Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Software Development Kit, Process Extension). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthentic…
- CVE-2024-21735HIGHCVSS 7.2EG 7.32024-01-09
SAP LT Replication Server - version S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, does not perform necessary authorization checks. This could allow an attacker with high privileges to perform unintended actions, r…
- CVE-2024-21736MEDIUMCVSS 6.5EG 6.42024-01-09
SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. A function import could be triggered allowing the attacker to create in-house bank accounts leading…
- CVE-2024-21987MEDIUMCVSS 5.4EG 5.42024-02-16
SnapCenter versions 4.8 prior to 5.0 are susceptible to a vulnerability which could allow an authenticated SnapCenter Server user to modify system logging configuration settings
- CVE-2024-22133MEDIUMCVSS 4.6EG 4.62024-03-12
SAP Fiori Front End Server - version 605, allows altering of approver details on the read-only field when sending leave request information. This could lead to creation of request with incorrect approver causing low impact on Confidentiali…
- CVE-2024-22208MEDIUMCVSS 6.5EG 6.52024-02-05
phpMyFAQ is an Open Source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large …
- CVE-2024-2231MEDIUMCVSS 6.5EG 6.52024-07-03
The allows any authenticated user to join a private group due to a missing authorization check on a function
- CVE-2024-22316MEDIUMCVSS 4.3EG 4.32025-01-27
IBM Sterling File Gateway 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.1 could allow an authenticated user to perform unauthorized actions to another user's data due to improper access controls.
- CVE-2024-22412LOWCVSS 2.4EG 2.42024-03-18
ClickHouse is an open-source column-oriented database management system. A bug exists in the cloud ClickHouse offering prior to version 24.0.2.54535 and in github.com/clickhouse/clickhouse version 23.1. Query caching bypasses the role base…
- CVE-2024-22938HIGHCVSS 7.8EG 7.82024-01-30
Insecure Permissions vulnerability in BossCMS v.1.3.0 allows a local attacker to execute arbitrary code and escalate privileges via the init function in admin.class.php component.
- CVE-2024-2321MEDIUMCVSS 5.6EG 5.62025-02-27
An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh token instead of the expected access token. Due to improper authorization checks and token mapping, …
- CVE-2024-23250MEDIUMCVSS 5.5EG 5.52024-03-08
An access issue was addressed with improved access restrictions. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, tvOS 17.4, watchOS 10.4. An app may be able to access Bluetooth-connected microphones without user permiss…
- CVE-2024-23255LOWCVSS 2.4EG 9.12024-03-08
An authentication issue was addressed with improved state management. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. Photos in the Hidden Photos Album may be viewed without authentication.
- CVE-2024-23262LOWCVSS 3.3EG 3.32024-03-08
This issue was addressed with additional entitlement checks. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4, visionOS 1.1. An app may be able to spoof system notifications and UI.
- CVE-2024-23329LOWCVSS 3.7EG 3.72024-01-19
changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint `/api/v1/watch/<uuid>/history` can be accessed by any unauthorized user. As a result any unauthorized user c…
- CVE-2024-23451MEDIUMCVSS 4.4EG 4.42024-03-27
Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cl…
- CVE-2024-23629CRITICALCVSS 9.6EG 9.62024-01-26
An authentication bypass vulnerability exists in the web component of the Motorola MR2600. An attacker can exploit this vulnerability to access protected URLs and retrieve sensitive information.
- CVE-2024-23653CRITICALCVSS 9.8EG 9.82024-01-31
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based o…
- CVE-2024-23669HIGHCVSS 8.8EG 6.52024-06-05
An improper authorization in Fortinet FortiWebManager 7.2.0, FortiWebManager 7.0.0 through 7.0.4, FortiWebManager 6.3.0, FortiWebManager 6.2.3 through 6.2.4, FortiWebManager 6.0.2 allows attacker to execute unauthorized code or commands vi…
- CVE-2024-23675MEDIUMCVSS 6.5EG 6.52024-01-22
In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store (KV Store) improperly handles permissions for users that use the REST application programming interface (API). This can potentially result in the deletion of K…
- CVE-2024-2378HIGHCVSS 8.0EG 8.02024-04-30
A vulnerability exists in the web-authentication component of the SDM600. If exploited an attacker could escalate privileges on af-fected installations.
- CVE-2024-23823MEDIUMCVSS 4.2EG 4.22024-03-14
vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. The vantage6 server has no restrictions on CORS settings. It should be possible for…
- CVE-2024-23833HIGHCVSS 7.5EG 7.52024-02-12
OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host files…
- CVE-2024-23921HIGHCVSS 8.8EG 8.82025-01-31
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists wi…
- CVE-2024-23928MEDIUMCVSS 6.5EG 8.12025-01-31
This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of Pioneer DMH-WT7600NEX devices. Authentication is not required to exploit this vulnerability. The speci…
- CVE-2024-23929HIGHCVSS 7.3EG 8.02025-01-31
This vulnerability allows network-adjacent attackers to create arbitrary files on affected installations of Pioneer DMH-WT7600NEX devices. Although authentication is required to exploit this vulnerability, the existing authentication mecha…
- CVE-2024-23937MEDIUMCVSS 4.3EG 6.52025-01-31
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Silicon Labs Gecko OS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the d…
- CVE-2024-23963HIGHCVSS 8.0EG 8.82025-01-31
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Alpine Halo9 devices. An attacker must first obtain the ability to pair a malicious Bluetooth device with the target system in orde…
- CVE-2024-24573HIGHCVSS 8.8EG 8.82024-01-31
facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, when a user updates their profile, a POST request containing user information is sent to the endpoint server/fm-modules/facileMana…
- CVE-2024-2473MEDIUMCVSS 5.3EG 5.32024-06-11
The WPS Hide Login plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 1.9.15.2. This is due to a bypass that is created when the 'action=postpass' parameter is supplied. This makes it possible…
- CVE-2024-24751MEDIUMCVSS 4.3EG 4.32024-02-13
sf_event_mgt is an event management and registration extension for the TYPO3 CMS based on ExtBase and Fluid. In affected versions the existing access control check for events in the backend module got broken during the update of the extens…
- CVE-2024-24761HIGHCVSS 7.5EG 7.52024-03-06
Galette is a membership management web application for non profit organizations. Starting in version 1.0.0 and prior to version 1.0.2, public pages are per default restricted to only administrators and staff members. From configuration, it…
- CVE-2024-24773MEDIUMCVSS 4.9EG 4.92024-02-28
Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to …
- CVE-2024-24774LOWCVSS 3.4EG 3.42024-02-09
Mattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in registered users on Jira being able to create webhooks that give …
- CVE-2024-24779MEDIUMCVSS 5.0EG 5.02024-02-28
Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets…
- CVE-2024-24824HIGHCVSS 8.8EG 8.82024-02-07
Graylog is a free and open log management platform. Starting in version 2.0.0 and prior to versions 5.1.11 and 5.2.4, arbitrary classes can be loaded and instantiated using a HTTP PUT request to the `/api/system/cluster_config/` endpoint. …
- CVE-2024-24966MEDIUMCVSS 6.2EG 6.22024-02-14
When LDAP remote authentication is configured on F5OS, a remote user without an assigned role will be incorrectly authorized. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- CVE-2024-25108CRITICALCVSS 9.9EG 9.92024-02-12
Pixelfed is an open source photo sharing platform. When processing requests authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users intended, including to the administrative a…
- CVE-2024-25149MEDIUMCVSS 5.4EG 5.42024-02-20
Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not properly restrict membership of a child site when the "Limit mem…
- CVE-2024-25170CRITICALCVSS 9.1EG 9.12024-02-28
An issue in Mezzanine v6.0.0 allows attackers to bypass access controls via manipulating the Host header.
- CVE-2024-2557MEDIUMCVSS 5.3EG 5.32024-03-17
A vulnerability was found in kishor-23 Food Waste Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/admin.php. The manipulation leads to improper authorization. The attack c…
- CVE-2024-25604MEDIUMCVSS 6.5EG 6.52024-02-20
Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions does not properly check user permissions, which allows remote a…
- CVE-2024-25652HIGHCVSS 7.6EG 9.82024-03-14
In Delinea PAM Secret Server 11.4, it is possible for a user assigned "Administer Reports" permission and/or with access to Report functionality via UNLIMITED ADMIN MODE (with access to the Report functionality) to gain unauthorized access…
- CVE-2024-26016MEDIUMCVSS 4.3EG 4.32024-02-28
A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analyt…
- CVE-2024-26145MEDIUMCVSS 6.5EG 6.52024-02-21
Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on Discourse. Uninvited users are able to gain access to private events by crafting a request to update their attendance. This problem is resolve…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →