CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,807 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 49 of 77
- CVE-2024-2698HIGHCVSS 8.8EG 7.12024-06-12
A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case for the ch…
- CVE-2024-27086LOWCVSS 3.9EG 3.92024-04-16
The MSAL library enabled acquisition of security tokens to call protected APIs. MSAL.NET applications targeting Xamarin Android and .NET Android (e.g., MAUI) using the library from versions 4.48.0 to 4.60.0 are impacted by a low severity v…
- CVE-2024-27105HIGHCVSS 8.1EG 8.12024-03-21
Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.…
- CVE-2024-27138HIGHCVSS 7.5EG 7.52024-03-01
** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva. Apache Archiva has a setting to disable user registration, however this restriction can be bypassed. As Apache Archiva has been retired, we do not ex…
- CVE-2024-27139HIGHCVSS 7.5EG 7.52024-03-01
** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva: a vulnerability in Apache Archiva allows an unauthenticated attacker to modify account data, potentially leading to account takeover. This issue aff…
- CVE-2024-27288MEDIUMCVSS 6.3EG 6.32024-03-06
1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.10.1-lts, users can use Burp to obtain unauthorized access to the console page. The vulnerability has been fixed in v1.10.1-lts. There are…
- CVE-2024-27309HIGHCVSS 7.4EG 7.42024-04-12
While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administrator decides to remove an ACL 2. The re…
- CVE-2024-27312HIGHCVSS 8.1EG 8.12024-05-20
Zohocorp ManageEngine PAM360 version 6601 is vulnerable to authorization vulnerability which allows a low-privileged user to perform admin actions. Note: This vulnerability affects only the PAM360 6600 version. No other versions are appli…
- CVE-2024-2743MEDIUMCVSS 5.3EG 5.32024-09-12
An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables.
- CVE-2024-27798HIGHCVSS 7.8EG 7.82024-05-14
An authorization issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.7.5, macOS Sonoma 14.5, macOS Ventura 13.6.7. An attacker may be able to elevate privileges.
- CVE-2024-27848HIGHCVSS 7.8EG 7.82024-06-10
This issue was addressed with improved permissions checking. This issue is fixed in iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5. A malicious app may be able to gain root privileges.
- CVE-2024-27915MEDIUMCVSS 6.8EG 6.82024-03-06
Sulu is a PHP content management system. Starting in verson 2.2.0 and prior to version 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check …
- CVE-2024-27933HIGHCVSS 8.2EG 8.22024-03-21
Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a differen…
- CVE-2024-28098MEDIUMCVSS 6.4EG 6.42024-03-12
The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenan…
- CVE-2024-28148MEDIUMCVSS 4.3EG 4.32024-05-07
An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request.This issue affects Apache Superset: before 3.1.2. Users are recommended to upgrade to versi…
- CVE-2024-28174MEDIUMCVSS 5.8EG 5.82024-03-06
In JetBrains TeamCity before 2023.11.4 presigned URL generation requests in S3 Artifact Storage plugin were authorized improperly
- CVE-2024-28229MEDIUMCVSS 6.5EG 6.52024-03-07
In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles
- CVE-2024-28394CRITICALCVSS 9.8EG 9.82024-03-19
An issue in Advanced Plugins reportsstatistics v1.3.20 and before allows a remote attacker to execute arbitrary code via the Sales Reports, Statistics, Custom Fields & Export module.
- CVE-2024-28627HIGHCVSS 7.5EG 7.52024-04-23
An issue in Flipsnack v.18/03/2024 allows a local attacker to obtain sensitive information via the reader.gz.js file.
- CVE-2024-2915HIGHCVSS 8.8EG 8.82024-03-26
Improper access control in PAM JIT elevation in Devolutions Server 2024.1.6 and earlier allows an attacker with access to the PAM JIT elevation feature to elevate themselves to unauthorized groups via a specially crafted request.
- CVE-2024-29213HIGHCVSS 7.8EG 7.82024-10-18
Ivanti DSM < version 2024.2 allows authenticated users on the local machine to run code with elevated privileges due to insecure ACL via unspecified attack vector.
- CVE-2024-29821HIGHCVSS 7.8EG 7.82024-10-18
Ivanti DSM < version 2024.2 allows authenticated users on the local machine to run code with elevated privileges due to insecure ACL via unspecified attack vector.
- CVE-2024-29834MEDIUMCVSS 6.4EG 6.42024-04-02
This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricte…
- CVE-2024-29892MEDIUMCVSS 6.1EG 6.12024-03-27
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim `urn:z…
- CVE-2024-30260LOWCVSS 3.9EG 3.92024-04-04
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 …
- CVE-2024-3033CRITICALCVSS 9.4EG 9.12024-06-06
An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the Vecto…
- CVE-2024-30616HIGHCVSS 8.8EG 8.82024-11-04
Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Non-admin users can manipulate sensitive profiles information, posing a significant risk to data integrity.
- CVE-2024-31134MEDIUMCVSS 6.5EG 6.52024-03-28
In JetBrains TeamCity before 2024.03 authenticated users without administrative permissions could register other users when self-registration was disabled
- CVE-2024-3127MEDIUMCVSS 4.3EG 4.32024-08-22
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to…
- CVE-2024-31402MEDIUMCVSS 4.3EG 4.32024-06-11
Incorrect authorization vulnerability in Cybozu Garoon 5.0.0 to 5.15.2 allows a remote authenticated attacker to delete the data of Shared To-Dos.
- CVE-2024-31403MEDIUMCVSS 5.4EG 5.42024-06-11
Incorrect authorization vulnerability in Cybozu Garoon 5.0.0 to 6.0.0 allows a remote authenticated attacker to alter and/or obtain the data of Memo.
- CVE-2024-31409MEDIUMCVSS 6.5EG 6.52024-05-15
Certain MQTT wildcards are not blocked on the CyberPower PowerPanel system, which might result in an attacker obtaining data from throughout the system after gaining access to any device.
- CVE-2024-31441HIGHCVSS 7.5EG 7.52024-05-14
DataEase is an open source data visualization analysis tool. Due to the lack of restrictions on the connection parameters for the ClickHouse data source, it is possible to exploit certain malicious parameters to achieve arbitrary file read…
- CVE-2024-31452HIGHCVSS 8.1EG 8.12024-04-16
OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model…
- CVE-2024-31682CRITICALCVSS 9.8EG 9.82024-06-03
Incorrect access control in the fingerprint authentication mechanism of Phone Cleaner: Boost & Clean v2.2.0 allows attackers to bypass fingerprint authentication due to the use of a deprecated API.
- CVE-2024-31695CRITICALCVSS 9.8EG 9.82024-11-14
A misconfiguration in the fingerprint authentication mechanism of Binance: BTC, Crypto and NFTS v2.85.4, allows attackers to bypass authentication when adding a new fingerprint.
- CVE-2024-31842HIGHCVSS 8.8EG 8.82024-08-20
An issue was discovered in Italtel Embrace 1.6.4. The web application inserts the access token of an authenticated user inside GET requests. The query string for the URL could be saved in the browser's history, passed through Referers to o…
- CVE-2024-31970HIGHCVSS 8.8EG 8.82024-07-24
AdTran SRG 834-5 HDC17600021F1 devices (with SmartOS 11.1.1.1 and fixed in Version 12.1.3.1) have SSH enabled by default, accessible both over the LAN and the Internet. During a window of time when the device is being set up, it uses a def…
- CVE-2024-31990MEDIUMCVSS 4.8EG 4.82024-04-15
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenra…
- CVE-2024-32470MEDIUMCVSS 6.5EG 6.52024-04-18
Tolgee is an open-source localization platform. When API key created by admin user is used it bypasses the permission check at all. This error was introduced in v3.57.2 and immediately fixed in v3.57.4.
- CVE-2024-32643HIGHCVSS 7.5EG 7.52025-12-03
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vu…
- CVE-2024-32983HIGHCVSS 8.2EG 8.22024-06-03
Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof th…
- CVE-2024-3331MEDIUMCVSS 6.8EG 6.82024-06-27
Vulnerability in Spotfire Spotfire Enterprise Runtime for R - Server Edition, Spotfire Spotfire Statistics Services, Spotfire Spotfire Analyst, Spotfire Spotfire Desktop, Spotfire Spotfire Server allows The impact of this vulnerability dep…
- CVE-2024-3379HIGHCVSS 8.1EG 9.62024-11-14
In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a 'Member' role can issu…
- CVE-2024-3388MEDIUMCVSS 4.1EG 4.12024-04-10
A vulnerability in the GlobalProtect Gateway in Palo Alto Networks PAN-OS software enables an authenticated attacker to impersonate another user and send network packets to internal assets. However, this vulnerability does not allow the at…
- CVE-2024-3404MEDIUMCVSS 6.5EG 6.52024-06-06
In gaizhenbiao/chuanhuchatgpt, specifically the version tagged as 20240121, there exists a vulnerability due to improper access control mechanisms. This flaw allows an authenticated attacker to bypass intended access restrictions and read …
- CVE-2024-34106MEDIUMCVSS 5.3EG 5.32024-06-13
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to gain unauthori…
- CVE-2024-34130MEDIUMCVSS 5.5EG 5.52024-06-13
Acrobat Mobile Sign Android versions 24.4.2.33155 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could exploit this vulnerability to access confidential info…
- CVE-2024-34146MEDIUMCVSS 6.5EG 6.52024-05-02
Jenkins Git server Plugin 114.v068a_c7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH, allowing attackers with a previously configured SSH public key but lacking Overall/Read permission t…
- CVE-2024-34346HIGHCVSS 8.4EG 8.42024-05-07
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For ex…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →