CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,807 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 50 of 77
- CVE-2024-34434MEDIUMCVSS 6.5EG 6.52024-05-17
Incorrect Authorization vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Code Inclusion, Functionality Misuse.This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.2.
- CVE-2024-34642MEDIUMCVSS 4.6EG 4.62024-09-04
Improper authorization in One UI Home prior to SMR Sep-2024 Release 1 allows physical attackers to temporarily access sensitive information.
- CVE-2024-34650MEDIUMCVSS 4.0EG 4.02024-09-04
Incorrect authorization in CocktailbarService prior to SMR Sep-2024 Release 1 allows local attackers to access privileged APIs related to Edge panel.
- CVE-2024-34651MEDIUMCVSS 6.2EG 6.22024-09-04
Improper authorization in My Files prior to SMR Sep-2024 Release 1 allows local attackers to access restricted data in My Files.
- CVE-2024-34652MEDIUMCVSS 4.0EG 4.02024-09-04
Incorrect authorization in kperfmon prior to SMR Sep-2024 Release 1 allows local attackers to access information related to performance including app usage.
- CVE-2024-34701MEDIUMCVSS 5.9EG 5.92024-05-14
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users to be considered as the requester of a specific wiki request if their local user ID on any wiki in a wiki farm matches the local ID of t…
- CVE-2024-3504MEDIUMCVSS 6.5EG 8.12024-06-06
An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projec…
- CVE-2024-3511MEDIUMCVSS 4.3EG 4.32025-06-23
An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console…
- CVE-2024-35187CRITICALCVSS 9.1EG 9.12024-05-16
Stalwart Mail Server is an open-source mail server. Prior to version 0.8.0, attackers who achieved Arbitrary Code Execution as the stalwart-mail user (including web interface admins) can gain complete root access to the system. Usually, sy…
- CVE-2024-35353CRITICALCVSS 9.8EG 9.82024-05-30
A vulnerability has been discovered in Diño Physics School Assistant version 2.3. The vulnerability impacts an unidentified code within the file /classes/Users.php?f=save. Manipulating the argument id can result in improper authorization.
- CVE-2024-36037MEDIUMCVSS 5.5EG 5.52024-05-27
Zoho ManageEngine ADAudit Plus versions 7260 and below allows unauthorized local agent machine users to view the session recordings.
- CVE-2024-36055MEDIUMCVSS 5.5EG 5.52024-05-26
Hw64.sys in Marvin Test HW.exe before 5.0.5.0 allows unprivileged user-mode processes to arbitrarily map physical memory with read/write access via the MmMapIoSpace API (IOCTL 0x9c40a4f8, 0x9c40a4e8, 0x9c40a4c0, 0x9c40a4c4, 0x9c40a4ec, and…
- CVE-2024-36265CRITICALCVSS 9.8EG 9.12024-06-12
** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Submarine Server Core. This issue affects Apache Submarine Server Core: from 0.8.0. As this project is retired, we do not plan to release a version that fixe…
- CVE-2024-36364MEDIUMCVSS 6.5EG 6.52024-05-29
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 improper access control in Pull Requests and Commit status publisher build features was possible
- CVE-2024-36365MEDIUMCVSS 6.8EG 6.82024-05-29
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 a third-party agent could impersonate a cloud agent
- CVE-2024-36376MEDIUMCVSS 6.5EG 6.52024-05-29
In JetBrains TeamCity before 2024.03.2 users could perform actions that should not be available to them based on their permissions
- CVE-2024-36377MEDIUMCVSS 6.5EG 6.52024-05-29
In JetBrains TeamCity before 2024.03.2 certain TeamCity API endpoints did not check user permissions
- CVE-2024-36536CRITICALCVSS 9.8EG 7.42024-07-24
Insecure permissions in fabedge v0.8.1 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
- CVE-2024-36611HIGHCVSS 7.5EG 7.52024-11-29
In Symfony v7.07, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various…
- CVE-2024-36963HIGHCVSS 7.8EG 7.82024-06-03
In the Linux kernel, the following vulnerability has been resolved: tracefs: Reset permissions on remount if permissions are options There's an inconsistency with the way permissions are handled in tracefs. Because the permissions are ge…
- CVE-2024-37002HIGHCVSS 7.8EG 7.82024-06-25
A maliciously crafted MODEL file, when parsed in ASMkern229A.dllthrough Autodesk applications, can be used to uninitialized variables. This vulnerability, along with other vulnerabilities, could lead to code execution in the current proces…
- CVE-2024-37154MEDIUMCVSS 5.3EG 5.32024-06-06
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via `ClawbackVestingAccount`. This affects 1…
- CVE-2024-3722MEDIUMCVSS 5.4EG 5.42024-05-14
The Swift Performance Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ajax_handler() function in all versions up to, and including, 2.3.6.18. This makes it possible for authenticated …
- CVE-2024-37300HIGHCVSS 8.1EG 8.12024-06-12
OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only.…
- CVE-2024-3745HIGHCVSS 7.8EG 7.82024-05-18
MSI Afterburner v4.6.6.16381 Beta 3 is vulnerable to an ACL Bypass vulnerability in the RTCore64.sys driver, which leads to triggering vulnerabilities like CVE-2024-1443 and CVE-2024-1460 from a low privileged user.
- CVE-2024-37775HIGHCVSS 7.5EG 7.52024-12-16
Incorrect access control in Sunbird DCIM dcTrack v9.1.2 allows attackers to create or update a ticket with a location which bypasses an RBAC check.
- CVE-2024-37905HIGHCVSS 8.8EG 8.82024-06-28
authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining…
- CVE-2024-38002CRITICALCVSS 9.0EG 9.02024-10-22
The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions befo…
- CVE-2024-38329HIGHCVSS 7.7EG 7.72024-06-19
IBM Storage Protect for Virtual Environments: Data Protection for VMware 8.1.0.0 through 8.1.22.0 could allow a remote authenticated attacker to bypass security restrictions, caused by improper validation of user permission. By sending a s…
- CVE-2024-38369CRITICALCVSS 9.9EG 9.92024-06-24
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using `{{include reference="targetdocument"/}}` is executed with the right of the includer and not …
- CVE-2024-38392CRITICALCVSS 9.1EG 9.12025-04-02
Pexip Infinity Connect before 1.13.0 lacks sufficient authenticity checks during the loading of resources, and thus remote attackers can cause the application to run untrusted code.
- CVE-2024-38425MEDIUMCVSS 6.1EG 6.12024-10-07
Information disclosure while sending implicit broadcast containing APP launch information.
- CVE-2024-38856CRITICALCVSS 9.8EG 9.8⚠ KEV2024-08-05
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of sc…
- CVE-2024-38868HIGHCVSS 7.6EG 7.62024-08-30
Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability while isolating the devices.This issue affects Endpoint Central: before 11.3.2406.08 and before 11.3.2400.15
- CVE-2024-38869HIGHCVSS 8.3EG 6.32024-08-23
Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability in remote office deploy configurations.This issue affects Endpoint Central: before 11.3.2416.04 and before 11.3.2400.25.
- CVE-2024-38884HIGHCVSS 7.8EG 7.82024-08-02
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a local attacker to perform an Authentication Bypass attack due to improperly implemented security checks for standard…
- CVE-2024-39025HIGHCVSS 7.5EG 7.52024-12-27
Incorrect access control in the /users endpoint of Cpacker MemGPT v0.3.17 allows attackers to access sensitive data.
- CVE-2024-39322MEDIUMCVSS 5.5EG 5.52024-07-02
aimeos/ai-admin-jsonadm is the Aimeos e-commerce JSON API for administrative tasks. In versions prior to 2020.10.13, 2021.10.6, 2022.10.3, 2023.10.4, and 2024.4.2, improper access control allows editors to remove admin group and locale con…
- CVE-2024-39323HIGHCVSS 7.1EG 7.12024-07-02
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over…
- CVE-2024-39324LOWCVSS 3.8EG 3.82024-07-02
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API whi…
- CVE-2024-39328MEDIUMCVSS 6.8EG 6.82025-02-18
Insecure Permissions in Atos Eviden IDRA and IDCA before 2.7.0. A highly trusted role (Config Admin) could exceed their configuration privileges in a multi-partition environment and access some confidential data. Data integrity and availab…
- CVE-2024-39352MEDIUMCVSS 4.9EG 4.92024-06-28
A vulnerability regarding incorrect authorization is found in the firmware upgrade functionality. This allows remote authenticated users with administrator privileges to bypass firmware integrity check via unspecified vectors. The followin…
- CVE-2024-3957MEDIUMCVSS 6.5EG 6.52024-05-02
The Booster for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 7.1.8. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitabili…
- CVE-2024-39690HIGHCVSS 8.4EG 8.42024-08-20
Capsule is a multi-tenancy and policy-based framework for Kubernetes. In Capsule v0.7.0 and earlier, the tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference f…
- CVE-2024-39696HIGHCVSS 8.8EG 8.82024-07-05
Evmos is a decentralized Ethereum Virtual Machine chain on the Cosmos Network. Prior to version 19.0.0, a user can create a vesting account with a 3rd party account (EOA or contract) as funder. Then, this user can create an authorization f…
- CVE-2024-39871MEDIUMCVSS 6.3EG 6.32024-07-09
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected applications do not properly separate the rights to edit device settings and to edit settings for communication relations. This could a…
- CVE-2024-39905MEDIUMCVSS 5.3EG 5.32024-07-11
Red is a fully modular Discord bot. Due to a bug in Red's Core API, 3rd-party cogs using the `@commands.can_manage_channel()` command permission check without additional permission controls may authorize a user to run a command even when t…
- CVE-2024-4006MEDIUMCVSS 4.3EG 4.32024-04-25
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not ho…
- CVE-2024-4011LOWCVSS 3.1EG 3.12024-06-27
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objec…
- CVE-2024-40530HIGHCVSS 7.5EG 9.82024-08-05
A vulnerability in Pantera CRM versions 401.152 and 402.072 allows unauthorized attackers to bypass IP-based access controls by manipulating the X-Forwarded-For header.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →