CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,807 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 51 of 77
- CVE-2024-40770HIGHCVSS 7.5EG 7.52024-09-17
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. A non-privileged user may be able to modify restricted network settings.
- CVE-2024-40771HIGHCVSS 7.8EG 8.42025-01-15
The issue was addressed with improved memory handling. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Monterey 12.7.5, macOS Sonoma 14.5, macOS Ventura 13.6.7, tvOS 17.5, visionOS 1.2, watchOS 10.5. An…
- CVE-2024-40843MEDIUMCVSS 5.5EG 5.52024-09-17
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15. An app may be able to modify protected parts of the file system.
- CVE-2024-40855MEDIUMCVSS 5.5EG 5.52024-10-28
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15, macOS Sonoma 14.7.1, macOS Ventura 13.7.1, visionOS 2. A sandboxed app may be able to access sensitive user data.
- CVE-2024-41110CRITICALCVSS 9.9EG 9.92024-07-24
Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under sp…
- CVE-2024-41140HIGHCVSS 8.1EG 8.12025-01-29
Zohocorp ManageEngine Applications Manager versions 174000 and prior are vulnerable to the incorrect authorization in the update user function.
- CVE-2024-4146CRITICALCVSS 9.8EG 9.82024-06-08
In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is…
- CVE-2024-41617CRITICALCVSS 9.8EG 9.82024-10-24
Money Manager EX WebApp (web-money-manager-ex) 1.2.2 is vulnerable to Incorrect Access Control. The `redirect_if_not_loggedin` function in `functions_security.php` fails to terminate script execution after redirecting unauthenticated users…
- CVE-2024-41670HIGHCVSS 7.5EG 7.52024-07-26
In the module "PayPal Official" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical w…
- CVE-2024-41939HIGHCVSS 8.8EG 8.82024-08-13
A vulnerability has been identified in SINEC NMS (All versions < V3.0). The affected application does not properly enforce authorization checks. This could allow an authenticated attacker to bypass the checks and elevate their privileges o…
- CVE-2024-41941MEDIUMCVSS 4.3EG 4.32024-08-13
A vulnerability has been identified in SINEC NMS (All versions < V3.0). The affected application does not properly enforce authorization checks. This could allow an authenticated attacker to bypass the checks and modify settings in the app…
- CVE-2024-41964HIGHCVSS 8.1EG 8.12024-08-29
Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed an…
- CVE-2024-41979HIGHCVSS 7.1EG 7.12025-08-12
A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not enf…
- CVE-2024-42000LOWCVSS 2.7EG 2.72024-11-09
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/channels which allows a User or System Manager, with "Read Groups" permission but with no ac…
- CVE-2024-42013MEDIUMCVSS 6.4EG 6.42025-01-22
In GRAU DATA Blocky before 3.1, Blocky-Gui has a Client-Side Enforcement of Server-Side Security vulnerability. An attacker with Windows administrative or debugging privileges can patch a binary in memory or on disk to bypass the password …
- CVE-2024-42062HIGHCVSS 7.2EG 8.82024-08-07
CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and inte…
- CVE-2024-42423MEDIUMCVSS 6.1EG 6.12024-09-10
Citrix Workspace App version 23.9.0.24.4 on Dell ThinOS 2311 contains an Incorrect Authorization vulnerability when Citrix CEB is enabled for WebLogin. A local unauthenticated user with low privileges may potentially exploit this vulnerabi…
- CVE-2024-42451MEDIUMCVSS 6.5EG 7.72024-12-04
A vulnerability in Veeam Backup & Replication allows low-privileged users to leak all saved credentials in plaintext. This is achieved by calling a series of methods over an external protocol, ultimately retrieving the credentials using a …
- CVE-2024-42452HIGHCVSS 8.8EG 8.82024-12-04
A vulnerability in Veeam Backup & Replication allows a low-privileged user to start an agent remotely in server mode and obtain credentials, effectively escalating privileges to system-level access. This allows the attacker to upload files…
- CVE-2024-42473HIGHCVSS 7.5EG 7.52024-08-12
OpenFGA is an authorization/permission engine. OpenFGA v1.5.7 and v1.5.8 are vulnerable to authorization bypass when calling Check API with a model that uses `but not` and `from` expressions and a userset. Users should downgrade to v1.5.6 …
- CVE-2024-42773CRITICALCVSS 9.1EG 9.12024-08-22
An Incorrect Access Control vulnerability was found in /admin/edit_room_controller.php in Kashipara Hotel Management System v1.0, which allows an unauthenticated attacker to edit the valid hotel room entries in the administrator section.
- CVE-2024-42966CRITICALCVSS 9.8EG 9.82024-08-15
Incorrect access control in TOTOLINK N350RT V9.3.5u.6139_B20201216 allows attackers to obtain the apmib configuration file, which contains the username and the password, via a crafted request to /cgi-bin/ExportSettings.sh.
- CVE-2024-43131HIGHCVSS 7.5EG 7.52024-08-13
Incorrect Authorization vulnerability in WPWeb Docket (WooCommerce Collections / Wishlist / Watchlist) allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Docket (WooCommerce Collections / Wishlist / Watchlis…
- CVE-2024-43250HIGHCVSS 7.1EG 7.12024-08-19
Incorrect Authorization vulnerability in Bit Apps Bit Form Pro bitformpro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Bit Form Pro: from n/a through 2.6.4.
- CVE-2024-43433MEDIUMCVSS 5.3EG 5.32024-11-11
A flaw was found in moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users.
- CVE-2024-4390MEDIUMCVSS 6.5EG 6.52024-06-20
The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to Arbitrary Nonce Generation in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with contributor access and above, …
- CVE-2024-43954MEDIUMCVSS 6.3EG 6.32024-08-29
Incorrect Authorization vulnerability in Themeum Droip allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Droip: from n/a through 1.1.1.
- CVE-2024-44099MEDIUMCVSS 5.5EG 5.52024-10-25
There is a possible Local bypass of user interaction due to an insecure default value. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
- CVE-2024-44114LOWCVSS 2.0EG 2.02024-09-10
SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application.
- CVE-2024-44136MEDIUMCVSS 4.6EG 9.12025-01-15
This issue was addressed through improved state management. This issue is fixed in iOS 17.5 and iPadOS 17.5. An attacker with physical access to a device may be able to disable Stolen Device Protection.
- CVE-2024-44137MEDIUMCVSS 4.6EG 4.62024-10-28
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An attacker with physical access may be able to share items from the lock screen.
- CVE-2024-44162HIGHCVSS 7.8EG 7.82024-09-17
This issue was addressed by enabling hardened runtime. This issue is fixed in Xcode 16. A malicious application may gain access to a user's Keychain items.
- CVE-2024-44172LOWCVSS 3.3EG 3.32025-01-27
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to access contacts.
- CVE-2024-44196MEDIUMCVSS 5.5EG 7.52024-10-28
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An app may be able to modify protected parts of the file system.
- CVE-2024-44217CRITICALCVSS 9.1EG 9.12024-10-28
A permissions issue was addressed by removing vulnerable code and adding additional checks. This issue is fixed in iOS 18 and iPadOS 18. Password autofill may fill in passwords after failing authentication.
- CVE-2024-44247MEDIUMCVSS 5.5EG 5.52024-10-28
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A malicious application may be able to modify protected parts of the file system.
- CVE-2024-44253MEDIUMCVSS 5.5EG 5.52024-10-28
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An app may be able to modify protected parts of the file system.
- CVE-2024-44270HIGHCVSS 8.6EG 7.52024-10-28
A logic issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A sandboxed process may be able to circumvent sandbox restrictions.
- CVE-2024-44287MEDIUMCVSS 5.5EG 5.52024-10-28
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A malicious application may be able to modify protected parts of the file system.
- CVE-2024-44289HIGHCVSS 7.5EG 7.52024-10-28
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An app may be able to read sensitive location information.
- CVE-2024-44301MEDIUMCVSS 5.5EG 5.52024-10-28
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A malicious application may be able to modify protected parts of the file system.
- CVE-2024-44305HIGHCVSS 7.8EG 7.82025-03-21
This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sonoma 14.6. An app may be able to gain root privileges.
- CVE-2024-4447CRITICALCVSS 9.9EG 4.92024-07-26
In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to admi…
- CVE-2024-4465MEDIUMCVSS 6.0EG 6.02024-09-11
An access control vulnerability was discovered in the Reports section due to a specific access restriction not being properly enforced for users with limited privileges. If a logged-in user with reporting privileges learns how to create…
- CVE-2024-44667HIGHCVSS 8.0EG 8.02024-09-10
Shenzhen Haichangxing Technology Co., Ltd HCX H822 4G LTE Router M7628NNxISPxUIv2_v1.0.1557.15.35_P0 is vulnerable to Incorrect Access Control. Unauthenticated factory mode reset and command injection leads to information exposure and root…
- CVE-2024-44765MEDIUMCVSS 6.5EG 6.52024-11-08
An Improper Authorization (Access Control Misconfiguration) vulnerability in MGT-COMMERCE GmbH CloudPanel v2.0.0 to v2.4.2 allows low-privilege users to bypass access controls and gain unauthorized access to sensitive configuration files a…
- CVE-2024-45037MEDIUMCVSS 6.4EG 6.42024-08-27
The AWS Cloud Development Kit (CDK) is an open-source framework for defining cloud infrastructure using code. Customers use it to create their own applications which are converted to AWS CloudFormation templates during deployment to a cust…
- CVE-2024-45043MEDIUMCVSS 5.3EG 5.32024-08-28
The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. `awsfirehosereceiver` allows unauthenticated…
- CVE-2024-45081MEDIUMCVSS 6.5EG 6.52025-02-19
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 could allow an authenticated user to modify restricted content due to incorrect authorization checks.
- CVE-2024-45106HIGHCVSS 8.1EG 8.12024-12-03
Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: * ozone.s3g.secret.http.enab…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →