CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,807 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 52 of 77
- CVE-2024-45125MEDIUMCVSS 4.3EG 4.32024-10-10
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability…
- CVE-2024-45128MEDIUMCVSS 5.4EG 5.42024-10-10
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability…
- CVE-2024-45131MEDIUMCVSS 5.4EG 5.42024-10-10
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability…
- CVE-2024-45132MEDIUMCVSS 6.5EG 6.52024-10-10
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to b…
- CVE-2024-45160CRITICALCVSS 9.1EG 9.12024-10-09
Incorrect credential validation in LemonLDAP::NG 2.18.x and 2.19.x before 2.19.2 allows attackers to bypass OAuth2 client authentication via an empty client_password parameter (client secret).
- CVE-2024-45164HIGHCVSS 7.1EG 7.12024-11-04
Akamai SIA (Secure Internet Access Enterprise) ThreatAvert, in SPS (Security and Personalization Services) before the latest 19.2.0 patch and Apps Portal before 19.2.0.3 or 19.2.0.20240814, has incorrect authorization controls for the Admi…
- CVE-2024-45204MEDIUMCVSS 4.3EG 7.72024-12-04
A vulnerability exists where a low-privileged user can exploit insufficient permissions in credential handling to leak NTLM hashes of saved credentials. The exploitation involves using retrieved credentials to expose sensitive NTLM hashes,…
- CVE-2024-45216CRITICALCVSS 9.8EG 9.82024-10-16
Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any…
- CVE-2024-45260HIGHCVSS 8.0EG 8.02024-10-24
An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. Users who belong to unauthorized groups can invoke any interface of the device, thereby gaining complete control over it.
- CVE-2024-45261HIGHCVSS 8.0EG 8.02024-10-24
An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The SID generated for a specific user is not tied to that user itself, which allows other users to potentially use it for auth…
- CVE-2024-45328HIGHCVSS 7.8EG 7.82025-03-11
An incorrect authorization vulnerability [CWE-863] in FortiSandbox 4.4.0 through 4.4.6 may allow a low priviledged administrator to execute elevated CLI commands via the GUI console menu.
- CVE-2024-45509MEDIUMCVSS 6.5EG 9.82024-09-01
In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin.
- CVE-2024-45519CRITICALCVSS 10.0EG 10.0⚠ KEV2024-10-02
The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.
- CVE-2024-45586HIGHCVSS 8.8EG 8.82024-09-03
This vulnerability exists due to improper access controls on APIs in the Authentication module of Symphony XTS Web Trading and Mobile Trading platforms (version 2.0.0.1_P160). An authenticated remote attacker could exploit this vulnerabili…
- CVE-2024-45587HIGHCVSS 8.8EG 8.82024-09-03
This vulnerability exists in Symphony XTS Web Trading platform version 2.0.0.1_P160 due to improper access controls on APIs in the Transaction module of vulnerable application. An authenticated remote attacker could exploit this vulnerabil…
- CVE-2024-45588HIGHCVSS 8.1EG 8.12024-09-03
This vulnerability exists in Symphony XTS Web Trading platform version 2.0.0.1_P160 due to improper access controls on APIs in the Preference module of the application. An authenticated remote attacker could exploit this vulnerability by m…
- CVE-2024-45877MEDIUMCVSS 6.5EG 6.52024-11-13
baltic-it TOPqw Webportal v1.35.283.2 is vulnerable to Incorrect Access Control in the User Management function in /Apps/TOPqw/BenutzerManagement.aspx. This allows a low privileged user to access all modules in the web portal, view and man…
- CVE-2024-46918MEDIUMCVSS 4.9EG 9.82024-09-15
app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.
- CVE-2024-47025MEDIUMCVSS 5.5EG 5.12024-10-25
In ppmp_protect_buf of drm_fw.c, there is a possible information disclosure due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed fo…
- CVE-2024-47060MEDIUMCVSS 4.3EG 4.32024-09-20
Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access…
- CVE-2024-47077MEDIUMCVSS 6.5EG 6.52024-09-27
authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a us…
- CVE-2024-47078HIGHCVSS 8.1EG 8.12024-09-25
Meshtastic is an open source, off-grid, decentralized, mesh network. Meshtastic uses MQTT to communicate over an internet connection to a shared or private MQTT Server. Nodes can communicate directly via an internet connection or proxied t…
- CVE-2024-47102MEDIUMCVSS 5.5EG 5.52024-12-25
IBM AIX 7.2, 7.3, VIOS 3.1, and 4.1 could allow a non-privileged local user to exploit a vulnerability in the AIX perfstat kernel extension to cause a denial of service.
- CVE-2024-47148MEDIUMCVSS 4.0EG 4.02024-12-26
Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause device service exceptions.
- CVE-2024-47157LOWCVSS 2.9EG 2.92024-12-26
Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause device service exceptions.
- CVE-2024-47159MEDIUMCVSS 4.3EG 4.32024-09-19
In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project
- CVE-2024-47160MEDIUMCVSS 4.3EG 4.32024-09-19
In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible
- CVE-2024-47172MEDIUMCVSS 5.4EG 5.42024-09-30
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account may retrieve certain information about any project, task, job or membership resource on the CVAT …
- CVE-2024-47183HIGHCVSS 8.1EG 8.12024-10-04
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object I…
- CVE-2024-47272LOWCVSS 2.7EG 2.72026-05-27
Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to limited file write via unspecified vecto…
- CVE-2024-47560HIGHCVSS 7.8EG 7.82024-10-01
RevoWorks Cloud Client 3.0.91 and earlier contains an incorrect authorization vulnerability. If this vulnerability is exploited, unintended processes may be executed in the sandbox environment. Even if malware is executed in the sandbox en…
- CVE-2024-47616MEDIUMCVSS 6.8EG 6.82024-10-02
Pomerium is an identity and context-aware access proxy. The Pomerium databroker service is responsible for managing all persistent Pomerium application state. Requests to the databroker service API are authorized by the presence of a JSON …
- CVE-2024-47780LOWCVSS 3.1EG 3.12024-10-08
TYPO3 is a free and open source Content Management Framework. Backend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but …
- CVE-2024-47876HIGHCVSS 8.8EG 8.82024-10-15
Sakai is a Collaboration and Learning Environment. Starting in version 23.0 and prior to version 23.2, kernel users created with type roleview can log in as a normal user. This can result in illegal access being granted to the system. Vers…
- CVE-2024-4811LOWCVSS 2.2EG 2.22024-07-25
In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts.
- CVE-2024-48176CRITICALCVSS 9.8EG 9.82024-11-05
Lylme Spage v1.9.5 is vulnerable to Incorrect Access Control. There is no limit on the number of login attempts, and the verification code will not be refreshed after a failed login, which allows attackers to blast the username and passwor…
- CVE-2024-48237CRITICALCVSS 9.8EG 9.82024-10-25
WTCMS 1.0 is vulnerable to Incorrect Access Control in \Common\Controller\HomebaseController.class.php.
- CVE-2024-48540MEDIUMCVSS 6.2EG 6.22024-10-24
Incorrect access control in XIAO HE Smart 4.3.1 allows attackers to access sensitive information by analyzing the code and data within the APK file.
- CVE-2024-48541HIGHCVSS 8.4EG 8.42024-10-24
Incorrect access control in the firmware update and download processes of Ruochan Smart v4.4.7 allows attackers to access sensitive information by analyzing the code and data within the APK file.
- CVE-2024-48542HIGHCVSS 8.4EG 8.42024-10-24
Incorrect access control in the firmware update and download processes of Yamaha Headphones Controller v1.6.7 allows attackers to access sensitive information by analyzing the code and data within the APK file.
- CVE-2024-48544HIGHCVSS 8.4EG 8.42024-10-24
Incorrect access control in the firmware update and download processes of Sylvania Smart Home v3.0.3 allows attackers to access sensitive information by analyzing the code and data within the APK file.
- CVE-2024-48545HIGHCVSS 8.4EG 8.42024-10-24
Incorrect access control in the firmware update and download processes of IVY Smart v4.5.0 allows attackers to access sensitive information by analyzing the code and data within the APK file.
- CVE-2024-48546HIGHCVSS 8.4EG 8.42024-10-24
Incorrect access control in the firmware update and download processes of Wear Sync v1.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file.
- CVE-2024-48547HIGHCVSS 8.4EG 8.42024-10-24
Incorrect access control in the firmware update and download processes of DreamCatcher Life v1.8.7 allows attackers to access sensitive information by analyzing the code and data within the APK file.
- CVE-2024-48548CRITICALCVSS 9.3EG 9.32024-10-24
The APK file in Cloud Smart Lock v2.0.1 has a leaked a URL that can call an API for binding physical devices. This vulnerability allows attackers to arbitrarily construct a request to use the app to bind to unknown devices by finding a val…
- CVE-2024-48651HIGHCVSS 7.5EG 7.52024-11-29
In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql.
- CVE-2024-48769CRITICALCVSS 9.1EG 9.12024-10-11
An issue in BURG-WCHTER KG de.burgwachter.keyapp.app 4.5.0 allows a remote attacker to obtain sensitve information via the firmware update process.
- CVE-2024-48772CRITICALCVSS 9.1EG 9.12024-10-11
An issue in C-CHIP (com.cchip.cchipamaota) v.1.2.8 allows a remote attacker to obtain sensitive information via the firmware update process.
- CVE-2024-48778CRITICALCVSS 9.1EG 9.12024-10-11
An issue in GIANT MANUFACTURING CO., LTD RideLink (tw.giant.ridelink) 2.0.7 allows a remote attacker to obtain sensitive information via the firmware update process.
- CVE-2024-48784CRITICALCVSS 9.8EG 9.82024-10-11
An Incorrect Access Control issue in SAMPMAX com.sampmax.homemax 2.1.2.7 allows a remote attacker to obtain sensitive information via the firmware update process.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →