CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,807 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 53 of 77
- CVE-2024-48786CRITICALCVSS 9.1EG 9.12024-10-11
An issue in SWITCHBOT INC SwitchBot (com.theswitchbot.switchbot) 5.0.4 allows a remote attacker to obtain sensitive information via the firmware update process.
- CVE-2024-48787CRITICALCVSS 9.1EG 9.12024-10-11
An issue in Revic Optics Revic Ops (us.revic.revicops) 1.12.5 allows a remote attacker to obtain sensitive information via the firmware update process.
- CVE-2024-48792HIGHCVSS 7.5EG 7.52024-10-14
An issue in Hideez com.hideez 2.7.8.3 allows a remote attacker to obtain sensitive information via the firmware update process.
- CVE-2024-48897MEDIUMCVSS 4.3EG 4.32024-11-18
A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify.
- CVE-2024-48901MEDIUMCVSS 4.3EG 4.32024-11-18
A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report.
- CVE-2024-48911HIGHCVSS 7.8EG 7.82024-10-14
OpenCanary, a multi-protocol network honeypot, directly executed commands taken from its config file. Prior to version 0.9.4, where the config file is stored in an unprivileged user directory but the daemon is executed by root, it’s poss…
- CVE-2024-48921LOWCVSS 2.7EG 2.72024-10-29
Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By design, PolicyExceptions are consumed from …
- CVE-2024-48925NONECVSS 0.0EG 0.02024-10-22
Umbraco, a free and open source .NET content management system, has an improper access control issue starting in version 14.0.0 and prior to version 14.3.0. The issue allows low-privilege users to access the webhook API and retrieve inform…
- CVE-2024-48936MEDIUMCVSS 5.0EG 5.02024-10-28
SchedMD Slurm before 24.05.4 has Incorrect Authorization. A mistake in authentication handling in stepmgr could permit an attacker to execute processes under other users' jobs. This is limited to jobs explicitly running with --stepmgr, or …
- CVE-2024-49208MEDIUMCVSS 5.9EG 5.92024-10-22
Archer Platform 2024.03 before version 2024.08 is affected by an authorization bypass vulnerability related to supporting application files. A remote unprivileged attacker could potentially exploit this vulnerability to elevate their privi…
- CVE-2024-49209MEDIUMCVSS 6.5EG 6.52024-10-22
Archer Platform 2024.03 before version 2024.09 is affected by an API authorization bypass vulnerability related to supporting application files. A remote unprivileged attacker could potentially exploit this vulnerability to elevate their p…
- CVE-2024-49256MEDIUMCVSS 5.4EG 5.42024-11-01
Incorrect Authorization vulnerability in WP Chill Htaccess File Editor htaccess-file-editor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Htaccess File Editor: from n/a through <= 1.0.18.
- CVE-2024-49376HIGHCVSS 8.8EG 8.82024-10-25
Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoreticall…
- CVE-2024-49501MEDIUMCVSS 5.7EG 5.72024-11-01
Sysmac Studio provided by OMRON Corporation contains an incorrect authorization vulnerability. If this vulnerability is exploited, an attacker may access the program which is protected by Data Protection function.
- CVE-2024-49808MEDIUMCVSS 6.3EG 6.32025-04-18
IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 could allow an authenticated user to spoof the identity of another user due to improper authorization which could allow the user to bypass access restrictions.
- CVE-2024-50310HIGHCVSS 7.5EG 7.52024-11-12
A vulnerability has been identified in SIMATIC CP 1543-1 V4.0 (6GK7543-1AX10-0XE0) (All versions >= V4.0.44 < V4.0.50). Affected devices do not properly handle authorization. This could allow an unauthenticated remote attacker to gain acce…
- CVE-2024-50419MEDIUMCVSS 5.4EG 5.42024-10-30
Incorrect Authorization vulnerability in wpsoul Greenshift greenshift-animation-and-page-builder-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Greenshift: from n/a through <= 9.7.
- CVE-2024-50647HIGHCVSS 7.5EG 7.52024-11-15
The python_food ordering system V1.0 has an unauthorized vulnerability that leads to the leakage of sensitive user information. Attackers can access it through https://ip:port/api/myapp/index/user/info?id=1 And modify the ID value to obtai…
- CVE-2024-50650HIGHCVSS 7.5EG 7.52024-11-15
python_book V1.0 is vulnerable to Incorrect Access Control, which allows attackers to obtain sensitive information of users with different IDs by modifying the ID parameter.
- CVE-2024-50671MEDIUMCVSS 4.3EG 4.32024-11-25
Incorrect access control in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows attackers with Authenticated User roles to obtain email addresses via the "Get users" feature. The vulnerability occurs due to a flaw in permission verificati…
- CVE-2024-5071MEDIUMCVSS 6.5EG 6.52024-06-26
The Bookster WordPress plugin through 1.1.0 allows adding sensitive parameters when validating appointments allowing attackers to manipulate the data sent when booking an appointment (the request body) to change its status from pending to…
- CVE-2024-5130HIGHCVSS 7.5EG 7.52024-06-06
An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the da…
- CVE-2024-51417MEDIUMCVSS 6.4EG 6.42025-01-21
An issue in System.Linq.Dynamic.Core before 1.6.0 allows remote access to properties on reflection types and static properties/fields.
- CVE-2024-51425HIGHCVSS 8.8EG 8.82024-10-30
An issue in the WaterToken smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact. NOTE: this is disputed by third parties because the impact is limited to function calls.
- CVE-2024-51426HIGHCVSS 8.8EG 8.82024-10-30
An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the _transfer function. NOTE: this is disputed by third parties because the impact is limited t…
- CVE-2024-51479HIGHCVSS 7.5EG 7.52024-12-17
Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pag…
- CVE-2024-52312MEDIUMCVSS 5.4EG 5.42024-11-09
Due to inconsistent authorization permissions, data.all may allow an external actor with an authenticated account to perform restricted operations against DataSets and Environments.
- CVE-2024-52314MEDIUMCVSS 4.9EG 4.92024-11-09
A data.all admin team member who has access to the customer-owned AWS Account where data.all is deployed may be able to extract user data from data.all application logs in data.all via CloudWatch log scanning for particular operations that…
- CVE-2024-52518MEDIUMCVSS 4.4EG 4.42024-11-15
Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the passwor…
- CVE-2024-5258MEDIUMCVSS 4.4EG 4.42024-05-23
An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization…
- CVE-2024-52584MEDIUMCVSS 5.4EG 5.42024-11-18
Autolab is a course management service that enables auto-graded programming assignments. There is a vulnerability in version 3.0.1 where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has…
- CVE-2024-52732CRITICALCVSS 9.1EG 9.12024-12-02
Incorrect access control in wms-Warehouse management system-zeqp v2.20.9.1 due to the token value of the zeqp system being reused.
- CVE-2024-5324HIGHCVSS 8.8EG 8.82024-06-06
Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in various versions. This makes it possible for authentic…
- CVE-2024-53553CRITICALCVSS 9.1EG 9.12025-01-16
An issue in OPEXUS FOIAXPRESS PUBLIC ACCESS LINK v11.1.0 allows attackers to bypass authentication via crafted web requests.
- CVE-2024-53937HIGHCVSS 8.8EG 8.82024-12-02
An issue was discovered on Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. The TELNET service is enabled by default with admin/admin as default credentials and is exposed over the LAN. The allows attacke…
- CVE-2024-53941HIGHCVSS 8.8EG 8.82024-12-02
An issue was discovered in Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. A remote attacker (in proximity to a Wi-Fi network) can derive the default Wi-Fi PSK value via the last 4 octets of the BSSID.
- CVE-2024-53949MEDIUMCVSS 6.5EG 6.52024-12-09
Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API. issue affects Apache Superset: from 2.0.0 before 4.1.0. Users are re…
- CVE-2024-54010LOWCVSS 3.4EG 3.42025-01-08
A vulnerability in the firewall component of HPE Aruba Networking CX 10000 Series Switches exists. It could allow an unauthenticated adjacent attacker to conduct a packet forwarding attack against the ICMP and UDP protocol. For this atta…
- CVE-2024-54124HIGHCVSS 8.8EG 8.82024-11-29
In Click Studios Passwordstate before build 9920, there is a potential permission escalation on the edit folder screen.
- CVE-2024-54488MEDIUMCVSS 5.3EG 5.32025-01-27
A logic issue was addressed with improved file handling. This issue is fixed in iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2. Photos in the Hidden Photos Album may be viewed without…
- CVE-2024-54495MEDIUMCVSS 5.5EG 5.52024-12-12
The issue was addressed with improved permissions logic. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2. An app may be able to modify protected parts of the file system.
- CVE-2024-54512CRITICALCVSS 9.1EG 9.12025-01-27
The issue was addressed by removing the relevant flags. This issue is fixed in iOS 18.2 and iPadOS 18.2, watchOS 11.2. A system binary could be used to fingerprint a user's Apple Account.
- CVE-2024-54530CRITICALCVSS 9.1EG 9.12025-01-27
The issue was addressed with improved checks. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, visionOS 2.2, watchOS 11.2. Password autofill may fill in passwords after failing authentication.
- CVE-2024-54662CRITICALCVSS 9.1EG 9.12024-12-17
Dante 1.4.0 through 1.4.3 (fixed in 1.4.4) has incorrect access control for some sockd.conf configurations involving socksmethod.
- CVE-2024-54916MEDIUMCVSS 6.8EG 6.82025-02-11
An issue in the SharedConfig class of Telegram Android APK v.11.7.0 allows a physically proximate attacker to bypass authentication and escalate privileges by manipulating the return value of the checkPasscode method.
- CVE-2024-5539CRITICALCVSS 9.2EG 9.22025-11-27
The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web based building…
- CVE-2024-55579HIGHCVSS 8.8EG 8.82024-12-09
An issue was discovered in Qlik Sense Enterprise for Windows before November 2024 IR. An unprivileged user with network access may be able to create connection objects that trigger execution of arbitrary EXE files. This is fixed in Novembe…
- CVE-2024-55592LOWCVSS 3.8EG 3.82025-03-11
An incorrect authorization vulnerability [CWE-863] in FortiSIEM 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.7 all versions, 6.6 all versions, 6.5 all versions, 6.4 all versions, 6.3 all versions, 6.2 all versions, 6.1 all versi…
- CVE-2024-55633MEDIUMCVSS 6.5EG 6.52024-12-12
Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its exe…
- CVE-2024-55662CRITICALCVSS 9.9EG 9.92024-12-12
XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programmi…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →