CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,791 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 8 of 76
- CVE-2020-10786HIGHCVSS 8.8EG 8.82020-04-21
A remote command execution in Vesta Control Panel through 0.9.8-26 allows any authenticated user to execute arbitrary commands on the system via cron jobs.
- CVE-2020-10839MEDIUMCVSS 6.8EG 6.82020-03-24
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. Attackers can bypass Factory Reset Protection (FRP) via a SIM card. The Samsung ID is SVE-2019-16193 (February 2020).
- CVE-2020-10952MEDIUMCVSS 6.5EG 6.52020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.
- CVE-2020-11209MEDIUMCVSS 5.5EG 5.52020-11-12
Improper authorization in DSP process could allow unauthorized users to downgrade the library versions in SD820, SD821, SD820, QCS603, QCS605, SDA855, SA6155P, SA6145P, SA6155, SA6155P, SD855, SD 675, SD660, SD429, SD439
- CVE-2020-11282HIGHCVSS 7.8EG 7.82021-02-22
Improper access control when using mmap with the kgsl driver with a special offset value that can be provided to map the memstore of the GPU to user space in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer…
- CVE-2020-11628MEDIUMCVSS 5.3EG 5.32020-04-08
An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. It is intended to support restriction of available remote protocols (CMP, ACME, REST, etc.) through the system configuration. These restrictions can be bypassed by mo…
- CVE-2020-11680MEDIUMCVSS 6.5EG 6.52020-06-04
Castel NextGen DVR v1.0.0 is vulnerable to authorization bypass on all administrator functionality. The application fails to check that a request was submitted by an administrator. Consequently, a normal user can perform actions including,…
- CVE-2020-11707HIGHCVSS 8.8EG 8.82020-04-12
An issue was discovered in ProVide (formerly zFTPServer) through 13.1. It doesn't enforce permission over Windows Symlinks or Junctions. As a result, a low-privileged user (non-admin) can craft a Junction Link in a directory he has full co…
- CVE-2020-11753HIGHCVSS 8.8EG 8.82020-04-20
An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. It is possible for a user with appropriate privileges to create, modify, and execute scripting tasks without use of the UI or API. NOTE: in 3.22.0,…
- CVE-2020-11844CRITICALCVSS 10.0EG 10.02020-05-29
Incorrect Authorization vulnerability in Micro Focus Container Deployment Foundation component affects products: - Hybrid Cloud Management. Versions 2018.05 to 2019.11. - ArcSight Investigate. versions 2.4.0, 3.0.0 and 3.1.0. - ArcSight Tr…
- CVE-2020-11855HIGHCVSS 7.8EG 7.82020-09-22
An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow local attackers on the OBR host to execute code with escalated privileges.
- CVE-2020-11889MEDIUMCVSS 5.3EG 5.32020-04-21
An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.
- CVE-2020-11891MEDIUMCVSS 5.3EG 5.32020-04-21
An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.
- CVE-2020-12030CRITICALCVSS 10.0EG 10.02021-09-29
There is a flaw in the code used to configure the internal gateway firewall when the gateway's VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports u…
- CVE-2020-12053CRITICALCVSS 9.8EG 9.82020-06-22
In Unisys Stealth 3.4.x, 4.x and 5.x before 5.0.026, if certificate-based authorization is used without HTTPS, an endpoint could be authorized without a private key.
- CVE-2020-12391HIGHCVSS 7.5EG 7.52020-05-26
Documents formed using data: URLs in an OBJECT element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opaque origin. This vulnerability affects F…
- CVE-2020-12477HIGHCVSS 7.5EG 7.52020-04-29
The REST API functions in TeamPass 2.1.27.36 allow any user with a valid API token to bypass IP address whitelist restrictions via an X-Forwarded-For client HTTP header to the getIp function.
- CVE-2020-12500CRITICALCVSS 9.8EG 9.82020-10-15
Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) allows unauthenticated …
- CVE-2020-12503HIGHCVSS 7.2EG 7.22020-10-15
Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G…
- CVE-2020-12504CRITICALCVSS 9.8EG 9.82020-10-15
Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) and ICRL-M-8RJ45/4SFP-G…
- CVE-2020-12621MEDIUMCVSS 6.1EG 6.12020-09-02
The Teamwire application 5.3.0 for Android allows physically proximate attackers to exploit a flaw related to the pass-code component.
- CVE-2020-12643MEDIUMCVSS 4.3EG 4.32020-08-31
OX App Suite 7.10.3 and earlier has Incorrect Access Control via an /api/subscriptions request for a snippet containing an email address.
- CVE-2020-12668MEDIUMCVSS 6.5EG 6.52021-02-19
Jinjava before 2.5.4 allow access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure.
- CVE-2020-12691HIGHCVSS 8.8EG 8.82020-05-07
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user…
- CVE-2020-12720CRITICALCVSS 9.8EG 9.82020-05-08
vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
- CVE-2020-12733HIGHCVSS 7.5EG 7.52021-07-15
Certain Shenzhen PENGLIXIN components on DEPSTECH WiFi Digital Microscope 3, as used by Shekar Endoscope, allow a TELNET connection with the molinkadmin password for the molink account.
- CVE-2020-12745HIGHCVSS 7.5EG 7.52020-05-11
An issue was discovered on Samsung mobile devices with Q(10.0) software. Attackers can bypass the locked-state protection mechanism and access clipboard content via USSD. The Samsung ID is SVE-2019-16556 (May 2020).
- CVE-2020-12776MEDIUMCVSS 6.6EG 6.62020-09-01
Openfind Mail2000 contains Broken Access Control vulnerability, which can be used to execute unauthorized commands after attackers obtain the administrator access token or cookie.
- CVE-2020-12780HIGHCVSS 7.5EG 7.52020-08-10
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
- CVE-2020-12874CRITICALCVSS 9.8EG 9.82020-05-14
Veritas APTARE versions prior to 10.4 included code that bypassed the normal login process when specific authentication credentials were provided to the server.
- CVE-2020-12875MEDIUMCVSS 6.3EG 6.32020-05-14
Veritas APTARE versions prior to 10.4 did not perform adequate authorization checks. An authenticated user could gain unauthorized access to sensitive information or functionality by manipulating specific parameters within the application.
- CVE-2020-12876HIGHCVSS 7.5EG 7.52020-05-14
Veritas APTARE versions prior to 10.4 allowed remote users to access several unintended files on the server. This vulnerability only impacts Windows server deployments.
- CVE-2020-12954MEDIUMCVSS 5.5EG 5.52021-11-16
A side effect of an integrated chipset option may be able to be used by an attacker to bypass SPI ROM protections, allowing unauthorized SPI ROM modification.
- CVE-2020-13263HIGHCVSS 7.5EG 7.52020-06-19
An authorization issue relating to project maintainer impersonation was identified in GitLab EE 9.5 and later through 13.0.1 that could allow unauthorized users to impersonate as a maintainer to perform limited actions.
- CVE-2020-13272HIGHCVSS 7.5EG 7.52020-06-19
OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow
- CVE-2020-13275HIGHCVSS 8.0EG 8.02020-06-19
A user with an unverified email address could request an access to domain restricted groups in GitLab EE 12.2 and later through 13.0.1
- CVE-2020-13276HIGHCVSS 7.4EG 7.42020-06-19
User is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1
- CVE-2020-13277MEDIUMCVSS 6.3EG 6.32020-06-19
An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5
- CVE-2020-13284MEDIUMCVSS 6.5EG 6.52020-09-14
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token
- CVE-2020-13300HIGHCVSS 8.0EG 10.02020-09-14
GitLab CE/EE version 13.3 prior to 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow.
- CVE-2020-13303HIGHCVSS 7.1EG 7.12020-09-15
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public project.
- CVE-2020-13313MEDIUMCVSS 4.3EG 4.32020-09-14
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. An unauthorized project maintainer could edit the subgroup badges due to the lack of authorization control.
- CVE-2020-13318MEDIUMCVSS 6.4EG 6.42020-09-14
A vulnerability was discovered in GitLab versions before 13.0.12, 13.1.10, 13.2.8 and 13.3.4. GitLabs EKS integration was vulnerable to a cross-account assume role attack.
- CVE-2020-13320MEDIUMCVSS 6.5EG 6.52020-09-30
An issue has been discovered in GitLab before version 12.10.13 that allowed a project member with limited permissions to view the project security dashboard.
- CVE-2020-13322HIGHCVSS 7.2EG 7.22020-09-30
A vulnerability was discovered in GitLab versions after 12.9. Due to improper verification of permissions, an unauthorized user can create and delete deploy tokens.
- CVE-2020-13323HIGHCVSS 7.7EG 7.72020-09-30
A vulnerability was discovered in GitLab versions prior 13.1. Under certain conditions private merge requests could be read via Todos
- CVE-2020-13334MEDIUMCVSS 5.9EG 5.92020-10-07
In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper authorization checks allow a non-member of a project/group to change the confidentiality attribute of issue via mutation GraphQL query
- CVE-2020-13335MEDIUMCVSS 4.3EG 4.32020-10-07
Improper group membership validation when deleting a user account in GitLab >=7.12 allows a user to delete own account without deleting/transferring their group.
- CVE-2020-13358MEDIUMCVSS 4.7EG 4.72020-11-17
A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: >=13.4, <13.4.5,>=13.3, <13.3.9,>=13.5, <13.5.2.
- CVE-2020-13593HIGHCVSS 8.8EG 8.82020-08-31
The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation in Texas Instruments SimpleLink SIMPLELINK-CC2640R2-SDK through 2.2.3 allows the Diffie-Hellman check during the Secure Connection pairing to be skipped if the Link Laye…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →