CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,791 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 9 of 76
- CVE-2020-13676MEDIUMCVSS 6.5EG 6.52022-02-11
The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installe…
- CVE-2020-13696MEDIUMCVSS 4.4EG 4.42020-06-08
An issue was discovered in LinuxTV xawtv before 3.107. The function dev_open() in v4l-conf.c does not perform sufficient checks to prevent an unprivileged caller of the program from opening unintended filesystem paths. This allows a local …
- CVE-2020-13834HIGHCVSS 7.5EG 7.52020-06-04
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (with TEEGRIS) software. Secure Folder does not properly restrict use of Android Debug Bridge (adb) for arbitrary installations. The Samsung ID is SVE-2020-…
- CVE-2020-13957CRITICALCVSS 9.8EG 9.82020-10-13
Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authenticati…
- CVE-2020-14011CRITICALCVSS 9.8EG 9.82020-06-15
Lansweeper 6.0.x through 7.2.x has a default installation in which the admin password is configured for the admin account, unless "Built-in admin" is manually unchecked. This allows command execution via the Add New Package and Scheduled D…
- CVE-2020-14106MEDIUMCVSS 5.5EG 5.52021-04-08
The application in the mobile phone can unauthorized access to the list of running processes in the mobile phone, Xiaomi Mobile Phone MIUI < 2021.01.26.
- CVE-2020-14110HIGHCVSS 7.8EG 7.82022-01-18
AX3600 router sensitive information leaked.There is an unauthorized interface through luci to obtain sensitive information and log in to the web background.
- CVE-2020-14121MEDIUMCVSS 5.5EG 5.52022-04-21
A business logic vulnerability exists in Mi App Store. The vulnerability is caused by incomplete permission checks of the products being bypassed, and an attacker can exploit the vulnerability to perform a local silent installation.
- CVE-2020-14165MEDIUMCVSS 5.3EG 5.32020-07-01
The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability.
- CVE-2020-14196MEDIUMCVSS 5.3EG 5.32020-07-01
In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 and 4.1.16, the ACL restricting access to the internal web server is not properly enforced.
- CVE-2020-14214MEDIUMCVSS 6.5EG 6.52020-06-16
Zammad before 3.3.1, when Domain Based Assignment is enabled, relies on a claimed e-mail address for authorization decisions. An attacker can register a new account that will have access to all tickets of an arbitrary Organization.
- CVE-2020-14215HIGHCVSS 7.5EG 7.52020-08-21
Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrator role to invitations.
- CVE-2020-14292MEDIUMCVSS 5.7EG 5.72020-09-09
In the COVIDSafe application through 1.0.21 for Android, unsafe use of the Bluetooth transport option in the GATT connection allows attackers to trick the application into establishing a connection over Bluetooth BR/EDR transport, which re…
- CVE-2020-14321HIGHCVSS 8.8EG 8.82022-08-16
In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.
- CVE-2020-14486MEDIUMCVSS 6.3EG 6.32020-07-29
An attacker may bypass permission/authorization checks in OpenClinic GA 5.09.02 and 5.89.05b by ignoring the redirect of a permission failure, which may allow unauthorized execution of commands.
- CVE-2020-14944CRITICALCVSS 9.8EG 9.82020-06-22
Global RADAR BSA Radar 1.6.7234.24750 and earlier lacks valid authorization controls in multiple functions. This can allow for manipulation and takeover of user accounts if successfully exploited. The following vulnerable functions are exp…
- CVE-2020-15084HIGHCVSS 7.7EG 7.72020-06-30
In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may l…
- CVE-2020-15110MEDIUMCVSS 6.8EG 6.82020-07-17
In jupyterhub-kubespawner before 0.12, certain usernames will be able to craft particular server names which will grant them access to the default server of other users who have matching usernames. This has been fixed in 0.12.
- CVE-2020-15120MEDIUMCVSS 4.9EG 4.92020-07-27
In "I hate money" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of a…
- CVE-2020-15126MEDIUMCVSS 6.5EG 6.52020-07-22
In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object.
- CVE-2020-15163HIGHCVSS 8.7EG 8.72020-09-09
Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve mu…
- CVE-2020-15246HIGHCVSS 7.5EG 7.52020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted …
- CVE-2020-15248MEDIUMCVSS 4.0EG 4.02020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & man…
- CVE-2020-15251HIGHCVSS 7.7EG 7.72020-10-13
In the Channelmgnt plug-in for Sopel (a Python IRC bot) before version 1.0.3, malicious users are able to op/voice and take over a channel. This is an ACL bypass vulnerability. This plugin is bundled with MirahezeBot-Plugins with versions …
- CVE-2020-15278HIGHCVSS 7.7EG 7.72020-10-28
Red Discord Bot before version 3.4.1 has an unauthorized privilege escalation exploit in the Mod module. This exploit allows Discord users with a high privilege level within the guild to bypass hierarchy checks when the application is in a…
- CVE-2020-15279MEDIUMCVSS 4.0EG 3.32021-05-18
An Improper Access Control vulnerability in the logging component of Bitdefender Endpoint Security Tools for Windows versions prior to 6.6.23.320 allows a regular user to learn the scanning exclusion paths. This issue was discovered during…
- CVE-2020-15376MEDIUMCVSS 4.3EG 4.32020-12-11
Brocade Fabric OS versions before v9.0.0 and after version v8.1.0, configured in Virtual Fabric mode contain a weakness in the ldap implementation that could allow a remote ldap user to login in the Brocade Fibre Channel SAN switch with "u…
- CVE-2020-15513MEDIUMCVSS 5.3EG 5.32020-07-07
The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control.
- CVE-2020-15590HIGHCVSS 7.5EG 7.52020-09-14
A vulnerability in the Private Internet Access (PIA) VPN Client for Linux 1.5 through 2.3+ allows remote attackers to bypass an intended VPN kill switch mechanism and read sensitive information via intercepting network traffic. Since 1.5, …
- CVE-2020-15664MEDIUMCVSS 6.5EG 6.52020-10-01
By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confu…
- CVE-2020-15780MEDIUMCVSS 6.7EG 6.72020-07-15
An issue was discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30.
- CVE-2020-15801CRITICALCVSS 9.8EG 9.82020-07-17
In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The <executable-name>._pth file (e.g., the python._pth file) is not affected.
- CVE-2020-15826MEDIUMCVSS 4.3EG 4.32020-08-08
In JetBrains TeamCity before 2020.1, users are able to assign more permissions than they have.
- CVE-2020-15868HIGHCVSS 7.5EG 7.52020-08-12
Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control.
- CVE-2020-15939MEDIUMCVSS 4.3EG 4.32021-09-06
An improper access control vulnerability (CWE-284) in FortiSandbox versions 3.2.1 and below and 3.1.4 and below may allow an authenticated, unprivileged attacker to download the device configuration file via the recovery URL.
- CVE-2020-16241MEDIUMCVSS 6.3EG 2.12020-08-21
Philips SureSigns VS4, A.07.107 and prior does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
- CVE-2020-16630MEDIUMCVSS 6.8EG 6.82021-09-20
TI’s BLE stack caches and reuses the LTK’s property for a bonded mobile. A LTK can be an unauthenticated-and-no-MITM-protection key created by Just Works or an authenticated-and-MITM-protection key created by Passkey Entry, Numeric Com…
- CVE-2020-16904MEDIUMCVSS 5.3EG 5.32020-10-16
<p>An elevation of privilege vulnerability exists in the way Azure Functions validate access keys.</p> <p>An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization.…
- CVE-2020-16943MEDIUMCVSS 6.5EG 6.52020-10-16
<p>An elevation of privilege vulnerability exists in Microsoft Dynamics 365 Commerce. An unauthenticated attacker who successfully exploited this vulnerability could update data without proper authorization.</p> <p>To exploit the vulnerabi…
- CVE-2020-17049MEDIUMCVSS 6.6EG 7.22020-11-11
A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised servic…
- CVE-2020-1725MEDIUMCVSS 5.4EG 5.42021-01-28
A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token.
- CVE-2020-1729MEDIUMCVSS 4.4EG 4.42021-05-28
A flaw was found in SmallRye's API through version 1.6.1. The API can allow other code running within the application server to potentially obtain the ClassLoader, bypassing any permissions checks that should have been applied. The largest…
- CVE-2020-17354HIGHCVSS 8.6EG 8.62023-04-15
LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a d…
- CVE-2020-17448HIGHCVSS 7.8EG 7.82020-08-11
Telegram Desktop through 2.1.13 allows a spoofed file type to bypass the Dangerous File Type Execution protection mechanism, as demonstrated by use of the chat window with a filename that lacks an extension.
- CVE-2020-1791LOWCVSS 2.4EG 2.42020-02-18
HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.185(C00E74R3P8) have an improper authorization vulnerability. The system has a logic judging error under certain scenario, successful exploit could allow the attacker to switch t…
- CVE-2020-1796MEDIUMCVSS 6.6EG 6.62020-03-20
There is an improper authorization vulnerability in several smartphones. The software incorrectly performs an authorization to certain user, successful exploit could allow a low privilege user to do certain operation which the user are sup…
- CVE-2020-1797LOWCVSS 2.4EG 2.42020-05-29
HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.185(C00E74R3P8) have an improper authorization vulnerability. The system does not properly restrict certain operation in ADB mode, successful exploit could allow certain user bre…
- CVE-2020-1800HIGHCVSS 7.8EG 7.82020-03-26
HUAWEI smartphones P30 with versions earlier than 10.0.0.185(C00E85R1P11) have an improper access control vulnerability. The software incorrectly restricts access to a function interface from an unauthorized actor, the attacker tricks the …
- CVE-2020-1807LOWCVSS 3.5EG 3.52020-04-27
HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.188(C00E74R3P8) have an improper authorization vulnerability. The software does not properly restrict certain user's modification of certain configuration file, successful exploi…
- CVE-2020-1831LOWCVSS 2.4EG 2.42020-05-29
HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.195(SP31C00E74R3P8) have an improper authorization vulnerability. The digital balance function does not sufficiently restrict the using time of certain user, successful exploit c…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →