VYPR

CWE-280

Improper Handling of Insufficient Permissions or Privileges

Abstraction: Base
Status: Draft

Description

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (57)

  • CVE-2024-32000 (Med) Apr 12, 2024
    risk 0.21, cvss 4.3, epss 0.00

    matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. matrix-appservice-irc before version 2.0.0 can be exploited to leak the truncated body of a message if a malicious user sends a Matrix reply to an event ID they don't have access to. As a…

  • CVE-2024-42194 (Low) Dec 17, 2024
    risk 0.20, cvss 3.1, epss 0.00

    An improper handling of insufficient permissions or privileges affects HCL BigFix Inventory. An attacker having access via a read-only account can possibly change certain configuration parameters by crafting a specific REST API call.

  • CVE-2026-11764 (Low) Jun 9, 2026
    risk 0.16, cvss n/a, epss 0.00

    When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift…

  • CVE-2024-32882 (Low) May 2, 2024
    risk 0.11, cvss 2.7, epss 0.00

    Wagtail is an open source content management system built on Django. In affected versions if a model has been made available for editing through the `wagtail.contrib.settings` module or `ModelViewSet`, and the `permission` argument on `FieldPanel` has been used to further…

  • CVE-2025-67848 Feb 3, 2026
    risk 0.00, cvss n/a, epss 0.00

    A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling…

  • CVE-2025-58457 Sep 24, 2025
    risk 0.00, cvss n/a, epss 0.00

    Improper permission check in ZooKeeper AdminServer lets authorized clients run the snapshot and restore commands with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue.…

  • CVE-2022-25776 Sep 18, 2024
    risk 0.00, cvss n/a, epss 0.00

    Prior to the patched version, logged in users of Mautic are able to access areas of the application that they should be prevented from accessing. Users could potentially access sensitive data such as names and surnames, company names and stage names.

  • CVE-2024-36112 May 28, 2024
    risk 0.00, cvss n/a, epss 0.00

    Nautobot is a Network Source of Truth and Network Automation Platform. A user with permissions to view Dynamic Group records (`extras.view_dynamicgroup` permission) can use the Dynamic Group detail UI view (`/extras/dynamic-groups//`) and/or the members REST API view…

  • CVE-2024-25108 Feb 12, 2024
    risk 0.00, cvss n/a, epss 0.01

    Pixelfed is an open source photo sharing platform. When processing requests authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users intended, including to the administrative and moderator functionality of the…

  • CVE-2023-6267 Jan 25, 2024
    risk 0.00, cvss n/a, epss 0.01

    A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with…

  • CVE-2023-28640 Mar 27, 2023
    risk 0.00, cvss n/a, epss 0.00

    Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes…

  • CVE-2023-28114 Mar 22, 2023
    risk 0.00, cvss n/a, epss 0.00

    `cilium-cli` is the command line interface to install, manage, and troubleshoot Kubernetes clusters running Cilium. Prior to version 0.13.2, `cilium-cli`, when used to configure cluster mesh functionality, can remove the enforcement of user permissions on the `etcd` store used to…

  • CVE-2023-27087 Mar 21, 2023
    risk 0.00, cvss n/a, epss 0.01

    Permissions vulnerability found in Xuxueli xxl-job v2.2.0, v2.3.0 and v2.3.1 allows an attacker to obtain sensitive information via the pageList parameter.

  • CVE-2022-4863 Dec 30, 2022
    risk 0.00, cvss n/a, epss 0.01

    Improper Handling of Insufficient Permissions or Privileges in GitHub repository usememos/memos prior to 0.9.1.

  • CVE-2022-42126 Nov 15, 2022
    risk 0.00, cvss n/a, epss 0.01

    The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI.

  • CVE-2022-21363 Jan 19, 2022
    risk 0.00, cvss n/a, epss 0.01

    Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL…

  • CVE-2020-17533 Dec 29, 2020
    risk 0.00, cvss n/a, epss 0.04

    Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain administrative operations. Specifically, the return values of the 'canFlush' and…