VYPR

CWE-285

Improper Authorization

Abstraction: Class · Status: Draft · Likelihood of Exploit: High

Description

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-104 · CAPEC-127 · CAPEC-13 · CAPEC-17 · CAPEC-39 · CAPEC-402 · CAPEC-45 · CAPEC-5 · CAPEC-51 · CAPEC-59 · CAPEC-60 · CAPEC-647 · CAPEC-668 · CAPEC-76 · CAPEC-77 · CAPEC-87

CVEs mapped to this weakness (812)

page 14 of 41
  • CVE-2025-10086 · Medium · Sep 8, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A weakness has been identified in fuyang_lipengjun platform 1.0.0. This issue affects the function queryAll of the file /adposition/queryAll of the component AdPositionController. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit…

  • CVE-2025-9760 · Medium · Sep 1, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A weakness has been identified in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /module/Api/matricula of the component Matricula API. Executing manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit…

  • CVE-2025-9687 · Medium · Aug 30, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A weakness has been identified in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/HistoricoEscolar/processamentoApi. Executing manipulation can lead to improper authorization. The attack may be performed from a remote location. The exploit has…

  • CVE-2025-9609 · Medium · Aug 29, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was found in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /educacenso/consulta. The manipulation results in improper authorization. The attack can be executed remotely. The exploit has been made public and could be used.

  • CVE-2025-9602 · Medium · Aug 29, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was found in Xinhu RockOA up to 2.6.9. Impacted is the function publicsaveAjax of the file /index.php. Performing manipulation results in improper authorization. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

  • CVE-2025-9151 · Medium · Aug 19, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A security flaw has been discovered in LiuYuYang01 ThriveX-Blog up to 3.1.7. Affected by this vulnerability is the function updateJsonValueByName of the file /web_config/json/name/web. Performing manipulation results in improper authorization. It is possible to initiate the…

  • CVE-2025-8839 · Medium · Aug 11, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was found in jshERP up to 3.5. This issue affects some unknown processing of the file /jshERP-boot/user/addUser of the component Endpoint. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to…

  • CVE-2025-8791 · Medium · Aug 10, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was found in LitmusChaos Litmus up to 3.19.0. It has been rated as critical. This issue affects some unknown processing of the file /auth/list_projects. The manipulation of the argument role leads to improper authorization. The attack may be initiated remotely.…

  • CVE-2025-8756 · Medium · Aug 9, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability has been found in TDuckCloud tduck-platform up to 5.1 and classified as critical. Affected by this vulnerability is the function preHandle of the file /manage/ of the component com.tduck.cloud.api.web.interceptor.AuthorizationInterceptor. The manipulation leads…

  • CVE-2025-6736 · Medium · Jun 27, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability classified as critical was found in juzaweb CMS 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admin-cp/theme/install of the component Add New Themes Page. The manipulation leads to improper authorization. The attack can be…

  • CVE-2025-6735 · Medium · Jun 27, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability classified as critical has been found in juzaweb CMS 3.4.2. Affected is an unknown function of the file /admin-cp/imports of the component Import Page. The manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has…

  • CVE-2025-4210 · High · May 2, 2025
    risk 0.41 · cvss 7.3 · epss 0.02

    A vulnerability classified as critical was found in Casdoor up to 1.811.0. This vulnerability affects the function HandleScim of the file controllers/scim.go of the component SCIM User Creation Endpoint. The manipulation leads to authorization bypass. The attack can be initiated…

  • CVE-2024-8676 · High · Nov 26, 2024
    risk 0.41 · cvss 7.4 · epss 0.01

    A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the…

  • CVE-2024-3013 · Medium · Mar 28, 2024
    risk 0.41 · cvss 6.3 · epss 0.23

    A flaw has been found in Teledyne FLIR AX8 up to 1.46.16. The impacted element is an unknown function of the file /tools/test_login.php?action=register of the component User Registration. Executing manipulation can lead to improper authorization. The attack may be performed from…

  • CVE-2021-4335 · Medium · Oct 20, 2023
    risk 0.41 · cvss 6.3 · epss 0.00

    The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9. This makes it possible for authenticated…

  • CVE-2016-9575 · Medium · Mar 13, 2018
    risk 0.41 · cvss 6.3 · epss 0.01

    Ipa versions 4.2.x, 4.3.x before 4.3.3 and 4.4.x before 4.4.3 did not properly check the user's permissions while modifying certificate profiles in IdM's certprofile-mod command. An authenticated, unprivileged attacker could use this flaw to modify profiles to issue certificates…

  • CVE-2026-11462 · High · Jun 7, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22. This impacts the function callback of the file plugins/Stripe/Controllers/StripeController.php of the component Stripe Plugin. Performing a manipulation of the argument Request results in…

  • CVE-2026-7505 · High · Apr 30, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    A flaw has been found in nextlevelbuilder GoClaw and GoClaw Lite up to 3.8.5. This affects an unknown function of the component RPC Handler. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used.…

  • CVE-2026-35476 · High · Apr 8, 2026
    risk 0.40 · cvss 7.2 · epss 0.00

    InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly…

  • CVE-2025-61524 · High · Oct 8, 2025
    risk 0.40 · cvss 7.2 · epss 0.01

    An issue in the permission verification module and organization/application editing interface in Casdoor v2.26.0 and before, and fixed in v.2.63.0, allows remote authenticated administrators of any organization within the system to bypass the system's permission verification…