VYPR

CWE-285

Improper Authorization

ClassDraftLikelihood: High

Description

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-104 · CAPEC-127 · CAPEC-13 · CAPEC-17 · CAPEC-39 · CAPEC-402 · CAPEC-45 · CAPEC-5 · CAPEC-51 · CAPEC-59 · CAPEC-60 · CAPEC-647 · CAPEC-668 · CAPEC-76 · CAPEC-77 · CAPEC-87

CVEs mapped to this weakness (812)

page 15 of 41
  • CVE-2023-41819MedMay 3, 2024
    risk 0.40cvss 6.1epss 0.00

    A PendingIntent hijacking vulnerability was reported in the Motorola Face Unlock application that could allow a local attacker to access unauthorized content providers. 

  • CVE-2026-48089higJun 11, 2026
    risk 0.39cvss epss 0.00

    ### Impact On a DevGuard API instance with one or more **public assets**, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create, update, reapply, and delete **VEX rules** on those public…

  • CVE-2026-47726higJun 8, 2026
    risk 0.39cvss epss 0.00

    `internal/api/audit.go:12` — `handleGetAuditLog` does no admin check. The route is bearer-auth gated only; any operator API key returns the full audit log via `store.ListAuditEntries` (up to limit=1000). This includes cross-tenant actor names, host/CA/operator IDs, action…

  • CVE-2026-44208MedJun 12, 2026
    risk 0.38cvss epss 0.00

    Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0.

  • CVE-2026-45337higJun 4, 2026
    risk 0.38cvss epss 0.00

    ### Am I affected? You are affected if all of the following are true: - You use `better-auth` at a version `>= 1.6.0, < 1.6.11`. - The `deviceAuthorization` plugin is enabled in your auth config (`deviceAuthorization()` in your `plugins` array). - A third party can observe a…

  • CVE-2025-59100MedJan 26, 2026
    risk 0.38cvss epss 0.01

    The web interface offers a functionality to export the internal SQLite database. After executing the database export, an automatic download is started and the device reboots. After rebooting, the exported database is deleted and cannot be accessed anymore. However, it was…

  • CVE-2018-10906MedJul 24, 2018
    risk 0.38cvss 5.3epss 0.01

    In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse…

  • CVE-2016-5063MedMay 2, 2017
    risk 0.38cvss 5.3epss 0.08

    The RSCD agent in BMC Server Automation before 8.6 SP1 Patch 2 and 8.7 before Patch 3 on Windows might allow remote attackers to bypass authorization checks and make an RPC call via unspecified vectors.

  • CVE-2025-68712MedMay 27, 2026
    risk 0.36cvss 5.5epss 0.00

    SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android's biometric mechanisms, the lock is implemented with a custom overlay that fails to…

  • CVE-2025-43289MedMay 26, 2026
    risk 0.36cvss 5.5epss 0.00

    A logic issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. A malicious app may be able to access sensitive user data.

  • CVE-2026-7292MedApr 28, 2026
    risk 0.36cvss 5.6epss 0.00

    A security vulnerability has been detected in o2oa up to 10.0. This impacts the function syncFile of the file NodeAgent.java of the component NodeAgent. The manipulation leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather…

  • CVE-2026-6572MedApr 19, 2026
    risk 0.36cvss 5.6epss 0.00

    A security vulnerability has been detected in Collabora KodExplorer up to 4.52. Affected by this issue is some unknown functionality of the file /app/controller/share.class.php of the component fileUpload Endpoint. The manipulation of the argument fileUpload leads to improper…

  • CVE-2026-35479MedApr 8, 2026
    risk 0.36cvss 6.6epss 0.00

    InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other…

  • CVE-2025-43403MedFeb 11, 2026
    risk 0.36cvss 5.5epss 0.00

    An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26. An app may be able to access sensitive user data.

  • CVE-2025-46289MedDec 12, 2025
    risk 0.36cvss 5.5epss 0.00

    A logic issue was addressed with improved file handling. This issue is fixed in macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2. An app may be able to access protected user data.

  • CVE-2025-0580MedJan 20, 2025
    risk 0.36cvss 5.6epss 0.00

    A vulnerability was found in Shiprocket Module 3 on OpenCart. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?route=extension/module/rest_api&action=getOrders of the component REST API Module. The manipulation of the…

  • CVE-2024-40807MedJul 29, 2024
    risk 0.36cvss 5.5epss 0.00

    A logic issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. A shortcut may be able to use sensitive data with certain actions without prompting the user.

  • CVE-2024-40783MedJul 29, 2024
    risk 0.36cvss 5.5epss 0.00

    The issue was addressed with improved restriction of data container access. This issue is fixed in macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. A malicious application may be able to bypass Privacy preferences.

  • CVE-2026-11533MedJun 8, 2026
    risk 0.35cvss 5.4epss 0.00

    A security vulnerability has been detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this vulnerability is an unknown functionality of the file /see.php of the component Student Deletion Endpoint. The manipulation of the…

  • CVE-2026-10285MedJun 1, 2026
    risk 0.35cvss 5.4epss 0.00

    A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.php of the component Ticket Handler. The manipulation leads to improper…