VYPR

CWE-285

Improper Authorization

Class · Draft · Likelihood: High

Description

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-104 · CAPEC-127 · CAPEC-13 · CAPEC-17 · CAPEC-39 · CAPEC-402 · CAPEC-45 · CAPEC-5 · CAPEC-51 · CAPEC-59 · CAPEC-60 · CAPEC-647 · CAPEC-668 · CAPEC-76 · CAPEC-77 · CAPEC-87

CVEs mapped to this weakness (812)

page 17 of 41
  • CVE-2025-15582 · Med · Feb 20, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacted element is the function Delete/Update of the component Product Management Module. Performing a manipulation of the argument ID results in authorization bypass. Remote exploitation of the attack is…

  • CVE-2026-2109 · Med · Feb 7, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The…

  • CVE-2026-1112 · Med · Jan 18, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation…

  • CVE-2026-1106 · Med · Jan 18, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in…

  • CVE-2025-14889 · Med · Dec 18, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A security flaw has been discovered in Campcodes Advanced Voting Management System 1.0. The impacted element is an unknown function of the file /admin/voters_edit.php of the component Password Handler. Performing a manipulation of the argument ID results in improper…

  • CVE-2025-12505 · Med · Dec 6, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    The weDocs plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.1.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the create_item_permissions_check function. This makes it…

  • CVE-2025-14016 · Med · Dec 4, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A security vulnerability has been detected in macrozheng mall-swarm up to 1.0.3. Affected is the function delete of the file /member/readHistory/delete. Such manipulation of the argument ids leads to improper authorization. The attack can be executed remotely. The exploit has…

  • CVE-2025-65963 · Med · Nov 26, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public spaces. Private spaces are not affected.…

  • CVE-2025-13117 · Med · Nov 13, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A security vulnerability has been detected in macrozheng mall-swarm and mall up to 1.0.3. Affected by this vulnerability is the function cancelOrder of the file /order/cancelOrder. The manipulation of the argument orderId leads to improper authorization. The attack can be…

  • CVE-2025-13116 · Med · Nov 13, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A weakness has been identified in macrozheng mall-swarm and mall up to 1.0.3. Affected is the function cancelUserOrder of the file /order/cancelUserOrder. Executing manipulation of the argument orderId can lead to improper authorization. It is possible to launch the attack…

  • CVE-2025-6639 · Med · Oct 25, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the…

  • CVE-2025-11272 · Med · Oct 4, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A vulnerability has been found in SeriaWei ZKEACMS up to 4.3. This affects the function Delete of the file src/ZKEACMS.Redirection/Controllers/UrlRedirectionController.cs of the component POST Request Handler. The manipulation leads to improper authorization. Remote exploitation…

  • CVE-2025-10390 · Med · Sep 14, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A weakness has been identified in CRMEB up to 5.6.1. The affected element is the function editAddress of the file app/services/user/UserAddressServices.php. Executing manipulation of the argument ID can lead to improper authorization. The attack may be launched remotely. The…

  • CVE-2025-10389 · Med · Sep 14, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A security flaw has been discovered in CRMEB up to 5.6.1. Impacted is the function Save of the file app/services/system/admin/SystemAdminServices.php of the component Administrator Password Handler. Performing manipulation of the argument ID results in improper authorization.…

  • CVE-2025-10384 · Med · Sep 13, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A flaw has been found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the file /system/role/authUser/cancelAll of the component Role Handler. Executing manipulation of the argument roleId/userIds can lead to improper…

  • CVE-2025-10209 · Med · Sep 10, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A security flaw has been discovered in Papermerge DMS up to 3.5.3. This issue affects some unknown processing of the component Authorization Token Handler. Performing manipulation results in improper authorization. The attack can be initiated remotely. The exploit has been…

  • CVE-2025-9937 · Med · Sep 4, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A security flaw has been discovered in elunez eladmin 1.1. Impacted is the function deleteFile of the component LocalStorageController. The manipulation results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and…

  • CVE-2025-8840 · Med · Aug 11, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A vulnerability was determined in jshERP up to 3.5. Affected is an unknown function of the file /jshERP-boot/user/deleteBatch of the component Endpoint. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The…

  • CVE-2025-7947 · Med · Jul 22, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A vulnerability classified as critical has been found in jshERP up to 3.5. Affected is an unknown function of the file /user/delete of the component Account Handler. The manipulation of the argument ID leads to improper authorization. It is possible to launch the attack…

  • CVE-2025-53709 · Med · Jul 10, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    Secure-upload is a data submission service that validates single-use tokens when accepting submissions to channels. The service is only installed on a small number of environments. Under specific circumstances, privileged users of secure-upload could have selected email templates…