VYPR

CWE-285

Improper Authorization

ClassDraftLikelihood: High

Description

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-104 · CAPEC-127 · CAPEC-13 · CAPEC-17 · CAPEC-39 · CAPEC-402 · CAPEC-45 · CAPEC-5 · CAPEC-51 · CAPEC-59 · CAPEC-60 · CAPEC-647 · CAPEC-668 · CAPEC-76 · CAPEC-77 · CAPEC-87

CVEs mapped to this weakness (812)

page 20 of 41
  • CVE-2025-14546MedDec 19, 2025
    risk 0.34cvss 6.3epss 0.00

    Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist…

  • CVE-2025-12814MedNov 19, 2025
    risk 0.34cvss 5.3epss 0.00

    The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to unauthorized modification of data due to n incorrect capability check on the siteseo_reset_settings function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, who…

  • CVE-2025-12777MedNov 19, 2025
    risk 0.34cvss 5.3epss 0.00

    The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly verifying that a user is authorized to perform actions on the REST API /wp-json/yith/wishlist/v1/lists…

  • CVE-2025-11256MedOct 18, 2025
    risk 0.34cvss 5.3epss 0.00

    The Kognetiks Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 2.3.5. This makes it possible for unauthenticated attackers to upload limited safe files and…

  • CVE-2025-10992MedSep 26, 2025
    risk 0.34cvss 5.3epss 0.00

    A vulnerability was determined in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. Affected is an unknown function of the file /user/info/lookupList. Executing manipulation can lead to improper authorization. The attack may be performed from remote. The exploit…

  • CVE-2025-10947MedSep 25, 2025
    risk 0.34cvss 5.3epss 0.00

    A flaw has been found in Sistemas Pleno Gestão de Locação up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Executing a manipulation of the argument pes_cpf can lead to authorization…

  • CVE-2025-8794MedAug 10, 2025
    risk 0.34cvss 5.3epss 0.00

    A vulnerability, which was classified as problematic, has been found in LitmusChaos Litmus up to 3.19.0. Affected by this issue is some unknown functionality of the component LocalStorage Handler. The manipulation of the argument projectID leads to authorization bypass. Local…

  • CVE-2025-6099MedJun 16, 2025
    risk 0.34cvss 5.3epss 0.00

    A vulnerability was found in szluyu99 gin-vue-blog up to 61dd11ccd296e8642a318ada3ef7b3f7776d2410. It has been declared as critical. This vulnerability affects unknown code of the file gin-blog-server/internal/manager.go of the component PATCH Request Handler. The manipulation…

  • CVE-2025-3924MedMay 7, 2025
    risk 0.34cvss 5.3epss 0.00

    The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized access of data via its publicly exposed reset-password endpoint. The plugin looks up the 'valid_email' value based solely on a supplied username parameter, without verifying that the…

  • CVE-2025-1078MedFeb 6, 2025
    risk 0.34cvss 5.3epss 0.00

    A vulnerability has been found in AppHouseKitchen AlDente Charge Limiter up to 1.29 on macOS and classified as critical. This vulnerability affects the function shouldAcceptNewConnection of the file com.apphousekitchen.aldente-pro.helper of the component XPC Service. The…

  • CVE-2024-11306MedNov 18, 2024
    risk 0.34cvss 5.3epss 0.01

    A vulnerability, which was classified as critical, has been found in Altenergy Power Control Software up to 20241108. This issue affects some unknown processing of the file /index.php/display/database/. The manipulation leads to improper authorization. The attack may be…

  • CVE-2020-36841MedOct 16, 2024
    risk 0.34cvss 5.3epss 0.00

    The WooCommerce Smart Coupons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the woocommerce_coupon_admin_init function in versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to send…

  • CVE-2023-6496MedJan 11, 2024
    risk 0.34cvss 5.3epss 0.00

    The Manage Notification E-mails plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.8.5 via the card_famne_export_settings function. This makes it possible for unauthenticated attackers to obtain plugin settings.

  • CVE-2016-7651MedFeb 20, 2017
    risk 0.34cvss 5.3epss 0.00

    An issue was discovered in certain Apple products. iOS before 10.2 is affected. watchOS before 3.1.1 is affected. The issue involves the "Accounts" component, which allows local users to bypass intended authorization restrictions by leveraging the mishandling of an app uninstall.

  • CVE-2025-67603MedJan 8, 2026
    risk 0.33cvss epss 0.00

    A Improper Authorization vulnerability in Foomuuri llows arbitrary users to influence the firewall configuration.This issue affects Foomuuri: from ? before 0.31.

  • CVE-2024-34463MedSep 3, 2024
    risk 0.33cvss 5.1epss 0.01

    BPL Personal Weighing Scale PWS-01BT IND/09/18/599 devices send sensitive information in unencrypted BLE packets. (The packet data also lacks authentication and integrity protection.)

  • CVE-2017-2632MedJul 27, 2018
    risk 0.32cvss 4.9epss 0.01

    A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an attacker with tenant administration access to elevate…

  • CVE-2026-10070MedMay 29, 2026
    risk 0.31cvss 4.7epss 0.00

    A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The…

  • CVE-2026-34321MedApr 21, 2026
    risk 0.31cvss 4.8epss 0.00

    Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: User Interface). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Difficult to exploit vulnerability allows…

  • CVE-2024-13058MedDec 30, 2024
    risk 0.31cvss epss 0.00

    An issue exists in SoftIron HyperCloud where authenticated, but non-admin users can create data pools, which could potentially impact the performance and availability of the backend software-defined storage subsystem. This issue only impacts SoftIron HyperCloud and related…