VYPR

CWE-285

Improper Authorization

Class · Draft · Likelihood: High

Description

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-104 · CAPEC-127 · CAPEC-13 · CAPEC-17 · CAPEC-39 · CAPEC-402 · CAPEC-45 · CAPEC-5 · CAPEC-51 · CAPEC-59 · CAPEC-60 · CAPEC-647 · CAPEC-668 · CAPEC-76 · CAPEC-77 · CAPEC-87

CVEs mapped to this weakness (812)

page 28 of 41
  • CVE-2025-15122 · Low · Dec 28, 2025
    risk 0.20 · cvss 3.1 · epss 0.00

    A vulnerability was found in JeecgBoot up to 3.9.0. The impacted element is the function loadDatarule of the file /sys/sysDepartRole/datarule/. Performing manipulation of the argument departId/roleId results in improper authorization. It is possible to initiate the attack…

  • CVE-2025-15120 · Low · Dec 28, 2025
    risk 0.20 · cvss 3.1 · epss 0.00

    A flaw has been found in JeecgBoot up to 3.9.0. Impacted is the function getDeptRoleList of the file /sys/sysDepartRole/getDeptRoleList. This manipulation of the argument departId causes improper authorization. The attack is possible to be carried out remotely. A high degree of…

  • CVE-2025-15119 · Low · Dec 28, 2025
    risk 0.20 · cvss 3.1 · epss 0.00

    A vulnerability was detected in JeecgBoot up to 3.9.0. This issue affects the function queryPageList of the file /sys/sysDepartRole/list. The manipulation of the argument deptId results in improper authorization. The attack can be executed remotely. A high complexity level is…

  • CVE-2025-12623 · Low · Nov 3, 2025
    risk 0.20 · cvss 3.1 · epss 0.00

    A vulnerability was identified in fushengqian fuint up to 41e26be8a2c609413a0feaa69bdad33a71ae8032. Affected by this issue is some unknown functionality of the file fuint-application/src/main/java/com/fuint/module/clientApi/controller/ClientSignController.java of the component…

  • CVE-2025-10977 · Low · Sep 25, 2025
    risk 0.20 · cvss 3.1 · epss 0.00

    A vulnerability was identified in JeecgBoot up to 3.8.2. Impacted is an unknown function of the file /sys/tenant/deleteBatch. The manipulation of the argument ids leads to improper authorization. The attack is possible to be carried out remotely. The complexity of an attack is…

  • CVE-2025-10976 · Low · Sep 25, 2025
    risk 0.20 · cvss 3.1 · epss 0.00

    A vulnerability was determined in JeecgBoot up to 3.8.2. This issue affects some unknown processing of the file /api/getDepartUserList. Executing manipulation of the argument departId can lead to improper authorization. The attack can be executed remotely. This attack is…

  • CVE-2025-10014 · Low · Sep 5, 2025
    risk 0.20 · cvss 3.1 · epss 0.00

    A flaw has been found in elunez eladmin up to 2.7. This impacts the function updateUserEmail of the file /api/users/updateEmail/ of the component Email Address Handler. Executing manipulation of the argument id/email can lead to improper authorization. The attack may be…

  • CVE-2016-0373 · Low · Aug 30, 2018
    risk 0.20 · cvss 3.1 · epss 0.01

    IBM UrbanCode Deploy 6.0 through 6.2.2.1 could allow an authenticated user to read sensitive information due to UCD REST endpoints not properly authorizing users when determining who can read data. IBM X-Force ID: 112119.

  • CVE-2026-6570 · Low · Apr 19, 2026
    risk 0.18 · cvss 2.7 · epss 0.00

    A security flaw has been discovered in kodcloud KodExplorer up to 4.52. Affected is the function initInstall of the file /app/controller/systemMember.class.php. Performing a manipulation of the argument path results in authorization bypass. The attack may be initiated remotely.…

  • CVE-2026-2733 · Low · Feb 19, 2026
    risk 0.18 · cvss 3.8 · epss 0.00

    A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access.…

  • CVE-2025-12958 · Low · Jan 7, 2026
    risk 0.18 · cvss 2.7 · epss 0.00

    The Rankology SEO and Analytics Tool plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the 'rankology_code_block' page in all versions up to, and including, 2.0. This makes it possible for authenticated attackers,…

  • CVE-2026-9306 · Low · May 23, 2026
    risk 0.17 · cvss 3.7 · epss 0.00

    A security vulnerability has been detected in QuantumNous new-api up to 0.12.1. This affects the function RelayMidjourneyImage/GetByOnlyMJId of the file router/relay-router.go of the component Midjourney Image Relay Endpoint. Such manipulation leads to authorization bypass. The…

  • CVE-2025-2397 · Low · Mar 17, 2025
    risk 0.16 · cvss 2.4 · epss 0.00

    A vulnerability was found in China Mobile P22g-CIac, ZXWT-MIG-P4G4V, ZXWT-MIG-P8G8V, GT3200-4G4P and GT3200-8G8P up to 20250305. It has been declared as problematic. This vulnerability affects unknown code of the component Telnet Service. The manipulation leads to improper…

  • CVE-2014-6049 · Low · Aug 28, 2018
    risk 0.14 · cvss 2.7 · epss 0.03

    phpMyFAQ before 2.8.13 allows remote authenticated users with admin privileges to bypass authorization via a crafted instance ID parameter.

  • CVE-2026-40963 · Low · Jun 1, 2026
    risk 0.13 · cvss 3.1 · epss 0.00

    The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency…

  • CVE-2026-12065 · Low · Jun 12, 2026
    risk 0.12 · cvss 1.8 · epss 0.00

    A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url scheme. It is possible to launch the…

  • CVE-2026-39347 · Low · Apr 7, 2026
    risk 0.11 · cvss 2.7 · epss 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking integrity of finalized appraisal…

  • CVE-2026-2974 · Low · Feb 23, 2026
    risk 0.09 · cvss 2.5 · epss 0.00

    A vulnerability was identified in AliasVault App up to 0.25.3 on Android/iOS. This vulnerability affects unknown code of the file shared_prefs/aliasvault.xml of the component Backup Handler. The manipulation of the argument accessToken/refreshToken/metadata/key_derivation_params/…

  • CVE-2019-16328 · Oct 3, 2019
    risk 0.09 · cvss (not given) · epss 0.13

    In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings.

  • CVE-2026-46668 · Low · Jun 10, 2026
    risk 0.08 · cvss (not given) · epss 0.00

    SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0.