VYPR

CWE-285

Improper Authorization

Class · Draft · Likelihood: High

Description

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-104 · CAPEC-127 · CAPEC-13 · CAPEC-17 · CAPEC-39 · CAPEC-402 · CAPEC-45 · CAPEC-5 · CAPEC-51 · CAPEC-59 · CAPEC-60 · CAPEC-647 · CAPEC-668 · CAPEC-76 · CAPEC-77 · CAPEC-87

CVEs mapped to this weakness (812)

page 32 of 41
  • CVE-2025-29778 · Mar 24, 2025
    risk 0.00 · cvss · epss 0.00

    Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying an artifact's signature with keyless mode. It allows the attacker to deploy kubernetes resources with the…

  • CVE-2025-29926 · Mar 19, 2025
    risk 0.00 · cvss · epss 0.01

    XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled…

  • CVE-2024-44314 · Mar 18, 2025
    risk 0.00 · cvss · epss 0.00

    TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the Orders Management System, allowing unauthorized users to update order statuses. The issue occurs in the index_onUpdateStatus() function within Orders.php, which fails to verify if the user has…

  • CVE-2025-27602 · Mar 11, 2025
    risk 0.00 · cvss · epss 0.00

    Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media…

  • CVE-2025-27601 · Mar 11, 2025
    risk 0.00 · cvss · epss 0.00

    Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified in Umbraco's API management package prior to versions 15.2.3 and 14.3.3, allowing low-privilege, authenticated users to create and update data type information…

  • CVE-2024-47053 · Feb 26, 2025
    risk 0.00 · cvss · epss 0.01

    This advisory addresses an authorization vulnerability in Mautic's HTTP Basic Authentication implementation. This flaw could allow unauthorized access to sensitive report data. * Improper Authorization: An authorization flaw exists in Mautic's API Authorization…

  • CVE-2025-25196 · Feb 19, 2025
    risk 0.00 · cvss · epss 0.00

    OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA < v1.8.4 (Helm chart < openfga-0.2.22, docker < v.1.8.4) are vulnerable to authorization bypass when certain Check and ListObject calls are…

  • CVE-2025-24434 · Feb 11, 2025
    risk 0.00 · cvss · epss 0.16

    Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain…

  • CVE-2025-24409 · Feb 11, 2025
    risk 0.00 · cvss · epss 0.01

    Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain…

  • CVE-2025-24397 · Jan 22, 2025
    risk 0.00 · cvss · epss 0.00

    An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in…

  • CVE-2025-23042 · Jan 14, 2025
    risk 0.00 · cvss · epss 0.01

    Gradio is an open-source Python package that allows quick building of demos and web applications for machine learning models, APIs, or any arbitrary Python function. Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or…

  • CVE-2024-56323 · Jan 13, 2025
    risk 0.00 · cvss · epss 0.00

    OpenFGA is an authorization/permission engine. OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses…

  • CVE-2024-50701 · Dec 30, 2024
    risk 0.00 · cvss · epss 0.00

    TeamPass before 3.1.3.1, when retrieving information about access rights for a folder, does not properly check whether a folder is in a user's allowed folders list that has been defined by an admin.

  • CVE-2024-50702 · Dec 30, 2024
    risk 0.00 · cvss · epss 0.00

    TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager.

  • CVE-2024-51479 · Dec 17, 2024
    risk 0.00 · cvss · epss 0.04

    Next.js is a React framework for building full-stack web applications. In affected versions, if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root…

  • CVE-2024-55633 · Dec 12, 2024
    risk 0.00 · cvss · epss 0.03

    Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database…

  • CVE-2024-53949 · Dec 9, 2024
    risk 0.00 · cvss · epss 0.01

    Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API. This issue affects Apache Superset: from 2.0.0 before 4.1.0. Users are recommended to upgrade to version 4.1.0,…

  • CVE-2024-45691 · Nov 20, 2024
    risk 0.00 · cvss · epss 0.00

    A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to "magic hash" values.

  • CVE-2024-45689 · Nov 20, 2024
    risk 0.00 · cvss · epss 0.00

    A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.

  • CVE-2024-48901 · Nov 18, 2024
    risk 0.00 · cvss · epss 0.00

    A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report.