VYPR

CWE-285

Improper Authorization

Class · Draft · Likelihood: High

Description

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-104 · CAPEC-127 · CAPEC-13 · CAPEC-17 · CAPEC-39 · CAPEC-402 · CAPEC-45 · CAPEC-5 · CAPEC-51 · CAPEC-59 · CAPEC-60 · CAPEC-647 · CAPEC-668 · CAPEC-76 · CAPEC-77 · CAPEC-87

CVEs mapped to this weakness (812)

page 6 of 41
  • CVE-2017-1002151 · High · Sep 14, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    Pagure 3.3.0 and earlier is vulnerable to loss of confidentiality due to improper authorization

  • CVE-2016-1000219 · High · Jun 16, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as…

  • CVE-2017-7484 · High · May 12, 2017
    risk 0.49 · cvss 7.5 · epss 0.03

    It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information.…

  • CVE-2015-1000007 · High · Oct 6, 2016
    risk 0.49 · cvss 7.5 · epss 0.02

    Remote file download vulnerability in wptf-image-gallery v1.03

  • CVE-2020-36714 · High · Oct 20, 2023
    risk 0.48 · cvss 7.4 · epss 0.00

    The Brizy plugin for WordPress is vulnerable to authorization bypass due to an incorrect capability check on the is_administrator() function in versions up to, and including, 1.0.125. This makes it possible for authenticated attackers to access and interact with available AJAX…

  • CVE-2016-4531 · High · Jul 28, 2016
    risk 0.48 · cvss 7.3 · epss 0.08

    Rockwell Automation FactoryTalk EnergyMetrix before 2.20.00 does not invalidate credentials upon a logout action, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.

  • CVE-2026-12204 · High · Jun 15, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A vulnerability was determined in ShopXO up to 6.7.1. This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint. Executing a manipulation can lead to…

  • CVE-2026-10236 · High · Jun 1, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A vulnerability has been found in SourceCodester Water Billing Management System 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save of the component User Management Endpoint. Such manipulation leads to improper authorization. The attack may be…

  • CVE-2026-45371 · High · May 14, 2026
    risk 0.47 · cvss · epss 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInterval, POST…

  • CVE-2026-7644 · High · May 2, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the…

  • CVE-2026-6977 · High · Apr 25, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been…

  • CVE-2026-6105 · High · Apr 11, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The…

  • CVE-2026-5842 · High · Apr 9, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out…

  • CVE-2026-5642 · High · Apr 6, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown function of the file /viva/update.php of the component HTTP POST Request Handler. This manipulation of the argument Name causes improper…

  • CVE-2026-4990 · High · Mar 27, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A security vulnerability has been detected in chatwoot up to 4.11.1. The affected element is an unknown function of the file /app/login of the component Signup Endpoint. Such manipulation of the argument signupEnabled with the input true leads to improper authorization. The…

  • CVE-2026-4617 · High · Mar 24, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A weakness has been identified in SourceCodester Patients Waiting Area Queue Management System 1.0. The impacted element is the function ValidateToken of the file /php/api_patient_checkin.php of the component Patient Check-In Module. Executing a manipulation can lead to improper…

  • CVE-2026-3764 · High · Mar 8, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A vulnerability was determined in SourceCodester Client Database Management System 1.0. The impacted element is an unknown function of the file /superadmin_user_update.php. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has…

  • CVE-2026-3762 · High · Mar 8, 2026
    risk 0.47 · cvss 7.3 · epss 0.01

    A vulnerability has been found in SourceCodester Client Database Management System 1.0/3.1. Impacted is an unknown function of the file /superadmin_delete_manager.php of the component Endpoint. The manipulation of the argument manager_id leads to improper authorization. It is…

  • CVE-2026-3734 · High · Mar 8, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A flaw has been found in SourceCodester Client Database Management System 1.0. Affected is an unknown function of the file /fetch_manager_details.php of the component Endpoint. This manipulation of the argument manager_id causes improper authorization. The attack can be…

  • CVE-2026-2896 · High · Feb 22, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A weakness has been identified in funadmin up to 7.1.0-rc4. This affects the function setConfig of the file app/backend/controller/Ajax.php of the component Configuration Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely.…