VYPR

CWE-862

Missing Authorization

Abstraction: Class · Status: Incomplete · Likelihood of exploit: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
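
As an added illustration of this weakness (example code written for this page, not taken from the CWE entry or from any of the products listed below), the following Python models a "delete document" operation twice: once with the authorization check missing, once with it present. The in-memory store, the users alice, bob and carol, their roles, and every helper name are constructed for the example; authentication is assumed to have already happened, since the weakness is about what is checked after the caller is known.

```python
# Added example for CWE-862 (not code from the CWE entry or any listed product).
# Everything here is constructed: an in-memory document store, three users and a
# "delete document" operation. Authentication is assumed done (the caller already
# knows which user is calling); the flaw is that the vulnerable handler never asks
# whether that user is allowed to act on *this* document.
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]   # server-side truth about the user; never taken from the request


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str


class Forbidden(Exception):
    """Raised when an authenticated user lacks permission for the action."""


# Constructed sample principals; "carol" is the only administrator.
USERS = {
    "alice": User("alice", frozenset({"user"})),
    "bob": User("bob", frozenset({"user"})),
    "carol": User("carol", frozenset({"user", "admin"})),
}


def make_store() -> Dict[int, Document]:
    """Fresh copy of the constructed sample data, so each call sequence starts clean."""
    return {
        1: Document(1, "alice", "alice's private notes"),
        2: Document(2, "bob", "bob's quarterly report"),
    }


def delete_document_vulnerable(store: Dict[int, Document], user: User, doc_id: int) -> bool:
    """CWE-862: the caller is authenticated, but nothing checks that `user` may
    delete document `doc_id`. Hiding the delete button in the UI for non-owners
    (or handing the UI a 'permissions' field) changes nothing here: the endpoint
    is still reachable with a hand-crafted request, and any logged-in user can
    delete anyone's document."""
    if doc_id not in store:
        return False
    del store[doc_id]
    return True


def can_delete(user: User, doc: Document) -> bool:
    """The authorization decision, computed only from server-side state:
    the owner of the document, or any administrator, may delete it."""
    return doc.owner == user.name or "admin" in user.roles


def delete_document_fixed(store: Dict[int, Document], user: User, doc_id: int) -> bool:
    """Same operation with the missing check added. The check runs on every
    request, after the object is resolved and before any state changes."""
    doc = store.get(doc_id)
    if doc is None:
        return False
    if not can_delete(user, doc):
        raise Forbidden(f"{user.name} is not allowed to delete document {doc_id}")
    del store[doc_id]
    return True


def attempt(handler, store: Dict[int, Document], user: User, doc_id: int) -> str:
    """Drive a handler and report the outcome as "deleted", "forbidden" or "missing"."""
    try:
        return "deleted" if handler(store, user, doc_id) else "missing"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # bob (a plain user) tries to delete alice's document through both handlers.
    print("vulnerable:", attempt(delete_document_vulnerable, make_store(), USERS["bob"], 1))  # deleted
    print("fixed:     ", attempt(delete_document_fixed, make_store(), USERS["bob"], 1))       # forbidden
```

Run it directly to see bob succeed against the vulnerable handler and be refused by the fixed one. Two points a reviewer should look for in real code: the fixed handler decides from server-side data (the document's owner and the user's roles) and never from anything the client sent, because a front end that merely hides a button, or a permissions field echoed back to the browser, stops nobody who crafts the request by hand; and because the fixed handler resolves the object before authorizing, a non-owner can tell "missing" from "forbidden", which is fine for most applications but should be collapsed into one response where the existence of an object is itself sensitive.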

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

  • CVE-2018-8028 · High · Aug 23, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An authenticated user can execute ALTER TABLE EXCHANGE PARTITIONS without being authorized by Apache Sentry before 2.0.1. This can allow an attacker unauthorized access to the partitioned data of a Sentry protected table and can allow an attacker to remove data from a Sentry…

  • CVE-2017-2652 · High · Jul 27, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    It was found that there were no permission checks performed in the Distributed Fork plugin before and including 1.5.0 for Jenkins that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary…

  • CVE-2017-7530 · High · Jul 26, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.02

    In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute…

  • CVE-2018-2436 · High · Jul 10, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Executing transaction WRCK in SAP R/3 Enterprise Retail (EHP6) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

  • CVE-2018-0336 · High · Jun 7, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.02

    A vulnerability in the batch provisioning feature of Cisco Prime Collaboration Provisioning could allow an authenticated, remote attacker to escalate privileges to the Administrator level. The vulnerability is due to insufficient authorization enforcement on batch processing. An…

  • CVE-2018-0322 · High · Jun 7, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.03

    A vulnerability in the web management interface of Cisco Prime Collaboration Provisioning (PCP) could allow an authenticated, remote attacker to modify sensitive data that is associated with arbitrary accounts on an affected device. The vulnerability is due to a failure to…

  • CVE-2018-0317 · High · Jun 7, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.03

    A vulnerability in the web interface of Cisco Prime Collaboration Provisioning (PCP) could allow an authenticated, remote attacker to escalate their privileges. The vulnerability is due to insufficient web portal access control checks. An attacker could exploit this…

  • CVE-2018-2381 · High · Feb 14, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    SAP ERP Financials Information System (SAP_APPL 6.00, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16; SAP_FIN 6.17, 6.18, 7.00, 7.20, 7.30; S4CORE 1.00, 1.01, 1.02) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

  • CVE-2017-17665 · High · Dec 13, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    In Octopus Deploy before 4.1.3, the machine update process doesn't check that the user has access to all environments. This allows an access-control bypass because the set of environments to which a machine is scoped may include environments in which the user lacks access.

  • CVE-2017-1000056 · Critical · Jul 17, 2017
    risk 0.57 · CVSS 9.8 · EPSS 0.02

    Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability to make use of any existing PodSecurityPolicy object.

  • CVE-2017-6565 · High · May 1, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the roleDiag user, which can be obtained by exploiting CVE-2013-7247, has the ability to upload files to the server hosting the web service. As no sanitization checks are in place, an attacker can upload a malicious…

  • CVE-2017-7622 · High · Apr 10, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    dde-daemon, the daemon process of DDE (Deepin Desktop Environment) 15.0 through 15.3, runs with root privileges and hardly does anything to identify the user who calls the function through D-Bus. Anybody can change the grub config, even to append some arguments to make a…

  • CVE-2017-6369 · High · Mar 24, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.03

    Insufficient checks in the UDF subsystem in Firebird 2.5.x before 2.5.7 and 3.0.x before 3.0.2 allow remote authenticated users to execute code by using a 'system' entrypoint from fbudf.so.

  • CVE-2015-8840 · High · Apr 8, 2016
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp,…

  • CVE-2026-34024 · High · Jun 15, 2026
    risk 0.56 · CVSS not listed · EPSS 0.00

    The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly…

  • CVE-2026-8077 · High · May 8, 2026
    risk 0.56 · CVSS not listed · EPSS 0.00

    Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an…

  • CVE-2025-69063 · High · Feb 20, 2026
    risk 0.56 · CVSS 8.6 · EPSS 0.00

    Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects New User Approve: from n/a through <= 3.2.0.

  • CVE-2025-12061 · High · Nov 26, 2025
    risk 0.56 · CVSS 8.6 · EPSS 0.00

    The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements.

  • CVE-2025-12384 · High · Nov 5, 2025
    risk 0.56 · CVSS 8.6 · EPSS 0.00

    The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to unauthorized access/modification/loss of data in all versions up to, and including, 2.0.0. This is due to the plugin not properly verifying that a user is authorized to…

  • CVE-2025-49916 · High · Oct 22, 2025
    risk 0.56 · CVSS 8.6 · EPSS 0.00

    Missing Authorization vulnerability in MultiVendorX MultiVendorX dc-woocommerce-multi-vendor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MultiVendorX: from n/a through <= 4.2.23.