CWE-862
Missing Authorization
ClassIncompleteLikelihood: High
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (4,394)
page 220 of 220| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-30877 | Low | 0.18 | 2.7 | 0.00 | Mar 27, 2025 | Missing Authorization vulnerability in fatcatapps Quiz Cat quiz-cat allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz Cat: from n/a through <= 3.0.8. | |
| CVE-2024-51671 | Low | 0.18 | 2.7 | 0.00 | Nov 19, 2024 | Missing Authorization vulnerability in Themeisle Otter - Gutenberg Block otter-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Otter - Gutenberg Block: from n/a through <= 3.0.3. | |
| CVE-2026-23522 | Low | 0.17 | 3.7 | 0.00 | Jan 19, 2026 | LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. `userId` filter in the database query is commented out, so it's enabling attackers to delete other users' KB files if they know the knowledge base ID and file ID. While the vulnerability is confirmed, practical exploitation requires knowing target's KB ID and target's file ID. These IDs are random and not easily enumerable. However, IDs may leak through shared links, logs, referrer headers and so on. Missing authorization check is a critical security flaw regardless. Users should upgrade to version 2.0.0-next.193 to receive a patch. | |
| CVE-2025-27432 | Low | 0.16 | 2.4 | 0.00 | Mar 11, 2025 | The eDocument Cockpit (Inbound NF-e) in SAP Electronic Invoicing for Brazil allows an authenticated attacker with certain privileges to gain unauthorized access to each transaction. By executing the specific ABAP method within the ABAP system, an unauthorized attacker could call each transaction and view the inbound delivery details. This vulnerability has a low impact on the confidentiality with no effect on the integrity and the availability of the application. | |
| CVE-2022-45819 | Low | 0.16 | 3.5 | 0.00 | Dec 13, 2024 | Missing Authorization vulnerability in Popup Maker Popup Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Maker: from n/a through 1.17.1. | |
| CVE-2024-44265 | Low | 0.16 | 2.4 | 0.00 | Oct 28, 2024 | The issue was addressed by restricting options offered on a locked device. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An attacker with physical access can input Game Controller events to apps running on a locked device. | |
| CVE-2024-45284 | Low | 0.16 | 2.4 | 0.00 | Sep 10, 2024 | An authenticated attacker with high privilege can use functions of SLCM transactions to which access should be restricted. This may result in an escalation of privileges causing low impact on integrity of the application. | |
| CVE-2026-32270 | Low | 0.04 | — | 0.00 | Apr 13, 2026 | Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (order), which contains some sensitive fields such as customer email, shipping address, and billing address. The frontend payment flow's actionPay() retrieves orders by number before authorization is fully enforcedLoad order by number. This issue has been fixed in versions 4.11.0 and 5.6.0. | |
| CVE-2012-4245 | 0.00 | — | 0.01 | Aug 31, 2012 | The scriptfu network server in GIMP 2.6 does not require authentication, which allows remote attackers to execute arbitrary commands via the python-fu-eval command. | ||
| CVE-2009-3781 | 0.00 | — | 0.01 | Oct 26, 2009 | The filefield_file_download function in FileField 6.x-3.1, a module for Drupal, does not properly check node-access permissions for Drupal core private files, which allows remote attackers to access unauthorized files via unspecified vectors. | ||
| CVE-2009-2282 | 0.00 | — | 0.00 | Jul 1, 2009 | The Virtual Network Terminal Server daemon (vntsd) for Logical Domains (aka LDoms) in Sun Solaris 10, and OpenSolaris snv_41 through snv_108, on SPARC platforms does not check authorization for guest console access, which allows local control-domain users to gain guest-domain privileges via unknown vectors. | ||
| CVE-2008-6548 | 0.00 | — | 0.00 | Mar 30, 2009 | The rst parser (parser/text_rst.py) in MoinMoin 1.6.1 does not check the ACL of an included page, which allows attackers to read unauthorized include files via unknown vectors. | ||
| CVE-2006-4483 | 0.00 | — | 0.01 | Aug 31, 2006 | The cURL extension files (1) ext/curl/interface.c and (2) ext/curl/streams.c in PHP before 5.1.5 permit the CURLOPT_FOLLOWLOCATION option when open_basedir or safe_mode is enabled, which allows attackers to perform unauthorized actions, possibly related to the realpath cache. | ||
| CVE-2005-3623 | 0.00 | — | 0.01 | Dec 31, 2005 | nfs2acl.c in the Linux kernel 2.6.14.4 does not check for MAY_SATTR privilege before setting access controls (ACL) on files on exported NFS filesystems, which allows remote attackers to bypass ACLs for readonly mounted NFS filesystems. |