VYPR

CWE-862

Missing Authorization

Abstraction: Class
Status: Incomplete
Likelihood of exploit: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 40 of 278
  • CVE-2020-36696 | High | Jun 7, 2023
    risk 0.49, CVSS 7.5, EPSS 0.01

    The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_downloads() function in versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to download…

  • CVE-2023-33252 | High | May 21, 2023
    risk 0.49, CVSS 7.5, EPSS 0.01

    iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.

  • CVE-2022-36091 | High | Sep 8, 2022
    risk 0.49, CVSS 7.5, EPSS 0.01

    XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal…

  • CVE-2022-38370 | High | Sep 5, 2022
    risk 0.49, CVSS 7.5, EPSS 0.01

    Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of database. Users should upgrade to version 0.13.1 which addresses this issue.

  • CVE-2022-26650 | High | May 17, 2022
    risk 0.49, CVSS 7.5, EPSS 0.02

    In Apache ShenYu, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can allow an attacker to pass in malicious regular expressions and characters…

  • CVE-2020-5228 | High | Jan 30, 2020
    risk 0.49, CVSS 7.6, EPSS 0.01

    Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active intervention by users to protect media. This leads to users unknowingly…

  • CVE-2018-7792 | High | Aug 29, 2018
    risk 0.49, CVSS 7.5, EPSS 0.01

    A Permissions, Privileges, and Access Control vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). The vulnerability allows unauthorized users to decode the password using a rainbow table.

  • CVE-2018-5135 | High | Jun 11, 2018
    risk 0.49, CVSS 7.5, EPSS 0.02

    WebExtensions can bypass normal restrictions in some circumstances and use "browser.tabs.executeScript" to inject scripts into contexts where this should not be allowed, such as pages from other WebExtensions or unprivileged "about:" pages. This vulnerability affects Firefox <…

  • CVE-2018-5113 | High | Jun 11, 2018
    risk 0.49, CVSS 7.5, EPSS 0.02

    The "browser.identity.launchWebAuthFlow" function of WebExtensions is only allowed to load content over "https:" but this requirement was not properly enforced. This can potentially allow privileged pages to be loaded by the extension. This vulnerability affects Firefox < 58.

  • CVE-2018-8012 | High | May 21, 2018
    risk 0.49, CVSS 7.5, EPSS 0.09

    No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result, an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader.

  • CVE-2017-10846 | High | Sep 15, 2017
    risk 0.49, CVSS 7.5, EPSS 0.02

    Wi-Fi STATION L-02F Software version V10b and earlier allows remote attackers to bypass access restrictions to obtain information on device settings via unspecified vectors.

  • CVE-2017-1002151 | High | Sep 14, 2017
    risk 0.49, CVSS 7.5, EPSS 0.01

    Pagure 3.3.0 and earlier is vulnerable to loss of confidentiality due to improper authorization.

  • CVE-2017-1002007 | High | Sep 14, 2017
    risk 0.49, CVSS 7.5, EPSS 0.03

    Vulnerability in WordPress plugin DTracker v1.5: the code dtracker/save_mail.php doesn't check that the user is authorized before injecting new contacts into the wp_contact table.

  • CVE-2017-1002006 | High | Sep 14, 2017
    risk 0.49, CVSS 7.5, EPSS 0.03

    Vulnerability in WordPress plugin DTracker v1.5: the code dtracker/save_contact.php doesn't check that the user is authorized before injecting new contacts into the wp_contact table.

  • CVE-2017-7548 | High | Aug 16, 2017
    risk 0.49, CVSS 7.5, EPSS 0.04

    PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an authorization flaw allowing remote authenticated attackers with no privileges on a large object to overwrite the entire contents of the object, resulting in a denial of service.

  • CVE-2017-11135 | High | Aug 1, 2017
    risk 0.49, CVSS 7.5, EPSS 0.01

    An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. The logout mechanism does not check for authorization. Therefore, an attacker only needs to know the device ID. This causes a denial of service.…

  • CVE-2017-5136 | High | Feb 5, 2017
    risk 0.49, CVSS 7.5, EPSS 0.02

    An issue was discovered on SendQuick Entera and Avera devices before 2HF16. The application failed to check the access control of the request, which could result in an attacker being able to shut down the system.

  • CVE-2026-42439 | High | May 5, 2026
    risk 0.48, CVSS 8.5, EPSS 0.00

    OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab…

  • CVE-2026-35561 | High | Apr 3, 2026
    risk 0.48, CVSS 7.4, EPSS 0.00

    Insufficient authentication security controls in the browser-based authentication components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to intercept or hijack authentication sessions due to insufficient protections in the browser-based authentication…

  • CVE-2025-68043 | High | Feb 20, 2026
    risk 0.48, CVSS 7.3, EPSS 0.01

    Missing Authorization vulnerability in LottieFiles LottieFiles lottiefiles allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LottieFiles: from n/a through <= 3.0.0.