CWE-862
Missing Authorization
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (5,549)
Page 40 of 278

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-36696 | | High | 0.49 | 7.5 | 0.01 | | Jun 7, 2023 | The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_downloads() function in versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to download… |
| CVE-2023-33252 | — | High | 0.49 | 7.5 | 0.01 | | May 21, 2023 | iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus. |
| CVE-2022-36091 | | High | 0.49 | 7.5 | 0.01 | | Sep 8, 2022 | XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal… |
| CVE-2022-38370 | — | High | 0.49 | 7.5 | 0.01 | | Sep 5, 2022 | Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of the database. Users should upgrade to version 0.13.1, which addresses this issue. |
| CVE-2022-26650 | | High | 0.49 | 7.5 | 0.02 | | May 17, 2022 | In Apache ShenYu, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker to pass in malicious regular expressions and characters… |
| CVE-2020-5228 | | High | 0.49 | 7.6 | 0.01 | | Jan 30, 2020 | Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active intervention by users to protect media. This leads to users unknowingly… |
| CVE-2018-7792 | | High | 0.49 | 7.5 | 0.01 | | Aug 29, 2018 | A Permissions, Privileges, and Access Control vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). The vulnerability allows unauthorized users to decode the password using a rainbow table. |
| CVE-2018-5135 | | High | 0.49 | 7.5 | 0.02 | | Jun 11, 2018 | WebExtensions can bypass normal restrictions in some circumstances and use "browser.tabs.executeScript" to inject scripts into contexts where this should not be allowed, such as pages from other WebExtensions or unprivileged "about:" pages. This vulnerability affects Firefox <… |
| CVE-2018-5113 | | High | 0.49 | 7.5 | 0.02 | | Jun 11, 2018 | The "browser.identity.launchWebAuthFlow" function of WebExtensions is only allowed to load content over "https:" but this requirement was not properly enforced. This can potentially allow privileged pages to be loaded by the extension. This vulnerability affects Firefox < 58. |
| CVE-2018-8012 | | High | 0.49 | 7.5 | 0.09 | | May 21, 2018 | No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result, an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader. |
| CVE-2017-10846 | | High | 0.49 | 7.5 | 0.02 | | Sep 15, 2017 | Wi-Fi STATION L-02F Software version V10b and earlier allows remote attackers to bypass access restrictions to obtain information on device settings via unspecified vectors. |
| CVE-2017-1002151 | | High | 0.49 | 7.5 | 0.01 | | Sep 14, 2017 | Pagure 3.3.0 and earlier is vulnerable to loss of confidentiality due to improper authorization. |
| CVE-2017-1002007 | | High | 0.49 | 7.5 | 0.03 | | Sep 14, 2017 | Vulnerability in WordPress plugin DTracker v1.5. The code dtracker/save_mail.php doesn't check that the user is authorized before injecting new contacts into the wp_contact table. |
| CVE-2017-1002006 | | High | 0.49 | 7.5 | 0.03 | | Sep 14, 2017 | Vulnerability in WordPress plugin DTracker v1.5. The code dtracker/save_contact.php doesn't check that the user is authorized before injecting new contacts into the wp_contact table. |
| CVE-2017-7548 | | High | 0.49 | 7.5 | 0.04 | | Aug 16, 2017 | PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an authorization flaw allowing remote authenticated attackers with no privileges on a large object to overwrite the entire contents of the object, resulting in a denial of service. |
| CVE-2017-11135 | | High | 0.49 | 7.5 | 0.01 | | Aug 1, 2017 | An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. The logout mechanism does not check for authorization. Therefore, an attacker only needs to know the device ID. This causes a denial of service.… |
| CVE-2017-5136 | | High | 0.49 | 7.5 | 0.02 | | Feb 5, 2017 | An issue was discovered on SendQuick Entera and Avera devices before 2HF16. The application failed to check the access control of the request, which could result in an attacker being able to shut down the system. |
| CVE-2026-42439 | | High | 0.48 | 8.5 | 0.00 | | May 5, 2026 | OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab… |
| CVE-2026-35561 | | High | 0.48 | 7.4 | 0.00 | | Apr 3, 2026 | Insufficient authentication security controls in the browser-based authentication components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to intercept or hijack authentication sessions due to insufficient protections in the browser-based authentication… |
| CVE-2025-68043 | | High | 0.48 | 7.3 | 0.01 | | Feb 20, 2026 | Missing Authorization vulnerability in LottieFiles LottieFiles lottiefiles allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LottieFiles: from n/a through <= 3.0.0. |