VYPR

CWE-862

Missing Authorization

Class | Incomplete | Likelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

  • CVE-2024-32705 | High | Jun 9, 2024
    risk 0.46 | cvss 7.1 | epss 0.00

    Missing Authorization vulnerability in reputeinfosystems ARForms arforms. This issue affects ARForms: from n/a through <= 6.4.

  • CVE-2024-32704 | High | Jun 9, 2024
    risk 0.46 | cvss 7.1 | epss 0.00

    Missing Authorization vulnerability in reputeinfosystems ARForms arforms. This issue affects ARForms: from n/a through <= 6.4.

  • CVE-2023-6966 | High | Jun 6, 2024
    risk 0.46 | cvss 8.1 | epss 0.00

    The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in all versions up to, and including, 9.6.3. This makes it…

  • CVE-2024-33912 | High | May 6, 2024
    risk 0.46 | cvss 7.1 | epss 0.00

    Missing Authorization vulnerability in Academy LMS. This issue affects Academy LMS: from n/a through 1.9.16.

  • CVE-2024-1945 | High | May 2, 2024
    risk 0.46 | cvss 7.1 | epss 0.00

    The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'arflite_remove_preview_data' function in all versions up to, and including, 1.6.4. This…

  • CVE-2023-48684 | High | Apr 29, 2024
    risk 0.46 | cvss 7.1 | epss 0.00

    Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 37758, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186.

  • CVE-2023-48683 | High | Apr 29, 2024
    risk 0.46 | cvss 7.1 | epss 0.00

    Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 37758, Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39169.

  • CVE-2024-32682 | High | Apr 22, 2024
    risk 0.46 | cvss 7.1 | epss 0.01

    Missing Authorization vulnerability in BdThemes Prime Slider – Addons For Elementor. This issue affects Prime Slider – Addons For Elementor: from n/a through 3.13.2.

  • CVE-2024-31367 | High | Apr 9, 2024
    risk 0.46 | cvss 7.1 | epss 0.00

    Missing Authorization vulnerability in PenciDesign Soledad. This issue affects Soledad: from n/a through 8.4.2.

  • CVE-2024-31366 | High | Apr 9, 2024
    risk 0.46 | cvss 7.1 | epss 0.00

    Missing Authorization vulnerability in Themify Post Type Builder (PTB). This issue affects Post Type Builder (PTB): from n/a through 2.0.8.

  • CVE-2024-1385 | High | Apr 6, 2024
    risk 0.46 | cvss 7.1 | epss 0.00

    The WP-Stateless – Google Cloud Storage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the dismiss_notices() function in all versions up to, and including, 3.4.0. This makes it possible for authenticated attackers, with…

  • CVE-2024-22257 | High | Mar 18, 2024
    risk 0.46 | cvss 8.2 | epss 0.01

    In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses the…

  • CVE-2024-1170 | High | Mar 7, 2024
    risk 0.46 | cvss 8.2 | epss 0.01

    The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the handle_deleted_media function in all…

  • CVE-2024-1072 | High | Feb 5, 2024
    risk 0.46 | cvss 8.2 | epss 0.01

    The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the seedprod_lite_new_lpage function in all versions up to,…

  • CVE-2023-37910 | High | Oct 25, 2023
    risk 0.46 | cvss 8.1 | epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with the introduction of attachment move support in version 14.0-rc-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, an attacker with edit access on any…

  • CVE-2023-37965 | High | Jul 12, 2023
    risk 0.46 | cvss 7.1 | epss 0.01

    A missing permission check in Jenkins ElasticBox CI Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2023-37949 | High | Jul 12, 2023
    risk 0.46 | cvss 7.1 | epss 0.01

    A missing permission check in Jenkins Orka by MacStadium Plugin 1.33 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2020-36720 | High | Jun 7, 2023
    risk 0.46 | cvss 7.1 | epss 0.01

    The Kali Forms plugin for WordPress is vulnerable to Authenticated Options Change in versions up to, and including, 2.1.1. This is due to the update_option lacking proper authentication checks. This makes it possible for any authenticated attacker to change (or delete) the…

  • CVE-2023-0555 | High | Jan 27, 2023
    risk 0.46 | cvss 8.1 | epss 0.01

    The Quick Restaurant Menu plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to…

  • CVE-2022-4501 | High | Dec 14, 2022
    risk 0.46 | cvss 7.1 | epss 0.01

    The Mega Addons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the vc_saving_data function in versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above,…