VYPR

CWE-862

Missing Authorization

Abstraction: Class
Status: Incomplete
Likelihood of exploit: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
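The pattern the description names is easiest to see as code: a handler that confirms someone is logged in and then acts, versus the same handler that also asks whether this caller may perform this action on this target. The block below is an added example written for this page, not code from this site or from any product in the CVE list. It is a constructed, in-memory model of a plugin-style "update option" action: the role and capability names, the option names and the nonce values are hypothetical, loosely patterned on the WordPress capability and nonce checks whose absence the listed entries describe.

```python
import hmac
from dataclasses import dataclass

# Hypothetical role -> capability map, loosely modelled on WordPress roles.
ROLE_CAPS = {
    "administrator": {"manage_options", "edit_listing"},
    "shop_manager": {"edit_listing"},
    "customer": set(),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


class Denied(Exception):
    """Raised when a handler refuses the request."""


def has_cap(user: User, cap: str) -> bool:
    """True if any of the user's roles grants the capability."""
    return any(cap in ROLE_CAPS.get(role, set()) for role in user.roles)


def fresh_options() -> dict:
    """Constructed site options; admin_email is the value an attacker would want to rewrite."""
    return {"admin_email": "owner@example.com", "users_can_register": "0"}


def vulnerable_update_option(options, user, key, value):
    """CWE-862 shape: the only gate is 'is someone logged in?'. Any
    authenticated actor, including a customer-level account, can write
    any option, the same shape as the AJAX-action issues listed on this page."""
    if user is None:
        raise Denied("login required")
    options[key] = value
    return options[key]


# Options this action is actually meant to manage (hypothetical names).
ALLOWED_OPTIONS = {"shipment_email_subject", "shipment_email_body"}


def hardened_update_option(options, user, key, value, nonce, expected_nonce):
    """Same action with authorization done explicitly and deny by default:
    authentication, then a CSRF nonce, then the capability the action
    needs, then an allow-list of the options it may touch."""
    if user is None:
        raise Denied("login required")
    if not nonce or not hmac.compare_digest(nonce, expected_nonce):
        raise Denied("bad nonce")
    if not has_cap(user, "manage_options"):
        raise Denied("insufficient capability")
    if key not in ALLOWED_OPTIONS:
        raise Denied("option not updatable through this action")
    options[key] = value
    return options[key]


def attempt(handler, *args):
    """Run a handler and report the outcome as a string, so results can be
    compared without exception handling."""
    try:
        return "ok:" + str(handler(*args))
    except Denied as exc:
        return "denied:" + str(exc)


if __name__ == "__main__":
    customer = User("mallory", frozenset({"customer"}))
    admin = User("alice", frozenset({"administrator"}))
    opts = fresh_options()
    # Vulnerable handler: a customer rewrites the site's admin e-mail.
    print(attempt(vulnerable_update_option, opts, customer, "admin_email", "mallory@attacker.example"))
    opts = fresh_options()
    # Hardened handler: customer refused, admin limited to the allow-listed options.
    print(attempt(hardened_update_option, opts, customer, "admin_email", "x", "n1", "n1"))
    print(attempt(hardened_update_option, opts, admin, "admin_email", "x", "n1", "n1"))
    print(attempt(hardened_update_option, opts, admin, "shipment_email_subject", "Your order shipped", "n1", "n1"))
```

The order of the checks in the hardened handler matters less than the fact that each one is a separate decision: "logged in" is authentication, the nonce ties the request to a page the user actually loaded, the capability check is the authorization CWE-862 is about, and the allow-list bounds what the action can reach even for a caller who holds the capability.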

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 5 of 278
  • CVE-2021-4347 | Critical | Jun 7, 2023
    risk 0.64 | cvss 9.9 | epss 0.01

    The function update_shipment_status_email_status_fun in the plugin Advanced Shipment Tracking for WooCommerce in versions up to 3.2.6 is vulnerable to authenticated arbitrary options update. The function allows attackers (including those at customer level) to update any…

  • CVE-2021-4346 | Critical | Jun 7, 2023
    risk 0.64 | cvss 9.8 | epss 0.01

    The uListing plugin for WordPress is vulnerable to Unauthenticated Arbitrary Account Changes in versions up to, and including, 1.6.6. This is due to missing login checks on the stm_listing_profile_edit AJAX action. This makes it possible for unauthenticated attackers to edit any…

  • CVE-2021-4343 | Critical | Jun 7, 2023
    risk 0.64 | cvss 9.8 | epss 0.01

    The Unauthenticated Account Creation plugin for WordPress is vulnerable to Unauthenticated Account Creation in versions up to, and including, 1.6.6. This is due to the stm_listing_register AJAX action function being accessible and taking roles unprotected. This makes it possible…

  • CVE-2021-4341 | Critical | Jun 7, 2023
    risk 0.64 | cvss 9.8 | epss 0.01

    The uListing plugin for WordPress is vulnerable to authorization bypass via Ajax due to missing capability checks, missing input validation, and a missing security nonce in the stm_update_email_data AJAX action in versions up to, and including, 1.6.6. This makes it possible for…

  • CVE-2023-1114 | Critical | Mar 1, 2023
    risk 0.64 | cvss 9.8 | epss 0.01

    Missing Authorization vulnerability in Eskom e-Belediye allows Information Elicitation. This issue affects e-Belediye: from 1.0.0.95 before 1.0.0.100.

  • CVE-2023-0556 | Critical | Jan 27, 2023
    risk 0.64 | cvss 9.8 | epss 0.01

    The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions in versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to obtain the blog metadata (via the function…

  • CVE-2018-16591 | Critical | Sep 10, 2018
    risk 0.64 | cvss 9.8 | epss 0.02

    FURUNO FELCOM 250 and 500 devices allow unauthenticated users to change the password for the Admin, Log and Service accounts, as well as the password for the protected "SMS" panel via /cgi-bin/sm_changepassword.cgi and /cgi-bin/sm_sms_changepasswd.cgi.

  • CVE-2018-11541 | Critical | Jul 9, 2018
    risk 0.64 | cvss 9.8 | epss 0.02

    A root privilege escalation vulnerability in the Sonus SBC 1000 / SBC 2000 / SBC SWe Lite web interface allows unauthorised access to privileged content via an unspecified vector. It affects the 1000 and 2000 devices 6.0.x up to Build 446, 6.1.x up to Build 492, and 7.0.x up to…

  • CVE-2018-8755 | Critical | Jun 25, 2018
    risk 0.64 | cvss 9.8 | epss 0.01

    NuCom WR644GACV devices before STA006 allow an attacker to download the configuration file without credentials. By downloading this file, an attacker can access the admin password, WPA key, and any config information of the device.

  • CVE-2018-10251 | Critical | May 4, 2018
    risk 0.64 | cvss 9.8 | epss 0.04

    A vulnerability in Sierra Wireless AirLink GX400, GX440, ES440, and LS300 routers with firmware before 4.4.7 and GX450, ES450, RV50, RV50X, MP70, and MP70E routers with firmware before 4.9.3 could allow an unauthenticated remote attacker to execute arbitrary code and gain full…

  • CVE-2018-0015 | Critical | Feb 22, 2018
    risk 0.64 | cvss 9.8 | epss 0.01

    A malicious user with unrestricted access to the AppFormix application management platform may be able to access a Python debug console and execute system commands with root privilege. The AppFormix Agent exposes the debug console on a host where AppFormix Agent is executing. If…

  • CVE-2018-5377 | Critical | Jan 12, 2018
    risk 0.64 | cvss 9.8 | epss 0.02

    Discuz! DiscuzX X3.4 allows remote attackers to bypass intended access restrictions via the archiver\index.php action parameter.

  • CVE-2017-12582 | Critical | Aug 18, 2017
    risk 0.64 | cvss 9.8 | epss 0.01

    Unprivileged users can access all functions in the Surveillance Station component in QNAP TS212P devices with firmware 4.2.1 build 20160601. An unprivileged user cannot log in at the front end, but with that unprivileged user's SID, all functions of Surveillance Station can be accessed.

  • CVE-2017-9232 | Critical | May 28, 2017
    risk 0.64 | cvss 9.8 | epss 0.48

    Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalation by users on the system to root.

  • CVE-2018-7702 | Critical | Mar 15, 2018
    risk 0.63 | cvss 9.1 | epss 0.15

    SecurEnvoy SecurMail before 9.2.501 allows remote attackers to spoof transmission of arbitrary e-mail messages, resend e-mail messages to arbitrary recipients, or modify arbitrary message bodies and attachments by leveraging missing authentication and authorization.

  • CVE-2026-50084 | Critical | Jun 12, 2026
    risk 0.62 | cvss 9.6 | epss 0.00

    The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical).…

  • CVE-2026-47281 | Critical | Jun 9, 2026
    risk 0.62 | cvss 9.6 | epss 0.01

    Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

  • CVE-2025-42989 | Critical | Jun 10, 2025
    risk 0.62 | cvss 9.6 | epss 0.00

    RFC inbound processing does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation the attacker could critically impact both integrity and availability of the application.

  • CVE-2024-10629 | High | Nov 13, 2024
    risk 0.62 | cvss 8.8 | epss 0.02

    The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv_file_upload() function in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with…

  • CVE-2026-4764 | Critical | Jun 11, 2026
    risk 0.61 | cvss (none listed) | epss 0.00

    A Missing Authorization vulnerability in the playbook import functionality in Dialogflow CX on Google Cloud Platform allows an authenticated user with specific roles to escalate privileges and potentially take over a GCP project using a maliciously crafted playbook import. …