VYPR

CWE-862

Missing Authorization

Abstraction: Class
Status: Incomplete
Likelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

  • CVE-2025-42993 | Medium | Jun 10, 2025
    risk 0.44, cvss 6.7, epss 0.00

    Due to a missing authorization check vulnerability in SAP S/4HANA (Enterprise Event Enablement), an attacker with access to the Inbound Binding Configuration could create an RFC destination and assign an arbitrary high-privilege user. This allows the attacker to consume events…

  • CVE-2024-20413 | Medium | Aug 28, 2024
    risk 0.44, cvss 6.7, epss 0.00

    A vulnerability in Cisco NX-OS Software could allow an authenticated, local attacker with privileges to access the Bash shell to elevate privileges to network-admin on an affected device. This vulnerability is due to insufficient security restrictions when executing…

  • CVE-2024-32656 | High | Apr 22, 2024
    risk 0.44, cvss 7.8, epss 0.00

    Ant Media Server is live streaming engine software. A local privilege escalation vulnerability is present in versions 2.6.0 through 2.8.2 that allows any unprivileged operating system user account to escalate privileges to the root user account on the system. This vulnerability…

  • CVE-2020-10684 | High | Mar 24, 2020
    risk 0.44, cvss 7.9, epss 0.00

    A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker…

  • CVE-2017-8083 | Medium | Jun 6, 2017
    risk 0.44, cvss 6.7, epss 0.00

    CompuLab Intense PC and MintBox 2 devices with BIOS before 2017-05-21 do not use the CloseMnf protection mechanism for write protection of flash memory regions, which allows local users to install a firmware rootkit by leveraging administrative privileges.

  • CVE-2017-6598 | Medium | Apr 7, 2017
    risk 0.44, cvss 6.7, epss 0.00

    A vulnerability in the debug plug-in functionality of the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to execute arbitrary…

  • CVE-2026-49822 | High | Jun 10, 2026
    risk 0.43, cvss 7.7, epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a low-privilege developer who could create a KubernetesWatchTrigger (KWT) in their own namespace was able to…

  • CVE-2026-49821 | High | Jun 10, 2026
    risk 0.43, cvss 7.7, epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace…

  • CVE-2026-44754 | Medium | Jun 9, 2026
    risk 0.43, cvss 6.6, epss 0.00

    The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with its…

  • CVE-2026-43885 | High | May 11, 2026
    risk 0.43, cvss n/a, epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints (e.g. users_list) without logging in. Commit…

  • CVE-2026-43580 | High | May 6, 2026
    risk 0.43, cvss 7.7, epss 0.00

    OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security…

  • CVE-2026-43573 | High | May 5, 2026
    risk 0.43, cvss 7.7, epss 0.00

    OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.

  • CVE-2026-42436 | High | May 5, 2026
    risk 0.43, cvss 7.7, epss 0.00

    OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or…

  • CVE-2025-10040 | High | Sep 10, 2025
    risk 0.43, cvss 7.7, epss 0.00

    The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated…

  • CVE-2024-11423 | High | Jan 8, 2025
    risk 0.43, cvss 7.5, epss 0.01

    The Ultimate Gift Cards for WooCommerce – Create WooCommerce Gift Cards, Gift Vouchers, Redeem & Manage Digital Gift Coupons. Offer Gift Certificates, Schedule Gift Cards, and Use Advance Coupons With Personalized Templates plugin for WordPress is vulnerable to unauthorized…

  • CVE-2023-47681 | Medium | Jun 19, 2024
    risk 0.43, cvss 6.5, epss 0.09

    Missing Authorization vulnerability in QuadLayers WooCommerce Checkout Manager. This issue affects WooCommerce Checkout Manager: from n/a through 7.3.0.

  • CVE-2023-3442 | High | Jul 26, 2023
    risk 0.43, cvss 7.7, epss 0.01

    A missing authorization vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply the 1.38.1 version of the Jenkins…

  • CVE-2017-6635 | Medium | May 22, 2017
    risk 0.43, cvss 6.5, epss 0.10

    A vulnerability in the web interface of Cisco Prime Collaboration Provisioning Software (prior to Release 12.1) could allow an authenticated, remote attacker to delete any file from an affected system. The vulnerability exists because the affected software does not perform…

  • CVE-2026-54190 | Medium | Jun 16, 2026
    risk 0.42, cvss 6.5, epss 0.00

    Unauthenticated Broken Access Control in Envira Photo Gallery <= 1.12.5 versions.

  • CVE-2026-40809 | Medium | Jun 16, 2026
    risk 0.42, cvss 6.5, epss 0.00

    Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.4.1.