VYPR

CWE-862

Missing Authorization

ClassIncompleteLikelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 83 of 278
  • CVE-2019-10868MedApr 5, 2019
    risk 0.42cvss 6.5epss 0.01

    In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.

  • CVE-2019-10293MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

  • CVE-2019-10290MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.02

    A missing permission check in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

  • CVE-2019-10279MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

  • CVE-2019-1003091MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

  • CVE-2019-1003087MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.02

    A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

  • CVE-2019-1003083MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

  • CVE-2019-1003081MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.02

    A missing permission check in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

  • CVE-2019-1003079MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.02

    A missing permission check in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

  • CVE-2019-1003077MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

  • CVE-2019-1003059MedApr 4, 2019
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

  • CVE-2019-1003043HigMar 28, 2019
    risk 0.42cvss 7.5epss 0.01

    A missing permission check in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2017-6923MedJan 22, 2019
    risk 0.42cvss 6.5epss 0.02

    In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access…

  • CVE-2018-16048MedOct 3, 2018
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Missing Authorization Control for API Repository Storage.

  • CVE-2017-18101MedApr 10, 2018
    risk 0.42cvss 6.5epss 0.01

    Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations…

  • CVE-2018-9039MedMar 27, 2018
    risk 0.42cvss 6.5epss 0.01

    In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments.

  • CVE-2017-0896MedJun 2, 2017
    risk 0.42cvss 6.5epss 0.01

    Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured…

  • CVE-2017-6564MedMay 1, 2017
    risk 0.42cvss 6.5epss 0.01

    On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the Guest user, which contains the lowest privileges, can post to the idSourceFileName parameter found within the /download directory. This ability allows for an attacker to download sensitive system files from the host…

  • CVE-2026-42651MedJun 15, 2026
    risk 0.41cvss 6.3epss 0.00

    Subscriber Broken Access Control in Classified Listing <= 5.3.9 versions.

  • CVE-2025-68049MedJun 15, 2026
    risk 0.41cvss 6.3epss 0.00

    Subscriber Broken Access Control in bunny.net <= 2.3.6 versions.