CWE-862
Missing Authorization
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (5,549)
page 83 of 278| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-10868 | Med | 0.42 | 6.5 | 0.01 | Apr 5, 2019 | In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values. | ||
| CVE-2019-10293 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A missing permission check in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | ||
| CVE-2019-10290 | Med | 0.42 | 6.5 | 0.02 | Apr 4, 2019 | A missing permission check in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | ||
| CVE-2019-10279 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A missing permission check in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | ||
| CVE-2019-1003091 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A missing permission check in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | ||
| CVE-2019-1003087 | Med | 0.42 | 6.5 | 0.02 | Apr 4, 2019 | A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | ||
| CVE-2019-1003083 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A missing permission check in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | ||
| CVE-2019-1003081 | Med | 0.42 | 6.5 | 0.02 | Apr 4, 2019 | A missing permission check in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | ||
| CVE-2019-1003079 | Med | 0.42 | 6.5 | 0.02 | Apr 4, 2019 | A missing permission check in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | ||
| CVE-2019-1003077 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A missing permission check in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | ||
| CVE-2019-1003059 | Med | 0.42 | 6.5 | 0.01 | Apr 4, 2019 | A missing permission check in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | ||
| CVE-2019-1003043 | Hig | 0.42 | 7.5 | 0.01 | Mar 28, 2019 | A missing permission check in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in… | ||
| CVE-2017-6923 | Med | 0.42 | 6.5 | 0.02 | Jan 22, 2019 | In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access… | ||
| CVE-2018-16048 | Med | 0.42 | 6.5 | 0.01 | Oct 3, 2018 | An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Missing Authorization Control for API Repository Storage. | ||
| CVE-2017-18101 | Med | 0.42 | 6.5 | 0.01 | Apr 10, 2018 | Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations… | ||
| CVE-2018-9039 | Med | 0.42 | 6.5 | 0.01 | Mar 27, 2018 | In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments. | ||
| CVE-2017-0896 | Med | 0.42 | 6.5 | 0.01 | Jun 2, 2017 | Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured… | ||
| CVE-2017-6564 | Med | 0.42 | 6.5 | 0.01 | May 1, 2017 | On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the Guest user, which contains the lowest privileges, can post to the idSourceFileName parameter found within the /download directory. This ability allows for an attacker to download sensitive system files from the host… | ||
| CVE-2026-42651 | Med | 0.41 | 6.3 | 0.00 | Jun 15, 2026 | Subscriber Broken Access Control in Classified Listing <= 5.3.9 versions. | ||
| CVE-2025-68049 | Med | 0.41 | 6.3 | 0.00 | Jun 15, 2026 | Subscriber Broken Access Control in bunny.net <= 2.3.6 versions. |
- risk 0.42cvss 6.5epss 0.01
In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.
- risk 0.42cvss 6.5epss 0.01
A missing permission check in Jenkins Kmap Plugin in KmapJenkinsBuilder.DescriptorImpl form validation methods allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.02
A missing permission check in Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older in the NCScanBuilder.DescriptorImpl#doValidateAPI form validation method allowed attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.01
A missing permission check in Jenkins jenkins-reviewbot Plugin in the ReviewboardDescriptor#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.01
A missing permission check in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.02
A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.01
A missing permission check in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.02
A missing permission check in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.02
A missing permission check in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.01
A missing permission check in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
- risk 0.42cvss 6.5epss 0.01
A missing permission check in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
- risk 0.42cvss 7.5epss 0.01
A missing permission check in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…
- risk 0.42cvss 6.5epss 0.02
In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access…
- risk 0.42cvss 6.5epss 0.01
An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Missing Authorization Control for API Repository Storage.
- risk 0.42cvss 6.5epss 0.01
Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations…
- risk 0.42cvss 6.5epss 0.01
In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments.
- risk 0.42cvss 6.5epss 0.01
Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured…
- risk 0.42cvss 6.5epss 0.01
On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the Guest user, which contains the lowest privileges, can post to the idSourceFileName parameter found within the /download directory. This ability allows for an attacker to download sensitive system files from the host…
- risk 0.41cvss 6.3epss 0.00
Subscriber Broken Access Control in Classified Listing <= 5.3.9 versions.
- risk 0.41cvss 6.3epss 0.00
Subscriber Broken Access Control in bunny.net <= 2.3.6 versions.