VYPR

CWE-863

Incorrect Authorization

Abstraction: Class
Status: Incomplete
Likelihood of Exploit: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
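The distinguishing feature of this weakness is that a check does run, but it tests the wrong thing. A recurring instance, visible in several entries on this page (tenant or workspace scoping that authorizes the container named in the URL rather than the object actually fetched), is shown below as an added example. It is not code from CWE or from any of the listed projects; the names Store, Document, require_workspace_member and the two get_document_* functions are hypothetical, and the sample data is constructed.

```python
"""Incorrect authorization (CWE-863): the check runs, but against the wrong object.

Added illustrative example; not from any project listed on this page.
All names are hypothetical and the sample data below is constructed.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an authorization check denies the request."""


@dataclass
class Document:
    doc_id: str
    workspace_id: str  # the tenant that owns this document
    body: str


@dataclass
class Store:
    members: dict = field(default_factory=dict)    # workspace_id -> set of user ids
    documents: dict = field(default_factory=dict)  # doc_id -> Document


def require_workspace_member(store: Store, user: str, workspace_id: str) -> None:
    """The check itself is fine; the bug is in what it gets applied to."""
    if user not in store.members.get(workspace_id, set()):
        raise Forbidden(f"{user} is not a member of {workspace_id}")


def get_document_vulnerable(store: Store, user: str, url_workspace: str, doc_id: str) -> str:
    """Authorizes the workspace named in the URL, then loads the document by id alone.
    Any member of any workspace can read any document by putting a workspace they
    belong to in the URL prefix: the check never relates the caller to the object."""
    require_workspace_member(store, user, url_workspace)
    doc = store.documents[doc_id]  # ownership is never compared to url_workspace
    return doc.body


def get_document_fixed(store: Store, user: str, url_workspace: str, doc_id: str) -> str:
    """Same membership check, but applied to the tenant that actually owns the object,
    and the object must belong to the workspace the request claims to be scoped to."""
    doc = store.documents.get(doc_id)
    if doc is None or doc.workspace_id != url_workspace:
        # identical error for "missing" and "belongs to another tenant" so that
        # document ids cannot be enumerated through the error message
        raise Forbidden("document not found in this workspace")
    require_workspace_member(store, user, doc.workspace_id)
    return doc.body


def build_sample_store() -> Store:
    """Constructed sample data: two tenants, one user and one document each."""
    s = Store()
    s.members = {"ws-a": {"alice"}, "ws-b": {"bob"}}
    s.documents = {
        "doc-1": Document("doc-1", "ws-a", "alice's secret"),
        "doc-2": Document("doc-2", "ws-b", "bob's secret"),
    }
    return s


def demo() -> dict:
    """Runs the same cross-tenant request through both implementations."""
    s = build_sample_store()
    out = {}
    # bob is a member of ws-b only; he asks for doc-1 (owned by ws-a) under his own prefix
    out["vuln_cross_tenant"] = get_document_vulnerable(s, "bob", "ws-b", "doc-1")
    try:
        get_document_fixed(s, "bob", "ws-b", "doc-1")
        out["fixed_cross_tenant"] = "allowed"
    except Forbidden:
        out["fixed_cross_tenant"] = "denied"
    # legitimate access still works in the fixed version
    out["fixed_legit"] = get_document_fixed(s, "alice", "ws-a", "doc-1")
    return out


if __name__ == "__main__":
    print(demo())
```

When reviewing an authorization layer for this class of bug, the question to ask at every guarded endpoint is not "is there a check?" but "does the subject of the check match the object the handler goes on to load or mutate?". Middleware that authorizes a path parameter in isolation, as in the vulnerable function, passes the first question and fails the second.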

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 11 of 77
  • CVE-2023-26484 (High) Mar 15, 2023
    risk 0.53, cvss 8.2, epss 0.01

    KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs.…

  • CVE-2021-42135 (High) Oct 11, 2021
    risk 0.53, cvss 8.1, epss 0.01

    HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the…

  • CVE-2021-39156 (High) Aug 24, 2021
    risk 0.53, cvss 8.1, epss 0.01

    Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability…

  • CVE-2021-29452 (High) Apr 16, 2021
    risk 0.53, cvss 8.1, epss 0.01

    a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged…

  • CVE-2017-18884 (High) Jun 19, 2020
    risk 0.53, cvss 8.1, epss 0.01

    An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens.

  • CVE-2018-10925 (High) Aug 9, 2018
    risk 0.53, cvss 8.1, epss 0.02

    It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read…

  • CVE-2018-1000197 (High) Jun 5, 2018
    risk 0.53, cvss 8.1, epss 0.01

    An improper authorization vulnerability exists in Jenkins Black Duck Hub Plugin 3.0.3 and older in PostBuildScanDescriptor.java that allows users with Overall/Read permission to read and write the Black Duck Hub plugin configuration.

  • CVE-2017-12118 (High) Jan 19, 2018
    risk 0.53, cvss 8.1, epss 0.02

    An exploitable improper authorization vulnerability exists in miner_stop API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). An attacker can send JSON to trigger this vulnerability.

  • CVE-2017-12116 (High) Jan 19, 2018
    risk 0.53, cvss 8.1, epss 0.02

    An exploitable improper authorization vulnerability exists in miner_setGasPrice API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can…

  • CVE-2017-12113 (High) Jan 19, 2018
    risk 0.53, cvss 8.1, epss 0.01

    An exploitable improper authorization vulnerability exists in admin_nodeInfo API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can…

  • CVE-2017-12117 (High) Jan 19, 2018
    risk 0.53, cvss 8.1, epss 0.01

    An exploitable improper authorization vulnerability exists in miner_start API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send…

  • CVE-2017-12115 (High) Jan 19, 2018
    risk 0.53, cvss 8.1, epss 0.02

    An exploitable improper authorization vulnerability exists in miner_setEtherbase API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass.

  • CVE-2017-12112 (High) Jan 19, 2018
    risk 0.53, cvss 8.1, epss 0.01

    An exploitable improper authorization vulnerability exists in admin_addPeer API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can…

  • CVE-2018-0110 (High) Jan 18, 2018
    risk 0.53, cvss 8.1, epss 0.01

    A vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to access the remote support account even after it has been disabled via the web application. The vulnerability is due to a design flaw in Cisco WebEx Meetings Server, which would not…

  • CVE-2026-55518 (Critical) Jun 17, 2026
    risk 0.52, cvss not listed, epss not listed

    ## Summary A critical missing authorization flaw exists in Avo's association attach workflow. The UI and `GET /resources/:resource/:id/:related/new` path can check `attach_?`, but the actual write endpoint, `POST /resources/:resource/:id/:related`, does not run the…

  • CVE-2026-35482 (High) Jun 2, 2026
    risk 0.52, cvss 8.0, epss 0.00

    alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, a sandbox escape vulnerability in the alf.io extension script engine allows an authenticated administrator to execute arbitrary operating system…

  • CVE-2026-22872 (Critical) Jun 1, 2026
    risk 0.52, cvss 9.1, epss 0.00

    Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for cluster-scoped resources. Prior to version…

  • CVE-2026-47407 (Critical) May 29, 2026
    risk 0.52, cvss not listed, epss 0.00

    ## Summary The Platform server exposes resources under `/api/v1/workspaces/{workspace_id}/...` and protects them with a `require_workspace_member(workspace_id)` FastAPI dependency. The dependency only checks that the caller is a member of the workspace_id in the URL prefix. The…

  • CVE-2026-42032 (Critical) May 13, 2026
    risk 0.52, cvss 9.1, epss 0.00

    CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to bypass authorization in order to gain access to private resources and PostgreSQL system…

  • CVE-2026-44221 (Critical) May 12, 2026
    risk 0.52, cvss 9.0, epss 0.00

    ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a…