VYPR

CWE-863

Incorrect Authorization

Abstraction: Class · Status: Incomplete · Likelihood of Exploit: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 16 of 77
  • CVE-2025-14866 · High · Jan 23, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'save_secondary_roles_field' function. This makes it possible for authenticated attackers,…

  • CVE-2025-54888 · High · Aug 9, 2025
    risk 0.50 · cvss (none listed) · epss 0.01

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an…

  • CVE-2025-26511 · High · Feb 13, 2025
    risk 0.50 · cvss 8.8 · epss 0.01

    Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.2-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited…

  • CVE-2024-32003 · High · Apr 12, 2024
    risk 0.50 · cvss 8.8 · epss 0.01

    wn-dusk-plugin (Dusk plugin) is a plugin which integrates Laravel Dusk browser testing into Winter CMS. The Dusk plugin provides some special routes as part of its testing framework to allow a browser environment (such as headless Chrome) to act as a user in the Backend or User…

  • CVE-2022-46167 · High · Dec 2, 2022
    risk 0.50 · cvss 8.8 · epss 0.01

    Capsule is a multi-tenancy and policy-based framework for Kubernetes. Prior to version 0.1.3, a ServiceAccount deployed in a Tenant Namespace, when granted with `PATCH` capabilities on its own Namespace, is able to edit it and remove the Owner Reference, breaking the…

  • CVE-2022-36051 · High · Aug 31, 2022
    risk 0.50 · cvss 8.7 · epss 0.01

    ZITADEL combines the ease of Auth0 and the versatility of Keycloak. **Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature where users with role `ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain…

  • CVE-2022-34255 · High · Aug 16, 2022
    risk 0.50 · cvss 8.8 · epss 0.02

    Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker with a low privilege account could leverage this vulnerability to…

  • CVE-2022-1025 · High · Jul 12, 2022
    risk 0.50 · cvss 8.8 · epss 0.01

    All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level.

  • CVE-2021-39236 · High · Nov 19, 2021
    risk 0.50 · cvss 8.8 · epss 0.02

    In Apache Ozone before 1.2.0, Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.

  • CVE-2021-32620 · High · May 28, 2021
    risk 0.50 · cvss 8.8 · epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 11.10.13, 12.6.7, and 12.10.2, a user disabled on a wiki using email verification for registration could re-activate themself by using the activation…

  • CVE-2021-26073 · High · Apr 16, 2021
    risk 0.50 · cvss 7.7 · epss 0.01

    Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a…

  • CVE-2020-15163 · High · Sep 9, 2020
    risk 0.50 · cvss 8.7 · epss 0.01

    The Python TUF (The Update Framework) reference implementation before version 0.12 will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata…

  • CVE-2020-12669 · High · May 6, 2020
    risk 0.50 · cvss 8.8 · epss 0.02

    core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter.

  • CVE-2020-2135 · High · Mar 9, 2020
    risk 0.50 · cvss 8.8 · epss 0.01

    Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that implement GroovyInterceptable.

  • CVE-2020-2134 · High · Mar 9, 2020
    risk 0.50 · cvss 8.8 · epss 0.01

    Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted constructor calls and crafted constructor bodies.

  • CVE-2019-16538 · High · Nov 21, 2019
    risk 0.50 · cvss 8.8 · epss 0.01

    A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts.

  • CVE-2018-1000412 · High · Jan 9, 2019
    risk 0.50 · cvss 8.8 · epss 0.01

    An improper authorization vulnerability exists in Jenkins Jira Plugin 3.0.1 and earlier in JiraSite.java that allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,…

  • CVE-2017-15695 · High · Jun 13, 2018
    risk 0.50 · cvss 8.8 · epss 0.03

    When Apache Geode server versions 1.0.0 to 1.4.0 are configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should be restricted to users with…

  • CVE-2018-1258 · High · May 11, 2018
    risk 0.50 · cvss 8.8 · epss 0.02

    Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

  • CVE-2016-4514 · High · Jun 19, 2016
    risk 0.50 · cvss 7.7 · epss 0.01

    Moxa PT-7728 devices with software 3.4 build 15081113 allow remote authenticated users to change the configuration via vectors involving a local proxy.