VYPR

CWE-863

Incorrect Authorization

Abstraction: Class · Status: Incomplete · Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 2 of 77
  • CVE-2024-7108 · Critical · Sep 26, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Incorrect Authorization vulnerability in National Keep Cyber Security Services CyberMath allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CyberMath: before CYBM.240816253.

  • CVE-2024-4447 · Critical · Jul 26, 2024
    risk 0.64 · CVSS 9.9 · EPSS 0.00

    In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API (UserSessionAjax.getSessionList.dwr) calls. While this is information that would and should be available to admins who possess "Sign In As" powers,…

  • CVE-2024-31682 · Critical · Jun 3, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Incorrect access control in the fingerprint authentication mechanism of Phone Cleaner: Boost & Clean v2.2.0 allows attackers to bypass fingerprint authentication due to the use of a deprecated API.

  • CVE-2024-28394 · Critical · Mar 19, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An issue in Advanced Plugins reportsstatistics v1.3.20 and before allows a remote attacker to execute arbitrary code via the Sales Reports, Statistics, Custom Fields & Export module.

  • CVE-2018-1000155 · Critical · May 24, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    OpenFlow version 1.0 onwards contains a Denial of Service and Improper authorization vulnerability in the OpenFlow handshake: the DPID (DataPath IDentifier) in the features_reply message is inherently trusted by the controller, which can result in Denial of Service, Unauthorized…

  • CVE-2017-16743 · Critical · Jan 12, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    An Improper Authorization issue was discovered in PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, and 48xxx Series products running firmware Version 1.0 to 1.32. A remote unauthenticated attacker may be able to craft special HTTP requests allowing an attacker to bypass web-service…

  • CVE-2017-17067 · Critical · Nov 30, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and 6.3.x before 6.3.12, when the SAML authType is enabled, mishandles SAML, which allows remote attackers to bypass intended access restrictions or conduct…

  • CVE-2017-9653 · Critical · Aug 14, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    An Improper Authorization issue was discovered in OSIsoft PI Integrator for Business Analytics before 2016 R2, PI Integrator for Microsoft Azure before 2016 R2 SP1, and PI Integrator for SAP HANA before 2017. An attacker is able to gain privileged access to the system while…

  • CVE-2017-9855 · Critical · Aug 5, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    An issue was discovered in SMA Solar Technology products. A secondary authentication system is available for Installers called the Grid Guard system. This system uses predictable codes, and a single Grid Guard code can be used on any SMA inverter. Any such code, when combined…

  • CVE-2017-7512 · Critical · Jul 7, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Red Hat 3scale (aka RH-3scale) API Management Platform (AMP) before 2.0.0 would permit creation of an access token without a client secret. An attacker could use this flaw to circumvent authentication controls and gain access to restricted APIs. NOTE: some sources have a typo in…

  • CVE-2008-7109 · Critical · Aug 28, 2009
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    The Scanner File Utility (aka listener) in Kyocera Mita (KM) 3.3.0.1 allows remote attackers to bypass authorization and upload arbitrary files to the client system via a modified program that does not prompt the user for a password.

  • CVE-2001-1155 · Critical · Aug 23, 2001
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    TCP Wrappers (tcp_wrappers) in FreeBSD 4.1.1 through 4.3 with the PARANOID ACL option enabled does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass intended access restrictions via DNS spoofing.

  • CVE-2017-3891 · Critical · Nov 14, 2017
    risk 0.63 · CVSS 9.6 · EPSS 0.01

    In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an elevation of privilege vulnerability in the default configuration of the QNX SDP with QNet enabled on networks comprising two or more QNet nodes could allow an attacker to access local and remote files or take…

  • CVE-2026-25293 · Critical · May 4, 2026
    risk 0.62 · CVSS 9.6 · EPSS 0.00

    Buffer overflow due to incorrect authorization in PLC FW

  • CVE-2025-29757 · Critical · Jul 19, 2025
    risk 0.61 · CVSS n/a · EPSS 0.00

    An incorrect authorisation check in the 'plant transfer' function of the Growatt cloud service allowed a malicious attacker with a valid account to transfer any plant into his/her account.

  • CVE-2025-3476 · Critical · May 7, 2025
    risk 0.61 · CVSS n/a · EPSS 0.00

    Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. The vulnerability could allow privilege escalation by authenticated users. This issue affects Operations Bridge Manager: 2023.05, 23.4, 24.2, 24.4.

  • CVE-2026-34660 · Critical · May 12, 2026
    risk 0.60 · CVSS 9.3 · EPSS 0.00

    Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web…

  • CVE-2024-5539 · Critical · Nov 27, 2025
    risk 0.60 · CVSS n/a · EPSS 0.00

    The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web based building automation server.

  • CVE-2025-26850 · Critical · Jul 5, 2025
    risk 0.60 · CVSS 9.3 · EPSS 0.00

    The agent in Quest KACE Systems Management Appliance (SMA) before 14.0.97 and 14.1.x before 14.1.19 potentially allows privilege escalation on managed systems.

  • CVE-2025-53391 · Critical · Jun 28, 2025
    risk 0.60 · CVSS 9.3 · EPSS 0.00

    The Debian zuluPolkit/CMakeLists.txt file for zuluCrypt through the zulucrypt_6.2.0-1 package has insecure PolicyKit allow_any/allow_inactive/allow_active settings that allow a local user to escalate their privileges to root.