VYPR

CWE-863

Incorrect Authorization

Class | Incomplete | Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 22 of 77
  • CVE-2025-62506 (High), Oct 16, 2025
    risk 0.46, cvss 8.1, epss 0.01

    MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy…

  • CVE-2025-52890 (High), Jun 25, 2025
    risk 0.46, cvss 8.1, epss 0.00

    Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13 generate nftables rules that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and…

  • CVE-2025-1416 (High), May 21, 2025
    risk 0.46, cvss n/a, epss 0.00

    In Proget MDM, a low-privileged user can retrieve passwords for managed devices and subsequently use functionalities restricted by the MDM (Mobile Device Management). For it to happen, they must know the UUIDs of targeted devices, which might be obtained by…

  • CVE-2024-37300 (High), Jun 12, 2024
    risk 0.46, cvss 8.1, epss 0.00

    OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub…

  • CVE-2024-27933 (High), Mar 21, 2024
    risk 0.46, cvss 8.2, epss 0.02

    Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission…

  • CVE-2023-22480 (High), Jan 14, 2023
    risk 0.46, cvss 7.3, epss 0.67

    KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This…

  • CVE-2022-23451 (High), Sep 6, 2022
    risk 0.46, cvss 8.1, epss 0.01

    An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete…

  • CVE-2022-31107 (High), Jul 15, 2022
    risk 0.46, cvss 7.1, epss 0.02

    Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take…

  • CVE-2022-24721 (High), Mar 15, 2022
    risk 0.46, cvss 8.1, epss 0.01

    CometD is a scalable comet implementation for web messaging. In any version prior to 5.0.11, 6.0.6, and 7.0.6, internal usage of Oort and Seti channels is improperly authorized, so any remote user could subscribe and publish to those channels. By subscribing to those channels, a…

  • CVE-2019-11247 (High), Aug 29, 2019
    risk 0.46, cvss 8.1, epss 0.02

    The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning…

  • CVE-2017-15091 (High), Jan 23, 2018
    risk 0.46, cvss 7.1, epss 0.01

    An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only…

  • CVE-2015-0266 (High), Apr 11, 2016
    risk 0.46, cvss 7.1, epss 0.02

    The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrictions via direct access to module URLs.

  • CVE-2026-42604 (Medium), Jun 12, 2026
    risk 0.45, cvss n/a, epss 0.00

    Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 `client_secret`—to any caller who knows the bootstrap password. The endpoint…

  • CVE-2026-4263 (Medium), Mar 26, 2026
    risk 0.45, cvss n/a, epss 0.00

    Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'.

  • CVE-2026-4262 (Medium), Mar 26, 2026
    risk 0.45, cvss n/a, epss 0.00

    Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download//'.

  • CVE-2025-41031 (Medium), Sep 2, 2025
    risk 0.45, cvss n/a, epss 0.00

    Lack of authorisation in Deporsite by T-INNOVA. This vulnerability allows an unauthenticated attacker to change other users' profile pictures via a POST request using the parameters 'IdPersona' and 'Foto' in '/ajax/TInnova_c/FotoUsuario/llamadaAjax/uploadImage'.

  • CVE-2025-41030 (Medium), Sep 2, 2025
    risk 0.45, cvss n/a, epss 0.00

    Lack of authorisation in Deporsite by T-INNOVA. This vulnerability allows an unauthenticated attacker to obtain information from other users via GET '/ajax/TInnova_v2/Integrantes_Recurso_v2_1/llamadaAjax/buscarPersona' using the 'dni' parameter.

  • CVE-2025-8533 (Medium), Aug 7, 2025
    risk 0.45, cvss n/a, epss 0.00

    A vulnerability was identified in the XPC services of Fantastical. The services failed to implement proper client authorization checks in their listener:shouldAcceptNewConnection method, unconditionally accepting requests from any local process. As a result, any local,…

  • CVE-2025-2202 (Medium), Mar 17, 2025
    risk 0.45, cvss n/a, epss 0.00

    Broken access control vulnerability in the Innovación y Cualificación local administration plugin ajax.php. This vulnerability allows an attacker to obtain sensitive information about other users such as id, name, login and email.

  • CVE-2025-2201 (Medium), Mar 17, 2025
    risk 0.45, cvss n/a, epss 0.00

    Broken access control vulnerability in the IcProgress Innovación y Cualificación plugin. This vulnerability allows an attacker to obtain sensitive information about other users such as public IP addresses, messages with other users and more.