VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Status: Incomplete | Likelihood of Exploit: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 28 of 77
  • CVE-2025-41249 | High | Sep 16, 2025
    risk 0.42 | cvss 7.5 | epss 0.00

    The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application…

  • CVE-2025-41248 | High | Sep 16, 2025
    risk 0.42 | cvss 7.5 | epss 0.00

    The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in…

  • CVE-2025-40567 | Medium | Jun 10, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V3.2), SCALANCE XCH328 (6GK5328-4TS01-2EC2) (All versions < V3.2), SCALANCE XCM324 (6GK5324-8TS01-2AC2) (All versions < V3.2), SCALANCE XCM328 (6GK5328-4TS01-2AC2) (All versions < V3.2),…

  • CVE-2025-31481 | High | Apr 3, 2025
    risk 0.42 | cvss 7.5 | epss 0.00

    API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17.

  • CVE-2025-29924 | High | Mar 19, 2025
    risk 0.42 | cvss 7.5 | epss 0.00

    XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for a user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view…

  • CVE-2024-42013 | Medium | Jan 22, 2025
    risk 0.42 | cvss 6.4 | epss 0.00

    In GRAU DATA Blocky before 3.1, Blocky-Gui has a Client-Side Enforcement of Server-Side Security vulnerability. An attacker with Windows administrative or debugging privileges can patch a binary in memory or on disk to bypass the password login requirement and gain full access…

  • CVE-2024-39025 | High | Dec 27, 2024
    risk 0.42 | cvss 7.5 | epss 0.00

    Incorrect access control in the /users endpoint of Cpacker MemGPT v0.3.17 allows attackers to access sensitive data.

  • CVE-2024-12539 | Medium | Dec 17, 2024
    risk 0.42 | cvss 6.5 | epss 0.00

    An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.

  • CVE-2024-51479 | High | Dec 17, 2024
    risk 0.42 | cvss 7.5 | epss 0.04

    Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root…

  • CVE-2024-55633 | Medium | Dec 12, 2024
    risk 0.42 | cvss 6.5 | epss 0.03

    Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is incorrectly identified as a read-only query, enabling its execution. Non-Postgres analytics database…

  • CVE-2024-36611 | High | Nov 29, 2024
    risk 0.42 | cvss 7.5 | epss 0.01

    In Symfony v7.07, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper…

  • CVE-2024-48651 | High | Nov 29, 2024
    risk 0.42 | cvss 7.5 | epss 0.02

    In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql.

  • CVE-2022-31669 | Medium | Nov 14, 2024
    risk 0.42 | cvss 6.4 | epss 0.00

    Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify tag…

  • CVE-2022-31667 | Medium | Nov 14, 2024
    risk 0.42 | cvss 6.4 | epss 0.01

    Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn't have access to. By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name…

  • CVE-2024-45877 | Medium | Nov 13, 2024
    risk 0.42 | cvss 6.5 | epss 0.00

    baltic-it TOPqw Webportal v1.35.283.2 is vulnerable to Incorrect Access Control in the User Management function in /Apps/TOPqw/BenutzerManagement.aspx. This allows a low privileged user to access all modules in the web portal, view and manipulate information and permissions of…

  • CVE-2024-44765 | Medium | Nov 8, 2024
    risk 0.42 | cvss 6.5 | epss 0.01

    An Improper Authorization (Access Control Misconfiguration) vulnerability in MGT-COMMERCE GmbH CloudPanel v2.0.0 to v2.4.2 allows low-privilege users to bypass access controls and gain unauthorized access to sensitive configuration files and administrative functionality.

  • CVE-2024-21262 | Medium | Oct 15, 2024
    risk 0.42 | cvss 6.5 | epss 0.01

    Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/ODBC). Supported versions that are affected are 9.0.0 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL…

  • CVE-2024-45132 | Medium | Oct 10, 2024
    risk 0.42 | cvss 6.5 | epss 0.01

    Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and affect…

  • CVE-2024-42490 | High | Aug 22, 2024
    risk 0.42 | cvss 7.5 | epss 0.01

    authentik is an open-source Identity Provider. Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this are /api/v3/crypto/certificatekeypairs//view_certificate/,…

  • CVE-2024-41670 | High | Jul 26, 2024
    risk 0.42 | cvss 7.5 | epss 0.00

    In the module "PayPal Official" for PrestaShop 7+ releases prior to version 6.4.2 and for PrestaShop 1.6 releases prior to version 3.18.1, a malicious customer can confirm an order even if payment is finally declined by PayPal. A logical weakness during the capture of a payment…