VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Structure: Incomplete | Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 29 of 77
  • CVE-2024-1639 (Medium) Jun 21, 2024
    risk 0.42, cvss 6.5, epss 0.00

    The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.6. This makes it possible for…

  • CVE-2024-4390 (Medium) Jun 20, 2024
    risk 0.42, cvss 6.5, epss 0.01

    The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to Arbitrary Nonce Generation in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with contributor access and above, to generate a valid nonce for any…

  • CVE-2024-2098 (High) Jun 13, 2024
    risk 0.42, cvss 7.5, epss 0.00

    The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download…

  • CVE-2024-3957 (Medium) May 2, 2024
    risk 0.42, cvss 6.5, epss 0.01

    The Booster for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 7.1.8. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on what other plugins are…

  • CVE-2024-28098 (Medium) Mar 12, 2024
    risk 0.42, cvss 6.4, epss 0.02

    The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. This…

  • CVE-2024-23833 (High) Feb 12, 2024
    risk 0.42, cvss 7.5, epss 0.01

    OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver…

  • CVE-2023-47827 (Medium) Nov 30, 2023
    risk 0.42, cvss 6.5, epss 0.00

    Incorrect Authorization vulnerability in NicheAddons Events Addon for Elementor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Events Addon for Elementor: from n/a through 2.1.3.

  • CVE-2023-5195 (Medium) Sep 29, 2023
    risk 0.42, cvss 6.5, epss 0.00

    Mattermost fails to properly validate the permissions when soft deleting a team, allowing a team member to soft delete other teams that they are not part of.

  • CVE-2023-39965 (Medium) Aug 10, 2023
    risk 0.42, cvss 6.5, epss 0.00

    1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, authenticated attackers can download arbitrary files through the API interface. This code has unauthorized access. Attackers can freely download the file content on the target…

  • CVE-2023-38209 (Medium) Aug 9, 2023
    risk 0.42, cvss 6.5, epss 0.01

    Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Incorrect Authorization vulnerability that could lead to a Security feature bypass. A low-privileged attacker could leverage this vulnerability to access other…

  • CVE-2023-39154 (Medium) Jul 26, 2023
    risk 0.42, cvss 6.5, epss 0.00

    Incorrect permission checks in Jenkins Qualys Web App Scanning Connector Plugin 2.0.10 and earlier allow attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing…

  • CVE-2023-38493 (High) Jul 25, 2023
    risk 0.42, cvss 7.5, epss 0.01

    Armeria is a microservice framework. Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with the path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might…

  • CVE-2023-0814 (Medium) Feb 14, 2023
    risk 0.42, cvss 6.5, epss 0.01

    The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to sensitive information disclosure via the [user_meta] shortcode in versions up to, and including 3.9.0. This is due to insufficient restriction on sensitive user meta values that…

  • CVE-2022-48216 (High) Jan 4, 2023
    risk 0.42, cvss 7.5, epss 0.01

    Uniswap Universal Router before 1.1.0 mishandles reentrancy. This would have allowed theft of funds.

  • CVE-2022-23553 (High) Dec 28, 2022
    risk 0.42, cvss 7.5, epss 0.01

    Alpine is a scaffolding library in Java. Alpine prior to version 1.10.4 allows URL access filter bypass. This issue has been fixed in version 1.10.4. There are no known workarounds.

  • CVE-2022-39388 (High) Nov 10, 2022
    risk 0.42, cvss 7.6, epss 0.00

    Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a…

  • CVE-2022-42975 (High) Oct 17, 2022
    risk 0.42, cvss 7.5, epss 0.01

    socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.

  • CVE-2022-34256 (High) Aug 16, 2022
    risk 0.42, cvss 7.5, epss 0.02

    Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to access other user's data.…

  • CVE-2022-34180 (High) Jun 23, 2022
    risk 0.42, cvss 7.5, epss 0.01

    Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any…

  • CVE-2022-34175 (High) Jun 23, 2022
    risk 0.42, cvss 7.5, epss 0.01

    Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view.