VYPR

CWE-863

Incorrect Authorization

Class | Incomplete | Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 31 of 77
  • CVE-2020-25699 | High | Nov 19, 2020
    risk 0.42 | cvss 7.5 | epss 0.02

    In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed…

  • CVE-2020-24401 | Medium | Nov 9, 2020
    risk 0.42 | cvss 6.5 | epss 0.02

    Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.

  • CVE-2020-24941 | High | Sep 4, 2020
    risk 0.42 | cvss 7.5 | epss 0.01

    An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.

  • CVE-2020-8151 | High | May 12, 2020
    risk 0.42 | cvss 7.5 | epss 0.02

    There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.

  • CVE-2012-2238 | High | Nov 21, 2019
    risk 0.42 | cvss 7.5 | epss 0.02

    trytond 2.4: ModelView.button fails to validate authorization

  • CVE-2019-14832 | High | Oct 15, 2019
    risk 0.42 | cvss 7.5 | epss 0.01

    A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm in which the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.

  • CVE-2019-16884 | High | Sep 25, 2019
    risk 0.42 | cvss 7.5 | epss 0.04

    runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

  • CVE-2018-1000420 | Medium | Jan 9, 2019
    risk 0.42 | cvss 6.5 | epss 0.01

    An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins.

  • CVE-2018-17195 | High | Dec 19, 2018
    risk 0.42 | cvss 7.5 | epss 0.01

    The template upload API endpoint accepted requests from a different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication,…

  • CVE-2018-15405 | Medium | Oct 5, 2018
    risk 0.42 | cvss 6.5 | epss 0.02

    A vulnerability in the web interface for specific feature sets of Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director could allow an authenticated, remote attacker to access sensitive information. The vulnerability is due to an authorization check that…

  • CVE-2018-0460 | Medium | Oct 5, 2018
    risk 0.42 | cvss 6.5 | epss 0.02

    A vulnerability in the REST API of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to read any file on an affected system. The vulnerability is due to insufficient authorization and parameter validation checks. An attacker could…

  • CVE-2018-0459 | Medium | Oct 5, 2018
    risk 0.42 | cvss 6.5 | epss 0.02

    A vulnerability in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to cause an affected system to reboot or shut down. The vulnerability is due to insufficient server-side authorization…

  • CVE-2018-1250 | Medium | Sep 28, 2018
    risk 0.42 | cvss 6.5 | epss 0.02

    Dell EMC Unity and UnityVSA versions prior to 4.3.1.1525703027 contain an Authorization Bypass vulnerability. A remote authenticated user could potentially exploit this vulnerability to read files in NAS server by directly interacting with certain APIs of Unity OE, bypassing…

  • CVE-2018-1999047 | Medium | Aug 23, 2018
    risk 0.42 | cvss 6.5 | epss 0.01

    An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

  • CVE-2018-5489 | Medium | Aug 3, 2018
    risk 0.42 | cvss 6.5 | epss 0.01

    NetApp 7-Mode Transition Tool allows users with valid credentials to access functions and information which may have been intended to be restricted to administrators or privileged users. 7MTT versions below 2.0 do not enforce user authorization rules on file information and…

  • CVE-2017-7470 | Medium | Jul 27, 2018
    risk 0.42 | cvss 6.5 | epss 0.02

    It was found that spacewalk-channel can be used by a non-admin user or disabled users to perform administrative tasks due to an incorrect authorization check in backend/server/rhnChannel.py.

  • CVE-2018-11047 | High | Jul 24, 2018
    risk 0.42 | cvss 7.5 | epss 0.01

    Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.12.4 and 4.10 prior to 4.10.2 and 4.7 prior to 4.7.6 and 4.5 prior to 4.5.7, incorrectly authorizes requests to admin endpoints by accepting a valid refresh token in lieu of an access token. Refresh tokens by…

  • CVE-2018-12103 | Medium | Jul 5, 2018
    risk 0.42 | cvss 6.5 | epss 0.00

    An issue was discovered on D-Link DIR-890L with firmware 1.21B02beta01 and earlier, DIR-885L/R with firmware 1.21B03beta01 and earlier, and DIR-895L/R with firmware 1.21B04beta04 and earlier devices (all hardware revisions). Due to the predictability of the…

  • CVE-2017-16773 | Medium | Jul 5, 2018
    risk 0.42 | cvss 6.5 | epss 0.01

    Improper authorization vulnerability in Highlight Preview in Synology Universal Search before 1.0.5-0135 allows remote authenticated users to bypass permission checks for directories in POSIX mode.

  • CVE-2018-1463 | Medium | May 17, 2018
    risk 0.42 | cvss 6.5 | epss 0.01

    IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) could allow an authenticated user to access system files they should not have access…