VYPR

CWE-863

Incorrect Authorization

ClassIncompleteLikelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 32 of 77
  • CVE-2018-1278MedMay 11, 2018
    risk 0.42cvss 6.5epss 0.01

    Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be…

  • CVE-2018-0278MedMay 2, 2018
    risk 0.42cvss 6.5epss 0.02

    A vulnerability in the management console of Cisco Firepower System Software could allow an unauthenticated, remote attacker to access sensitive data about the system. The vulnerability is due to improper cross-origin domain protections for the WebSocket protocol. An attacker…

  • CVE-2017-1700MedApr 24, 2018
    risk 0.42cvss 6.5epss 0.01

    IBM Jazz Team Server affecting the following IBM Rational Products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody…

  • CVE-2017-0927MedMar 21, 2018
    risk 0.42cvss 6.5epss 0.01

    Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the deployment keys component resulting in unauthorized use of deployment keys by guest users.

  • CVE-2017-1628MedNov 27, 2017
    risk 0.42cvss 6.5epss 0.02

    IBM Business Process Manager 8.6.0.0 allows authenticated users to stop and resume the Event Manager by calling a REST API with incorrect authorization checks.

  • CVE-2017-5060MedOct 27, 2017
    risk 0.42cvss 6.5epss 0.01

    Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 58.0.3029.81 for Mac, Windows, and Linux, and 58.0.3029.83 for Android, allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name.

  • CVE-2017-10379MedOct 19, 2017
    risk 0.42cvss 6.5epss 0.02

    Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network…

  • CVE-2016-6797HigAug 10, 2017
    risk 0.42cvss 7.5epss 0.08

    The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application.…

  • CVE-2017-9378MedJun 2, 2017
    risk 0.42cvss 6.5epss 0.01

    BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. This could have security relevance because deletion was supposed to be an admin-only action, and the admin may have other tasks (such as data backups) to complete before a user is deleted.

  • CVE-2015-5167MedApr 12, 2016
    risk 0.42cvss 6.5epss 0.02

    The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote authenticated users to bypass intended access restrictions via the REST API.

  • CVE-2009-2213MedJun 25, 2009
    risk 0.42cvss 6.5epss 0.02

    The default configuration of the Security global settings on the Citrix NetScaler Access Gateway appliance with Enterprise Edition firmware 9.0, 8.1, and earlier specifies Allow for the Default Authorization Action option, which might allow remote authenticated users to bypass…

  • CVE-2026-47910MedJun 9, 2026
    risk 0.41cvss 6.3epss 0.00

    Dreamweaver Desktop versions 21.7 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope.…

  • CVE-2026-10815MedJun 4, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was found in LakshayD02 Hostel-Management-System-PHP up to f87e67c283bab6f718faf2fec6ae39a13bd7036b. This issue affects some unknown processing of the file hostel/index.php of the component Admin Dashboard Page. The manipulation of the argument ID results in…

  • CVE-2026-10211MedJun 1, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was determined in AstrBotDevs AstrBot 4.23.6. Affected by this issue is the function _normalize_rw_path of the file astrbot/core/tools/computer_tools/fs.py. This manipulation causes incorrect authorization. It is possible to initiate the attack remotely. The…

  • CVE-2026-48501HigMay 29, 2026
    risk 0.41cvss 7.4epss 0.00

    GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP…

  • CVE-2026-35555MedMay 12, 2026
    risk 0.41cvss 6.3epss 0.00

    PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups.

  • CVE-2026-3977MedMar 12, 2026
    risk 0.41cvss 6.3epss 0.00

    A security vulnerability has been detected in projectsend up to r1945. The affected element is an unknown function of the component AJAX Endpoints. The manipulation leads to missing authorization. The attack can be initiated remotely. The identifier of the patch is…

  • CVE-2026-2819MedFeb 20, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was identified in Dromara RuoYi-Vue-Plus up to 5.5.3. This vulnerability affects the function SaServletFilter of the file /workflow/instance/deleteByInstanceIds of the component Workflow Module. The manipulation leads to missing authorization. The attack may be…

  • CVE-2026-2141MedFeb 8, 2026
    risk 0.41cvss 6.3epss 0.00

    A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper…

  • CVE-2025-15406MedJan 1, 2026
    risk 0.41cvss 6.3epss 0.00

    A flaw has been found in PHPGurukul Online Course Registration up to 3.1. This affects an unknown function. This manipulation causes missing authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used.