CWE-863
Incorrect Authorization
Description
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Hierarchy (View 1000)
CVEs mapped to this weakness (1,530)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-3722 | — | Med | 0.35 | 5.4 | 0.00 | | May 14, 2024 | The Swift Performance Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ajax_handler() function in all versions up to, and including, 2.3.6.18. This makes it possible for authenticated attackers, with subscriber-level access… |
| CVE-2024-22208 | — | Med | 0.35 | 6.5 | 0.01 | | Feb 5, 2024 | phpMyFAQ is an Open Source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large range of targets. The phpMyFAQ… |
| CVE-2023-49273 | — | Med | 0.35 | 5.4 | 0.00 | | Dec 12, 2023 | Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for… |
| CVE-2023-46125 | — | Med | 0.35 | 6.5 | 0.01 | | Oct 25, 2023 | Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET… |
| CVE-2023-35908 | — | Med | 0.35 | 6.5 | 0.01 | | Jul 12, 2023 | Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected. |
| CVE-2023-3574 | — | Med | 0.35 | 6.5 | 0.00 | | Jul 10, 2023 | Improper Authorization in GitHub repository pimcore/customer-data-framework prior to 3.4.1. |
| CVE-2021-4352 | — | Med | 0.35 | 5.3 | 0.01 | | Jun 7, 2023 | The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the save_locsettings function in versions up to, and including, 1.8.1. This makes it possible for unauthenticated attackers to change the settings of the… |
| CVE-2020-36710 | — | Med | 0.35 | 5.3 | 0.01 | | Jun 7, 2023 | The WPS Hide Login plugin for WordPress is vulnerable to login page disclosure even when the settings of the plugin are set to hide the login page, making it possible for unauthenticated attackers to brute force credentials on sites in versions up to, and including, 1.5.4.2. |
| CVE-2022-25274 | — | Med | 0.35 | 5.4 | 0.00 | | Apr 26, 2023 | Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have… |
| CVE-2023-25768 | — | Med | 0.35 | 6.5 | 0.01 | | Feb 15, 2023 | A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server. |
| CVE-2023-0298 | — | Med | 0.35 | 6.5 | 0.01 | | Jan 14, 2023 | Incorrect Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0. |
| CVE-2022-45383 | — | Med | 0.35 | 6.5 | 0.01 | | Nov 15, 2022 | An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission. |
| CVE-2022-35692 | — | Med | 0.35 | 5.3 | 0.01 | | Aug 19, 2022 | Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to leak minor information of… |
| CVE-2022-31153 | — | Med | 0.35 | 6.5 | 0.01 | | Jul 15, 2022 | OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and… |
| CVE-2022-0574 | — | Med | 0.35 | 6.5 | 0.01 | | May 16, 2022 | Improper Access Control in GitHub repository publify/publify prior to 9.2.8. |
| CVE-2022-1365 | — | Med | 0.35 | 6.5 | 0.01 | | Apr 15, 2022 | Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5. |
| CVE-2022-0528 | — | Med | 0.35 | 6.5 | 0.01 | | Mar 3, 2022 | Server-Side Request Forgery (SSRF) in GitHub repository transloadit/uppy prior to 3.3.1. |
| CVE-2021-3658 | — | Med | 0.35 | 6.5 | 0.01 | | Mar 2, 2022 | bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the… |
| CVE-2022-0577 | — | Med | 0.35 | 6.5 | 0.01 | | Mar 2, 2022 | Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1. |
| CVE-2022-0731 | — | Med | 0.35 | 6.5 | 0.01 | | Feb 23, 2022 | Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0. |