VYPR

CWE-863

Incorrect Authorization

Class · Incomplete · Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 40 of 77
  • CVE-2020-13676 · Med · Feb 11, 2022
    risk 0.35 · cvss 6.5 · epss 0.01

    The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

  • CVE-2022-0273 · Med · Jan 30, 2022
    risk 0.35 · cvss 6.5 · epss 0.01

    Improper Access Control in Pypi calibreweb prior to 0.6.16.

  • CVE-2021-4194 · Med · Jan 6, 2022
    risk 0.35 · cvss 6.5 · epss 0.01

    bookstack is vulnerable to Improper Access Control.

  • CVE-2021-43781 · Med · Dec 6, 2021
    risk 0.35 · cvss 6.4 · epss 0.01

    Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable…

  • CVE-2021-3992 · Med · Dec 1, 2021
    risk 0.35 · cvss 6.5 · epss 0.01

    kimai2 is vulnerable to Improper Access Control.

  • CVE-2021-25973 · Med · Nov 2, 2021
    risk 0.35 · cvss 6.5 · epss 0.01

    In Publify, versions 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. "guest" role users can self-register even when the admin does not allow it. This happens because the restriction is enforced on the front end only.

  • CVE-2021-28567 · Med · Sep 8, 2021
    risk 0.35 · cvss 6.5 · epss 0.01

    Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify customer data. Access to the admin…

  • CVE-2021-21664 · Med · Jun 10, 2021
    risk 0.35 · cvss 6.5 · epss 0.01

    An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password…

  • CVE-2021-21643 · Med · Apr 21, 2021
    risk 0.35 · cvss 6.5 · epss 0.01

    Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.

  • CVE-2021-21623 · Med · Mar 18, 2021
    risk 0.35 · cvss 6.5 · epss 0.01

    An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.

  • CVE-2020-1725 · Med · Jan 28, 2021
    risk 0.35 · cvss 5.4 · epss 0.01

    A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token.

  • CVE-2020-29156 · Med · Dec 27, 2020
    risk 0.35 · cvss 5.3 · epss 0.04

    The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.

  • CVE-2020-28053 · Med · Nov 23, 2020
    risk 0.35 · cvss 6.5 · epss 0.01

    HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.

  • CVE-2020-15126 · Med · Jul 22, 2020
    risk 0.35 · cvss 6.5 · epss 0.01

    In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.

  • CVE-2020-15513 · Med · Jul 7, 2020
    risk 0.35 · cvss 5.3 · epss 0.01

    The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control.

  • CVE-2020-7955 · Med · Jan 31, 2020
    risk 0.35 · cvss 5.3 · epss 0.01

    HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.

  • CVE-2018-8927 · Med · Jun 14, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    Improper authorization vulnerability in SYNO.Cal.Event in Calendar before 2.1.2-0511 allows remote authenticated users to create arbitrary events via the (1) cal_id or (2) original_cal_id parameter.

  • CVE-2018-10212 · Med · Apr 25, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is improper authorization leading to creation of folders within another account via a modified device value.

  • CVE-2018-1000107 · Med · Mar 13, 2018
    risk 0.35 · cvss 6.5 · epss 0.01

    An improper authorization vulnerability exists in Jenkins Job and Node Ownership Plugin 0.11.0 and earlier in OwnershipDescription.java, JobOwnerJobProperty.java, and OwnerNodeProperty.java that allow an attacker with Job/Configure or Computer/Configure permission and without…

  • CVE-2017-18095 · Med · Feb 19, 2018
    risk 0.35 · cvss 5.3 · epss 0.01

    The SnippetRPCServiceImpl class in Atlassian Crucible before version 4.5.1 (the fixed version 4.5.x) and before 4.6.0 allows remote attackers to comment on snippets they do not have authorization to access via an improper authorization vulnerability.