CWE-863
Incorrect Authorization
Description
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
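The distinction that matters for CWE-863 is that a check runs but tests the wrong thing: the wrong subject, the wrong object, or only part of the resource the caller is actually reaching. The Python below is an added illustration, not text or code from MITRE or from any product in the table on this page; the users, orders, ACL paths and function names are constructed for the example. It pairs two common shapes of the weakness with a corrected check each: an order lookup that verifies the caller is a customer but never ties the order to the caller (the shape described for the WooCommerce entry below), and a hierarchical read check that consults only the leaf item and ignores a denied parent folder (the shape described for the Jenkins Matrix Authorization Strategy entry below).

```python
"""Added example of CWE-863 (incorrect authorization): a check is performed,
but it authorizes the wrong relation. All names and data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    status: str


# Constructed sample data standing in for a database.
ORDERS = {
    1001: Order(1001, "alice", "shipped"),
    1002: Order(1002, "bob", "pending"),
}


def fetch_order_status_vulnerable(user: User, order_id: int) -> str:
    """Incorrect check: it tests the subject's role but never relates the
    object (the order) to the subject, so any customer reads any order by
    changing order_id."""
    if "customer" not in user.roles:
        raise PermissionError("not a customer")
    return ORDERS[order_id].status


def fetch_order_status_fixed(user: User, order_id: int) -> str:
    """Object-level check: authorize the (subject, object) pair. A missing
    order and a foreign order fail with the same error so the response does
    not reveal whether the id exists."""
    order = ORDERS.get(order_id)
    if order is None or (order.owner != user.name and "support" not in user.roles):
        raise PermissionError("order not accessible")
    return order.status


# Hierarchical resources. Constructed ACL: path -> users with read access.
# bob was granted read on the leaf job only, not on its parent folder.
READ_ACL = {
    "/": {"alice", "bob", "carol"},
    "/secret-folder": {"alice"},
    "/secret-folder/job": {"alice", "bob"},
}


def _ancestors_and_self(path: str) -> list:
    """'/a/b' -> ['/', '/a', '/a/b']; '/' -> ['/']."""
    parts = [p for p in path.strip("/").split("/") if p]
    return ["/" + "/".join(parts[:i]) for i in range(len(parts) + 1)]


def can_read_leaf_only(user: User, path: str) -> bool:
    """Incorrect check: only the item itself is consulted, so a grant on a
    nested item lets the user reach it through a folder they cannot read."""
    return user.name in READ_ACL.get(path, set())


def can_read_with_ancestors(user: User, path: str) -> bool:
    """Correct check: read is required on every ancestor as well as the item,
    because the caller traverses the whole path, not just the leaf."""
    return all(user.name in READ_ACL.get(p, set()) for p in _ancestors_and_self(path))


def denied(fn, *args) -> bool:
    """True if the call is refused with PermissionError; used by the checks below."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    alice = User("alice", frozenset({"customer"}))
    bob = User("bob", frozenset({"customer"}))
    print("vulnerable: bob reads alice's order ->", fetch_order_status_vulnerable(bob, 1001))
    print("fixed: bob denied on alice's order ->", denied(fetch_order_status_fixed, bob, 1001))
    print("leaf-only: bob reads nested job ->", can_read_leaf_only(bob, "/secret-folder/job"))
    print("with ancestors: bob denied ->", not can_read_with_ancestors(bob, "/secret-folder/job"))
```

Both corrected checks share one property: the authorization decision is computed over the full relation the request exercises (caller to object, and caller to every node on the path), not over a proxy for it such as "is logged in as a customer" or "has a grant on the leaf". When reviewing a check, ask which object and which relation it actually evaluates and whether that is the one the endpoint exposes.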
Hierarchy (View 1000)
CVEs mapped to this weakness (1,530)
page 40 of 77

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-13676 | — | Med | 0.35 | 6.5 | 0.01 | | Feb 11, 2022 | The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. |
| CVE-2022-0273 | | Med | 0.35 | 6.5 | 0.01 | | Jan 30, 2022 | Improper Access Control in Pypi calibreweb prior to 0.6.16. |
| CVE-2021-4194 | | Med | 0.35 | 6.5 | 0.01 | | Jan 6, 2022 | bookstack is vulnerable to Improper Access Control |
| CVE-2021-43781 | | Med | 0.35 | 6.4 | 0.01 | | Dec 6, 2021 | Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable… |
| CVE-2021-3992 | — | Med | 0.35 | 6.5 | 0.01 | | Dec 1, 2021 | kimai2 is vulnerable to Improper Access Control |
| CVE-2021-25973 | — | Med | 0.35 | 6.5 | 0.01 | | Nov 2, 2021 | In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. “guest” role users can self-register even when the admin does not allow. This happens due to front-end restriction only. |
| CVE-2021-28567 | | Med | 0.35 | 6.5 | 0.01 | | Sep 8, 2021 | Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify customer data. Access to the admin… |
| CVE-2021-21664 | | Med | 0.35 | 6.5 | 0.01 | | Jun 10, 2021 | An incorrect permission check in Jenkins XebiaLabs XL Deploy Plugin 10.0.1 and earlier allows attackers with Generic Create permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing Username/password… |
| CVE-2021-21643 | | Med | 0.35 | 6.5 | 0.01 | | Apr 21, 2021 | Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. |
| CVE-2021-21623 | | Med | 0.35 | 6.5 | 0.01 | | Mar 18, 2021 | An incorrect permission check in Jenkins Matrix Authorization Strategy Plugin 2.6.5 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders. |
| CVE-2020-1725 | | Med | 0.35 | 5.4 | 0.01 | | Jan 28, 2021 | A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token. |
| CVE-2020-29156 | — | Med | 0.35 | 5.3 | 0.04 | | Dec 27, 2020 | The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. |
| CVE-2020-28053 | — | Med | 0.35 | 6.5 | 0.01 | | Nov 23, 2020 | HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6. |
| CVE-2020-15126 | | Med | 0.35 | 6.5 | 0.01 | | Jul 22, 2020 | In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object. |
| CVE-2020-15513 | — | Med | 0.35 | 5.3 | 0.01 | | Jul 7, 2020 | The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control. |
| CVE-2020-7955 | — | Med | 0.35 | 5.3 | 0.01 | | Jan 31, 2020 | HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3. |
| CVE-2018-8927 | | Med | 0.35 | 5.4 | 0.01 | | Jun 14, 2018 | Improper authorization vulnerability in SYNO.Cal.Event in Calendar before 2.1.2-0511 allows remote authenticated users to create arbitrary events via the (1) cal_id or (2) original_cal_id parameter. |
| CVE-2018-10212 | | Med | 0.35 | 5.4 | 0.01 | | Apr 25, 2018 | An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is improper authorization leading to creation of folders within another account via a modified device value. |
| CVE-2018-1000107 | — | Med | 0.35 | 6.5 | 0.01 | | Mar 13, 2018 | An improper authorization vulnerability exists in Jenkins Job and Node Ownership Plugin 0.11.0 and earlier in OwnershipDescription.java, JobOwnerJobProperty.java, and OwnerNodeProperty.java that allow an attacker with Job/Configure or Computer/Configure permission and without… |
| CVE-2017-18095 | | Med | 0.35 | 5.3 | 0.01 | | Feb 19, 2018 | The SnippetRPCServiceImpl class in Atlassian Crucible before version 4.5.1 (the fixed version 4.5.x) and before 4.6.0 allows remote attackers to comment on snippets they do not have authorization to access via an improper authorization vulnerability. |