VYPR

CWE-863

Incorrect Authorization

Class · Incomplete · Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 41 of 77
  • CVE-2017-12197 · Med · Jan 18, 2018
    risk 0.35 · cvss 6.5 · epss 0.02

    It was found that libpam4j up to and including 1.8 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.

  • CVE-2007-3968 · Med · Jul 25, 2007
    risk 0.35 · cvss 5.3 · epss 0.01

    index.php in dirLIST before 0.1.1 allows remote attackers to list the contents of an excluded folder via a modified URL containing the folder name.

  • CVE-2026-49299 · Med · May 28, 2026
    risk 0.34 · cvss · epss 0.00

    In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to…

  • CVE-2026-45297 · Med · May 28, 2026
    risk 0.34 · cvss · epss 0.00

    OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch. ProjectAuthorizer.__call__ (OSS api/auth/auth_project.py:14-38 and EE ee/api/auth/auth_project.py:14-46) only…

  • CVE-2026-6713 · Med · May 27, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks.

  • CVE-2026-24749 · Med · Apr 16, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the…

  • CVE-2026-5380 · Med · Apr 7, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS score of…

  • CVE-2026-3526 · Med · Mar 26, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing. This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.

  • CVE-2026-3525 · Med · Mar 26, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing. This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.

  • CVE-2026-3210 · Med · Mar 25, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing. This issue affects Material Icons: from 0.0.0 before 2.0.4.

  • CVE-2026-31838 · Med · Mar 10, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a vulnerability in Envoy RBAC header matching could allow authorization policy bypass when policies rely on HTTP headers that may contain multiple values. An attacker…

  • CVE-2026-2126 · Med · Feb 18, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 20260113. This is due to the `usp_get_submitted_category()` function accepting user-submitted category…

  • CVE-2025-15525 · Med · Jan 31, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. This makes it possible for…

  • CVE-2025-15513 · Med · Jan 14, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any…

  • CVE-2025-14352 · Med · Jan 7, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0.3. This is due to the plugin relying solely on nonce verification…

  • CVE-2025-54554 · Med · Aug 4, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    tiaudit in Tera Insights tiCrypt before 2025-07-17 allows unauthenticated REST API requests that reveal sensitive information about the underlying SQL queries and database structure.

  • CVE-2025-6003 · Med · Jun 12, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    The WordPress Single Sign-On (SSO) plugin for WordPress is vulnerable to unauthorized access due to a misconfigured capability check on a function in all versions up to, and including, the *.5.3 versions of the plugin. This makes it possible for unauthenticated attackers to…

  • CVE-2025-3609 · Med · May 6, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled, prior to registering a user. This makes it…

  • CVE-2021-41528 · Med · Feb 7, 2025
    risk 0.34 · cvss · epss 0.00

    An error when handling authorization related to the import / export interfaces on the RISC Platform prior to the saas-2021-12-29 release can potentially be exploited to access the import / export functionality with low privileges.

  • CVE-2024-54488 · Med · Jan 27, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    A logic issue was addressed with improved file handling. This issue is fixed in iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2. Photos in the Hidden Photos Album may be viewed without authentication.