VYPR

CWE-863

Incorrect Authorization

Class | Incomplete | Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 42 of 77
  • CVE-2024-11176 | Med | Nov 20, 2024
    risk 0.34 | cvss n/a | epss 0.00

    Improper access control vulnerability in M-Files Aino in versions before 24.10 allowed an authenticated user to access object information via incorrect evaluation of effective permissions.

  • CVE-2024-9902 | Med | Nov 6, 2024
    risk 0.34 | cvss 6.3 | epss 0.00

    A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home…

  • CVE-2024-1479 | Med | Mar 13, 2024
    risk 0.34 | cvss 5.3 | epss 0.01

    The WP Show Posts plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the wpsp_display function. This makes it possible for authenticated attackers with contributor access and above to view the contents of draft,…

  • CVE-2023-6963 | Med | Feb 5, 2024
    risk 0.34 | cvss 5.3 | epss 0.01

    The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to bypass the Captcha Verification of the Contact Form block by omitting 'g-recaptcha-response' from…

  • CVE-2023-44401 | Med | Jan 23, 2024
    risk 0.34 | cvss 5.3 | epss 0.00

    The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations. In versions 4.0.0 prior to 4.3.7 and 5.0.0 prior to 5.1.3, `canView` permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is…

  • CVE-2022-41918 | Med | Nov 15, 2022
    risk 0.34 | cvss 6.3 | epss 0.00

    OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices…

  • CVE-2020-26250 | Med | Dec 1, 2020
    risk 0.34 | cvss 6.3 | epss 0.01

    OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated (in jupyterhub 1.2) configuration `Authenticator.whitelist`, which should be transparently mapped to `Authenticator.allowed_users` with a warning,…

  • CVE-2026-54397 | Med | Jun 12, 2026
    risk 0.33 | cvss n/a | epss 0.00

    A vulnerability in MISP’s non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event’s sharing_group_id to a sharing group they were not authorized to use. When distribution was set to sharing…

  • CVE-2026-44173 | Med | Jun 12, 2026
    risk 0.33 | cvss 5.0 | epss 0.00

    MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying…

  • CVE-2026-44681 | Med | May 27, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an…

  • CVE-2026-35491 | Med | Apr 7, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions intended to be read-only for configuration…

  • CVE-2026-32919 | Med | Mar 29, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing write-scoped callers to reach admin-only session reset logic. Attackers with operator.write scope can issue agent requests containing /new or /reset slash commands to reset targeted conversation…

  • CVE-2025-52918 | Med | Jun 21, 2025
    risk 0.33 | cvss 5.0 | epss 0.00

    Yealink RPS before 2025-05-26 does not prevent OpenAPI access by frozen enterprise accounts, allowing unauthorized access to deactivated interfaces.

  • CVE-2025-1418 | Med | May 21, 2025
    risk 0.33 | cvss n/a | epss 0.00

    A low-privileged user can access information about profiles created in Proget MDM (Mobile Device Management), which contain details about allowed/prohibited functions. The profiles do not reveal any sensitive information (including their usage in connected devices). This…

  • CVE-2025-1415 | Med | May 21, 2025
    risk 0.33 | cvss n/a | epss 0.00

    A low-privileged user is able to obtain information about tasks executed on devices controlled by Proget MDM (Mobile Device Management), as well as details of the devices like their UUIDs needed for exploitation of CVE-2025-1416. In order to perform the attack, one has to know…

  • CVE-2025-24099 | Med | Jan 30, 2025
    risk 0.33 | cvss 5.1 | epss 0.00

    The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. A local attacker may be able to elevate their privileges.

  • CVE-2023-27523 | Med | Sep 6, 2023
    risk 0.33 | cvss 5.0 | epss 0.01

    Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to.

  • CVE-2026-44394 | Med | May 28, 2026
    risk 0.32 | cvss 6.0 | epss 0.00

    An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token()…

  • CVE-2026-43000 | Med | May 28, 2026
    risk 0.32 | cvss 6.0 | epss 0.00

    An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The…

  • CVE-2026-42999 | Med | May 28, 2026
    risk 0.32 | cvss 6.0 | epss 0.00

    An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that…