VYPR

CWE-863

Incorrect Authorization

Class | Incomplete | Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 47 of 77
  • CVE-2025-9228 | Med | Aug 20, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    MiR software versions prior to version 3.0.0 have insufficient authorization controls when creating text notes, allowing low-privilege users to create notes which are intended only for administrative users.

  • CVE-2025-20332 | Med | Aug 6, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to modify parts of the configuration on an affected device. This vulnerability is due to the lack of server-side validation of Administrator permissions. An…

  • CVE-2025-54596 | Med | Jul 25, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Abnormal Security /v1.0/rbac/users_v2/{USER_ID}/ before 2025-02-19 allows downgrading the privileges of other user accounts.

  • CVE-2025-6702 | Med | Jun 26, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability, which was classified as problematic, was found in linlinjava litemall 1.8.0. Affected is an unknown function of the file /wx/comment/post. The manipulation of the argument adminComment leads to improper authorization. It is possible to launch the attack…

  • CVE-2025-40568 | Med | Jun 10, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V3.2), SCALANCE XCH328 (6GK5328-4TS01-2EC2) (All versions < V3.2), SCALANCE XCM324 (6GK5324-8TS01-2AC2) (All versions < V3.2), SCALANCE XCM328 (6GK5328-4TS01-2AC2) (All versions < V3.2),…

  • CVE-2025-3861 | Med | Apr 25, 2025
    risk 0.28 | cvss 5.4 | epss 0.00

    The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to unauthorized access and modification of data due to a misconfigured capability check on the 'pda_lite_custom_permission_check' function in versions 2.8.6 to 2.8.8.2. This makes it…

  • CVE-2025-31331 | Med | Apr 8, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    SAP NetWeaver allows an attacker to bypass authorization checks, enabling them to view portions of ABAP code that would normally require additional validation. Once logged into the ABAP system, the attacker can run a specific transaction that exposes sensitive system code…

  • CVE-2025-24872 | Med | Feb 11, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    The ABAP Build Framework in SAP ABAP Platform allows an authenticated attacker to gain unauthorized access to a specific transaction. By executing the add-on build functionality within the ABAP Build Framework, an attacker could call the transaction and view its details. This…

  • CVE-2025-24869 | Med | Feb 11, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    SAP NetWeaver Application Server Java allows an attacker to access an endpoint that can disclose information about deployed server components, including their XML definitions. This information should ideally be restricted to customer administrators, even though they may not need…

  • CVE-2024-50671 | Med | Nov 25, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    Incorrect access control in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows attackers with Authenticated User roles to obtain email addresses via the "Get users" feature. The vulnerability occurs due to a flaw in permission verification logic, where the wildcard character…

  • CVE-2024-40648 | Med | Jul 18, 2024
    risk 0.28 | cvss 5.4 | epss 0.00

    matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. The `UserIdentity::is_verified()` method in the matrix-sdk-crypto crate before version 0.7.2 doesn't take into account the verification status of the user's own identity while performing the check…

  • CVE-2024-37897 | Med | Jun 20, 2024
    risk 0.28 | cvss 5.4 | epss 0.00

    SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the…

  • CVE-2024-5860 | Med | Jun 18, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes it possible for authenticated attackers,…

  • CVE-2023-25043 | Med | Apr 17, 2024
    risk 0.28 | cvss 4.3 | epss 0.01

    Incorrect Authorization vulnerability in Supsystic Data Tables Generator. This issue affects Data Tables Generator: from n/a through 1.10.25.

  • CVE-2023-50886 | Med | Mar 15, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    Cross-Site Request Forgery (CSRF), Incorrect Authorization vulnerability in wpWax Legal Pages. This issue affects Legal Pages: from n/a through 1.3.7.

  • CVE-2024-1452 | Med | Mar 13, 2024
    risk 0.28 | cvss 4.3 | epss 0.01

    The GenerateBlocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.2 via Query Loop. This makes it possible for authenticated attackers, with contributor access and above, to see contents of posts and pages in draft…

  • CVE-2023-50777 | Med | Dec 13, 2023
    risk 0.28 | cvss 4.3 | epss 0.00

    Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2023-48227 | Med | Dec 12, 2023
    risk 0.28 | cvss 4.3 | epss 0.00

    Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and…

  • CVE-2023-28635 | Med | Oct 11, 2023
    risk 0.28 | cvss 5.4 | epss 0.00

    vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which…

  • CVE-2023-32672 | Med | Sep 6, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. The vulnerability can be exploited by leveraging a SQL…