CWE-863
Incorrect Authorization
Description
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Hierarchy (View 1000)
CVEs mapped to this weakness (1,530)
page 48 of 77

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-36387 | | Med | 0.28 | 5.4 | 0.01 | | Sep 6, 2023 | An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections. |
| CVE-2023-27526 | | Med | 0.28 | 4.3 | 0.01 | | Sep 6, 2023 | A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0. |
| CVE-2023-4242 | | Med | 0.28 | 4.3 | 0.00 | | Aug 9, 2023 | The FULL - Customer plugin for WordPress is vulnerable to Information Disclosure via the /health REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to obtain sensitive… |
| CVE-2023-29296 | | Med | 0.28 | 4.3 | 0.01 | | Jun 15, 2023 | Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to modify a minor… |
| CVE-2023-29295 | | Med | 0.28 | 4.3 | 0.01 | | Jun 15, 2023 | Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass a minor… |
| CVE-2023-29288 | | Med | 0.28 | 4.3 | 0.01 | | Jun 15, 2023 | Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor… |
| CVE-2023-22251 | | Med | 0.28 | 4.3 | 0.01 | | Mar 27, 2023 | Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. A low-privileged authenticated attacker could leverage this vulnerability to achieve minor information disclosure. |
| CVE-2023-26056 | | Med | 0.28 | 5.4 | 0.01 | | Mar 2, 2023 | XWiki Platform is a generic wiki platform. Starting in version 3.0-milestone-1, it's possible to execute a script with the right of another user, provided the target user does not have programming right. The problem has been patched in XWiki 14.8-rc-1, 14.4.5, and 13.10.10.… |
| CVE-2022-45353 | | Med | 0.28 | 4.3 | 0.01 | | Jan 14, 2023 | Broken Access Control in Betheme theme <= 26.6.1 on WordPress. |
| CVE-2022-23551 | | Med | 0.28 | 5.3 | 0.01 | | Dec 21, 2022 | aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with… |
| CVE-2022-31683 | — | Med | 0.28 | 5.4 | 0.00 | | Dec 19, 2022 | Concourse (7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9) contains an authorization bypass issue. A Concourse user can send a request with body including :team_name=team2 to bypass team scope check to gain access to certain resources belong to any other team. |
| CVE-2022-39340 | | Med | 0.28 | 5.3 | 0.01 | | Oct 25, 2022 | OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the `streamed-list-objects` endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users `openfga/openfga` versions 0.2.3 and prior who are exposing the OpenFGA… |
| CVE-2021-40692 | — | Med | 0.28 | 4.3 | 0.01 | | Sep 29, 2022 | Insufficient capability checks made it possible for teachers to download users outside of their courses. |
| CVE-2022-36109 | | Med | 0.28 | 5.3 | 0.01 | | Sep 9, 2022 | Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access,… |
| CVE-2022-31190 | | Med | 0.28 | 5.3 | 0.01 | | Aug 1, 2022 | DSpace open source software is a repository application which provides durable access to digital resources. dspace-xmlui is a UI component for DSpace. In affected versions metadata on a withdrawn Item is exposed via the XMLUI "mets.xml" object, as long as you know the handle/URL… |
| CVE-2022-34814 | — | Med | 0.28 | 4.3 | 0.01 | | Jun 30, 2022 | Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view an administrative configuration page listing pending requests. |
| CVE-2022-34782 | | Med | 0.28 | 4.3 | 0.01 | | Jun 30, 2022 | An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests. |
| CVE-2022-34298 | — | Med | 0.28 | 5.3 | 0.03 | | Jun 23, 2022 | The NT auth module in OpenAM before 14.6.6 allows a "replace Samba username attack." |
| CVE-2022-29047 | | Med | 0.28 | 5.3 | 0.01 | | Apr 12, 2022 | Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the… |
| CVE-2022-23615 | | Med | 0.28 | 5.4 | 0.01 | | Feb 9, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can save a document with the right of the current user which allow accessing API requiring programming right if the current… |