VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Status: Incomplete | Likelihood of Exploit: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
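The failure mode is easiest to see when the check runs but is keyed on the wrong value, the pattern the Concourse entry below (CVE-2022-31683) describes: the handler validates a team name the caller put in the request body, then serves resources for the team named in the route. The following is an added example written for this page, not code from Concourse or from any other project listed here; the `Session` type, the `PIPELINES` store and the request are constructed for illustration.

```python
# Added example (not code from any project on this page): CWE-863 as a check
# that exists but is evaluated against the wrong value.  Names, the resource
# store and the sample request are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Authenticated caller and the teams the server knows them to belong to."""
    user: str
    teams: frozenset


# Constructed resource store: team name -> pipelines owned by that team.
PIPELINES = {
    "team1": {"build-app"},
    "team2": {"deploy-prod", "rotate-secrets"},
}


def list_pipelines_vulnerable(session: Session, route_team: str, body: dict) -> list:
    """Incorrect authorization: the membership check is performed, but on a
    caller-controlled value.  A body carrying team_name=<own team> passes the
    check while the handler goes on to read another team's resources."""
    checked_team = body.get("team_name", route_team)   # attacker chooses this
    if checked_team not in session.teams:
        raise PermissionError(f"{session.user} is not a member of {checked_team}")
    return sorted(PIPELINES.get(route_team, ()))       # but this is what is served


def list_pipelines_fixed(session: Session, route_team: str, body: dict) -> list:
    """Correct authorization: check the subject against the object actually
    being accessed (the route's team).  Nothing in the request body may
    influence the decision, and an unknown team is denied, not served empty."""
    _ = body  # deliberately ignored for the access decision
    if route_team not in PIPELINES or route_team not in session.teams:
        raise PermissionError(f"{session.user} may not read {route_team}")
    return sorted(PIPELINES[route_team])


def demo() -> dict:
    """Send the same cross-team request through both handlers."""
    alice = Session(user="alice", teams=frozenset({"team1"}))
    forged = {"team_name": "team1"}   # claims the caller's own team in the body
    result = {"vulnerable": list_pipelines_vulnerable(alice, "team2", forged)}
    try:
        list_pipelines_fixed(alice, "team2", forged)
        result["fixed"] = "allowed"
    except PermissionError:
        result["fixed"] = "denied"
    return result


if __name__ == "__main__":
    print(demo())
```

The check a reviewer wants to see is that the value compared against the session is derived from the resource being served (route, path, or the stored owner of the object), never from a field the client can set. Where a framework lets the body override route parameters, that override has to be disabled before the authorization layer runs.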

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 48 of 77
  • CVE-2023-36387 | Medium | Sep 6, 2023
    risk 0.28 | cvss 5.4 | epss 0.01

    An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.

  • CVE-2023-27526 | Medium | Sep 6, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    A non-Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0.

  • CVE-2023-4242 | Medium | Aug 9, 2023
    risk 0.28 | cvss 4.3 | epss 0.00

    The FULL - Customer plugin for WordPress is vulnerable to Information Disclosure via the /health REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to obtain sensitive…

  • CVE-2023-29296 | Medium | Jun 15, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to modify a minor…

  • CVE-2023-29295 | Medium | Jun 15, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass a minor…

  • CVE-2023-29288 | Medium | Jun 15, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor…

  • CVE-2023-22251 | Medium | Mar 27, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. A low-privileged authenticated attacker could leverage this vulnerability to achieve minor information disclosure.

  • CVE-2023-26056 | Medium | Mar 2, 2023
    risk 0.28 | cvss 5.4 | epss 0.01

    XWiki Platform is a generic wiki platform. Starting in version 3.0-milestone-1, it's possible to execute a script with the right of another user, provided the target user does not have programming right. The problem has been patched in XWiki 14.8-rc-1, 14.4.5, and 13.10.10.…

  • CVE-2022-45353 | Medium | Jan 14, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    Broken Access Control in Betheme theme <= 26.6.1 on WordPress.

  • CVE-2022-23551 | Medium | Dec 21, 2022
    risk 0.28 | cvss 5.3 | epss 0.01

    aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with…

  • CVE-2022-31683 | Medium | Dec 19, 2022
    risk 0.28 | cvss 5.4 | epss 0.00

    Concourse (7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9) contains an authorization bypass issue. A Concourse user can send a request with a body including :team_name=team2 to bypass the team scope check and gain access to certain resources belonging to any other team.

  • CVE-2022-39340 | Medium | Oct 25, 2022
    risk 0.28 | cvss 5.3 | epss 0.01

    OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the `streamed-list-objects` endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users `openfga/openfga` versions 0.2.3 and prior who are exposing the OpenFGA…

  • CVE-2021-40692 | Medium | Sep 29, 2022
    risk 0.28 | cvss 4.3 | epss 0.01

    Insufficient capability checks made it possible for teachers to download users outside of their courses.

  • CVE-2022-36109 | Medium | Sep 9, 2022
    risk 0.28 | cvss 5.3 | epss 0.01

    Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access,…

  • CVE-2022-31190 | Medium | Aug 1, 2022
    risk 0.28 | cvss 5.3 | epss 0.01

    DSpace open source software is a repository application which provides durable access to digital resources. dspace-xmlui is a UI component for DSpace. In affected versions metadata on a withdrawn Item is exposed via the XMLUI "mets.xml" object, as long as you know the handle/URL…

  • CVE-2022-34814 | Medium | Jun 30, 2022
    risk 0.28 | cvss 4.3 | epss 0.01

    Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view an administrative configuration page listing pending requests.

  • CVE-2022-34782 | Medium | Jun 30, 2022
    risk 0.28 | cvss 4.3 | epss 0.01

    An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

  • CVE-2022-34298 | Medium | Jun 23, 2022
    risk 0.28 | cvss 5.3 | epss 0.03

    The NT auth module in OpenAM before 14.6.6 allows a "replace Samba username attack."

  • CVE-2022-29047 | Medium | Apr 12, 2022
    risk 0.28 | cvss 5.3 | epss 0.01

    Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the…

  • CVE-2022-23615 | Medium | Feb 9, 2022
    risk 0.28 | cvss 5.4 | epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can save a document with the right of the current user which allow accessing API requiring programming right if the current…