CWE-863
Incorrect Authorization
Abstraction: Class · Status: Incomplete · Likelihood: High
Description
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Hierarchy (View 1000)
CVEs mapped to this weakness (586)
page 5 of 30

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-24500 | High | 0.57 | — | 0.00 | | Jan 30, 2025 | The vulnerability allows an unauthenticated attacker to access information in the PAM database. |
| CVE-2024-55579 | High | 0.57 | 8.8 | 0.00 | | Dec 9, 2024 | An issue was discovered in Qlik Sense Enterprise for Windows before November 2024 IR. An unprivileged user with network access may be able to create connection objects that trigger execution of arbitrary EXE files. This is fixed in November 2024 IR, May 2024 Patch 10, February 2024 Patch 14, November 2023 Patch 16, August 2023 Patch 16, May 2023 Patch 18, and February 2023 Patch 15. |
| CVE-2024-53937 | High | 0.57 | 8.8 | 0.00 | | Dec 2, 2024 | An issue was discovered on Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. The TELNET service is enabled by default with admin/admin as default credentials and is exposed over the LAN. This allows attackers to execute arbitrary commands with root-level permissions. Device setup does not require this password to be changed during setup in order to utilize the device. (However, the TELNET password is dictated by the current GUI password.) |
| CVE-2024-53941 | High | 0.57 | 8.8 | 0.01 | | Dec 2, 2024 | An issue was discovered in Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. A remote attacker (in proximity to a Wi-Fi network) can derive the default Wi-Fi PSK value via the last 4 octets of the BSSID. |
| CVE-2024-54124 | High | 0.57 | 8.8 | 0.00 | | Nov 29, 2024 | In Click Studios Passwordstate before build 9920, there is a potential permission escalation on the edit folder screen. |
| CVE-2024-51426 | High | 0.57 | 8.8 | 0.02 | | Oct 30, 2024 | An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the _transfer function. NOTE: this is disputed by third parties because the impact is limited to function calls. |
| CVE-2024-51425 | High | 0.57 | 8.8 | 0.02 | | Oct 30, 2024 | An issue in the WaterToken smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact. NOTE: this is disputed by third parties because the impact is limited to function calls. |
| CVE-2024-41617 | Critical | 0.57 | 9.8 | 0.01 | | Oct 24, 2024 | Money Manager EX WebApp (web-money-manager-ex) 1.2.2 is vulnerable to Incorrect Access Control. The `redirect_if_not_loggedin` function in `functions_security.php` fails to terminate script execution after redirecting unauthenticated users. This flaw allows an unauthenticated attacker to upload arbitrary files, potentially leading to Remote Code Execution. |
| CVE-2021-4334 | High | 0.57 | 8.8 | 0.00 | | Oct 20, 2023 | The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator, which can allow privilege escalation. |
| CVE-2017-0910 | High | 0.57 | 8.8 | 0.00 | | Nov 27, 2017 | In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm. |
| CVE-2017-10805 | High | 0.57 | 8.8 | 0.00 | | Jul 4, 2017 | In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, incorrect access control on OAuth tokens in the OAuth module allows remote authenticated users to hijack OAuth sessions of other users. |
| CVE-2017-8907 | High | 0.57 | 8.8 | 0.00 | | Jun 14, 2017 | Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can log in to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo. |
| CVE-2017-2306 | High | 0.57 | 8.8 | 0.01 | | May 30, 2017 | On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, read-only users on the Junos Space administrative web interface can execute code on the device. |
| CVE-2017-2305 | High | 0.57 | 8.8 | 0.00 | | May 30, 2017 | On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, read-only users on the Junos Space administrative web interface can create privileged users, allowing privilege escalation. |
| CVE-2017-7505 | High | 0.57 | 8.8 | 0.00 | | May 26, 2017 | Foreman since version 1.5 is vulnerable to an incorrect authorization check, due to which users with user management permission who are assigned to some organization(s) can do all operations granted by these permissions on all administrator user objects outside of their scope, such as editing global admin accounts including changing their passwords. |
| CVE-2017-3801 | High | 0.57 | 8.8 | 0.00 | | Feb 15, 2017 | A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and 6.0.0.1 could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile, a Privilege Escalation Vulnerability. The vulnerability is due to improper role-based access control (RBAC) after the Developer Menu is enabled in Cisco UCS Director. An attacker could exploit this vulnerability by enabling Developer Mode for his/her user profile with an end-user profile and then adding new catalogs with arbitrary workflow items to his/her profile. An exploit could allow an attacker to perform any actions defined by these workflow items, including actions affecting other tenants. Cisco Bug IDs: CSCvb64765. |
| CVE-2026-32173 | High | 0.56 | 8.6 | 0.00 | | Apr 3, 2026 | Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network. |
| CVE-2025-13829 | High | 0.56 | — | 0.00 | | Dec 1, 2025 | Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved: APIKEY (1 year user Session); RefreshToken (10 minutes user Session); Password hashed with bcrypt; User IP; Email; Full Name. |
| CVE-2025-24479 | High | 0.56 | — | 0.00 | | Jan 28, 2025 | A Local Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to a default setting in Windows and allows access to the Command Prompt as a higher privileged user. |
| CVE-2024-44270 | High | 0.56 | 8.6 | 0.00 | | Oct 28, 2024 | A logic issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A sandboxed process may be able to circumvent sandbox restrictions. |