VYPR

CWE-863

Incorrect Authorization

Abstraction: Class · Status: Incomplete · Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
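The distinction that matters here is that an authorization check is present but scoped or sequenced wrongly. The example below is added for illustration and is not code from this page, from CWE, or from any project listed below; it models two patterns the CVE summaries further down describe: a check that inspects only the leaf item and ignores parent folders (the Jenkins nested-item case), and an action permission (Cancel) honoured without the Read permission it depends on. The ACL contents, actor names, path layout and function names are all constructed assumptions.

```python
"""CWE-863 on hierarchical resources: the check exists but checks the wrong thing.

Added example, not code from the page or from any project it lists.
All names, paths and permissions below are constructed for this illustration.
"""

READ = "Item/Read"
CANCEL = "Item/Cancel"

# Constructed ACL: {actor: {path: {permissions}}}. Permissions are granted per
# item path and nothing is inherited, so the check must walk ancestors itself.
ACL = {
    "alice": {"/": {READ}, "/team": {READ}, "/team/build": {READ, CANCEL}},
    # bob has Read on the nested job only: no Read on /team or on /.
    "bob": {"/team/build": {READ}},
    # carol has Cancel on the job but no Read anywhere.
    "carol": {"/team/build": {CANCEL}},
}


def ancestors(path: str) -> list[str]:
    """'/team/build' -> ['/', '/team', '/team/build'] (root first, leaf last)."""
    parts = [p for p in path.split("/") if p]
    out = ["/"]
    for i in range(len(parts)):
        out.append("/" + "/".join(parts[: i + 1]))
    return out


def has_perm(actor: str, path: str, perm: str) -> bool:
    return perm in ACL.get(actor, {}).get(path, set())


# --- vulnerable: a check runs, but it is scoped to the leaf only -------------
def can_read_vulnerable(actor: str, path: str) -> bool:
    # Only the requested item is consulted. An actor who lacks Read on a parent
    # folder can still reach the nested item by addressing it directly.
    return has_perm(actor, path, READ)


def can_cancel_vulnerable(actor: str, path: str) -> bool:
    # Cancel is evaluated in isolation, so an actor who cannot even Read the
    # item can still abort it.
    return has_perm(actor, path, CANCEL)


# --- fixed: every ancestor must be readable, and Cancel requires Read --------
def can_read(actor: str, path: str) -> bool:
    return all(has_perm(actor, p, READ) for p in ancestors(path))


def can_cancel(actor: str, path: str) -> bool:
    return can_read(actor, path) and has_perm(actor, path, CANCEL)


if __name__ == "__main__":
    job = "/team/build"
    for actor in ("alice", "bob", "carol", "mallory"):
        print(
            f"{actor:8} read {can_read_vulnerable(actor, job)!s:5} -> {can_read(actor, job)!s:5}"
            f"  cancel {can_cancel_vulnerable(actor, job)!s:5} -> {can_cancel(actor, job)!s:5}"
        )
```

Running the script shows bob passing the vulnerable Read check and failing the fixed one, and carol passing the vulnerable Cancel check while failing the fixed one. The general rule the fixed functions encode is that a permission on a resource is only meaningful after every containing scope has been checked, and that an action permission should be evaluated after, not instead of, the visibility permission it presupposes.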

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 56 of 77
  • CVE-2023-40611 · Med · Sep 12, 2023
    risk 0.21 · cvss 4.3 · epss 0.01

    Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users…

  • CVE-2023-3957 · Med · Jul 27, 2023
    risk 0.21 · cvss 4.3 · epss 0.00

    The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient restriction on the 'apg_profile_update' function in versions up to, and including, 1.9. This makes it possible for authenticated attackers, with…

  • CVE-2020-36625 · Med · Dec 22, 2022
    risk 0.21 · cvss 4.3 · epss 0.00

    A vulnerability was found in destiny.gg chat. It has been rated as problematic. This issue affects the function websocket.Upgrader of the file main.go. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is…

  • CVE-2022-41230 · Med · Sep 21, 2022
    risk 0.21 · cvss 4.3 · epss 0.01

    Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for…

  • CVE-2022-0984 · Med · Apr 29, 2022
    risk 0.21 · cvss 4.3 · epss 0.01

    Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.

  • CVE-2022-0985 · Med · Apr 29, 2022
    risk 0.21 · cvss 4.3 · epss 0.01

    Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.

  • CVE-2022-0334 · Med · Jan 25, 2022
    risk 0.21 · cvss 4.3 · epss 0.01

    A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view…

  • CVE-2021-4026 · Med · Nov 30, 2021
    risk 0.21 · cvss 4.3 · epss 0.01

    bookstack is vulnerable to Improper Access Control

  • CVE-2021-25954 · Med · Aug 9, 2021
    risk 0.21 · cvss 4.3 · epss 0.01

    In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at…

  • CVE-2021-21670 · Med · Jun 30, 2021
    risk 0.21 · cvss 4.3 · epss 0.02

    Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.

  • CVE-2021-21624 · Med · Mar 18, 2021
    risk 0.21 · cvss 4.3 · epss 0.01

    An incorrect permission check in Jenkins Role-based Authorization Strategy Plugin 3.1 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders.

  • CVE-2021-20283 · Med · Mar 15, 2021
    risk 0.21 · cvss 4.3 · epss 0.01

    The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

  • CVE-2020-29605 · Med · Jan 29, 2021
    risk 0.21 · cvss 4.3 · epss 0.01

    An issue was discovered in MantisBT before 2.24.4. Due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can get access to the Summary fields of private Issues via bug_arr[]= in a crafted bug_actiongroup_page.php URL. (The target Issues can…

  • CVE-2020-25781 · Med · Sep 30, 2020
    risk 0.21 · cvss 4.3 · epss 0.01

    An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.

  • CVE-2020-2258 · Med · Sep 16, 2020
    risk 0.21 · cvss 4.3 · epss 0.01

    Jenkins Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view that HTTP endpoint.

  • CVE-2020-25026 · Med · Sep 2, 2020
    risk 0.21 · cvss 4.3 · epss 0.01

    The sf_event_mgt (aka Event management and registration) extension before 4.3.1 and 5.x before 5.1.1 for TYPO3 allows Information Disclosure (participant data, and event data via email) because of Broken Access Control.

  • CVE-2018-11802 · Med · Apr 1, 2020
    risk 0.21 · cvss 4.3 · epss 0.02

    In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr…

  • CVE-2020-2148 · Med · Mar 9, 2020
    risk 0.21 · cvss 4.3 · epss 0.01

    A missing permission check in Jenkins Mac Plugin 1.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.

  • CVE-2020-2104 · Med · Jan 29, 2020
    risk 0.21 · cvss 4.3 · epss 0.01

    Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart.

  • CVE-2018-7957 · Low · Jul 31, 2018
    risk 0.21 · cvss 3.3 · epss 0.00

    Huawei smartphones with software Victoria-AL00 8.0.0.336a(C00) have an information leakage vulnerability. Because an interface does not verify authorization correctly, attackers can exploit an application with the authorization of phone state to obtain user location additionally.