VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Status: Incomplete | Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 6 of 77
  • CVE-2021-4334 | High | Oct 20, 2023
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with…

  • CVE-2017-3183 | High | Jul 24, 2018
    risk 0.57 | CVSS 8.8 | EPSS 0.02

    Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. Sage XRT Treasury is a business finance management application. Database user access…

  • CVE-2017-0926 | High | Mar 21, 2018
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login.

  • CVE-2018-2361 | High | Jan 9, 2018
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    In SAP Solution Manager 7.20, the role SAP_BPO_CONFIG gives the Business Process Operations (BPO) configuration user more authorization than required for configuring the BPO tools.

  • CVE-2017-0910 | High | Nov 27, 2017
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm.

  • CVE-2017-10805 | High | Jul 4, 2017
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, incorrect access control on OAuth tokens in the OAuth module allows remote authenticated users to hijack OAuth sessions of other users.

  • CVE-2017-8907 | High | Jun 14, 2017
    risk 0.57 | CVSS 8.8 | EPSS 0.02

    Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects…

  • CVE-2017-2306 | High | May 30, 2017
    risk 0.57 | CVSS 8.8 | EPSS 0.02

    On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, readonly users on the Junos Space administrative web interface can execute code on the device.

  • CVE-2017-2305 | High | May 30, 2017
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, readonly users on the Junos Space administrative web interface can create privileged users, allowing privilege escalation.

  • CVE-2017-7505 | High | May 26, 2017
    risk 0.57 | CVSS 8.8 | EPSS 0.02

    Foreman since version 1.5 is vulnerable to an incorrect authorization check due to which users with user management permission who are assigned to some organization(s) can do all operations granted by these permissions on all administrator user object outside of their scope,…

  • CVE-2017-3801 | High | Feb 15, 2017
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and 6.0.0.1 could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile, a Privilege Escalation Vulnerability. The vulnerability is due to improper role-based…

  • CVE-2026-32173 | High | Apr 3, 2026
    risk 0.56 | CVSS 8.6 | EPSS 0.01

    Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network.

  • CVE-2025-13829 | High | Dec 1, 2025
    risk 0.56 | CVSS (not listed) | EPSS 0.00

    Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved: * APIKEY (1 year user Session) * RefreshToken (10 minutes user Session) * …

  • CVE-2025-24200 | Medium | KEV | Feb 10, 2025
    risk 0.56 | CVSS 6.1 | EPSS 0.05

    An authorization issue was addressed with improved state management. This issue is fixed in iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.1 and iPadOS 18.3.1, iPadOS 17.7.5. A physical attack may disable USB Restricted Mode on a locked device. Apple is…

  • CVE-2025-24479 | High | Jan 28, 2025
    risk 0.56 | CVSS (not listed) | EPSS 0.00

    A Local Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to a default setting in Windows and allows access to the Command Prompt as a higher privileged user.

  • CVE-2024-44270 | High | Oct 28, 2024
    risk 0.56 | CVSS 8.6 | EPSS 0.01

    A logic issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A sandboxed process may be able to circumvent sandbox restrictions.

  • CVE-2026-45549 | High | Jun 10, 2026
    risk 0.55 | CVSS 8.5 | EPSS 0.00

    Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) has decorators @bp.post('/agent/action/') and @jwt_required() only — no role check, no group…

  • CVE-2026-47929 | High | Jun 9, 2026
    risk 0.55 | CVSS 8.4 | EPSS 0.08

    ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability to gain elevated access or…

  • CVE-2026-4857 | High | Apr 15, 2026
    risk 0.55 | CVSS 8.4 | EPSS 0.00

    IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the ViewAccessDebugPage SPRight to incorrectly…

  • CVE-2025-66005 | High | Jan 14, 2026
    risk 0.55 | CVSS (not listed) | EPSS 0.00

    Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session.