VYPR

CWE-863

Incorrect Authorization

ClassIncompleteLikelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 71 of 77
  • CVE-2021-28661Oct 7, 2021
    risk 0.00cvss epss 0.01

    Default SilverStripe GraphQL Server (aka silverstripe/graphql) 3.x through 3.4.1 permission checker not inherited by query subclass.

  • CVE-2021-40325Oct 4, 2021
    risk 0.00cvss epss 0.01

    Cobbler before 3.3.0 allows authorization bypass for modification of settings.

  • CVE-2021-38299Sep 27, 2021
    risk 0.00cvss epss 0.02

    Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.

  • CVE-2021-39206Sep 9, 2021
    risk 0.00cvss epss 0.01

    Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, contains two authorization related vulnerabilities CVE-2021-32777 and CVE-2021-32779. This may lead to incorrect routing or authorization policy decisions. With specially crafted requests,…

  • CVE-2021-28567Sep 8, 2021
    risk 0.00cvss epss 0.01

    Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify customer data. Access to the admin…

  • CVE-2021-38698Sep 7, 2021
    risk 0.00cvss epss 0.02

    HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.

  • CVE-2021-25735Sep 6, 2021
    risk 0.00cvss epss 0.06

    A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the…

  • CVE-2021-36039Sep 1, 2021
    risk 0.00cvss epss 0.02

    Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. An attacker can abuse this vulnerability to disclose sensitive information.

  • CVE-2021-36037Sep 1, 2021
    risk 0.00cvss epss 0.02

    Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.

  • CVE-2021-39156Aug 24, 2021
    risk 0.00cvss epss 0.01

    Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability…

  • CVE-2021-38598Aug 23, 2021
    risk 0.00cvss epss 0.01

    OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation when the linuxbridge driver with ebtables-nft is used on a Netfilter-based platform. By sending carefully crafted packets, anyone in control of a server instance connected to…

  • CVE-2021-39138Aug 18, 2021
    risk 0.00cvss epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Developers can use the REST API to signup users and also allow users to login anonymously. Prior to version 4.5.1, when an anonymous user is first signed up using REST, the…

  • CVE-2021-37705Aug 13, 2021
    risk 0.00cvss epss 0.02

    OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. To…

  • CVE-2021-38384Aug 10, 2021
    risk 0.00cvss epss 0.01

    Serverless Offline 8.0.0 returns a 403 HTTP status code for a route that has a trailing / character, which might cause a developer to implement incorrect access control, because the actual behavior within the Amazon AWS environment is a 200 HTTP status code (i.e., possibly…

  • CVE-2021-25954Aug 9, 2021
    risk 0.00cvss epss 0.01

    In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at…

  • CVE-2021-33335Aug 3, 2021
    risk 0.00cvss epss 0.01

    Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the…

  • CVE-2021-36383Jul 12, 2021
    risk 0.00cvss epss 0.01

    Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data is which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as…

  • CVE-2021-26920Jul 2, 2021
    risk 0.00cvss epss 0.10

    In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server…

  • CVE-2021-21670Jun 30, 2021
    risk 0.00cvss epss 0.02

    Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.

  • CVE-2021-22119Jun 29, 2021
    risk 0.00cvss epss 0.06

    Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A…