VYPR

CWE-863

Incorrect Authorization

Class | Incomplete | Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 9 of 77
  • CVE-2025-24479 · High · Jan 28, 2025
    risk 0.56 · cvss n/a · epss 0.00

    A Local Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to a default setting in Windows and allows access to the Command Prompt as a higher privileged user.

  • CVE-2024-44270 · High · Oct 28, 2024
    risk 0.56 · cvss 8.6 · epss 0.01

    A logic issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A sandboxed process may be able to circumvent sandbox restrictions.

  • CVE-2021-39206 · High · Sep 9, 2021
    risk 0.56 · cvss 8.6 · epss 0.01

    Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, contains two authorization related vulnerabilities CVE-2021-32777 and CVE-2021-32779. This may lead to incorrect routing or authorization policy decisions. With specially crafted requests,…

  • CVE-2026-45549 · High · Jun 10, 2026
    risk 0.55 · cvss 8.5 · epss 0.00

    Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) has decorators @bp.post('/agent/action/') and @jwt_required() only — no role check, no group…

  • CVE-2026-47929 · High · Jun 9, 2026
    risk 0.55 · cvss 8.4 · epss 0.08

    ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability to gain elevated access or…

  • CVE-2026-4857 · High · Apr 15, 2026
    risk 0.55 · cvss 8.4 · epss 0.00

    IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the ViewAccessDebugPage SPRight to incorrectly…

  • CVE-2025-66005 · High · Jan 14, 2026
    risk 0.55 · cvss n/a · epss 0.00

    Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session.

  • CVE-2025-11862 · High · Nov 11, 2025
    risk 0.55 · cvss n/a · epss 0.00

    A security issue was discovered within Verve Asset Manager allowing unauthorized read-only users to read, update, and delete users via the API.

  • CVE-2024-48547 · High · Oct 24, 2024
    risk 0.55 · cvss 8.4 · epss 0.00

    Incorrect access control in the firmware update and download processes of DreamCatcher Life v1.8.7 allows attackers to access sensitive information by analyzing the code and data within the APK file.

  • CVE-2024-48546 · High · Oct 24, 2024
    risk 0.55 · cvss 8.4 · epss 0.00

    Incorrect access control in the firmware update and download processes of Wear Sync v1.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file.

  • CVE-2024-48545 · High · Oct 24, 2024
    risk 0.55 · cvss 8.4 · epss 0.00

    Incorrect access control in the firmware update and download processes of IVY Smart v4.5.0 allows attackers to access sensitive information by analyzing the code and data within the APK file.

  • CVE-2024-48544 · High · Oct 24, 2024
    risk 0.55 · cvss 8.4 · epss 0.00

    Incorrect access control in the firmware update and download processes of Sylvania Smart Home v3.0.3 allows attackers to access sensitive information by analyzing the code and data within the APK file.

  • CVE-2024-48542 · High · Oct 24, 2024
    risk 0.55 · cvss 8.4 · epss 0.00

    Incorrect access control in the firmware update and download processes of Yamaha Headphones Controller v1.6.7 allows attackers to access sensitive information by analyzing the code and data within the APK file.

  • CVE-2024-48541 · High · Oct 24, 2024
    risk 0.55 · cvss 8.4 · epss 0.00

    Incorrect access control in the firmware update and download processes of Ruochan Smart v4.4.7 allows attackers to access sensitive information by analyzing the code and data within the APK file.

  • CVE-2020-14321 · High · Aug 16, 2022
    risk 0.55 · cvss 8.8 · epss 0.16

    In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.

  • CVE-2018-13109 · High · Jul 6, 2018
    risk 0.55 · cvss 7.5 · epss 0.36

    All ADB broadband gateways / routers based on the Epicentro platform are affected by an authorization bypass vulnerability where attackers are able to access and manipulate settings within the web interface that are forbidden to end users (e.g., by the ISP). An attacker would be…

  • CVE-2026-42882 · Critical · May 11, 2026
    risk 0.54 · cvss 9.4 · epss 0.01

    oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware and the bucket handler. The authentication middleware evaluates resource path…

  • CVE-2026-42313 · High · May 11, 2026
    risk 0.54 · cvss 8.3 · epss 0.00

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist…

  • CVE-2024-5324 · High · Jun 6, 2024
    risk 0.54 · cvss 8.8 · epss 0.02

    Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in various versions. This makes it possible for authenticated attackers, with Subscriber-level…

  • CVE-2022-1631 · High · May 9, 2022
    risk 0.54 · cvss 8.8 · epss 0.09

    Users Account Pre-Takeover or Users Account Takeover. in GitHub repository microweber/microweber prior to 1.2.15. Victim Account Take Over. Since, there is no email confirmation, an attacker can easily create an account in the application using the Victim’s Email. This allows…