CWE-863: Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource, but it does not correctly perform the check.

Total CVEs: 711
Critical: 139
High: 315
Average CVSS: 7.3
In CISA KEV: 3

Yearly Trend (CVEs per year)

2026: 77 (partial year; the latest entry on this page is dated Mar 4, 2026)
2025: 260
2024: 164
2023: 97
2022: 35

Top Affected Vendors (CVE count)

1. Oracle (34)
2. Apple (26)
3. Adobe (23)
4. Google (19)
5. Mattermost (18)
6. GitLab (16)
7. IBM (13)
8. Apache (10)
9. WSO2 (7)
10. Lunary (7)

All Incorrect Authorization CVEs (711)

The 50 entries below are one page of the listing, ordered by CVSS score (descending). Each entry reads: CVE ID | CVSS | date, followed by its summary.

CVE-2024-45132 | 6.5 | Oct 10, 2024
CVE-2024-45132 is an improper authorization vulnerability in Adobe Commerce that allows low-privileged attackers to bypass security controls and escal...

CVE-2024-6512 | 6.5 | Sep 25, 2024
This CVE describes an authorization bypass vulnerability in Devolutions Server's PAM access request approval mechanism. Authenticated users with appro...

CVE-2024-3404 | 6.5 | Jun 6, 2024
This vulnerability allows authenticated attackers to bypass access controls and read other users' chat history files in the gaizhenbiao/chuanhuchatgpt...

CVE-2024-36376 | 6.5 | May 29, 2024
This CVE describes an authorization bypass vulnerability in JetBrains TeamCity where users could perform actions beyond their assigned permissions. It...

CVE-2024-36364 | 6.5 | May 29, 2024
This vulnerability in JetBrains TeamCity allows improper access control in Pull Requests and Commit status publisher build features. Attackers could p...

CVE-2024-3957 | 6.5 | May 2, 2024
The Booster for WooCommerce plugin (also known as WooCommerce Jetpack) contains a vulnerability that allows unauthenticated attackers to execute arbit...

CVE-2025-62648 | 6.4 | Oct 17, 2025
This vulnerability in the Restaurant Brands International (RBI) assistant platform allows remote attackers to manipulate Drive Thru speaker audio volu...

CVE-2025-21403 | 6.4 | Jan 14, 2025
This vulnerability in On-Premises Data Gateway allows unauthorized access to sensitive information stored in gateway configurations. It affects organi...

CVE-2024-45037 | 6.4 | Aug 27, 2024
A vulnerability in AWS Cloud Development Kit (CDK) versions 2.142.0 through 2.148.0 allows authenticated Amazon Cognito users to gain unintended acces...

CVE-2025-23262 | 6.3 | Sep 4, 2025
NVIDIA ConnectX management interface has an authorization vulnerability where local attackers could gain unauthorized configuration access. This affec...

CVE-2024-9902 | 6.3 | Nov 6, 2024
This vulnerability in Ansible's user module allows an unprivileged user to create or replace any file on the system and take ownership when a privileg...

CVE-2024-43954 | 6.3 | Aug 29, 2024
This CVE describes an incorrect authorization vulnerability in the Themeum Droip WordPress plugin that allows users with lower privileges (like subscr...

CVE-2024-6358 | 6.3 | Aug 6, 2024
CVE-2024-6358 is an incorrect authorization vulnerability in OpenText ArcSight Intelligence that allows authenticated users to access resources or per...

CVE-2024-48540 | 6.2 | Oct 24, 2024
This vulnerability in XIAO HE Smart 4.3.1 allows attackers to bypass access controls and extract sensitive information by reverse-engineering the APK ...

CVE-2024-9098 | 6.1 | Mar 20, 2025
This privilege escalation vulnerability allows administrators in lunary-ai/lunary to invite new users with billing permissions, bypassing intended acc...

CVE-2025-21570 | 6.1 | Jan 21, 2025
This vulnerability in Oracle Life Sciences Argus Safety 8.2.3 allows unauthenticated attackers with network access to compromise the system via HTTP. ...

CVE-2024-42423 | 6.1 | Sep 10, 2024
This vulnerability allows local unauthenticated users with low privileges to bypass authorization controls in Citrix Workspace App when Citrix CEB is ...

CVE-2025-66378 | 5.9 | Dec 25, 2025
Pexip Infinity versions 38.0 and 38.1 have an insufficient access control vulnerability in their RTMP implementation. This allows attackers to disconn...

CVE-2025-54265 | 5.9 | Oct 14, 2025
Adobe Commerce (Magento) versions 2.4.9-alpha2 through 2.4.4-p15 and earlier contain an incorrect authorization vulnerability (CWE-863) that allows at...

CVE-2024-49208 | 5.9 | Oct 22, 2024
Archer Platform 2024.03 versions before 2024.08 have an authorization bypass vulnerability in supporting application files. This allows remote unprivi...

CVE-2026-21896 | 5.7 | Jan 8, 2026
This vulnerability allows users with restricted permissions to bypass intended write restrictions in Kirby CMS. Attackers with authenticated access ca...

CVE-2025-9955 | 5.7 | Oct 16, 2025
An improper access control vulnerability in WSO2 Enterprise Integrator allows low-privileged users to access internal SOAP admin services for system l...

CVE-2025-11060 | 5.7 | Sep 26, 2025
This vulnerability in the SurrealDB database engine allows record or guest users to observe unauthorized records within the same table by exploiting c...

CVE-2024-2321 | 5.6 | Feb 27, 2025
This vulnerability allows attackers to bypass authorization in WSO2 products by using refresh tokens instead of access tokens to access protected APIs...

CVE-2026-26949 | 5.5 | Mar 4, 2026
Dell Device Management Agent (DDMA) versions before 26.02 contain an incorrect authorization vulnerability that allows local low-privileged attackers ...

CVE-2026-20624 | 5.5 | Feb 11, 2026
This CVE describes an injection vulnerability in macOS that allows malicious applications to access sensitive user data. The issue affects macOS Sequo...

CVE-2025-43397 | 5.5 | Nov 4, 2025
A permissions issue in macOS allows applications to cause denial-of-service conditions. This affects macOS Sequoia, Tahoe, and Sonoma systems before s...

CVE-2025-26442 | 5.5 | Sep 4, 2025
This vulnerability in Android's Settings app allows local information disclosure without requiring user interaction or elevated privileges. It affects...

CVE-2025-30739 | 5.5 | Jul 15, 2025
This vulnerability in Oracle CRM Technical Foundation allows high-privileged attackers with network access via HTTP to perform unauthorized data manip...

CVE-2024-8270 | 5.5 | Jun 11, 2025
The macOS Rocket.Chat application has a TCC bypass vulnerability that allows attackers to inject malicious DYLIB files, circumventing macOS security p...

CVE-2025-24114 | 5.5 | Jan 27, 2025
This CVE describes a macOS permissions vulnerability that allows applications to modify protected areas of the file system. It affects macOS Ventura, ...

CVE-2025-21533 | 5.5 | Jan 21, 2025
This vulnerability in Oracle VM VirtualBox allows a low-privileged attacker with local access to the host system to access sensitive data from Virtual...

CVE-2024-47102 | 5.5 | Dec 25, 2024
A local privilege escalation vulnerability in IBM AIX's perfstat kernel extension allows non-privileged local users to cause a denial of service. This...

CVE-2024-44301 | 5.5 | Oct 28, 2024
This vulnerability allows a malicious application to bypass macOS file system protections and modify restricted areas. It affects macOS Ventura and So...

CVE-2024-44247 | 5.5 | Oct 28, 2024
This CVE describes a macOS vulnerability where a malicious application could bypass file system protections and modify restricted areas. It affects ma...

CVE-2024-40855 | 5.5 | Oct 28, 2024
This CVE describes a macOS sandbox escape vulnerability where a sandboxed application can bypass security restrictions to access sensitive user data. ...

CVE-2024-39322 | 5.5 | Jul 2, 2024
This CVE describes an improper access control vulnerability in Aimeos e-commerce JSON API for administrative tasks. It allows users with editor permis...

CVE-2023-38368 | 5.5 | Jun 27, 2024
IBM Security Access Manager Docker versions 10.0.0.0 through 10.0.7.1 have improper permission controls that could allow local users to access sensiti...

CVE-2024-36037 | 5.5 | May 27, 2024
This vulnerability in Zoho ManageEngine ADAudit Plus allows unauthorized local users on agent machines to view session recordings. It affects organiza...

CVE-2026-25566 | 5.4 | Feb 7, 2026
This CVE describes an authorization vulnerability in WeKan's card movement functionality. Users can move cards to boards, lists, or swimlanes without ...

CVE-2025-67856 | 5.4 | Feb 3, 2026
An authorization logic flaw in Moodle's badge awarding system allows users to obtain badges without proper role verification. This affects all Moodle ...

CVE-2025-69289 | 5.4 | Jan 28, 2026
A privilege escalation vulnerability in Discourse allows non-admin moderators to bypass email-change restrictions, potentially enabling account takeov...

CVE-2025-68660 | 5.4 | Jan 28, 2026
This vulnerability in Discourse allows authenticated users to bypass AI persona access controls, gaining unauthorized access to staff-only AI personas...

CVE-2025-67490 | 5.4 | Dec 10, 2025
The Auth0 Next.js SDK vulnerability allows simultaneous requests from the same client to cause improper token cache lookups, potentially leading to au...

CVE-2025-20381 | 5.4 | Dec 3, 2025
This vulnerability allows authenticated users of Splunk MCP Server app to bypass SPL command restrictions by embedding commands as sub-searches. Attac...

CVE-2025-64707 | 5.4 | Nov 12, 2025
CVE-2025-64707 is an access control vulnerability in Frappe Learning where role revocation isn't immediately effective due to caching issues. This all...

CVE-2025-62259 | 5.4 | Oct 27, 2025
This vulnerability allows remote users to access and edit content via APIs in Liferay Portal and DXP before email verification, bypassing intended acc...

CVE-2025-7374 | 5.4 | Oct 10, 2025
The WP JobHunt plugin for WordPress (used by JobCareer theme) has an authorization bypass vulnerability that allows authenticated attackers with Candi...

CVE-2025-31254 | 5.4 | Sep 15, 2025
This Safari/iOS/iPadOS vulnerability allows malicious web content to trigger unexpected URL redirections due to improper URL validation. It affects us...

CVE-2025-55177 | 5.4 | In CISA KEV | Aug 29, 2025
This WhatsApp vulnerability allows unauthorized users to trigger processing of arbitrary URLs on a target's device through linked device synchronizati...

About Incorrect Authorization (CWE-863)

Our database tracks 711 CVEs classified as CWE-863: 139 rated critical and 315 rated high, with an average CVSS score of 7.3; 3 of them are listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. What distinguishes CWE-863 is that an authorization check is present but reaches the wrong decision; the related CWE-862 (Missing Authorization) covers the case where no check is performed at all.
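The following is an added illustration of the weakness class, not code from any product in the listing above. It assumes a constructed role table, a constructed record store and invented token fields (subject, kind, scopes); none of these correspond to a real API. The broken check shows two forms that recur in the entries on this page: treating any presented credential as proof of authorization (compare the refresh-token case in CVE-2024-2321) and confirming that the caller holds a role without confirming that the role applies to the specific record being accessed. The fixed check denies by default and ties every decision to the credential kind, its scopes and the record's owner.

```python
"""CWE-863 in miniature: an authorization check that runs, but decides wrongly.

Added example for this page; it is not code from any product in the listing.
The token shape, the role table and the sample records are constructed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    subject: str        # who presented the credential
    kind: str           # "access" or "refresh" (assumed token kinds)
    scopes: frozenset   # actions the token was issued for


@dataclass(frozen=True)
class Record:
    record_id: str
    owner: str


# Constructed sample data: three principals and two records.
ROLES = {
    "alice": frozenset({"editor"}),
    "bob": frozenset({"viewer"}),
    "carol": frozenset({"admin"}),
}
RECORDS = {
    "r1": Record("r1", owner="alice"),
    "r2": Record("r2", owner="bob"),
}


def authorize_broken(token, action, record):
    """A check that exists but is wrong (the CWE-863 pattern).

    Defect 1: any non-empty token is treated as an access credential, so a
              refresh token grants the same rights as an access token.
    Defect 2: being authenticated is taken to mean being allowed to read
              anything, and holding 'editor' anywhere is taken to mean being
              allowed to write any record. `record` is never consulted.
    """
    if token is None:
        return False
    roles = ROLES.get(token.subject, frozenset())
    if action == "read":
        return True
    if action == "write":
        return bool(roles & {"editor", "admin"})
    return False


def authorize_fixed(token, action, record):
    """Deny by default; every decision is tied to the credential and the record."""
    if token is None or token.kind != "access":
        return False                 # only an access token proves authorization
    if action not in token.scopes:
        return False                 # the token must have been issued for this action
    roles = ROLES.get(token.subject, frozenset())
    if "admin" in roles:
        return True                  # admins may act on any record
    if record.owner != token.subject:
        return False                 # non-admins act only on their own records
    if action == "read":
        return True
    if action == "write":
        return "editor" in roles
    return False                     # unknown action: deny


def decisions(action, token, record_id):
    """Return (broken, fixed) for one request so the two checks can be compared."""
    record = RECORDS[record_id]
    return authorize_broken(token, action, record), authorize_fixed(token, action, record)


if __name__ == "__main__":
    def access(who):
        return Token(who, "access", frozenset({"read", "write"}))

    def refresh(who):
        return Token(who, "refresh", frozenset({"read", "write"}))

    cases = [
        ("bob reads alice's record", decisions("read", access("bob"), "r1")),
        ("refresh token reads a record", decisions("read", refresh("alice"), "r1")),
        ("alice writes bob's record", decisions("write", access("alice"), "r2")),
        ("alice writes her own record", decisions("write", access("alice"), "r1")),
        ("carol (admin) writes bob's record", decisions("write", access("carol"), "r2")),
    ]
    for label, (broken, fixed) in cases:
        print(f"{label:36} broken={broken!s:5} fixed={fixed}")
```

Each request passes through the broken check because that check only confirms that some credential and some role exist; the fixed check rejects the refresh token, the cross-user read and the cross-user write while still allowing the owner's write and the admin's. When reviewing a real authorization path, the questions to ask are the same three the fixed function asks in order: is this the right kind of credential, was it issued for this action, and does the caller's role apply to this particular resource.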

External reference: CWE-863 on MITRE CWE, https://cwe.mitre.org/data/definitions/863.html
