CWE-863: Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource, but it does not correctly perform the check.
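
The distinction from a missing check (CWE-862) is that a check runs but asks the wrong question. The following Python module is an added illustration, not code from any product in the listing below; Principal, Document, ROLE_PERMISSIONS and the *_vulnerable / *_fixed functions are hypothetical names. It shows two shapes of wrong-but-present checks that recur in the entries on this page: a permission check made at the type level that never looks at the specific object, and a token-creation check that confirms the caller may create tokens but never bounds the token's scopes by the caller's own.

```python
"""Illustrative CWE-863 example (added to this page; hypothetical names).

Shape 1, wrong granularity: the check confirms the caller may read documents
in general, never that the caller may read *this* document.
Shape 2, wrong ceiling: the caller may mint an API token, but the token's
scopes are never bounded by the scopes the caller holds.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when an authorization check denies the request."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset    # e.g. frozenset({"viewer"})
    scopes: frozenset   # scopes the caller's own credentials carry


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str
    shared_with: frozenset = frozenset()


# Hypothetical role -> permission table.
ROLE_PERMISSIONS = {
    "viewer": frozenset({"document:read"}),
    "editor": frozenset({"document:read", "document:write"}),
    "admin": frozenset({"document:read", "document:write", "document:delete"}),
}


def permissions_of(p: Principal) -> frozenset:
    return frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in p.roles))


def read_document_vulnerable(caller: Principal, doc: Document) -> Document:
    # A check is performed, but only on the permission type (CWE-863):
    # every viewer can read every document, whoever owns it.
    if "document:read" not in permissions_of(caller):
        raise Forbidden("caller lacks document:read")
    return doc


def read_document_fixed(caller: Principal, doc: Document) -> Document:
    if "document:read" not in permissions_of(caller):
        raise Forbidden("caller lacks document:read")
    # Object-level check: owner, explicitly shared, or admin role.
    allowed = (
        caller.user_id == doc.owner_id
        or caller.user_id in doc.shared_with
        or "admin" in caller.roles
    )
    if not allowed:
        raise Forbidden(f"{caller.user_id} is not authorized for {doc.doc_id}")
    return doc


def mint_token_vulnerable(caller: Principal, requested: frozenset) -> dict:
    # Asks "may this caller mint tokens?" but never compares the requested
    # scopes with the caller's own, so a low-privileged caller can mint a
    # token carrying scopes it does not hold.
    if not caller.scopes:
        raise Forbidden("caller may not mint tokens")
    return {"sub": caller.user_id, "scopes": frozenset(requested)}


def mint_token_fixed(caller: Principal, requested: frozenset) -> dict:
    requested = frozenset(requested)
    if not requested:
        raise Forbidden("a token needs at least one scope")
    # Delegated privilege must be a subset of the delegator's privilege.
    excess = requested - caller.scopes
    if excess:
        raise Forbidden(f"requested scopes exceed caller's: {sorted(excess)}")
    return {"sub": caller.user_id, "scopes": requested}


def run_scenarios() -> dict:
    """Constructed scenarios; returns which calls were allowed (True) or denied."""
    alice = Principal("alice", frozenset({"viewer"}), frozenset({"read"}))
    bob_doc = Document("doc-42", owner_id="bob")

    def allowed(fn, *args) -> bool:
        try:
            fn(*args)
            return True
        except Forbidden:
            return False

    return {
        "vuln_read_other_users_doc": allowed(read_document_vulnerable, alice, bob_doc),
        "fixed_read_other_users_doc": allowed(read_document_fixed, alice, bob_doc),
        "fixed_read_own_doc": allowed(read_document_fixed, alice, Document("doc-1", "alice")),
        "vuln_mint_admin_token": allowed(mint_token_vulnerable, alice, frozenset({"read", "admin"})),
        "fixed_mint_admin_token": allowed(mint_token_fixed, alice, frozenset({"read", "admin"})),
        "fixed_mint_read_token": allowed(mint_token_fixed, alice, frozenset({"read"})),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:28s} {'ALLOWED' if ok else 'denied'}")
```

Running the module prints one line per scenario; the two "vuln_" cases come back allowed even though the caller neither owns the document nor holds the admin scope. The fix in both cases is the same discipline: evaluate the check against the specific object and the specific privilege being granted, not against a coarser stand-in for them.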

Total CVEs: 710
Critical: 138
High: 315
Avg CVSS: 7.3
In CISA KEV: 3

Yearly Trend

2026: 77
2025: 260
2024: 164
2023: 97
2022: 35

Top Affected Vendors

1. Oracle (34)
2. Apple (26)
3. Adobe (23)
4. Google (19)
5. Mattermost (18)
6. GitLab (16)
7. IBM (13)
8. Apache (10)
9. WSO2 (7)
10. Lunary (7)

Incorrect Authorization CVEs (710 tracked; the 50 shown here are ordered by CVSS score, 7.5 down to 7.1)

CVE-2020-24771 | CVSS 7.5 | Mar 30, 2022
CVE-2020-24771 is an incorrect access control vulnerability in NexusPHP that allows unauthorized attackers to access published content without proper ...

CVE-2022-25335 | CVSS 7.5 | Feb 18, 2022
CVE-2022-25335 is an access control vulnerability in RigoBlock Dragos smart contracts where the setMultipleAllowances function lacks the onlyOwner mod...

CVE-2021-24917 | CVSS 7.5 | Dec 6, 2021
This vulnerability in the WPS Hide Login WordPress plugin allows unauthenticated attackers to discover the secret login page URL by sending a crafted ...

CVE-2020-19765 | CVSS 7.5 | Sep 7, 2021
CVE-2020-19765 is a reentrancy vulnerability in the Accounting 1.0 Ethereum smart contract's noReentrance() modifier. Attackers can exploit this to dr...

CVE-2020-12733 | CVSS 7.5 | Jul 15, 2021
This vulnerability allows unauthorized TELNET access to certain Shenzhen PENGLIXIN components in DEPSTECH WiFi Digital Microscope 3 devices using defa...

CVE-2021-29628 | CVSS 7.5 | May 28, 2021
This vulnerability in FreeBSD kernels allows system calls to disable SMAP (Supervisor Mode Access Prevention) protections temporarily, creating a wind...

CVE-2021-24278 | CVSS 7.5 | May 14, 2021
This vulnerability allows unauthenticated attackers to retrieve valid WordPress nonces (security tokens) for any action via an AJAX endpoint in the Re...

CVE-2021-22209 | CVSS 7.5 | May 6, 2021
CVE-2021-22209 is an authorization bypass vulnerability in GitLab's GraphQL API that allows unauthorized execution of mutations. This affects all GitL...

CVE-2020-21990 | CVSS 7.5 | Apr 29, 2021
CVE-2020-21990 is an information disclosure vulnerability in Emmanuel MyDomoAtHome (MDAH) REST API Domoticz ISS Gateway that allows unauthenticated re...

CVE-2019-15059 | CVSS 7.5 | Apr 12, 2021
CVE-2019-15059 allows unauthenticated remote attackers to download Liberty lisPBX configuration backup files containing sensitive PBX information. Thi...

CVE-2021-28936 | CVSS 7.5 | Mar 29, 2021
This vulnerability allows unauthenticated attackers to change the administrator password on Acexy Wireless-N WiFi Repeater devices by sending a specia...

CVE-2021-28373 | CVSS 7.5 | Mar 13, 2021
The auth_internal plugin in Tiny Tiny RSS (tt-rss) before March 12, 2021 allows attackers to log in using only a valid OTP (one-time password) code wi...

CVE-2021-27509 | CVSS 7.5 | Feb 19, 2021
This vulnerability in Visualware MyConnection Server allows unauthorized access to published reports due to improper access control. Attackers can vie...

CVE-2020-8806 | CVSS 7.5 | Feb 5, 2021
This vulnerability in Zcashd allows attackers to create alternative blockchain branches that could be incorrectly accepted, potentially enabling doubl...

CVE-2024-27309 | CVSS 7.4 | Apr 12, 2024
During Apache Kafka migration from ZooKeeper to KRaft mode, ACL enforcement can fail when removing an ACL from a resource with multiple ACLs, causing ...

CVE-2023-45185 | CVSS 7.4 | Dec 14, 2023
This vulnerability in IBM i Access Client Solutions allows attackers to execute remote code on affected PCs by exploiting improper authority checks. A...

CVE-2020-36714 | CVSS 7.4 | Oct 20, 2023
The Brizy WordPress plugin up to version 1.0.125 contains an authorization bypass vulnerability due to an incorrect capability check in the is_adminis...

CVE-2023-40168 | CVSS 7.4 | Aug 17, 2023
This vulnerability in TurboWarp Desktop allows malicious Scratch projects or custom extensions to read arbitrary files from the user's disk and upload...

CVE-2024-23929 | CVSS 7.3 | Jan 31, 2025
This vulnerability allows attackers with network access to Pioneer DMH-WT7600NEX car infotainment systems to bypass authentication and create arbitrar...

CVE-2024-13291 | CVSS 7.3 | Jan 9, 2025
This vulnerability in Drupal's Basic HTTP Authentication module allows attackers to bypass authorization checks and access restricted content through ...

CVE-2024-21735 | CVSS 7.3 | Jan 9, 2024
SAP LT Replication Server in specified S4CORE versions lacks proper authorization checks, allowing authenticated high-privilege users to escalate priv...

CVE-2026-23572 | CVSS 7.2 | Feb 5, 2026
This vulnerability allows authenticated TeamViewer users to bypass the 'Allow after confirmation' security setting during remote sessions. Attackers w...

CVE-2026-24748 | CVSS 7.2 | Jan 27, 2026
This CVE describes an authentication bypass vulnerability in Kargo's API endpoints. Unauthenticated attackers can access configuration data (exposing ...

CVE-2025-2515 | CVSS 7.2 | Dec 24, 2025
This vulnerability in BlueChi allows a root user on a managed node to create or modify systemd service unit files on the host node, leading to privile...

CVE-2025-3586 | CVSS 7.2 | Sep 1, 2025
This vulnerability allows authenticated admin users with Instance Administrator role to execute arbitrary Groovy scripts through Object actions in Lif...

CVE-2025-4646 | CVSS 7.2 | May 13, 2025
An incorrect authorization vulnerability in Centreon web's API token creation form allows authenticated users to create API tokens with higher privile...

CVE-2024-42062 | CVSS 7.2 | Aug 7, 2024
A privilege escalation vulnerability in Apache CloudStack allows domain admin accounts to query API and secret keys of all account-users, including ro...

CVE-2021-46561 | CVSS 7.2 | Jan 26, 2022
This vulnerability allows organizational administrators in CVE Services API to transfer user accounts to arbitrary organizations, granting unintended ...

CVE-2022-23009 | CVSS 7.2 | Jan 25, 2022
This vulnerability allows an authenticated administrative user on a BIG-IQ managed BIG-IP device to access other BIG-IP devices managed by the same BI...

CVE-2022-22157 | CVSS 7.2 | Jan 19, 2022
This vulnerability in Juniper SRX Series firewalls allows attackers to bypass Deep Packet Inspection rules when 'no-syn-check' is enabled, potentially...

CVE-2022-22167 | CVSS 7.2 | Jan 19, 2022
This vulnerability in Juniper SRX Series firewalls allows attackers to bypass Deep Packet Inspection rules when 'no-syn-check' is enabled, potentially...

CVE-2021-41189 | CVSS 7.2 | Oct 29, 2021
CVE-2021-41189 is a privilege escalation vulnerability in DSpace 7.0 where community or collection administrators can elevate their permissions to bec...

CVE-2021-23015 | CVSS 7.2 | May 10, 2021
This vulnerability allows authenticated BIG-IP administrators to bypass Appliance Mode security restrictions using undisclosed iControl REST endpoints...

CVE-2021-29439 | CVSS 7.2 | Apr 13, 2021
CVE-2021-29439 is an improper privilege verification vulnerability in Grav admin plugin that allows users with only login permissions to install third...

CVE-2025-66423 | CVSS 7.1 | Nov 30, 2025
This vulnerability allows unauthorized access to the HTML editor route in Tryton trytond due to missing access rights enforcement. Attackers could pot...

CVE-2025-61830 | CVSS 7.1 | Nov 11, 2025
Adobe Pass versions 3.7.3 and earlier contain an incorrect authorization vulnerability that allows attackers to bypass security controls and gain unau...

CVE-2025-62795 | CVSS 7.1 | Oct 30, 2025
This vulnerability allows low-privileged authenticated users in JumpServer to bypass authorization checks and invoke LDAP configuration tests or synch...

CVE-2024-41979 | CVSS 7.1 | Aug 12, 2025
This CVE describes an authorization bypass vulnerability in Siemens SmartClient modules where the server fails to enforce proper access controls on ce...

CVE-2025-0937 | CVSS 7.1 | Feb 12, 2025
This vulnerability allows attackers to bypass ACL policies in Nomad event streams configured with wildcard namespaces, enabling unauthorized read acce...

CVE-2025-24407 | CVSS 7.1 | Feb 11, 2025
Adobe Commerce has an incorrect authorization vulnerability (CWE-863) that allows low-privileged attackers to bypass security features and perform una...

CVE-2024-45164 | CVSS 7.1 | Nov 4, 2024
This vulnerability allows authenticated users in Akamai SIA ThreatAvert to bypass authorization controls and disable policy enforcement by directly ac...

CVE-2024-21284 | CVSS 7.1 | Oct 15, 2024
This vulnerability in Oracle Banking Liquidity Management allows authenticated attackers with network access to potentially compromise the system thro...

CVE-2024-8691 | CVSS 7.1 | Sep 11, 2024
This vulnerability allows an authenticated GlobalProtect user to impersonate another GlobalProtect user, disconnecting the legitimate user while hidin...

CVE-2024-39323 | CVSS 7.1 | Jul 2, 2024
This CVE describes an improper access control vulnerability in the Aimeos GraphQL API admin interface. It allows users with editor permissions to modi...

CVE-2023-6542 | CVSS 7.1 | Dec 12, 2023
This vulnerability in the Emarsys SDK for Android allows attackers to bypass authorization checks and launch arbitrary web pages or deep links from th...

CVE-2023-48712 | CVSS 7.1 | Nov 24, 2023
CVE-2023-48712 is an authentication bypass vulnerability in Warpgate that allows non-admin users to impersonate admin accounts when single-factor auth...

CVE-2022-40681 | CVSS 7.1 | Nov 14, 2023
This vulnerability in Fortinet FortiClient for Windows allows attackers to cause denial of service by sending specially crafted requests to a specific...

CVE-2022-31107 | CVSS 7.1 | Jul 15, 2022
This vulnerability allows an authenticated malicious user to take over another user's Grafana account via OAuth login manipulation. It affects Grafana...

CVE-2021-3456 | CVSS 7.1 | Mar 30, 2022
An improper authorization flaw in Foreman's Salt plugin for smart-proxy allows authenticated local attackers to execute actions restricted to the Fore...

CVE-2022-0580 | CVSS 7.1 | Feb 14, 2022
CVE-2022-0580 is an incorrect authorization vulnerability in LibreNMS that allows authenticated users to access unauthorized functionality. This affec...

About Incorrect Authorization (CWE-863)

Our database tracks 710 CVEs classified as CWE-863, with 138 rated critical and 315 rated high severity. The average CVSS score for Incorrect Authorization vulnerabilities is 7.3.

External reference: CWE-863 on MITRE CWE: https://cwe.mitre.org/data/definitions/863.html
